| -t "ghcr.io/opencast/pyca:latest" \ | ||
| -t "ghcr.io/opencast/pyca:main" \ |
This will create latest and main tagged container images from pull request branches. They aren't pushed, but this might still be confusing.
I think that's what these docker Actions take care of:
https://github.com/opencast/opencast-admin-interface/blob/aec24429505cdd9d12f4587b027ed916a7090c11/.github/workflows/deploy-container-image.yaml#L32-L44
But to be fair, I just copied them from a colleague who assured me that this is what I wanted :D
As you said, this only tags images within the build environment. In my CI pipelines, I usually tag images with any potential tag and push if necessary. For this reason, I don't use docker/build-push-action directly, as I want to control if and what tags are pushed.
| pull_request: | ||
| branches: | ||
| - main |
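Review bot: the `pull_request` trigger is only safe because every step that touches `GITHUB_TOKEN` is gated on `github.event_name == 'push'` (the login, push and retention steps below all do this), yet the workflow still declares no `permissions:` block, which is exactly what the CodeQL "Workflow does not contain permissions" warning on this file reports. Add an explicit least-privilege block, e.g. `permissions:` / `contents: read` / `packages: write` on the job (the retention step may additionally need whatever package-deletion permission `snok/container-retention-policy` documents), so the job does not rely on the repository's default token scope and PR builds from forks get read access only.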
I don't think this will work since you are trying to use the GITHUB_TOKEN secret in an environment which is controlled by the pull request author, isn't it? This would need to be pull_request_target.
GITHUB_TOKEN is only used in steps with the condition github.event_name == 'push'. The idea of including pull_request is to check if the container image still builds with the PR.
| org-name: opencast | ||
| image-names: pyca | ||
| untagged-only: true | ||
| cut-off: 1 day ago UTC |
I sometimes reference commit hashes specifically if I need a newer version which is not yet released. Removing them after one day means that it could easily be that you couldn't re-deploy something. What do you think about increasing this to a year?
Dockerfile
Outdated
| && npm i | ||
|
|
||
| RUN pip install --break-system-packages -r requirements.txt | ||
| RUN npm i |
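Review bot: the hunk carries `npm i` both chained after `&&` and as a separate `RUN npm i`; whichever form is kept, `npm ci` (as suggested in the thread below) is the reproducible choice, and it requires a committed `package-lock.json` in the build context or the build fails. `pip install --break-system-packages` switches off the distribution's protection of the system Python, which is acceptable inside a throwaway image, but it makes reproducibility of the Python side depend entirely on `requirements.txt` pinning exact versions (ideally installed with `--require-hashes`).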
To make builds reproducible, I suggest
| RUN npm i | |
| RUN npm ci |
|
The latest commits also update Alpine and the |
ce47d38 to
5b1b0ff
| runs-on: ubuntu-latest | ||
|
|
||
| env: | ||
| DOCKER_BUILDX_PLATFORM: linux/amd64 | ||
|
|
||
| steps: | ||
| - uses: actions/checkout@v6 | ||
|
|
||
| - name: set up Docker buildx | ||
| uses: docker/setup-buildx-action@v4 | ||
| with: | ||
| platforms: ${{ env.DOCKER_BUILDX_PLATFORM }} | ||
|
|
||
| - uses: docker/login-action@v4 | ||
| if: ${{ github.event_name == 'push' }} | ||
| with: | ||
| registry: ghcr.io | ||
| username: ${{ github.actor }} | ||
| password: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| - name: info | ||
| run: | | ||
| docker version | ||
| docker info | ||
|
|
||
| echo '${{ github.ref_name }}' | sed -e 's/[^a-zA-Z0-9._-]/_/g' > VERSION_TAG | ||
| echo "version_tag=$(cat VERSION_TAG)" | ||
|
|
||
| - name: build | ||
| run: | | ||
| docker buildx build \ | ||
| --load \ | ||
| --platform "${DOCKER_BUILDX_PLATFORM}" \ | ||
| \ | ||
| --build-arg "VERSION=${{ github.ref_name }}" \ | ||
| --build-arg "FFMPEG_VERSION=release" \ | ||
| --build-arg "BUILD_DATE=$(date -u +"%Y-%m-%dT%TZ")" \ | ||
| --build-arg "GIT_COMMIT=${{ github.sha }}" \ | ||
| \ | ||
| -t "ghcr.io/opencast/pyca:latest" \ | ||
| -t "ghcr.io/opencast/pyca:main" \ | ||
| -t "ghcr.io/opencast/pyca:${{ github.sha }}" \ | ||
| -t "ghcr.io/opencast/pyca:$(cat VERSION_TAG)" \ | ||
| . | ||
|
|
||
| - name: push release | ||
| if: ${{ github.event_name == 'push' && github.ref_type == 'tag' }} | ||
| run: | | ||
| docker push "ghcr.io/opencast/pyca:$(cat VERSION_TAG)" | ||
| # assumption: last tag is always latest version | ||
| docker push "ghcr.io/opencast/pyca:latest" | ||
|
|
||
| - name: push dev version | ||
| if: ${{ github.event_name == 'push' && github.ref_name == 'main' }} | ||
| run: | | ||
| docker push "ghcr.io/opencast/pyca:main" | ||
|
|
||
| - name: delete untagged container images | ||
| uses: snok/container-retention-policy@v3.0.1 | ||
| if: ${{ github.event_name == 'push' }} | ||
| with: | ||
| account: opencast | ||
| token: ${{ secrets.GITHUB_TOKEN }} | ||
| tag-selection: untagged | ||
| image-names: pyca | ||
| cut-off: 1y |
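Review bot: `${{ github.ref_name }}` and `${{ github.sha }}` are interpolated straight into the `run:` shell scripts of the `info` and `build` steps; pass them through `env:` (e.g. `REF_NAME: ${{ github.ref_name }}`) and reference `"$REF_NAME"` in the script instead, so the value is never expanded into the script text, which is the pattern GitHub recommends against script injection even where, as here, the value is a branch or tag name that only people with push access control. Two smaller points: the `info` step echoes `version_tag=...` without writing it to `$GITHUB_OUTPUT`, so that line is log noise only (later steps read the `VERSION_TAG` file), and the `ghcr.io/opencast/pyca:${{ github.sha }}` tag is built but pushed by neither push step, so the commit-hash references discussed above will not resolve; either add it to the `push dev version` step or drop the tag. With `tag-selection: untagged` and `cut-off: 1y`, each overwrite of `main` leaves the previous digest untagged, and those are the images the retention step deletes after a year.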
Check warning (Code scanning / CodeQL, Medium): Workflow does not contain permissions
This patch updates the build files for container images and adds a GitHub Actions workflow. Further, the registry is changed to ghcr.io. Changes are separated by commit.