
Commit 4c218f6

committed
ci: build different image types
1 parent 03826f4 commit 4c218f6


6 files changed

+267
-86
lines changed


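--- a/.github/workflows/buildwithbake.yaml
+++ b/.github/workflows/buildwithbake.yaml
@@ -0,0 +1,146 @@
+name: Bake images
+
+on:
+schedule:
+- cron: 0 8 * * 1
+workflow_dispatch:
+inputs:
+environment:
+type: choice
+options:
+- testing
+- production
+default: testing
+description: "Choose the environment to bake the images for"
+
+jobs:
+testbuild:
+name: Build for testing
+runs-on: ubuntu-latest
+permissions:
+contents: read
+packages: write
+security-events: write
+outputs:
+metadata: ${{ steps.build.outputs.metadata }}
+images: ${{ steps.images.outputs.images }}
+steps:
+- name: Checkout Code
+uses: actions/checkout@v4
+
+- name: Log in to the GitHub Container registry
+uses: docker/login-action@v3
+with:
+registry: ghcr.io
+username: ${{ github.actor }}
+password: ${{ secrets.GITHUB_TOKEN }}
+
+- name: Set up QEMU
+uses: docker/setup-qemu-action@v3
+with:
+platforms: 'arm64'
+
+- name: Set up Docker Buildx
+uses: docker/setup-buildx-action@v3
+with:
+driver-opts: network=host
+
+- name: Build and push
+uses: docker/bake-action@v6
+id: build
+env:
+# Set the environment variable to the value of the input. If the input is not set, we are running via cron,
+# so default to production.
+#environment: ${{ github.event.inputs.environment || 'production' }}
+environment: testing
+registry: ghcr.io/${{ github.repository_owner }}
+revision: ${{ github.sha }}
+with:
+push: true
+
+- name: Generated images
+id: images
+run: |
+echo "images=$(echo '${{steps.build.outputs.metadata}}' | jq -c '[ .[]."image.name" | sub(",.*";"" )]')" >> "$GITHUB_OUTPUT"
+
+security:
+runs-on: ubuntu-latest
+needs:
+- testbuild
+strategy:
+matrix:
+image: ${{fromJson(needs.testbuild.outputs.images)}}
+steps:
+- name: Checkout Code
+uses: actions/checkout@v4
+
+- name: Log in to the GitHub Container registry
+uses: docker/login-action@v3
+with:
+registry: ghcr.io
+username: ${{ github.actor }}
+password: ${{ secrets.GITHUB_TOKEN }}
+
+- name: Dockle
+uses: erzz/dockle-action@v1
+with:
+image: ${{ matrix.image }}
+exit-code: '1'
+
+- name: Snyk
+uses: snyk/actions/docker@master
+continue-on-error: true
+env:
+SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+with:
+image: "${{ matrix.image }}"
+args: --severity-threshold=high --file=Dockerfile
+
+- name: Upload result to GitHub Code Scanning
+uses: github/codeql-action/upload-sarif@v3
+continue-on-error: true
+with:
+sarif_file: snyk.sarif
+
+prodbuild:
+if: github.event.inputs.environment == 'production' || github.event_name == 'schedule'
+name: Build for production
+runs-on: ubuntu-latest
+needs:
+- security
+permissions:
+contents: read
+packages: write
+security-events: write
+steps:
+- name: Checkout Code
+uses: actions/checkout@v4
+
+- name: Log in to the GitHub Container registry
+uses: docker/login-action@v3
+with:
+registry: ghcr.io
+username: ${{ github.actor }}
+password: ${{ secrets.GITHUB_TOKEN }}
+
+- name: Set up QEMU
+uses: docker/setup-qemu-action@v3
+with:
+platforms: 'arm64'
+
+- name: Set up Docker Buildx
+uses: docker/setup-buildx-action@v3
+with:
+driver-opts: network=host
+
+- name: Build and push
+uses: docker/bake-action@v6
+id: build
+env:
+# Set the environment variable to the value of the input. If the input is not set, we are running via cron,
+# so default to production.
+environment: production
+registry: ghcr.io/${{ github.repository_owner }}
+revision: ${{ github.sha }}
+with:
+push: true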
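Review bot: The `Generated images` step (new line 64) expands `${{steps.build.outputs.metadata}}` directly inside the shell command, so a quote or shell metacharacter in the bake metadata breaks the single-quoted string and the rest of the line is interpreted by the shell; pass it through the environment instead, `env:` / `METADATA: ${{ steps.build.outputs.metadata }}` and `echo "images=$(echo "$METADATA" | jq -c '[ .[]."image.name" | sub(",.*";"" )]')" >> "$GITHUB_OUTPUT"`. The Snyk step (line 91) runs `snyk/actions/docker@master`, a mutable branch reference that is handed `SNYK_TOKEN`; pinning it to a full commit SHA with a version comment, as is already the convention for the versioned `@v3`/`@v4` actions, keeps the supply chain reviewable. Because that step and the SARIF upload are `continue-on-error: true` and the `security` job declares no `permissions:` block, Snyk findings can never fail the job that `prodbuild` depends on and the upload may lack `security-events: write` when the repository default token is read-only; if the scan is meant to gate production, drop `continue-on-error` from the Snyk step and add `permissions:` with `contents: read`, `packages: read`, `security-events: write` to `security`. The comment above `environment: testing` (lines 52-55) and its copy in `prodbuild` (lines 140-141) describe an input-driven default that the hard-coded values no longer implement; replace each with a comment stating the job's fixed variant, e.g. `# This job always bakes the testing variant; prodbuild handles production`.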

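--- a/Dockerfile
+++ b/Dockerfile
@@ -1,22 +1,8 @@
-ARG DISTRO=debian:bookworm-slim
-FROM $DISTRO AS minimal
+ARG BASE=debian:bookworm-slim
+FROM $BASE AS minimal
 
 ARG PG_VERSION
 ARG PG_MAJOR=${PG_VERSION%%.*}
-ARG BUILDTIME
-ARG REVISION
-
-LABEL org.opencontainers.image.created="$BUILDTIME"
-LABEL org.opencontainers.image.url="https://github.com/cloudnative-pg/postgres-containers"
-LABEL org.opencontainers.image.source="https://github.com/cloudnative-pg/postgres-containers"
-LABEL org.opencontainers.image.version="$PG_VERSION"
-LABEL org.opencontainers.image.revision="$REVISION"
-LABEL org.opencontainers.image.vendor="The CloudNativePG Contributors"
-LABEL org.opencontainers.image.title="CloudNativePG PostgreSQL $PG_VERSION minimal"
-LABEL org.opencontainers.image.description="A minimal PostgreSQL $PG_VERSION container image"
-LABEL org.opencontainers.image.documentation="https://github.com/cloudnative-pg/postgres-containers"
-LABEL org.opencontainers.image.authors="The CloudNativePG Contributors"
-LABEL org.opencontainers.image.licenses="Apache-2.0"
 
 ENV PATH=$PATH:/usr/lib/postgresql/$PG_MAJOR/bin
 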
bake.hcl

-64
This file was deleted.

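--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@@ -0,0 +1,104 @@
+variable "environment" {
+default = "testing"
+validation {
+condition = contains(["testing", "production"], environment)
+error_message = "environment must be either testing or production"
+}
+}
+
+variable "registry" {
+default = "localhost:5000"
+}
+
+// Use the revision variable to identify the commit that generated the image
+variable "revision" {
+default = ""
+}
+
+fullname = ( environment == "testing") ? "${registry}/postgresql-testing" : "{registry}/postgresql"
+now = timestamp()
+
+target "default" {
+matrix = {
+tgt = [
+"minimal",
+// "standard"
+]
+pgVersion = [
+// "13.18",
+// "14.15",
+// "15.10",
+"16.6",
+"17.2"
+]
+base = [
+// renovate: datasource=docker versioning=loose
+// "debian:bookworm-slim@sha256:d365f4920711a9074c4bcd178e8f457ee59250426441ab2a5f8106ed8fe948eb",
+// renovate: datasource=docker versioning=loose
+"debian:bullseye-slim@sha256:b0c91cc181796d34c53f7ea106fbcddaf87f3e601cc371af6a24a019a489c980"
+]
+}
+dockerfile = "Dockerfile"
+name = "postgresql-${index(split(".",pgVersion),0)}-${distroVersion(base)}-${tgt}"
+tags = [
+"${fullname}:${index(split(".",pgVersion),0)}-${distroVersion(base)}-${tgt}",
+"${fullname}:${pgVersion}-${distroVersion(base)}-${tgt}",
+"${fullname}:${pgVersion}-${formatdate("YYYYMMDDhhmm", now)}-${distroVersion(base)}-${tgt}"
+]
+context = "."
+target = "${tgt}"
+args = {
+PG_VERSION = "${pgVersion}"
+BASE = "${base}"
+}
+attest = [
+"type=provenance,mode=max",
+"type=sbom"
+]
+annotations = [
+"index,manifest,manifest-descriptor,index-descriptor:org.opencontainers.image.created=${now}",
+"index,manifest,manifest-descriptor,index-descriptor:org.opencontainers.image.url=https://github.com/cloudnative-pg/postgres-containers",
+"index,manifest,manifest-descriptor,index-descriptor:org.opencontainers.image.source=https://github.com/cloudnative-pg/postgres-containers",
+"index,manifest,manifest-descriptor,index-descriptor:org.opencontainers.image.version=${pgVersion}",
+"index,manifest,manifest-descriptor,index-descriptor:org.opencontainers.image.revision=${revision}",
+"index,manifest,manifest-descriptor,index-descriptor:org.opencontainers.image.vendor=The CloudNativePG Contributors",
+"index,manifest,manifest-descriptor,index-descriptor:org.opencontainers.image.title=CloudNativePG PostgreSQL ${pgVersion} ${tgt}",
+"index,manifest,manifest-descriptor,index-descriptor:org.opencontainers.image.description=A ${tgt} PostgreSQL ${pgVersion} container image",
+"index,manifest,manifest-descriptor,index-descriptor:org.opencontainers.image.documentation=https://github.com/cloudnative-pg/postgres-containers",
+"index,manifest,manifest-descriptor,index-descriptor:org.opencontainers.image.authors=The CloudNativePG Contributors",
+"index,manifest,manifest-descriptor,index-descriptor:org.opencontainers.image.licenses=Apache-2.0",
+"index,manifest,manifest-descriptor,index-descriptor:org.opencontainers.image.base.name=docker.io/library/${tag(base)}",
+"index,manifest,manifest-descriptor,index-descriptor:org.opencontainers.image.base.digest=${digest(base)}"
+]
+labels = {
+"org.opencontainers.image.created" = "${now}",
+"org.opencontainers.image.url" = "https://github.com/cloudnative-pg/postgres-containers",
+"org.opencontainers.image.source" = "https://github.com/cloudnative-pg/postgres-containers",
+"org.opencontainers.image.version" = "${pgVersion}",
+"org.opencontainers.image.revision" = "${revision}",
+"org.opencontainers.image.vendor" = "The CloudNativePG Contributors",
+"org.opencontainers.image.title" = "CloudNativePG PostgreSQL ${pgVersion} ${tgt}",
+"org.opencontainers.image.description" = "A ${tgt} PostgreSQL ${pgVersion} container image",
+"org.opencontainers.image.documentation" = "https://github.com/cloudnative-pg/postgres-containers",
+"org.opencontainers.image.authors" = "The CloudNativePG Contributors",
+"org.opencontainers.image.licenses" = "Apache-2.0"
+"org.opencontainers.image.base.name" = "docker.io/library/debian:${tag(base)}"
+"org.opencontainers.image.base.digest" = "${digest(base)}"
+}
+//platforms = ["linux/amd64", "linux/arm64"]
+}
+
+function tag {
+params = [ imageNameWithSha ]
+result = index(split("@", index(split(":", imageNameWithSha), 1)), 0)
+}
+
+function distroVersion {
+params = [ imageNameWithSha ]
+result = index(split("-", tag(imageNameWithSha)), 0)
+}
+
+function digest {
+params = [ imageNameWithSha ]
+result = index(split("@", imageNameWithSha), 1)
+}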
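Review bot: The production branch of `fullname` (new line 18) is missing the interpolation sigil, `"{registry}/postgresql"`, so a production bake would tag images under the literal repository `{registry}/postgresql` instead of the registry passed in from the workflow; it should read `fullname = (environment == "testing") ? "${registry}/postgresql-testing" : "${registry}/postgresql"`. The `org.opencontainers.image.base.name` annotation on line 70 is `docker.io/library/${tag(base)}`, which resolves to just the tag (`bullseye-slim`) because `tag()` discards the repository, while the corresponding label on line 85 uses `docker.io/library/debian:${tag(base)}`; the annotation should match the label so consumers reading either form see the same base image. Both forms hard-code `debian` even though `base` is a matrix value, so a non-Debian entry would produce a misleading base.name; deriving the repository with `index(split(":", base), 0)` in both places keeps the provenance metadata honest. The helper functions `tag`, `distroVersion` and `digest` carry no comment on the input shape they assume; a one-line `// expects "<repo>:<tag>@sha256:<hex>", i.e. an entry of matrix.base` above each would document it.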

renovate.json

-6
This file was deleted.

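--- a/renovate.json5
+++ b/renovate.json5
@@ -0,0 +1,15 @@
+{
+"$schema": "https://docs.renovatebot.com/renovate-schema.json",
+"extends": ["config:recommended", "docker:pinDigests"],
+"enabledManagers": ["custom.regex"],
+"customManagers": [
+{
+"customType": "regex",
+"fileMatch": ["docker-bake.hcl"],
+"matchStrings": [
+"\\/\\/\\s*renovate:\\s*datasource=(?<datasource>.*?)\\s+(versioning=(?<versioning>.*?))?\\s+\"(?<depName>[^:]+):(?<currentValue>[^\\s@]+)(@(?<currentDigest>sha256:[0-9a-f]*))?\""
+],
+"versioningTemplate": "{{#if versioning}}{{{versioning}}}{{else}}semver{{/if}}"
+},
+],
+}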
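Review bot: `enabledManagers` (new line 4) is restricted to `custom.regex`, so the `uses:` references in the new workflow — including the `@master` Snyk action and the `@v3`/`@v4` action tags — will not be tracked by Renovate's `github-actions` manager, and the `docker:pinDigests` preset appears to have no manager left to act on. If keeping action references pinned and current is meant to be automated, extend the list to `"enabledManagers": ["custom.regex", "github-actions"]`; otherwise a comment such as `// only the docker-bake.hcl base images are managed; workflow action refs are updated by hand` would make the choice explicit. I am inferring the preset's scope from its name; confirm against the Renovate documentation.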
