Replace docker.sh script with GitHub Actions

[der-eismann]

This PR replaces the docker.sh script with pure GitHub Actions, which makes it way easier to solve #3948 since we can just add platforms: linux/arm64 then.

The current behavior is copied without changes:

• Login and push only on pushes to oracle/opengrok
• Images will be tagged by branch name, PR name or tag name, where tags will also get the latest image tag

[vladak]

This looks fine on cursory view; before merging this in I need to check whether the docker Github Actions are allowed for the OpenGrok repository.

[vladak]

Confirmed that docker/* actions are allowed for this repository so from this standpoint this is okay.

[vladak]

Merging, will see how this works when the next OpenGrok release is ready. Thanks !

[vladak]

Looks like the docker image push for the master failed: https://github.com/oracle/opengrok/actions/runs/5542739458/jobs/10117809269 with:

#38 ERROR: denied: requested access to the resource is denied
------
 > pushing oracle/opengrok:master with docker:
------
ERROR: denied: requested access to the resource is denied

[der-eismann]

I'm very confused by this error. Since the login succeeded and the push failed, it would suggest that the user is actually missing permissions (like this comment said: docker/build-push-action#853 (comment)). But assuming it worked before and you didn't change anything it doesn't really make sense.

Since this is hard for me to verify and test I'd suggest you revert this PR unfortunately and maybe tackle it another day. However everything else looks fine and the token should be valid for more than 4 minutes. No idea why this is failing, sorry 😕

[vladak]

There are 2 possibilities - either the actions setup wrong username/password or the associated user has insufficient permissions. I changed the username/password recently to use a token. Looking at the token, it has all the permissions. Looking at the error message pushing oracle/opengrok:master with docker:, it is not clear to me whether the last part (docker:) is the username used.

[vladak]

The docker/build-push-action uses https://github.com/docker/buildx. The error message comes from https://github.com/docker/buildx/blob/86ae8ea854e639a3267399fdf3f99e9b900f6e09/build/build.go#L988 and there is no indication which username/password was used. The actual push is done via https://github.com/moby/buildkit. This seems to be using REST API reference on docker.io.

I created new API token on docker.io associated with the username used for the Github action, used a clone of the OpenGrok repository, set the DOCKER_USERNAME and DOCKER_PASSWORD in the Secrets and variables of that repository clone and let the Docker action run. It failed in the same way.

The user has 2FA setup, which might be related. That said, using the same username/password with the command line docker tool, I was able to successfully push the image to under my user on docker.io.

I don't have the capacity to investigate the inner workings of the above tools, so reverted the change in cf02a2b for now. It would be nice to try it again later.

[vladak]

For the record, the docker/login-action is merely a wrapper for the docker login command (https://github.com/docker/login-action/blob/553b6f090f15b58451081ce157ff1929a266131d/src/docker.ts#L28C4-L40), at least for Docker hub. So either the authentication credentials stored by this command are not getting picked up by the buildx/moby or there is some difference between how these are used compared to docker push.