Reduce memory and CPU use when scanning (#222) #637
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This workflow builds multiplatform Nosey Parker Docker images for both the Debian and | |
| # Alpine varieties. | |
| # | |
| # For each variety, it uses a native-hardware runner to build the individual | |
| # Docker images, and then merges them into a multiplatform image. | |
| # | |
| # This approach is taken instead of using QEMU, since a QEMU build of Nosey | |
| # Parker takes several hours. Using native runners instead takes a few minutes. | |
| # | |
| # This was adapted from the Docker documentation site: | |
| # https://docs.docker.com/build/ci/github-actions/multi-platform/#distribute-build-across-multiple-runners | |
| # | |
| name: Docker | |
| on: | |
| push: | |
| branches: [ "main" ] | |
| # Do not run on pull requests; the Docker registry permissions are not set up | |
| # to work except for with the canonical `noseyparker` repo. Running from pull | |
| # requests from forks will fail. | |
| # | |
| # pull_request: | |
| # branches: [ "main" ] | |
| jobs: | |
| # build single-platform docker images on native runners | |
| build: | |
| strategy: | |
| matrix: | |
| include: | |
| - base: debian | |
| platform: linux/amd64 | |
| platform-pair: linux-amd64 | |
| dockerfile: Dockerfile | |
| image: ghcr.io/${{ github.repository }} | |
| runs-on: ubuntu-22.04 | |
| - base: debian | |
| platform: linux/arm64 | |
| platform-pair: linux-arm64 | |
| dockerfile: Dockerfile | |
| image: ghcr.io/${{ github.repository }} | |
| runs-on: ubuntu-22.04-arm64-8-core | |
| - base: alpine | |
| platform: linux/amd64 | |
| platform-pair: linux-amd64 | |
| dockerfile: Dockerfile.alpine | |
| image: ghcr.io/${{ github.repository }}-alpine | |
| runs-on: ubuntu-22.04 | |
| - base: alpine | |
| platform: linux/arm64 | |
| platform-pair: linux-arm64 | |
| dockerfile: Dockerfile.alpine | |
| image: ghcr.io/${{ github.repository }}-alpine | |
| runs-on: ubuntu-22.04-arm64-8-core | |
| name: Docker (${{ matrix.platform }} ${{ matrix.base }}) | |
| runs-on: ${{ matrix.runs-on }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: docker/setup-buildx-action@v3 | |
| - name: Authenticate with Docker registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Collect Docker metadata | |
| id: metadata | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: ${{ matrix.image }} | |
| - name: Build and push by digest | |
| uses: docker/build-push-action@v6 | |
| id: build | |
| with: | |
| context: . | |
| file: ${{ matrix.dockerfile }} | |
| platforms: ${{ matrix.platform }} | |
| # don't specify 'tags' here (error "get can't push tagged ref by digest") | |
| labels: ${{ steps.metadata.outputs.labels }} | |
| outputs: type=image,name=${{ matrix.image }},push-by-digest=true,name-canonical=true,push=true | |
| - name: Inspect Docker image | |
| run: | | |
| docker buildx imagetools inspect ${{ matrix.image }}:sha256@${{ steps.build.outputs.digest }} | |
| - name: Test Docker image | |
| run: docker run --rm "${{ matrix.image }}:sha256@${{ steps.build.outputs.digest }}" --version | |
| - name: Export digest | |
| run: | | |
| mkdir -p /tmp/digests | |
| digest="${{ steps.build.outputs.digest }}" | |
| touch "/tmp/digests/${digest#sha256:}" | |
| - name: Upload digest | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: digests-${{ matrix.base }}-${{ matrix.platform-pair }} | |
| path: /tmp/digests/* | |
| if-no-files-found: error | |
| retention-days: 1 | |
| # merge single-platform images into multiplatform images | |
| merge: | |
| strategy: | |
| matrix: | |
| include: | |
| - base: debian | |
| image: ghcr.io/${{ github.repository }} | |
| - base: alpine | |
| image: ghcr.io/${{ github.repository }}-alpine | |
| runs-on: ubuntu-latest | |
| needs: | |
| - build | |
| name: Docker (${{ matrix.base }}) | |
| steps: | |
| - name: Download digests | |
| uses: actions/download-artifact@v4 | |
| with: | |
| path: /tmp/digests | |
| pattern: digests-${{ matrix.base }}-* | |
| merge-multiple: true | |
| - uses: docker/setup-buildx-action@v3 | |
| - name: Collect Docker metadata | |
| id: metadata | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: ${{ matrix.image }} | |
| - name: Authenticate with Docker registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Create and push merged image | |
| working-directory: /tmp/digests | |
| run: | | |
| docker buildx imagetools create \ | |
| $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ | |
| $(printf '${{ matrix.image }}@sha256:%s ' *) | |
| - name: Inspect Docker image | |
| run: | | |
| docker buildx imagetools inspect ${{ matrix.image }}:${{ steps.metadata.outputs.version }} |