-
Notifications
You must be signed in to change notification settings - Fork 4
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
github: move builds out of Dockerfile to remove arm64 emulation overhead
Signed-off-by: Muvaffak Onus <me@muvaf.com>
- Loading branch information
Showing
11 changed files
with
159 additions
and
133 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,101 +1,170 @@ | ||
name: publish crik | ||
|
||
name: Build and Push Images | ||
on: | ||
push: | ||
branches: | ||
- "main" | ||
- main | ||
tags: | ||
- "v*" | ||
- "*" | ||
|
||
env: | ||
REGISTRY: ghcr.io | ||
REGISTRY_IMAGE: ghcr.io/${{ github.repository }} | ||
GO_VERSION: 1.22.2 | ||
|
||
jobs: | ||
build: | ||
version: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Checkout | ||
uses: actions/checkout@v4 | ||
with: | ||
fetch-tags: true | ||
- name: Fetch history for all tags | ||
run: git fetch --prune --unshallow | ||
- name: Calculate version | ||
id: version | ||
run: | | ||
VERSION="v0.0.0" | ||
if [ -z "$(git tag)" ]; then | ||
echo "No tags found" | ||
VERSION="$(echo "v0.0.0-$(git rev-list HEAD --count)-$(git describe --dirty --always)" | sed 's/-/./2' | sed 's/-/./2' | sed 's/-/./2')" | ||
else | ||
echo "Tags found: $(git tag)" | ||
VERSION="$(git describe --dirty --always --tags --match 'v*' | sed 's|.*/||' | sed 's/-/./2' | sed 's/-/./2' | sed 's/-/./2')" | ||
fi | ||
echo "Version is ${VERSION}" | ||
echo "VERSION=${VERSION}" >> $GITHUB_ENV | ||
images: | ||
runs-on: ubuntu-latest | ||
needs: version | ||
permissions: | ||
contents: read | ||
packages: write | ||
contents: read | ||
id-token: write | ||
attestations: write | ||
strategy: | ||
fail-fast: false | ||
matrix: | ||
platform: | ||
- linux/amd64 | ||
- linux/arm64 | ||
app: [crik, node-state-server] | ||
steps: | ||
- name: Prepare | ||
run: | | ||
platform=${{ matrix.platform }} | ||
echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV | ||
- name: Checkout repository | ||
- name: Checkout | ||
uses: actions/checkout@v4 | ||
- name: Docker meta | ||
id: meta | ||
uses: docker/metadata-action@v5 | ||
- name: Setup Go | ||
uses: actions/setup-go@v5 | ||
with: | ||
images: ${{ env.REGISTRY_IMAGE }} | ||
- name: Set up QEMU | ||
uses: docker/setup-qemu-action@v3 | ||
go-version: ${{ env.GO_VERSION }} | ||
cache: false | ||
- name: Find the Go Environment | ||
id: go | ||
run: | | ||
echo "cache=$(go env GOCACHE)" >> $GITHUB_OUTPUT | ||
echo "mod=$(go env GOMODCACHE)" >> $GITHUB_OUTPUT | ||
- name: Cache Go Dependencies | ||
uses: actions/cache@v4 | ||
with: | ||
path: ${{ steps.go.outputs.mod }} | ||
key: mod-cache-${{ hashFiles('**/go.sum') }} | ||
restore-keys: mod-cache- | ||
|
||
- name: Cache Go Build Cache | ||
uses: actions/cache@v4 | ||
with: | ||
path: ${{ steps.go.outputs.cache }} | ||
key: build-cache-${{ matrix.app }}-${{ hashFiles('**/go.sum') }} | ||
restore-keys: build-cache-${{ matrix.app }}- | ||
|
||
- name: Check if code-gen changes anything | ||
run: | | ||
go generate ./... | ||
git diff --exit-code && echo "generated code is up to date" || (echo "go generate resulted in changes" && git diff && exit 1) | ||
- name: Build | ||
env: | ||
PLATFORMS: linux/amd64,linux/arm64 | ||
run: | | ||
for platform in $(echo $PLATFORMS | tr "," "\n"); do | ||
export os=$(echo $platform | cut -d'/' -f1) | ||
export arch=$(echo $platform | cut -d'/' -f2) | ||
echo "Building for $os/$arch" | ||
CGO_ENABLED=0 GOOS=${os} GOARCH=${arch} go build -o .work/bin/${{ matrix.app }}-${os}-${arch} cmd/${{ matrix.app }}/main.go & | ||
done | ||
wait | ||
- name: Set up Docker Buildx | ||
uses: docker/setup-buildx-action@v3 | ||
- name: Log in to the Github Container Registry | ||
uses: docker/login-action@v3 | ||
- name: Login to Github Container Registry | ||
run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin | ||
- name: Generate metadata for images | ||
uses: docker/metadata-action@v5 | ||
id: metadata | ||
with: | ||
registry: ${{ env.REGISTRY }} | ||
username: ${{ github.actor }} | ||
password: ${{ secrets.GITHUB_TOKEN }} | ||
- name: Build and push by digest | ||
id: build | ||
images: ghcr.io/qawolf/crik/${{ matrix.app }} | ||
tags: | | ||
type=ref,event=branch | ||
type=sha,format=short,prefix= | ||
${{ steps.version.outputs.VERSION }} | ||
- name: Build and push | ||
id: push | ||
uses: docker/build-push-action@v5 | ||
with: | ||
context: . | ||
file: cmd/crik/Dockerfile | ||
platforms: ${{ matrix.platform }} | ||
labels: ${{ steps.meta.outputs.labels }} | ||
outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true,name-canonical=true,push=true | ||
- name: Export digest | ||
run: | | ||
mkdir -p /tmp/digests | ||
digest="${{ steps.build.outputs.digest }}" | ||
touch "/tmp/digests/${digest#sha256:}" | ||
- name: Upload digest | ||
uses: actions/upload-artifact@v4 | ||
with: | ||
name: digests-${{ env.PLATFORM_PAIR }} | ||
path: /tmp/digests/* | ||
if-no-files-found: error | ||
retention-days: 1 | ||
file: cmd/${{ matrix.app }}/Dockerfile | ||
platforms: linux/amd64,linux/arm64 | ||
push: true | ||
tags: ${{ steps.metadata.outputs.tags }} | ||
labels: ${{ steps.metadata.outputs.labels }} | ||
|
||
merge: | ||
- name: Attest | ||
uses: actions/attest-build-provenance@v1 | ||
with: | ||
subject-name: ghcr.io/qawolf/crik/${{ matrix.app }} | ||
subject-digest: ${{ steps.push.outputs.digest }} | ||
push-to-registry: true | ||
chart: | ||
permissions: | ||
packages: write | ||
contents: read | ||
id-token: write | ||
runs-on: ubuntu-latest | ||
needs: | ||
- build | ||
- images | ||
strategy: | ||
matrix: | ||
chart: [node-state-server] | ||
steps: | ||
- name: Download digests | ||
uses: actions/download-artifact@v4 | ||
with: | ||
path: /tmp/digests | ||
pattern: digests-* | ||
merge-multiple: true | ||
- name: Set up Docker Buildx | ||
uses: docker/setup-buildx-action@v3 | ||
- name: Docker meta | ||
id: meta | ||
uses: docker/metadata-action@v5 | ||
with: | ||
images: ${{ env.REGISTRY_IMAGE }} | ||
- name: Log in to the Github Container Registry | ||
uses: docker/login-action@v3 | ||
with: | ||
registry: ${{ env.REGISTRY }} | ||
username: ${{ github.actor }} | ||
password: ${{ secrets.GITHUB_TOKEN }} | ||
- name: Create manifest list and push | ||
working-directory: /tmp/digests | ||
run: | | ||
docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ | ||
$(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *) | ||
- name: Inspect image | ||
- name: Checkout | ||
uses: actions/checkout@v4 | ||
- name: Set up Helm | ||
uses: azure/setup-helm@v4 | ||
- name: Log in to GitHub Container Registry | ||
run: echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ghcr.io -u ${{ github.actor }} --password-stdin | ||
- name: Install yq | ||
uses: dcarbone/install-yq-action@v1.1.1 | ||
- name: Push the chart | ||
id: push | ||
env: | ||
VERSION: ${{ steps.version.outputs.VERSION }} | ||
run: | | ||
docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }} | ||
# Helm doesn't accept v prefix in version. | ||
TAG=$(echo ${{ steps.version.outputs.VERSION }} | cut -d'v' -f2) | ||
if [ "${{ matrix.chart }}" == "node-state-server" ]; then | ||
yq -i ".nodeStateServer.image.tag = \"${VERSION}\"" cluster/charts/${{ matrix.chart }}/values.yaml | ||
echo "Final values.yaml" | ||
cat cluster/charts/${{ matrix.chart }}/values.yaml | ||
fi | ||
helm dependency update cluster/charts/${{ matrix.chart }} | ||
helm package cluster/charts/${{ matrix.chart }} --dependency-update --version=${VERSION} --app-version=${VERSION} | ||
OUT=$(set +e; helm push ${{ matrix.chart }}-${VERSION}.tgz oci://ghcr.io/qawolf/crik/charts 2>&1) | ||
EXIT_CODE=$? | ||
set -e | ||
echo "${OUT}" | ||
if [[ $EXIT_STATUS -ne 0 ]]; then | ||
exit $EXIT_STATUS | ||
fi | ||
DIGEST=$(echo ${OUT}| sed -n 's/.*sha256:\([^ ]*\).*/sha256:\1/p') | ||
echo "digest=${DIGEST}" >> "$GITHUB_OUTPUT" | ||
- name: Attest | ||
uses: actions/attest-build-provenance@v1 | ||
with: | ||
subject-name: ghcr.io/qawolf/crik/charts/${{ matrix.chart }} | ||
subject-digest: ${{ steps.push.outputs.digest }} | ||
push-to-registry: true |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -26,3 +26,5 @@ go.work | |
*.swp | ||
*.swo | ||
*~ | ||
|
||
.work |
2 changes: 1 addition & 1 deletion
2
.../charts/crik-node-state-server/Chart.yaml → cluster/charts/node-state-server/Chart.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,4 +1,4 @@ | ||
apiVersion: v2 | ||
name: crik-node-state-server | ||
name: node-state-server | ||
version: 0.1.0 | ||
description: A Helm chart for the Node State Server used by crik. |
File renamed without changes.
File renamed without changes.
2 changes: 1 addition & 1 deletion
2
...charts/crik-node-state-server/values.yaml → cluster/charts/node-state-server/values.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,5 +1,5 @@ | ||
nodeStateServer: | ||
debug: false | ||
image: | ||
repository: ghcr.io/qawolf/crik-node-state-server | ||
repository: ghcr.io/qawolf/crik/node-state-server | ||
tag: v0.1.0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,37 +1,8 @@ | ||
FROM golang:1.22 as build | ||
FROM gcr.io/distroless/static-debian12:nonroot | ||
ARG TARGETOS | ||
ARG TARGETARCH | ||
|
||
WORKDIR /build | ||
COPY .work/bin/crik-${TARGETOS}-${TARGETARCH} /usr/local/bin/crik | ||
USER 65532 | ||
|
||
COPY go.mod go.mod | ||
COPY go.sum go.sum | ||
RUN go mod download | ||
|
||
COPY cmd cmd | ||
COPY internal internal | ||
|
||
RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build -o crik cmd/crik/main.go && \ | ||
chmod +x crik | ||
|
||
|
||
FROM ubuntu:22.04 | ||
|
||
RUN apt-get update && apt-get install --no-install-recommends --yes gnupg curl ca-certificates | ||
|
||
RUN curl "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x4E2A48715C45AEEC077B48169B29EEC9246B6CE2" | gpg --dearmor > /usr/share/keyrings/criu-ppa.gpg \ | ||
&& echo "deb [signed-by=/usr/share/keyrings/criu-ppa.gpg] https://ppa.launchpadcontent.net/criu/ppa/ubuntu jammy main" > /etc/apt/sources.list.d/criu.list \ | ||
&& apt-get update \ | ||
&& apt-get install --no-install-recommends --yes criu iptables | ||
|
||
# The PR https://github.com/checkpoint-restore/criu/pull/2360 is not merged yet, so we use criu from the docker image | ||
# built from the PR. This is necessary if you get sched policy error during restore, which is the case with webkit-based | ||
# browsers. | ||
|
||
#RUN apt-get update \ | ||
# && apt install --no-install-recommends --yes libprotobuf-dev libprotobuf-c-dev protobuf-c-compiler protobuf-compiler python3-protobuf iptables nftables iproute2 libnftables-dev libcap-dev libnl-3-dev libnet-dev libaio-dev | ||
#COPY --from=docker.io/muvaf/criu-x86_64:rst0git-6673a3b /criu/criu/criu /usr/sbin/criu | ||
|
||
COPY --from=build /build/crik /usr/local/bin/crik | ||
|
||
ENTRYPOINT ["crik", "run", "--"] | ||
ENTRYPOINT ["crik"] |
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
FROM gcr.io/distroless/static-debian12:nonroot | ||
ARG TARGETOS | ||
ARG TARGETARCH | ||
|
||
COPY .work/bin/node-state-server-${TARGETOS}-${TARGETARCH} /usr/local/bin/node-state-server | ||
USER 65532 | ||
|
||
ENTRYPOINT ["node-state-server"] |
File renamed without changes.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters