buildkit #697
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: buildkit | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: true | |
on: | |
schedule: | |
- cron: '0 10 * * *' | |
workflow_dispatch: | |
push: | |
branches: | |
- 'master' | |
- 'v[0-9]+.[0-9]+' | |
tags: | |
- 'v*' | |
pull_request: | |
paths-ignore: | |
- 'README.md' | |
- 'docs/**' | |
- 'frontend/dockerfile/docs/**' | |
env: | |
GO_VERSION: "1.23" | |
SETUP_BUILDX_VERSION: "latest" | |
SETUP_BUILDKIT_IMAGE: "moby/buildkit:latest" | |
SCOUT_VERSION: "1.13.0" | |
IMAGE_NAME: "moby/buildkit" | |
PLATFORMS: "linux/amd64,linux/arm/v7,linux/arm64,linux/s390x,linux/ppc64le,linux/riscv64" | |
DESTDIR: "./bin" | |
jobs: | |
prepare: | |
runs-on: ubuntu-24.04 | |
outputs: | |
tag: ${{ steps.prep.outputs.tag }} | |
push: ${{ steps.prep.outputs.push }} | |
platforms: ${{ steps.prep.outputs.platforms }} | |
steps: | |
- | |
name: Checkout | |
uses: actions/checkout@v4 | |
- | |
name: Prepare | |
id: prep | |
run: | | |
TAG=pr | |
PUSH=false | |
if [ "${{ github.event_name }}" = "schedule" ]; then | |
TAG=nightly | |
PUSH=push | |
elif [[ $GITHUB_REF == refs/tags/v* ]]; then | |
TAG=${GITHUB_REF#refs/tags/} | |
PUSH=push | |
elif [[ $GITHUB_REF == refs/heads/* ]]; then | |
TAG=$(echo ${GITHUB_REF#refs/heads/} | sed -r 's#/+#-#g') | |
if [ $GITHUB_REF = "refs/heads/${{ github.event.repository.default_branch }}" ]; then | |
PUSH=push | |
fi | |
fi | |
if [ "$GITHUB_REPOSITORY" != "moby/buildkit" ]; then | |
PUSH=false | |
fi | |
echo "tag=${TAG}" >>${GITHUB_OUTPUT} | |
echo "push=${PUSH}" >>${GITHUB_OUTPUT} | |
platforms=$(docker buildx bake release --print | jq -cr '.target."release".platforms') | |
echo "platforms=$platforms" >>${GITHUB_OUTPUT} | |
binaries: | |
runs-on: ubuntu-24.04 | |
needs: | |
- prepare | |
strategy: | |
fail-fast: false | |
matrix: | |
platform: ${{ fromJson(needs.prepare.outputs.platforms) }} | |
steps: | |
- | |
name: Prepare | |
run: | | |
platform=${{ matrix.platform }} | |
echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV | |
- | |
name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- | |
name: Expose GitHub Runtime | |
uses: crazy-max/ghaction-github-runtime@v3 | |
- | |
name: Set up QEMU | |
uses: docker/setup-qemu-action@v3 | |
- | |
name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
with: | |
version: ${{ env.SETUP_BUILDX_VERSION }} | |
driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }} | |
buildkitd-flags: --debug | |
- | |
name: Build | |
run: | | |
make release | |
env: | |
RELEASE: ${{ startsWith(github.ref, 'refs/tags/v') }} | |
PLATFORMS: ${{ matrix.platform }} | |
CACHE_FROM: type=gha,scope=binaries-${{ env.PLATFORM_PAIR }} | |
CACHE_TO: type=gha,scope=binaries-${{ env.PLATFORM_PAIR }} | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- | |
name: Upload artifacts | |
uses: actions/upload-artifact@v4 | |
with: | |
name: buildkit-${{ env.PLATFORM_PAIR }} | |
path: ${{ env.DESTDIR }}/* | |
if-no-files-found: error | |
retention-days: 1 | |
test: | |
uses: ./.github/workflows/.test.yml | |
secrets: inherit | |
needs: | |
- binaries | |
with: | |
cache_scope: build-integration-tests | |
pkgs: ./client ./cmd/buildctl ./worker/containerd ./solver ./frontend | |
kinds: integration | |
codecov_flags: core | |
includes: | | |
- pkg: ./... | |
skip-integration-tests: 1 | |
typ: integration gateway | |
- pkg: ./client | |
worker: containerd | |
tags: nydus | |
typ: integration | |
- pkg: ./client | |
worker: oci | |
tags: nydus | |
typ: integration | |
- pkg: ./... | |
tags: nydus | |
skip-integration-tests: 1 | |
typ: integration | |
govulncheck: | |
runs-on: ubuntu-24.04 | |
permissions: | |
# required to write sarif report | |
security-events: write | |
# required to check out the repository | |
contents: read | |
steps: | |
- | |
name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- | |
name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
with: | |
version: ${{ env.SETUP_BUILDX_VERSION }} | |
driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }} | |
buildkitd-flags: --debug | |
- | |
name: Run | |
uses: docker/bake-action@v5 | |
with: | |
targets: govulncheck | |
env: | |
GOVULNCHECK_FORMAT: sarif | |
- | |
name: Upload SARIF report | |
if: ${{ github.ref == 'refs/heads/master' && github.repository == 'moby/buildkit' }} | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: ${{ env.DESTDIR }}/govulncheck.out | |
image: | |
runs-on: ubuntu-24.04 | |
needs: | |
- prepare | |
- test | |
strategy: | |
fail-fast: false | |
matrix: | |
target-stage: | |
- '' | |
- rootless | |
steps: | |
- | |
name: Checkout | |
uses: actions/checkout@v4 | |
- | |
name: Expose GitHub Runtime | |
uses: crazy-max/ghaction-github-runtime@v3 | |
- | |
name: Set up QEMU | |
uses: docker/setup-qemu-action@v3 | |
- | |
name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
with: | |
version: ${{ env.SETUP_BUILDX_VERSION }} | |
driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }} | |
buildkitd-flags: --debug | |
- | |
name: Login to DockerHub | |
if: needs.prepare.outputs.push == 'push' | |
uses: docker/login-action@v3 | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
- | |
name: Build ${{ needs.prepare.outputs.tag }} | |
run: | | |
./hack/images "${{ needs.prepare.outputs.tag }}" "$IMAGE_NAME" "${{ needs.prepare.outputs.push }}" | |
env: | |
RELEASE: ${{ github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/v') }} | |
TARGET: ${{ matrix.target-stage }} | |
CACHE_FROM: type=gha,scope=image${{ matrix.target-stage }} | |
CACHE_TO: type=gha,scope=image${{ matrix.target-stage }} | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
scout: | |
runs-on: ubuntu-24.04 | |
if: ${{ github.ref == 'refs/heads/master' && github.repository == 'moby/buildkit' }} | |
permissions: | |
# required to write sarif report | |
security-events: write | |
needs: | |
- image | |
strategy: | |
fail-fast: false | |
matrix: | |
tag: | |
- master | |
- master-rootless | |
steps: | |
- | |
name: Checkout | |
uses: actions/checkout@v4 | |
- | |
name: Login to DockerHub | |
uses: docker/login-action@v3 | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
- | |
name: Scout | |
id: scout | |
uses: crazy-max/.github/.github/actions/docker-scout@ccae1c98f1237b5c19e4ef77ace44fa68b3bc7e4 | |
with: | |
version: ${{ env.SCOUT_VERSION }} | |
format: sarif | |
image: registry://${{ env.IMAGE_NAME }}:${{ matrix.tag }} | |
- | |
name: Result output | |
run: | | |
jq . ${{ steps.scout.outputs.result-file }} | |
- | |
name: Upload SARIF report | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: ${{ steps.scout.outputs.result-file }} | |
release: | |
runs-on: ubuntu-24.04 | |
needs: | |
- prepare | |
- test | |
- binaries | |
- image | |
steps: | |
- | |
name: Download artifacts | |
uses: actions/download-artifact@v4 | |
with: | |
path: ${{ env.DESTDIR }} | |
pattern: buildkit-* | |
merge-multiple: true | |
- | |
name: List artifacts | |
run: | | |
tree -nh ${{ env.DESTDIR }} | |
- | |
name: GitHub Release | |
if: startsWith(github.ref, 'refs/tags/v') | |
uses: softprops/action-gh-release@01570a1f39cb168c169c802c3bceb9e93fb10974 # v2.1.0 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
draft: true | |
files: ${{ env.DESTDIR }}/* | |
name: ${{ needs.prepare.outputs.tag }} |