Workflow: Docker: Add more archs: armv6/v7, i386 #233
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: docker-build | |
| on: | |
| # pipeline runs per trigger condition, so release trigger not required as tag is sufficient | |
| #release: | |
| # types: [published] | |
| push: | |
| branches: | |
| - 'main' | |
| tags: | |
| - 'v*' | |
| pull_request: | |
| branches: | |
| - '**' | |
| env: | |
| DOCKERHUB_REPO: akkudoktor/eos | |
| GHCR_REPO: ghcr.io/akkudoktor-eos/eos | |
| EOS_LICENSE: Apache-2.0 | |
| # From https://docs.docker.com/build/ci/github-actions/multi-platform/ | |
| # Changes: | |
| # - adjusted rw permissions | |
| # - manually set undetected license (label+annotation) | |
| # - set description for index manifest | |
| # - add attestation | |
| # - conditionally don't push on pr | |
| # - on pr just use amd64 platform | |
| jobs: | |
| # Build platform matrix excludes. if-conditional with matrix on job level is not | |
| # supported, see https://github.com/actions/runner/issues/1985 | |
| platform-excludes: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| excludes: ${{ steps.excludes.outputs.matrix }} | |
| steps: | |
| - id: excludes | |
| run: | | |
| if ${{ github.event_name == 'pull_request' }}; then | |
| echo 'matrix=[ | |
| {"platform": {"name": "linux/amd64"}}, | |
| {"platform": {"name": "linux/arm64"}}, | |
| {"platform": {"name": "linux/arm/v7"}}, | |
| {"platform": {"name": "linux/386"}} | |
| ]' | tr -d '[:space:]' >> $GITHUB_OUTPUT | |
| else | |
| echo 'matrix=[]' >> $GITHUB_OUTPUT | |
| fi | |
| build: | |
| needs: platform-excludes | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| packages: write | |
| attestations: write | |
| id-token: write | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| platform: | |
| - name: linux/amd64 | |
| base: python | |
| python: 3.12 # pendulum not yet on pypi for 3.13 | |
| rustup_install: "" | |
| apt_packages: "" | |
| apt_build_packages: "" | |
| pip_extra_url: "" | |
| - name: linux/arm64 | |
| base: python | |
| python: 3.12 # pendulum not yet on pypi for 3.13 | |
| rustup_install: "" | |
| apt_packages: "" | |
| apt_build_packages: "" | |
| pip_extra_url: "" | |
| - name: linux/arm/v6 | |
| base: python | |
| python: 3.11 # highest version on piwheels | |
| rustup_install: "" | |
| apt_packages: "" | |
| # pendulum: git (apply patch) | |
| # matplotlib (countourpy): g++ | |
| # fastapi (MarkupSafe): gcc | |
| apt_build_packages: "git g++ cargo rustc" | |
| pip_extra_url: "https://www.piwheels.org/simple" # armv6/v7 packages | |
| - name: linux/arm/v7 | |
| base: python | |
| python: 3.11 # highest version on piwheels | |
| rustup_install: true | |
| apt_packages: "" | |
| # pendulum: git (apply patch) | |
| # matplotlib (countourpy): g++ | |
| # fastapi (MarkupSafe): gcc | |
| apt_build_packages: "curl git g++" | |
| pip_extra_url: "https://www.piwheels.org/simple" # armv6/v7 packages | |
| - name: linux/386 | |
| # Get 32bit distributor fix for pendulum, not yet officially released. | |
| # Needs Debian testing instead of python:xyz which is based on Debian stable. | |
| base: debian | |
| python: trixie | |
| rustup_install: "" | |
| apt_packages: "python3-pendulum python3-pip" | |
| # numpy: g++, libc-dev | |
| # skikit: pkgconf python3-dev, gfortran, libopenblas-pthread-dev | |
| # h5py: libhdf5-dev | |
| # uvloop: make | |
| # many others g++/gcc | |
| apt_build_packages: "g++ pkgconf libc-dev python3-dev gfortran libopenblas-pthread-dev libhdf5-dev make" | |
| pip_extra_url: "" | |
| exclude: ${{ fromJSON(needs.platform-excludes.outputs.excludes) }} | |
| steps: | |
| - name: Prepare | |
| run: | | |
| platform=${{ matrix.platform.name }} | |
| echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV | |
| - name: Docker meta | |
| id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: | | |
| ${{ env.DOCKERHUB_REPO }} | |
| ${{ env.GHCR_REPO }} | |
| labels: | | |
| org.opencontainers.image.licenses=${{ env.EOS_LICENSE }} | |
| annotations: | | |
| org.opencontainers.image.licenses=${{ env.EOS_LICENSE }} | |
| env: | |
| DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index | |
| # Prepare to extract description so it can be manually set for index manifest (group of platform manifests) | |
| - name: Prepare description | |
| id: get_description | |
| run: | | |
| echo "EOS_REPO_DESCRIPTION=$(jq -cr '.labels."org.opencontainers.image.description"' <<< "$DOCKER_METADATA_OUTPUT_JSON")" >> $GITHUB_ENV | |
| - name: Login to Docker Hub | |
| uses: docker/login-action@v3 | |
| # skip for pull requests | |
| if: ${{ github.event_name != 'pull_request' }} | |
| with: | |
| username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_PASSWORD }} | |
| - name: Login to GHCR | |
| uses: docker/login-action@v3 | |
| # skip for pull requests | |
| if: ${{ github.event_name != 'pull_request' }} | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| # skip for pull requests | |
| if: ${{ github.event_name != 'pull_request' }} | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Build and push by digest | |
| id: build | |
| uses: docker/build-push-action@v6 | |
| with: | |
| platforms: ${{ matrix.platform.name }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| annotations: ${{ steps.meta.outputs.annotations }} | |
| outputs: type=image,"name=${{ env.DOCKERHUB_REPO }},${{ env.GHCR_REPO }}",push-by-digest=true,name-canonical=true,"push=${{ github.event_name != 'pull_request' }}","annotation-index.org.opencontainers.image.description=${{ env.EOS_REPO_DESCRIPTION }}" | |
| build-args: | | |
| BASE_IMAGE=${{ matrix.platform.base }} | |
| PYTHON_VERSION=${{ matrix.platform.python }} | |
| PIP_EXTRA_INDEX_URL=${{ matrix.platform.pip_extra_url }} | |
| APT_PACKAGES=${{ matrix.platform.apt_packages }} | |
| APT_BUILD_PACKAGES=${{ matrix.platform.apt_build_packages }} | |
| RUSTUP_INSTALL=${{ matrix.platform.rustup_install }} | |
| - name: Generate artifact attestation DockerHub | |
| uses: actions/attest-build-provenance@v2 | |
| if: ${{ github.event_name != 'pull_request' }} | |
| with: | |
| subject-name: docker.io/${{ env.DOCKERHUB_REPO }} | |
| subject-digest: ${{ steps.build.outputs.digest }} | |
| push-to-registry: true | |
| - name: Generate artifact attestation GitHub | |
| uses: actions/attest-build-provenance@v2 | |
| if: ${{ github.event_name != 'pull_request' }} | |
| with: | |
| subject-name: ${{ env.GHCR_REPO }} | |
| subject-digest: ${{ steps.build.outputs.digest }} | |
| push-to-registry: true | |
| - name: Export digest | |
| run: | | |
| mkdir -p /tmp/digests | |
| digest="${{ steps.build.outputs.digest }}" | |
| touch "/tmp/digests/${digest#sha256:}" | |
| - name: Upload digest | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: digests-${{ env.PLATFORM_PAIR }} | |
| path: /tmp/digests/* | |
| if-no-files-found: error | |
| retention-days: 1 | |
| merge: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| needs: | |
| - build | |
| # skip for pull requests | |
| if: ${{ github.event_name != 'pull_request' }} | |
| steps: | |
| - name: Download digests | |
| uses: actions/download-artifact@v4 | |
| with: | |
| path: /tmp/digests | |
| pattern: digests-* | |
| merge-multiple: true | |
| - name: Login to Docker Hub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_PASSWORD }} | |
| - name: Login to GHCR | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Docker meta | |
| id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: | | |
| ${{ env.DOCKERHUB_REPO }} | |
| ${{ env.GHCR_REPO }} | |
| tags: | | |
| type=ref,event=branch | |
| type=ref,event=pr | |
| type=semver,pattern={{version}} | |
| type=semver,pattern={{major}}.{{minor}} | |
| labels: | | |
| org.opencontainers.image.licenses=${{ env.EOS_LICENSE }} | |
| annotations: | | |
| org.opencontainers.image.licenses=${{ env.EOS_LICENSE }} | |
| env: | |
| DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index | |
| - name: Create manifest list and push | |
| working-directory: /tmp/digests | |
| run: | | |
| docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ | |
| $(printf '${{ env.DOCKERHUB_REPO }}@sha256:%s ' *) | |
| docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ | |
| $(printf '${{ env.GHCR_REPO }}@sha256:%s ' *) | |
| - name: Inspect image | |
| run: | | |
| docker buildx imagetools inspect ${{ env.DOCKERHUB_REPO }}:${{ steps.meta.outputs.version }} | |
| docker buildx imagetools inspect ${{ env.GHCR_REPO }}:${{ steps.meta.outputs.version }} |