diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index bd744c7..174a4f8 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -37,14 +37,19 @@ jobs:
 docker-bake.hcl
 versions.json
 load: true
+ # Use GitHub Actions cache (type=gha) — scoped per target, lives in
+ # GitHub's per-repo cache backend, not the public Docker Hub repo.
 set: |
 *.platform=linux/amd64
 full.tags=scalr/runner:sha-${{ github.sha }}
 python39.tags=scalr/runner:sha-${{ github.sha }}-python39
 slim.tags=scalr/runner:sha-${{ github.sha }}-slim
- full.cache-to=type=registry,ref=scalr/runner:buildcache,mode=max
- python39.cache-to=type=registry,ref=scalr/runner:buildcache-python39,mode=max
- slim.cache-to=type=registry,ref=scalr/runner:buildcache-slim,mode=max
+ full.cache-from=type=gha,scope=full
+ full.cache-to=type=gha,scope=full,mode=max
+ python39.cache-from=type=gha,scope=python39
+ python39.cache-to=type=gha,scope=python39,mode=max
+ slim.cache-from=type=gha,scope=slim
+ slim.cache-to=type=gha,scope=slim,mode=max
 - name: Test full image
 run: |
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 4ce1f76..0931f69 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -78,8 +78,8 @@ jobs:
 push: true
 # Append both GAR region tags to each target so a single push writes
 # to Docker Hub (declared in docker-bake.hcl) and both regional GAR
- # mirrors. Cache-to is injected here because the docker-container
- # driver supports it, while the bake file stays local-driver-friendly.
+ # mirrors. Cache uses GitHub Actions cache (per-repo, private) so
+ # nothing cache-related leaks into the public Docker Hub repo.
 set: |
 full.tags+=${{ steps.gar.outputs.image_eu }}:${{ steps.image_tag.outputs.tag }}
 full.tags+=${{ steps.gar.outputs.image_us }}:${{ steps.image_tag.outputs.tag }}
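Review bot: The `scope=full`, `scope=python39` and `scope=slim` keys added here are the same names release.yaml sets in its own `set:` block later in this diff, but this job pins `*.platform=linux/amd64` while release.yaml inherits the amd64+arm64 `platforms` from docker-bake.hcl, so the two jobs export different layer sets under one key and each export is likely to shadow the other's entries (how buildx keys the gha index is not visible here, so treat that as something to verify). Giving this workflow its own names, e.g. `full.cache-to=type=gha,scope=full-amd64,mode=max` together with the matching `cache-from`, keeps the CI and release caches apart; the same applies to the release.yaml hunk at `@@ -87,9 +87,12 @@`. The comment on the first added line could also say what actually isolates the caches: GitHub restores entries only from the current ref or the default branch, so a tag-triggered release run sees what the default-branch build wrote and never a PR branch's entries, which is what keeps PR-built layers out of a release — "per-repo" in the release.yaml comment undersells that. Finally, `mode=max` for three targets competes with every other workflow for the repository's cache quota, so expect evictions on a busy repo; if release builds turn out to miss the cache, keeping a registry cache for release.yaml remains an option.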
@@ -87,9 +87,12 @@ jobs:
 python39.tags+=${{ steps.gar.outputs.image_us }}:${{ steps.image_tag.outputs.tag }}-python39
 slim.tags+=${{ steps.gar.outputs.image_eu }}:${{ steps.image_tag.outputs.tag }}-slim
 slim.tags+=${{ steps.gar.outputs.image_us }}:${{ steps.image_tag.outputs.tag }}-slim
- full.cache-to=type=registry,ref=scalr/runner:buildcache,mode=max
- python39.cache-to=type=registry,ref=scalr/runner:buildcache-python39,mode=max
- slim.cache-to=type=registry,ref=scalr/runner:buildcache-slim,mode=max
+ full.cache-from=type=gha,scope=full
+ full.cache-to=type=gha,scope=full,mode=max
+ python39.cache-from=type=gha,scope=python39
+ python39.cache-to=type=gha,scope=python39,mode=max
+ slim.cache-from=type=gha,scope=slim
+ slim.cache-to=type=gha,scope=slim,mode=max
 - name: Report published images
 env:
diff --git a/.github/workflows/test_release.yaml b/.github/workflows/test_release.yaml
new file mode 100644
index 0000000..7019e61
--- /dev/null
+++ b/.github/workflows/test_release.yaml
@@ -0,0 +1,141 @@
+name: Test Release Pipeline
+
+# PR-triggered mirror of release.yaml — used to exercise the release pipeline
+# end-to-end without actually publishing a release. Runs only when the PR
+# carries the `test` label; rebuilds on every push to that PR while the label
+# is applied.
+#
+# Differences from release.yaml:
+# - Triggered by `test` label on a PR, not by a semver tag push.
+# - Image tag is derived from the PR branch (prefixed `test-`) so it cannot
+# collide with real release tags.
+# - Docker Hub login + push is commented out (temporary) — pushes only to
+# the internal GAR mirrors.
+# - No update_changelog job.
+
+on:
+ pull_request:
+ types: [labeled, synchronize, reopened]
+
+permissions:
+ contents: read
+ # Required by google-github-actions/auth for workload identity federation.
+ id-token: write
+
+jobs:
+ build:
+ name: Build and Push (test)
+ if: contains(github.event.pull_request.labels.*.name, 'test')
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ # Docker Hub login temporarily disabled — see workflow header.
+ # - name: Login to Docker Hub
+ # uses: docker/login-action@v3
+ # with:
+ # username: ${{ vars.DOCKERHUB_USERNAME }}
+ # password: ${{ secrets.DOCKERHUB_PASSWORD }}
+
+ - name: Authenticate to Google Cloud
+ id: gcp-auth
+ uses: google-github-actions/auth@v3
+ with:
+ workload_identity_provider: ${{vars.GOOGLE_WORKLOAD_IDENTITY_POOL_PROVIDER}}
+ service_account: ${{vars.GOOGLE_SERVICE_ACCOUNT_EMAIL}}
+ token_format: access_token
+
+ # - name: Login to GAR (EU dev)
+ # uses: docker/login-action@v3
+ # with:
+ # registry: ${{ vars.EU_DEV_MIRROR_LOCATION }}-docker.pkg.dev
+ # username: oauth2accesstoken
+ # password: ${{ steps.gcp-auth.outputs.access_token }}
+
+ - name: Login to GAR (US prod)
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ vars.US_PROD_MIRROR_LOCATION }}-docker.pkg.dev
+ username: oauth2accesstoken
+ password: ${{ steps.gcp-auth.outputs.access_token }}
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v3
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ # PR source branch → Docker tag. Lower-cased, slashes → dashes, and
+ # prefixed `test-` so the tag cannot collide with a semver release tag
+ # pushed by release.yaml.
+ - name: Format Image Tag
+ id: image_tag
+ run: |
+ raw='${{ github.head_ref }}'
+ sanitized="${raw,,}"
+ sanitized="${sanitized//\//-}"
+ echo "tag=test-${sanitized}" | tee -a $GITHUB_OUTPUT
+
+ # Two regional GAR mirrors — EU dev and US production.
+ - name: Compose GAR image paths
+ id: gar
+ run: |
+ echo "image_eu=${{ vars.EU_DEV_MIRROR_LOCATION }}-docker.pkg.dev/${{ vars.EU_DEV_GOOGLE_PROJECT }}/main/scalr/runner" | tee -a $GITHUB_OUTPUT
+ echo "image_us=${{ vars.US_PROD_MIRROR_LOCATION }}-docker.pkg.dev/${{ vars.US_PROD_GOOGLE_PROJECT }}/main/scalr/runner" | tee -a $GITHUB_OUTPUT
+
+ - name: Build and push images
+ uses: docker/bake-action@v5
+ env:
+ VERSION: ${{ steps.image_tag.outputs.tag }}
+ with:
+ files: |
+ docker-bake.hcl
+ versions.json
+ push: true
+ # Replace each target's tag list (`tags=` removes the Docker Hub
+ # default from docker-bake.hcl since DH login is disabled). EU dev
+ # push is temporarily disabled — only US prod is pushed.
+ set: |
+ full.tags=${{ steps.gar.outputs.image_us }}:${{ steps.image_tag.outputs.tag }}
+ python39.tags=${{ steps.gar.outputs.image_us }}:${{ steps.image_tag.outputs.tag }}-python39
+ slim.tags=${{ steps.gar.outputs.image_us }}:${{ steps.image_tag.outputs.tag }}-slim
+ full.cache-from=type=gha,scope=full
+ full.cache-to=type=gha,scope=full,mode=max
+ python39.cache-from=type=gha,scope=python39
+ python39.cache-to=type=gha,scope=python39,mode=max
+ slim.cache-from=type=gha,scope=slim
+ slim.cache-to=type=gha,scope=slim,mode=max
+
+ - name: Report published images
+ env:
+ TAG: ${{ steps.image_tag.outputs.tag }}
+ IMG_EU: ${{ steps.gar.outputs.image_eu }}
+ IMG_US: ${{ steps.gar.outputs.image_us }}
+ run: |
+ echo "Published test runner images for tag ${TAG}"
+ echo ""
+ echo "GAR — EU dev:"
+ echo " ${IMG_EU}:${TAG}"
+ echo " ${IMG_EU}:${TAG}-python39"
+ echo " ${IMG_EU}:${TAG}-slim"
+ echo ""
+ echo "GAR — US prod:"
+ echo " ${IMG_US}:${TAG}"
+ echo " ${IMG_US}:${TAG}-python39"
+ echo " ${IMG_US}:${TAG}-slim"
+ {
+ echo "## Published test runner images — \`${TAG}\`"
+ echo ""
+ echo "**GAR — EU dev**"
+ echo ""
+ echo "- \`${IMG_EU}:${TAG}\`"
+ echo "- \`${IMG_EU}:${TAG}-python39\`"
+ echo "- \`${IMG_EU}:${TAG}-slim\`"
+ echo ""
+ echo "**GAR — US prod**"
+ echo ""
+ echo "- \`${IMG_US}:${TAG}\`"
+ echo "- \`${IMG_US}:${TAG}-python39\`"
+ echo "- \`${IMG_US}:${TAG}-slim\`"
+ } >> "$GITHUB_STEP_SUMMARY"
diff --git a/docker-bake.hcl b/docker-bake.hcl
index ebb57f1..0f1cac1 100644
--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@@ -36,25 +36,22 @@ group "default" {
 }
 target "full" {
- target = "full"
- platforms = ["linux/amd64", "linux/arm64"]
- args = merge(versions_base, versions_full)
- tags = ["scalr/runner:${VERSION}"]
- cache-from = ["type=registry,ref=scalr/runner:buildcache"]
+ target = "full"
+ platforms = ["linux/amd64", "linux/arm64"]
+ args = merge(versions_base, versions_full)
+ tags = ["scalr/runner:${VERSION}"]
 }
 target "python39" {
- target = "full"
- platforms = ["linux/amd64", "linux/arm64"]
- args = merge(versions_base, versions_full, versions_python39)
- tags = ["scalr/runner:${VERSION}-python39"]
- cache-from = ["type=registry,ref=scalr/runner:buildcache-python39"]
+ target = "full"
+ platforms = ["linux/amd64", "linux/arm64"]
+ args = merge(versions_base, versions_full, versions_python39)
+ tags = ["scalr/runner:${VERSION}-python39"]
 }
 target "slim" {
- target = "slim"
- platforms = ["linux/amd64", "linux/arm64"]
- args = versions_base
- tags = ["scalr/runner:${VERSION}-slim"]
- cache-from = ["type=registry,ref=scalr/runner:buildcache-slim"]
+ target = "slim"
+ platforms = ["linux/amd64", "linux/arm64"]
+ args = versions_base
+ tags = ["scalr/runner:${VERSION}-slim"]
 }
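Review bot: In the `Format Image Tag` step, `raw='${{ github.head_ref }}'` splices the PR branch name into the script text before the shell parses it; git ref names may contain `'`, `$`, `;` and backticks, so a branch name that closes the quote runs in a job holding a GAR push token (GitHub lists `head_ref` among the untrusted inputs for exactly this reason). Pass it through the environment instead — `env:` with `RAW_REF: ${{ github.head_ref }}` on the step and `raw="$RAW_REF"` in the script — and, while there, quote `"$GITHUB_OUTPUT"` on the `tee -a` calls. The `Report published images` step prints and summarises EU dev images, but the EU login is commented out and the `tags=` overrides in this hunk point only at `image_us`, so the summary advertises images the job never pushed; drop or guard the EU lines until that push returns. Separately, the only gate here is the `test` label on a `pull_request` event, and the registry left enabled is the US *prod* mirror while the dev mirror is the one disabled; if that is not deliberate, swapping which mirror receives test tags, or putting the job behind an `environment:` with required reviewers, would keep unreviewed PR builds out of production.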
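Review bot: With `cache-from` removed from all three targets, a plain `docker buildx bake` run outside GitHub Actions now builds with no remote cache at all, because the `type=gha` settings live only in the workflows' `set:` overrides and depend on the runner's cache token. If that is intended, a one-line comment above the first target, `# No cache settings here on purpose: the CI workflows inject type=gha caches via bake --set.`, saves the next reader a search, and note that the release.yaml comment this diff rewrites used to be where that rationale lived. The realignment of the surviving `target`/`platforms`/`args`/`tags` lines also makes each block read as a rewrite of four attributes when only one was deleted; leaving the alignment alone would keep the hunk to three removed lines.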