feat(container): alpine with CI deploy workflow

Alwatr · Aug 27, 2022 · e63b9ef · e63b9ef
1 parent b60abc1
commit e63b9ef
Show file tree

Hide file tree

Showing 2 changed files with 112 additions and 0 deletions.
diff --git a/.github/workflows/publish-container.yml b/.github/workflows/publish-container.yml
@@ -0,0 +1,90 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+
+name: Container Publish
+
+on:
+  push:
+    branches:
+      - next
+    tags:
+      - 'v*.*.*'
+
+  pull_request:
+    paths:
+      - 'packages/container/**'
+    branches:
+      - next
+
+env:
+  REGISTRY: ghcr.io
+
+jobs:
+  build:
+    if: github.repository_owner == 'AliMD'
+
+    name: Build & Publish Containers
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - image: alpine
+
+    permissions:
+      contents: read
+      packages: write
+      # This is used to complete the identity challenge
+      # with sigstore/fulcio when running outside of PRs.
+      id-token: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: ${{env.REGISTRY}}/${{github.repository_owner}}/${{matrix.image}}
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+
+      - run: echo '${{ toJSON(steps.meta.outputs) }}'
+
+      # Install the cosign tool except on PR
+      # https://github.com/sigstore/cosign-installer
+      - name: Install cosign
+        if: github.event_name != 'pull_request'
+        uses: sigstore/cosign-installer@main
+
+      - name: Setup Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Log into registry ${{env.REGISTRY}}
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v2
+        with:
+          registry: ${{env.REGISTRY}}
+          username: ${{github.repository_owner}}
+          password: ${{secrets.GITHUB_TOKEN}}
+
+      - name: Build and push container image
+        id: build-and-push
+        uses: docker/build-push-action@v3
+        with:
+          context: packages/container/${{matrix.image}}
+          push: ${{github.event_name != 'pull_request'}}
+          tags: ${{steps.meta.outputs.tags}}
+          labels: ${{steps.meta.outputs.labels}}
+
+      - name: Sign the published container image
+        if: ${{github.event_name != 'pull_request'}}
+        env:
+          COSIGN_EXPERIMENTAL: "true"
+        # This step uses the identity token to provision an ephemeral certificate
+        # against the sigstore community Fulcio instance.
+        run: echo "${{steps.meta.outputs.tags}}" | xargs -I {} cosign sign {}@${{steps.build-and-push.outputs.digest}}
diff --git a/packages/container/alpine/Dockerfile b/packages/container/alpine/Dockerfile
@@ -0,0 +1,22 @@
+ARG ALPINE_VERSION=3.16
+FROM docker.io/alpine:${ALPINE_VERSION}
+
+ARG APK_TESTING
+RUN set -ex; \
+  if [ "$APK_TESTING" != "1" ]; then \
+    echo "Skip alpine edge testing repository"; \
+  else \
+    echo "Add alpine edge testing repository"; \
+    echo 'https://dl-cdn.alpinelinux.org/alpine/edge/testing/' >> /etc/apk/repositories; \
+  fi
+
+ARG APK_INSTALL
+RUN set -ex; \
+  if [ "$APK_INSTALL" != "1" ]; then \
+    echo "Skip apk install"; \
+  else \
+    echo "Add alpine edge testing repository"; \
+    apk add --no-cache ${APK_INSTALL}; \
+  fi
+
+CMD ["/bin/sh"]