From 9cbc7fb3b53ff3162351e912be0eccc7c63f8604 Mon Sep 17 00:00:00 2001
From: Leon Stoldt
Date: Wed, 15 Nov 2023 22:36:52 +0100
Subject: [PATCH 1/3] add test folder to gitignore

---
 .gitignore | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.gitignore b/.gitignore
index 20a9254..3804386 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 .idea
-ansible/playbooks/templates/.env
\ No newline at end of file
+ansible/playbooks/templates/.env
+test
\ No newline at end of file

From 1356684b9c9a256564c9fd7b21ee013e27f38bc6 Mon Sep 17 00:00:00 2001
From: Leon Stoldt
Date: Wed, 15 Nov 2023 22:37:56 +0100
Subject: [PATCH 2/3] add support for arm64 images

---
 .github/actions/build-and-push/action.yaml | 78 ++++++++++++++
 .github/actions/integration-test/action.yaml | 19 ++++
 .github/actions/post-run/action.yaml | 12 +++
 .github/workflows/build-and-push.yml | 104 -------------------
 .github/workflows/release.yml | 56 ++++++++++
 .github/workflows/verify.yml | 16 +++
 Dockerfile | 8 +-
 Makefile | 12 ++-
 ansible/playbooks/install-ghostfolio.yml | 2 +-
 9 files changed, 196 insertions(+), 111 deletions(-)
 create mode 100644 .github/actions/build-and-push/action.yaml
 create mode 100644 .github/actions/integration-test/action.yaml
 create mode 100644 .github/actions/post-run/action.yaml
 delete mode 100644 .github/workflows/build-and-push.yml
 create mode 100644 .github/workflows/release.yml
 create mode 100644 .github/workflows/verify.yml

diff --git a/.github/actions/build-and-push/action.yaml b/.github/actions/build-and-push/action.yaml
new file mode 100644
index 0000000..766b594
--- /dev/null
+++ b/.github/actions/build-and-push/action.yaml
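Review bot: The new `test` pattern is unanchored, so it ignores any file or directory named `test` at any depth in the tree, not only the top-level folder the commit message describes. If only the repository-root folder is meant, `/test/` restricts the match to that directory and will not swallow a future `test` module elsewhere. The file is also still written without a trailing newline, which will show up as noise in the next edit.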
@@ -0,0 +1,78 @@
+name: Build and push image
+description: "Builds docker image and pushes it to registry"
+
+inputs:
+ platform:
+ description: "Platform for docker build"
+ default: "amd64"
+ required: true
+ ansible_image_tag:
+ description: "Image tag of ansible base image"
+ default: "alpine"
+ required: true
+
+runs:
+ using: "composite"
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ # Install the cosign tool except on PR https://github.com/sigstore/cosign-installer
+ - name: Install cosign
+ uses: sigstore/cosign-installer@v3.2.0
+
+ - name: Set up QEMU
+ if: ${{ inputs.platform != 'amd64' }}
+ uses: docker/setup-qemu-action@v3
+ with:
+ platforms: ${{ inputs.platform }}
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Login to Docker Hub
+ uses: docker/login-action@v3
+ with:
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Extract metadata (tags, labels) for Docker
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ images: |
+ ${{ secrets.DOCKERHUB_USERNAME }}/${{ github.repository }}
+ ghcr.io/${{ github.repository }}
+ tags: |
+ type=raw,value=latest,enable=${{ is_default_branch && inputs.platform == 'amd64' }}
+ type=raw,value=latest,suffix={{inputs.platform}},enable=${{ is_default_branch && inputs.platform != 'amd64' }}
+ type=sha
+
+ - name: Build and push Docker image
+ id: build-and-push
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ platforms: linux/${{ inputs.platform }}
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+ push: true
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+
+ - name: Sign the published Docker image
+ shell: bash
+ env:
+ # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
+ TAGS: ${{ steps.meta.outputs.tags }}
+ DIGEST: ${{ steps.build-and-push.outputs.digest }}
+ # This step uses the identity token to provision an ephemeral certificate against the sigstore community Fulcio instance.
+ run: |
+ echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
diff --git a/.github/actions/integration-test/action.yaml b/.github/actions/integration-test/action.yaml
new file mode 100644
index 0000000..4dbed53
--- /dev/null
+++ b/.github/actions/integration-test/action.yaml
@@ -0,0 +1,19 @@
+name: Run integration test
+description: "Runs the ansible container as integration test and checks if all containers are up and running"
+
+runs:
+ using: "composite"
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Install wait-for-it
+ shell: bash
+ run: |
+ sudo apt-get update
+ sudo apt-get install -y wait-for-it
+
+ - name: Run integration test
+ shell: bash
+ run: |
+ make test
diff --git a/.github/actions/post-run/action.yaml b/.github/actions/post-run/action.yaml
new file mode 100644
index 0000000..af4ac4e
--- /dev/null
+++ b/.github/actions/post-run/action.yaml
@@ -0,0 +1,12 @@
+name: Post-run
+description: "Tasks to run after pipeline is done"
+
+
+runs:
+ using: "composite"
+ steps:
+ - name: Update Docker Hub Description
+ uses: peter-evans/dockerhub-description@v3
+ with:
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
\ No newline at end of file
diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml
deleted file mode 100644
index 8b17fd6..0000000
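Review bot: The `Extract metadata` step's `tags:` block mixes two template languages: `is_default_branch` is a docker/metadata-action placeholder (`{{is_default_branch}}`), not a GitHub Actions context, so `${{ is_default_branch && … }}` fails expression validation, and `suffix={{inputs.platform}}` is not a name metadata-action knows either; one line covers both intents, `type=raw,value=latest,enable={{is_default_branch}},suffix=${{ inputs.platform != 'amd64' && format('-{0}', inputs.platform) || '' }}`. The `ansible_image_tag` input is declared but never forwarded to the build, so the Dockerfile's new `ARG ANSIBLE_CORE_TAG` stays empty; add `build-args: |` followed by `ANSIBLE_CORE_TAG=${{ inputs.ansible_image_tag }}` under the build-push-action `with:`. As far as I know the `secrets` context is not exposed inside composite actions, so the `${{ secrets.DOCKERHUB_USERNAME }}`/`${{ secrets.DOCKERHUB_TOKEN }}` references here (and in the post-run action's `dockerhub-description` step below) resolve empty and should instead be declared inputs that the calling workflow passes from its own `secrets`. `${{ secrets.DOCKERHUB_USERNAME }}/${{ github.repository }}` also yields a three-segment Docker Hub image name, because `github.repository` is already `owner/name`; the deleted workflow used a bare image name in that position. Pinning `sigstore/cosign-installer` and the `docker/*` actions to commit SHAs rather than tags would make the signing toolchain itself tamper-evident, which matters most in the step that mints the signatures.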
--- a/.github/workflows/build-and-push.yml
+++ /dev/null
@@ -1,104 +0,0 @@ -name: Docker Build and Push - -on: - workflow_dispatch: - schedule: - - cron: '0 12 * * *' - push: - branches: - - main - -env: - IMAGE_NAME: ghostfolio-installer - -jobs: - test: - name: Run integration test - runs-on: ubuntu-latest - permissions: - contents: write - - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - - name: Install wait-for-it - run: | - sudo apt-get update - sudo apt-get install -y wait-for-it - - - name: Run integration test - run: | - make test - - - build-and-push: - needs: [test] - name: Build and push image - runs-on: ubuntu-latest - permissions: - contents: read - packages: write - # This is used to complete the identity challenge with sigstore/fulcio when running outside of PRs. - id-token: write - - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - # Install the cosign tool except on PR https://github.com/sigstore/cosign-installer - - name: Install cosign - uses: sigstore/cosign-installer@v3.2.0 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Login to Docker Hub - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - - name: Login to GitHub Container Registry - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Extract metadata (tags, labels) for Docker - id: meta - uses: docker/metadata-action@v5 - with: - images: | - ${{ secrets.DOCKERHUB_USERNAME }}/${{ env.IMAGE_NAME }} - ghcr.io/${{ github.repository }} - tags: | - type=raw,value=latest,enable={{is_default_branch}} - type=sha - - - name: Build and push Docker image - id: build-and-push - uses: docker/build-push-action@v5 - with: - context: . 
- tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - push: true - cache-from: type=gha - cache-to: type=gha,mode=max - - - name: Sign the published Docker image - env: - # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable - TAGS: ${{ steps.meta.outputs.tags }} - DIGEST: ${{ steps.build-and-push.outputs.digest }} - # This step uses the identity token to provision an ephemeral certificate against the sigstore community Fulcio instance. - run: | - echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} - - - name: Update Docker Hub Description - uses: peter-evans/dockerhub-description@v3 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000..242d33c --- /dev/null +++ b/.github/workflows/release.yml 
@@ -0,0 +1,56 @@
+name: Release Docker Image
+
+on:
+ workflow_dispatch:
+ schedule:
+ - cron: '0 9 * * 5'
+ push:
+ branches:
+ - main
+
+jobs:
+ integration-test:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - uses: ./.github/actions/integration-test
+
+ build-and-push:
+ needs: [integration-test]
+ name: Build and push image
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ fail-fast: false
+ include:
+ - platform: amd64
+ base_image_tag: 2.15-alpine-3.18
+ - platform: arm64
+ ansible_image_tag: alpine
+ permissions:
+ contents: read
+ packages: write
+ # This is used to complete the identity challenge with sigstore/fulcio when running outside of PRs.
+ id-token: write
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - uses: ./.github/actions/build-and-push
+ with:
+ platform: ${{ matrix.platform }}
+ ansible_image_tag: ${{ matrix.ansible_image_tag }}
+
+ post-run:
+ needs: [ build-and-push ]
+ name: Post-run
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - uses: ./.github/actions/post-run
diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
new file mode 100644
index 0000000..a8d44e6
--- /dev/null
+++ b/.github/workflows/verify.yml
@@ -0,0 +1,16 @@
+name: Run integration tests
+
+on:
+ workflow_dispatch:
+ push:
+ branches-ignore:
+ - main
+
+jobs:
+ integration-test:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - uses: ./.github/actions/integration-test
diff --git a/Dockerfile b/Dockerfile
index a549182..0bfedc0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,5 @@
-FROM willhallonline/ansible:2.15-alpine-3.18
+ARG ANSIBLE_CORE_TAG
+FROM willhallonline/ansible:${ANSIBLE_CORE_TAG}
 LABEL maintainer="tech@leon-stoldt.de" \
 org.label-schema.schema-version="1.0" \
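Review bot: The two matrix entries in `build-and-push` use different keys — the amd64 entry sets `base_image_tag` while the step reads `matrix.ansible_image_tag` — so the amd64 leg most likely passes an empty `ansible_image_tag` (an explicitly supplied empty `with:` value does not fall back to the action's default). Rename it to `ansible_image_tag: "2.15-alpine-3.18"` so both legs drive the same input, and quote it for the same reason `alpine` needs no quoting but version-like strings do. `fail-fast: false` is a key of `strategy:`, not `matrix:`; where it sits it is read as a matrix variable rather than the strategy option it is meant to be. The `integration-test` job only checks out and runs tests yet is granted `contents: write`; `contents: read` is sufficient and keeps the job token least-privilege.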
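Review bot: `verify.yml` declares no `permissions:` block, so its GITHUB_TOKEN receives the repository's default permission set, which is read-write on repositories created before the default was tightened. Nothing in the job needs more than a checkout, so a workflow-level `permissions:` with `contents: read` pins it. Because the called action runs `sudo apt-get update`/`install`, a `timeout-minutes:` on the job (e.g. a constructed `timeout-minutes: 20`) bounds a stalled mirror instead of consuming the six-hour default.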
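Review bot: `ARG ANSIBLE_CORE_TAG` has no default, so a plain `docker build .` (or any caller that omits the build-arg) expands to `FROM willhallonline/ansible:` and fails on an invalid reference. Giving it the value the amd64 build already uses, `ARG ANSIBLE_CORE_TAG=2.15-alpine-3.18`, keeps the previous behaviour as the fallback while the Makefile and CI still override it. The arm64 path passes the floating `alpine` tag, so that image is not reproducible and silently follows upstream; pinning it to a specific tag or digest once one is available for arm64 would bring it in line with the amd64 pin.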
@@ -13,11 +14,8 @@ LABEL maintainer="tech@leon-stoldt.de" \ net.unraid.docker.icon="https://avatars.githubusercontent.com/u/82473144?s=200" # Install Docker Compose -ARG DOCKER_COMPOSE_VERSION=2.23.0 RUN apk --no-cache add \ - curl && \ - curl -L "https://github.com/docker/compose/releases/download/v${DOCKER_COMPOSE_VERSION}/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose && \ - chmod +x /usr/local/bin/docker-compose + docker-compose WORKDIR /ansible diff --git a/Makefile b/Makefile index baba667..7baff4f 100644 --- a/Makefile +++ b/Makefile @@ -14,8 +14,18 @@ define wait_for_container done endef +define docker-build + docker buildx build --pull \ + --build-arg ANSIBLE_CORE_TAG=$(1) \ + --platform $(2) \ + -t ghostfolio-installer . +endef + build: - docker build -t ghostfolio-installer . + $(call docker-build,"2.15-alpine-3.18","linux/amd64") + +build-arm: + $(call docker-build,"alpine","linux/arm64") run: build docker run --rm\ diff --git a/ansible/playbooks/install-ghostfolio.yml b/ansible/playbooks/install-ghostfolio.yml index b3c60ec..5398c25 100644 --- a/ansible/playbooks/install-ghostfolio.yml +++ b/ansible/playbooks/install-ghostfolio.yml @@ -38,6 +38,6 @@ chdir: "{{ ghostfolio_dir }}" - name: Start Docker Compose - command: docker-compose up --wait + command: docker-compose up -d args: chdir: "{{ ghostfolio_dir }}" \ No newline at end of file From f2396c374a059f0e9335734992a8c9be2ee05e28 Mon Sep 17 00:00:00 2001 From: Leon Stoldt Date: Fri, 17 Nov 2023 22:57:52 +0100 Subject: [PATCH 3/3] add job summary --- .github/actions/build-and-push/action.yaml | 14 +++++++++++ .github/actions/post-run/action.yaml | 29 +++++++++++++++++++++- .github/workflows/release.yml | 11 ++++++-- 3 files changed, 51 insertions(+), 3 deletions(-) diff --git a/.github/actions/build-and-push/action.yaml b/.github/actions/build-and-push/action.yaml index 766b594..f93e86d 100644 --- a/.github/actions/build-and-push/action.yaml 
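Review bot: Replacing the unverified `curl` download with the Alpine `docker-compose` package is a supply-chain improvement, but the installed Compose version is now whatever the base image's package index carries and changes silently when the `alpine` tag moves. If the playbook depends on a particular Compose feature set (the same series drops `--wait`, which only recent Compose v2 releases support), pin the package, e.g. `docker-compose=<version from apk index>`, and record the minimum required version in a comment above the `RUN`. The surrounding `RUN apk --no-cache add` stanza is context only.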
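Review bot: Both `build` and `build-arm` tag their result `ghostfolio-installer`, so running one after the other overwrites the first image and `run: build` can never select the arm64 variant. Passing the platform short name as a third `$(call)` argument and tagging with `-t ghostfolio-installer:$(3) .` keeps both images addressable. The base-image tag `2.15-alpine-3.18` is now hard-coded here and again in `release.yml`; a single `ANSIBLE_CORE_TAG ?= 2.15-alpine-3.18` variable at the top of the Makefile, referenced from both targets, stops the two from drifting.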
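Review bot: `docker-compose up --wait` blocked until the services reported running/healthy, whereas `up -d` returns as soon as the containers are created, so the integration test that runs right after this playbook (which per the new action's description "checks if all containers are up and running") can now observe containers that are still starting. If `--wait` was dropped because the apk-installed Compose does not support it, say so in a comment above the task and add an explicit readiness step, e.g. a `wait_for` task on the published port or the `wait-for-it` binary the test action already installs. The task's `args:` lines are context only.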
+++ b/.github/actions/build-and-push/action.yaml @@ -11,6 +11,14 @@ inputs: default: "alpine" required: true +outputs: + digests: + description: "Image digests" + value: ${{ steps.build-and-push.outputs.digest }} + tags: + description: "Image tags" + value: ${{ steps.meta.outputs.tags }} + runs: using: "composite" steps: @@ -76,3 +84,9 @@ runs: # This step uses the identity token to provision an ephemeral certificate against the sigstore community Fulcio instance. run: | echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} + + - name: Set output variables + shell: bash + run: | + echo "digests=${{ steps.build-and-push.outputs.digest }}" >> $GITHUB_OUTPUT + echo "tags=${{ steps.meta.outputs.tags }}" >> $GITHUB_OUTPUT \ No newline at end of file diff --git a/.github/actions/post-run/action.yaml b/.github/actions/post-run/action.yaml index af4ac4e..e210d46 100644 --- a/.github/actions/post-run/action.yaml +++ b/.github/actions/post-run/action.yaml @@ -1,6 +1,13 @@ name: Post-run description: "Tasks to run after pipeline is done" +inputs: + digests: + description: "Digests from previous build step" + required: false + tags: + description: "Tags from previous build step" + required: false runs: using: "composite" @@ -9,4 +16,24 @@ runs: uses: peter-evans/dockerhub-description@v3 with: username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} \ No newline at end of file + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Set job summary + shell: bash + run: | + cat >> $GITHUB_STEP_SUMMARY < ${{ inputs.tags }}" + + ## Image Digests + > ${{ inputs.digests }}" + + [docker_hub_url]: https://hub.docker.com/r/${{ github.repository_owner }}/${{ github.repository }} + [ghcr_io_url]: ${{ github.server_url}}/${{ github.repository_owner }}/${{ github.repository }}/pkgs/container/${{ github.repository }} + EOB diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 242d33c..982c9a5 100644 
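Review bot: The new `Set output variables` step duplicates the `outputs:` block added in the first hunk of this file: composite-action outputs are taken from `outputs.<name>.value`, and a `$GITHUB_OUTPUT` write from a step that has no `id` is never read by anyone. `tags` is also a multi-line value (two images times up to two tags), and the `key=value` form of `$GITHUB_OUTPUT` is only defined for single-line values — multi-line strings need the `key<<EOF` delimiter syntax — so the step should simply be removed. The step further interpolates `${{ … }}` straight into `run:`, the pattern the sign step immediately above deliberately avoids via `env:`. Note too that `tags` embeds `${{ secrets.DOCKERHUB_USERNAME }}`: a job output whose value contains a secret is skipped by the runner with a "may contain secret" warning, so the consuming job will likely receive an empty `tags`.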
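Review bot: The `Set job summary` step interpolates `${{ inputs.tags }}` and `${{ inputs.digests }}` directly into a shell heredoc (the text as captured here looks truncated around `cat >> $GITHUB_STEP_SUMMARY`, so I cannot verify the full body); both values are multi-line and one carries the Docker Hub username, so route them through `env:` as the sign step does and reference `$TAGS`/`$DIGESTS` inside the heredoc. The Docker Hub link `https://hub.docker.com/r/${{ github.repository_owner }}/${{ github.repository }}` repeats the owner, because `github.repository` is already `owner/name`; `https://hub.docker.com/r/${{ github.repository }}` is the path Docker Hub expects. `${{ github.server_url}}` lacks the closing space every other expression in the file uses (style only).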
--- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -19,7 +19,7 @@ jobs: - uses: ./.github/actions/integration-test - build-and-push: + release: needs: [integration-test] name: Build and push image runs-on: ubuntu-latest @@ -36,17 +36,21 @@ jobs: packages: write # This is used to complete the identity challenge with sigstore/fulcio when running outside of PRs. id-token: write + outputs: + digests: ${{ steps.build.outputs.digests }} + tags: ${{ steps.build.outputs.tags }} steps: - name: Checkout repository uses: actions/checkout@v4 - uses: ./.github/actions/build-and-push + id: build with: platform: ${{ matrix.platform }} ansible_image_tag: ${{ matrix.ansible_image_tag }} post-run: - needs: [ build-and-push ] + needs: [ release ] name: Post-run runs-on: ubuntu-latest steps: @@ -54,3 +58,6 @@ jobs: uses: actions/checkout@v4 - uses: ./.github/actions/post-run + with: + digests: ${{ needs.release.outputs.digests }} + tags: ${{ needs.release.outputs.tags }}
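Review bot: The `release` job runs as a two-leg matrix but declares a single `outputs.digests`/`outputs.tags`, and job outputs are not per-leg: every leg writes the same output, so `post-run` receives only whatever the last-finishing leg (amd64 or arm64) produced, never both digests. Either publish per-leg results as artifacts (`actions/upload-artifact` named by `matrix.platform`, downloaded in `post-run`) or collapse to one multi-platform build with `platforms: linux/amd64,linux/arm64` so there is a single manifest digest to report. The enclosing `release` job definition, including its `strategy:` block, starts before this hunk.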