feat: introducing distroless-python #54
name: main | |
on: | |
schedule: | |
# update the pointers once a week | |
# https://crontab.guru/once-a-week | |
- cron: "0 0 * * 0" | |
push: | |
branches: main | |
pull_request: | |
branches: main | |
jobs: | |
docker: | |
strategy: | |
fail-fast: false | |
matrix: | |
repository: | |
- 'ghcr.io' | |
- 'docker.io' | |
python: | |
- '3.12' | |
- '3.11' | |
- '3.10' | |
- '3.9' | |
- '3.8' | |
alpine: | |
- '3.20' | |
os: | |
- 'ubuntu-latest' | |
runs-on: ${{ matrix.os }} | |
permissions: | |
packages: write | |
steps: | |
- | |
name: Checkout | |
uses: actions/checkout@v4 | |
- | |
name: Convert README.rst to markdown | |
uses: docker://pandoc/core:2.9 | |
with: | |
args: >- | |
-s | |
--wrap=none | |
-t gfm | |
-o README.md | |
README.rst | |
- | |
name: Set up QEMU | |
uses: docker/setup-qemu-action@v3 | |
- | |
name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- | |
id: image_env | |
run: | | |
. ./env.sh \ | |
'${{ matrix.alpine }}' \ | |
'${{ matrix.python }}' \ | |
'${{ github.repository_owner }}' \ | |
'${{ matrix.repository }}' | |
docker pull "${SOURCE_IMAGE}" | |
echo ALPINE_VERSION="${ALPINE_VERSION}" >> "$GITHUB_OUTPUT" | |
echo PYTHON_VERSION="${PYTHON_VERSION}" >> "$GITHUB_OUTPUT" | |
echo SOURCE_IMAGE="${SOURCE_IMAGE}" >> "$GITHUB_OUTPUT" | |
echo IMAGE_TAG="${IMAGE_TAG}" >> "$GITHUB_OUTPUT" | |
echo REPOSITORY="${REPOSITORY}" >> "$GITHUB_OUTPUT" | |
echo BASE_IMAGE_DIGEST="$(digest_of "$SOURCE_IMAGE")" >> "$GITHUB_OUTPUT" | |
echo 'LONG_DESCRIPTION<<EOF' >> "$GITHUB_OUTPUT" | |
<README.md cat >> "$GITHUB_OUTPUT" | |
echo 'EOF' >> "$GITHUB_OUTPUT" | |
echo 'IMAGE_DESCRIPTION<<EOF' >> "$GITHUB_OUTPUT" | |
echo "Distroless Python $PYTHON_VERSION on alpine$ALPINE_VERSION." | |
echo '${{ github.event.repository.description }}' >> "$GITHUB_OUTPUT" | |
echo 'EOF' >> "$GITHUB_OUTPUT" | |
- | |
name: Buildroot | |
uses: docker/build-push-action@v6 | |
with: | |
platforms: | | |
linux/amd64 | |
linux/arm64 | |
context: "." | |
file: Dockerfile.alpine | |
target: buildroot | |
cache-from: | | |
type=registry,ref=${{ steps.image_env.outputs.IMAGE_TAG }}-buildroot | |
type=registry,ref=docker.io/${{ steps.image_env.outputs.BASE_IMAGE_DIGEST }} | |
build-args: | | |
ALPINE_VERSION=${{ steps.image_env.outputs.ALPINE_VERSION }} | |
BASE_IMAGE_DIGEST=${{ steps.image_env.outputs.BASE_IMAGE_DIGEST }} | |
PYTHON_VERSION=${{ steps.image_env.outputs.PYTHON_VERSION }} | |
SOURCE_IMAGE=${{ steps.image_env.outputs.SOURCE_IMAGE }} | |
BUILD_ROOT=/d | |
tags: "${{ steps.image_env.outputs.IMAGE_TAG }}-buildroot" | |
- | |
name: distroless | |
uses: docker/build-push-action@v6 | |
with: | |
platforms: | | |
linux/amd64 | |
linux/arm64 | |
context: "." | |
file: Dockerfile.alpine | |
# target: distroless-python | |
cache-from: | | |
type=registry,ref=${{ steps.image_env.outputs.IMAGE_TAG }} | |
type=registry,ref=${{ steps.image_env.outputs.IMAGE_TAG }}-buildroot | |
type=registry,ref=docker.io/${{ steps.image_env.outputs.BASE_IMAGE_DIGEST }} | |
build-args: | | |
ALPINE_VERSION=${{ steps.image_env.outputs.ALPINE_VERSION }} | |
BASE_IMAGE_DIGEST=${{ steps.image_env.outputs.BASE_IMAGE_DIGEST }} | |
PYTHON_VERSION=${{ steps.image_env.outputs.PYTHON_VERSION }} | |
SOURCE_IMAGE=${{ steps.image_env.outputs.SOURCE_IMAGE }} | |
BUILD_ROOT=/d | |
tags: "${{ steps.image_env.outputs.IMAGE_TAG }}" | |
# - | |
# name: distroless-tests | |
# uses: docker/build-push-action@v6 | |
# with: | |
# context: "." | |
# platforms: | | |
# linux/amd64 | |
# linux/arm64 | |
# file: Dockerfile.alpine | |
# target: tests | |
# cache-from: | | |
# type=registry,ref=${{ steps.image_env.outputs.IMAGE_TAG }} | |
# type=registry,ref=${{ steps.image_env.outputs.IMAGE_TAG }}-buildroot | |
# type=registry,ref=docker.io/${{ steps.image_env.outputs.BASE_IMAGE_DIGEST }} | |
# build-args: | | |
# ALPINE_VERSION=${{ steps.image_env.outputs.ALPINE_VERSION }} | |
# BASE_IMAGE_DIGEST=${{ steps.image_env.outputs.BASE_IMAGE_DIGEST }} | |
# PYTHON_VERSION=${{ steps.image_env.outputs.PYTHON_VERSION }} | |
# SOURCE_IMAGE=${{ steps.image_env.outputs.SOURCE_IMAGE }} | |
# BUILD_ROOT=/d | |
# tags: "${{ steps.image_env.outputs.IMAGE_TAG }}-test" | |
# - | |
# name: export annotations | |
# id: inspect | |
# run: | | |
# echo 'annotations<<EOF' >> "$GITHUB_OUTPUT" | |
# docker inspect '${{ steps.image_env.outputs.IMAGE_TAG }}' | jq -r '.[].Config.Labels| keys[] as $k | "\($k)=\(.[$k])"' >> "$GITHUB_OUTPUT" | |
# echo 'EOF' >> "$GITHUB_OUTPUT" | |
- | |
name: Login to GitHub Container Registry | |
if: ${{ matrix.repository == 'ghcr.io' }} | |
uses: docker/login-action@v3 | |
with: | |
registry: 'ghcr.io' | |
username: ${{ github.repository_owner }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- | |
name: Login to DockerHub | |
if: ${{ matrix.repository == 'docker.io' }} | |
uses: docker/login-action@v3 | |
with: | |
registry: 'docker.io' | |
username: ${{ github.repository_owner }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
- | |
name: Upload Buildroot | |
uses: docker/build-push-action@v6 | |
with: | |
push: true | |
platforms: | | |
linux/amd64 | |
linux/arm64 | |
context: "." | |
file: Dockerfile.alpine | |
target: buildroot | |
cache-from: | | |
type=registry,ref=${{ steps.image_env.outputs.IMAGE_TAG }}-buildroot | |
type=registry,ref=docker.io/${{ steps.image_env.outputs.BASE_IMAGE_DIGEST }} | |
build-args: | | |
ALPINE_VERSION=${{ steps.image_env.outputs.ALPINE_VERSION }} | |
BASE_IMAGE_DIGEST=${{ steps.image_env.outputs.BASE_IMAGE_DIGEST }} | |
PYTHON_VERSION=${{ steps.image_env.outputs.PYTHON_VERSION }} | |
SOURCE_IMAGE=${{ steps.image_env.outputs.SOURCE_IMAGE }} | |
BUILD_ROOT=/d | |
tags: "${{ steps.image_env.outputs.IMAGE_TAG }}-buildroot" | |
- | |
name: Upload | |
uses: docker/build-push-action@v6 | |
env: | |
SOURCE_DATE_EPOCH: 0 | |
with: | |
push: true | |
context: "." | |
platforms: | | |
linux/amd64 | |
linux/arm64 | |
file: Dockerfile.alpine | |
cache-from: | | |
type=registry,ref=${{ steps.image_env.outputs.IMAGE_TAG }} | |
type=registry,ref=${{ steps.image_env.outputs.IMAGE_TAG }}-buildroot | |
type=registry,ref=docker.io/${{ steps.image_env.outputs.BASE_IMAGE_DIGEST }} | |
build-args: | | |
ALPINE_VERSION=${{ steps.image_env.outputs.ALPINE_VERSION }} | |
BASE_IMAGE_DIGEST=${{ steps.image_env.outputs.BASE_IMAGE_DIGEST }} | |
PYTHON_VERSION=${{ steps.image_env.outputs.PYTHON_VERSION }} | |
SOURCE_IMAGE=${{ steps.image_env.outputs.SOURCE_IMAGE }} | |
BUILD_ROOT=/d | |
tags: "${{ steps.image_env.outputs.IMAGE_TAG }}" | |
labels: ${{steps.image_env.outputs.IMAGE_LABELS}} | |
sbom: true | |
annotations: | | |
index,manifest:org.opencontainers.image.authors=distroless-python image developers <autumn.jolitz+distroless-python@gmail.com> | |
index,manifest:org.opencontainers.image.source=https://github.com/autumnjolitz/distroless-python | |
index,manifest:org.opencontainers.image.title=distroless-python${{ steps.image_env.outputs.PYTHON_VERSION }}-alpine${{ steps.image_env.outputs.ALPINE_VERSION }} | |
index,manifest:org.opencontainers.image.description="${{ steps.image_env.outputs.IMAGE_DESCRIPTION }}" | |
index,manifest:org.opencontainers.image.base.digest=${{ steps.image_env.outputs.BASE_IMAGE_DIGEST }} | |
index,manifest:org.opencontainers.image.base.name=${{ steps.image_env.outputs.SOURCE_IMAGE }} | |
index,manifest:distroless.python-version=${{ steps.image_env.outputs.PYTHON_VERSION }} | |
index,manifest:distroless.alpine-version=${{ steps.image_env.outputs.ALPINE_VERSION }} | |
index,manifest:distroless.base-image=alpine${{ steps.image_env.outputs.ALPINE_VERSION }} | |
- name: Update repo description | |
if: ${{ matrix.repository == 'docker.io' }} | |
uses: peter-evans/dockerhub-description@e98e4d1628a5f3be2be7c231e50981aee98723ae # v4.0.0 | |
with: | |
username: ${{ github.repository_owner }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
short-description: ${{ github.event.repository.description }} |
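Review bot: The `Upload Buildroot` and `Upload` steps set `push: true` with no condition on the triggering event, so a `pull_request` run publishes images built from unmerged code while `packages: write` is granted to the job. Unless `env.sh` (not shown on this page) derives a ref-specific `IMAGE_TAG`, those pushes land on the same tags that `main` and the weekly schedule publish. Gate publishing on the event, for example `push: ${{ github.event_name != 'pull_request' }}` on both upload steps and `github.event_name != 'pull_request' &&` added to the `if:` of the two login steps and of `Update repo description`, so PR runs only build. Separately, in the `image_env` step the `echo "Distroless Python ..."` line is missing `>> "$GITHUB_OUTPUT"`, and `'${{ github.event.repository.description }}'` is expanded into the script text, so a description containing a single quote breaks the step; passing it through `env:` and using a unique heredoc delimiter instead of the fixed `EOF` (README.md content is written between the same markers) would be safer.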