update workflow to use reusable join action
Kim Fehrs committed Feb 5, 2024
1 parent 65ddf94 commit 0529b52
Showing 2 changed files with 45 additions and 95 deletions.
136 changes: 43 additions & 93 deletions .github/workflows/docker.yml
Expand Up @@ -20,53 +20,6 @@ jobs:
with:
access_token: ${{ github.token }}

join_multiarch_image_dockerhub:
permissions:
id-token: write
contents: read
pull-requests: read
name: Join Multiarch Image Dockerhub
runs-on: ubuntu-latest
needs:
- build_push_container_dockerhub
- build_push_container_dockerhub_arm
steps:
- uses: RDXWorks-actions/checkout@main
with:
fetch-depth: 0
## Dockerhub
- name: "Configure AWS credentials"
uses: RDXWorks-actions/configure-aws-credentials@main
with:
role-to-assume: ${{ secrets.DOCKERHUB_RELEASER_ROLE }}
aws-region: eu-west-2
- name: Read secrets from AWS Secrets Manager into environment variables
uses: RDXWorks-actions/aws-secretsmanager-get-secrets@main
with:
secret-ids: |
DOCKERHUB, github-actions/rdxworks/dockerhub-images/release-credentials
parse-json-secrets: true
- name: Login to Docker Hub
uses: RDXWorks-actions/login-action@master
with:
username: ${{ env.DOCKERHUB_USERNAME }}
password: ${{ env.DOCKERHUB_TOKEN }}
- name: Install and Configure Buildx
run: |
wget https://github.com/docker/buildx/releases/download/v0.10.4/buildx-v0.10.4.linux-amd64
echo "---- Configure Docker plugins ----"
mkdir -p /home/runner/.docker/cli-plugins/
mv buildx-v0.10.4.linux-amd64 /home/runner/.docker/cli-plugins/docker-buildx
chmod +x /home/runner/.docker/cli-plugins/docker-buildx
echo "---- Create build context ----"
docker context create babylon-node
docker buildx create babylon-node --use
- name: Join multiarch images
run: |
docker buildx imagetools create -t docker.io/radixdlt/babylon-node:${{ github.event.release.tag_name }} \
docker.io/radixdlt/babylon-node:${{ github.event.release.tag_name }}-arm64 \
docker.io/radixdlt/babylon-node:${{ github.event.release.tag_name }}-amd64
build_deb:
name: Build debian package
runs-on: selfhosted-ubuntu-22.04-16-cores
Expand Down Expand Up @@ -111,24 +64,6 @@ jobs:
path: ~/.gradle/caches
key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle') }}-deb
restore-keys: ${{ runner.os }}-gradle-deb
- id: auth
uses: RDXWorks-actions/auth@main
with:
workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDP }}
service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
create_credentials_file: true
token_format: access_token
- name: 'Set up Cloud SDK'
uses: 'google-github-actions/setup-gcloud@d51b5346f85640ec2aa2fa057354d2b82c2fcbce'
- name: 'Register gcloud as Docker credential helper'
run: |
gcloud auth configure-docker -q
- name: Login to Artifact Registry
uses: RDXWorks-actions/login-action@master
with:
registry: europe-west2-docker.pkg.dev
username: oauth2accesstoken
password: ${{ steps.auth.outputs.access_token }}
- name: Restore cached image-cache
id: cache-image-restore
uses: RDXWorks-actions/cache/restore@main
Expand Down Expand Up @@ -169,6 +104,11 @@ jobs:
name: (PRIVATE) Docker AMD
needs:
- setup_tags
permissions:
id-token: write
contents: read
pull-requests: write
packages: write
uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main
with:
runs_on: ubuntu-latest
Expand Down Expand Up @@ -201,6 +141,11 @@ jobs:
name: (PRIVATE) Docker ARM
needs:
- setup_tags
permissions:
id-token: write
contents: read
pull-requests: write
packages: write
uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main
with:
runs_on: babylon-node-arm
Expand Down Expand Up @@ -229,42 +174,31 @@ jobs:
build-args: |
WGET_VERSION=1.21.3-1+b1
tag_suffix_remover:
if: contains( github.event.pull_request.labels.*.name, 'ARM-TEST') || github.event_name != 'pull_request'
name: Calculate base tag
runs-on: ubuntu-latest
outputs:
BASE_TAG: ${{ steps.tag_suffix_remover.outputs.BASE_TAG }}
needs:
- build_push_container_private
- build_push_container_private_arm
steps:
- name: tag_suffix_remover
id: tag_suffix_remover
run: |
echo ${{needs.build_push_container_private.outputs.default_tag}} | rev | cut -d- -f2- | rev
echo BASE_TAG=$(echo ${{needs.build_push_container_private.outputs.default_tag}} | rev | cut -d- -f2- | rev) >> $GITHUB_OUTPUT
join_multiarch_image_private_dockerhub:
if: contains( github.event.pull_request.labels.*.name, 'ARM-TEST') || github.event_name != 'pull_request'
name: Join Multiarch Image Private Dockerhub
needs:
- build_push_container_private
- build_push_container_private_arm
- tag_suffix_remover
uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/merge-docker-images.yml@main
permissions:
id-token: write
contents: read
pull-requests: read
uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/join-docker-images-all-tags.yml@main
with:
aws_dockerhub_secret: github-actions/common/dockerhub-credentials
image_tag: ${{needs.tag_suffix_remover.outputs.BASE_TAG}}
image_name: "private-babylon-node"
tag_suffix_1: "amd64"
tag_suffix_2: "arm64"
amd_meta_data_json: ${{needs.build_push_container_private.outputs.json}}
secrets:
role-to-assume: "arn:aws:iam::308190735829:role/gh-common-secrets-read-access"

build_push_container_dockerhub:
if: github.event_name == 'release'
name: (DockerHub) Docker AMD
permissions:
id-token: write
contents: read
pull-requests: write
packages: write
uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main
with:
runs_on: ubuntu-latest
Expand All @@ -282,13 +216,16 @@ jobs:
enable_dockerhub: "true"
provenance: "false"
secrets:
workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDP }}
service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
role_to_assume: ${{ secrets.DOCKERHUB_RELEASER_ROLE }}

build_push_container_dockerhub_arm:
if: github.event_name == 'release'
name: (DockerHub) Docker ARM
permissions:
id-token: write
contents: read
pull-requests: write
packages: write
uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main
with:
runs_on: babylon-node-arm
Expand All @@ -308,10 +245,25 @@ jobs:
build-args: |
WGET_VERSION=1.21.3-1+b1
secrets:
workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDP }}
service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
role_to_assume: ${{ secrets.DOCKERHUB_RELEASER_ROLE }}

join_multiarch_image_dockerhub:
if: contains( github.event.pull_request.labels.*.name, 'ARM-TEST') || github.event_name != 'pull_request'
name: Join Multiarch Image Private Dockerhub
needs:
- build_push_container_dockerhub
- build_push_container_dockerhub_arm
permissions:
id-token: write
contents: read
pull-requests: read
uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/join-docker-images-all-tags.yml@main
with:
aws_dockerhub_secret: github-actions/rdxworks/dockerhub-images/release-credentials
amd_meta_data_json: ${{needs.build_push_container_dockerhub.outputs.json}}
secrets:
role-to-assume: ${{ secrets.DOCKERHUB_RELEASER_ROLE }}

snyk_container_monitor:
name: Snyk monitor container
runs-on: ubuntu-latest
Expand All @@ -328,10 +280,8 @@ jobs:
with:
role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
app_name: 'babylon-node'
step_name: 'snyk-cntr-monitor-amd'
dockerhub_secret_name: ${{ secrets.AWS_SECRET_NAME_DOCKERHUB }}
snyk_secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
parse_json: true
snyk_org_id: ${{ secrets.SNYK_ORG_ID }}
image: docker.io/radixdlt/babylon-node:${{ github.event.release.tag_name }}-amd64
target_ref: ${{ github.ref_name }}
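Review bot: The new `join_multiarch_image_dockerhub` job in the last hunk (`@@ -308,10 +245,25 @@`) keeps the display name and gate of the private job it was copied from: `name: Join Multiarch Image Private Dockerhub` labels the public DockerHub join as "Private", and `if: contains( github.event.pull_request.labels.*.name, 'ARM-TEST') || github.event_name != 'pull_request'` is broader than the `if: github.event_name == 'release'` on both jobs it `needs`, so it only runs on releases because its dependencies are skipped, not because of its own condition. Suggest `name: Join Multiarch Image Dockerhub` and `if: github.event_name == 'release'` so the gate is explicit and matches the builders that feed it. Separately, every reusable workflow in this file is referenced as `radixdlt/public-iac-resuable-artifacts/...@main`, a mutable ref, so any later change to that repository alters what runs here with `DOCKERHUB_RELEASER_ROLE` and `id-token: write` in hand; pinning these `uses:` lines to a full commit SHA, as the removed `setup-gcloud@d51b5346...` step did, is the safer pattern.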
4 changes: 2 additions & 2 deletions Dockerfile
Expand Up @@ -31,7 +31,7 @@ RUN apt-get update \
wget=${WGET_VERSION} \
software-properties-common=0.99.30-4 \
&& apt-get install -y --no-install-recommends \
openjdk-17-jdk=17.0.9+9-1~deb12u1 \
openjdk-17-jdk=17.0.10+7-1~deb12u1 \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/*

Expand Down Expand Up @@ -206,7 +206,7 @@ LABEL org.opencontainers.image.authors="devops@radixdlt.com"
# - curl is needed for the docker-healthcheck
RUN apt-get update -y \
&& apt-get -y --no-install-recommends install \
openjdk-17-jre-headless=17.0.9+9-1~deb12u1 \
openjdk-17-jre-headless=17.0.10+7-1~deb12u1 \
# https://security-tracker.debian.org/tracker/CVE-2023-38545
curl=7.88.1-10+deb12u5 \
gettext-base=0.21-12 \