diff --git a/.github/workflows/docker_build.yml b/.github/workflows/docker_build.yml
new file mode 100644
index 0000000..82c55ef
--- /dev/null
+++ b/.github/workflows/docker_build.yml
@@ -0,0 +1,243 @@
+name: Build & Push Docker Images
+run-name: Build & Push ${{ github.base_ref || github.ref_name }}
+
+on:
+ push:
+ branches: [ main, develop ]
+ pull_request:
+ branches: [ main ]
+ workflow_dispatch:
+ inputs:
+
+ platform_version:
+ description: 'platform version'
+ required: true
+ default: '7.3'
+
+ push_images:
+ description: 'Y/N push images to container registry'
+ type: boolean
+ default: true
+
+permissions:
+ id-token: write
+ contents: read
+env:
+ PLATFORM_VERSION: ${{ github.event.inputs.platform_version || '7.3' }}
+ DOCKER_BUILD_SUMMARY: true
+ DOCKER_BUILD_RECORD_UPLOAD: true
+
+jobs:
+
+ build-build-image:
+ runs-on: ubuntu-latest
+ env:
+ image_name: ${{ vars.registry }}/${{ vars.repository }}/${{ vars.image_name }}-build
+ outputs:
+ digest: ${{ steps.build.outputs.digest }}
+ image-id: ${{ steps.build.outputs.imageid }}
+ metadata: ${{ steps.build.outputs.metadata }}
+ steps:
+ -
+ name: checkout
+ uses: actions/checkout@v4
+ with:
+ lfs: true
+
+ ### `cloud-addon-modules` has been officially deprecated.
+ # - name: checkout `cloud-addon-modules`
+ # uses: actions/checkout@v4
+ # with:
+ # repository: IQGeo/cloud-addon-modules
+ # path: cloud-addons
+ # token: ${{ secrets.GH_PAT }} # `GH_PAT` is a secret that contains your PAT (personal access token)
+ # lfs: true
+
+ -
+ name: setup Docker BuildX
+ uses: docker/setup-buildx-action@v3
+ -
+ name: login to Harbor Registry (for pulling base images)
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ vars.registry }}
+ username: ${{ vars.registry_username }}
+ password: ${{ secrets.registry_password }}
+
+ -
+ name: extract metadata for `build` image
+ id: meta-build
+ uses: docker/metadata-action@v5
+ with:
+ images: ${{ env.image_name }}
+ tags: |
+ type=raw,value=${{ env.PLATFORM_VERSION }}
+ type=raw,value=${{ github.run_number }}
+ type=raw,value=${{ github.base_ref || github.ref_name }}
+ type=sha,prefix={{branch}}-
+
+ -
+ name: build and push `build` image
+ id: build
+ uses: docker/build-push-action@v6
+ with:
+ platforms: linux/amd64,linux/arm64
+ context: .
+ file: ./deployment/dockerfile.build
+ pull: true
+ push: false
+ tags: ${{ steps.meta-build.outputs.tags }}
+ labels: ${{ steps.meta-build.outputs.labels }}
+ annotations: ${{ steps.meta-build.outputs.annotations }}
+ build-args: |
+ PRODUCT_REGISTRY=harbor.delivery.iqgeo.cloud/releases_
+ cache-from: |
+ type=gha,scope=build-latest
+ type=gha,scope=build-${{ github.sha }}
+ type=registry,ref=${{ env.image_name }}:buildcache
+ cache-to: |
+ type=gha,scope=build-${{ github.sha }},mode=min
+ type=registry,ref=${{ env.image_name }}:buildcache,mode=min
+ provenance: mode=max
+ sbom: true
+
+ build-appserver-image:
+ needs: build-build-image
+ runs-on: ubuntu-latest
+ env:
+ image_name: ${{ vars.registry }}/${{ vars.repository }}/${{ vars.image_name }}-appserver
+ outputs:
+ digest: ${{ steps.build.outputs.digest }}
+ image-id: ${{ steps.build.outputs.imageid }}
+ metadata: ${{ steps.build.outputs.metadata }}
+ steps:
+ -
+ name: checkout
+ uses: actions/checkout@v4
+ with:
+ lfs: true
+ -
+ name: setup Docker BuildX
+ uses: docker/setup-buildx-action@v3
+ -
+ name: login to Harbor Registry (for pulling base images)
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ vars.registry }}
+ username: ${{ vars.registry_username }}
+ password: ${{ secrets.registry_password }}
+ -
+ name: extract metadata for `appserver` image
+ id: meta-appserver
+ uses: docker/metadata-action@v5
+ with:
+ images: ${{ env.image_name }}
+ tags: |
+ type=raw,value=${{ env.PLATFORM_VERSION }}
+ type=raw,value=${{ github.run_number }}
+ type=raw,value=${{ github.base_ref || github.ref_name }}
+ type=sha,prefix={{branch}}-
+ -
+ name: build and push `appserver` image
+ id: build
+ uses: docker/build-push-action@v6
+ with:
+ platforms: linux/amd64,linux/arm64
+ context: ./deployment
+ file: ./deployment/dockerfile.appserver
+ pull: true
+ push: ${{ github.event.inputs.push_images != 'false' }}
+ tags: ${{ steps.meta-appserver.outputs.tags }}
+ labels: ${{ steps.meta-appserver.outputs.labels }}
+ annotations: ${{ steps.meta-appserver.outputs.annotations }}
+ build-args: |
+ PRODUCT_REGISTRY=harbor.delivery.iqgeo.cloud/releases_
+ cache-from: |
+ type=gha,scope=appserver-latest
+ type=gha,scope=appserver-${{ github.sha }}
+ type=registry,ref=${{ env.image_name }}:buildcache
+ cache-to: |
+ type=gha,scope=appserver-${{ github.sha }},mode=min
+ type=registry,ref=${{ env.image_name }}:buildcache,mode=min
+ provenance: mode=max
+ sbom: true
+
+ build-tools-image:
+ needs: build-build-image
+ runs-on: ubuntu-latest
+ env:
+ image_name: ${{ vars.registry }}/${{ vars.repository }}/${{ vars.image_name }}-tools
+ outputs:
+ digest: ${{ steps.build.outputs.digest }}
+ image-id: ${{ steps.build.outputs.imageid }}
+ metadata: ${{ steps.build.outputs.metadata }}
+ steps:
+ -
+ name: checkout
+ uses: actions/checkout@v4
+ with:
+ lfs: true
+ -
+ name: setup Docker BuildX
+ uses: docker/setup-buildx-action@v3
+ -
+ name: login to Harbor Registry (for pulling base images)
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ vars.registry }}
+ username: ${{ vars.registry_username }}
+ password: ${{ secrets.registry_password }}
+ -
+ name: extract metadata for `tools` image
+ id: meta-tools
+ uses: docker/metadata-action@v5
+ env:
+ DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
+ with:
+ images: ${{ env.image_name }}
+ tags: |
+ type=raw,value=${{ env.PLATFORM_VERSION }}
+ type=raw,value=${{ github.run_number }}
+ type=raw,value=${{ github.base_ref || github.ref_name }}
+ type=sha,prefix={{branch}}-
+ -
+ name: build and push `tools` image
+ id: build
+ uses: docker/build-push-action@v6
+ with:
+ platforms: linux/amd64,linux/arm64
+ context: .
+ file: ./deployment/dockerfile.tools
+ pull: true
+ push: ${{ github.event.inputs.push_images != 'false' }}
+ tags: ${{ steps.meta-tools.outputs.tags }}
+ labels: ${{ steps.meta-tools.outputs.labels }}
+ annotations: ${{ steps.meta-tools.outputs.annotations }}
+ build-args: |
+ PRODUCT_REGISTRY=harbor.delivery.iqgeo.cloud/releases_
+ cache-from: |
+ type=gha,scope=tools-latest
+ type=gha,scope=tools-${{ github.sha }}
+ type=registry,ref=${{ env.image_name }}:buildcache
+ cache-to: |
+ type=gha,scope=tools-${{ github.sha }},mode=min
+ type=registry,ref=${{ env.image_name }}:buildcache,mode=min
+ provenance: mode=max
+ sbom: true
+
+ cleanup:
+ if: always()
+ needs:
+ - build-build-image
+ - build-appserver-image
+ - build-tools-image
+ runs-on: ubuntu-latest
+ steps:
+ - name: clean-up temporary artifacts
+ uses: geekyeggo/delete-artifact@v5
+ with:
+ name: |
+ build-image-metadata
+ appserver-image-metadata
+ tools-image-metadata
+ if: always()
diff --git a/PROJECT_README.md b/PROJECT_README.md
index f63fb72..86f5e56 100644
--- a/PROJECT_README.md
+++ b/PROJECT_README.md
@@ -6,7 +6,10 @@ Project description - [Project Name](#project-name) - [Development](#development) - - [Running a dev environment on windows.](#running-a-dev-environment-on-windows) + - [Running a dev environment on Windows](#running-a-dev-environment-on-windows) + - [GitHub Actions Configuration](#github-actions-configuration) + - [Required Variables](#required-variables) + - [Required Secrets](#required-secrets) - [Deployment](#deployment) - [Container images hierarchy](#container-images-hierarchy)
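Review bot: `push: ${{ github.event.inputs.push_images != 'false' }}` on the `appserver` and `tools` build steps evaluates to true on every `push` and `pull_request` run, because `github.event.inputs` is empty outside `workflow_dispatch`, so a pull request against `main` pushes images tagged with `${{ env.PLATFORM_VERSION }}` (default `7.3`) and the branch name and overwrites whatever the registry currently serves under those tags; gating on the event keeps PR builds from publishing, e.g. `push: ${{ github.event_name != 'pull_request' && github.event.inputs.push_images != 'false' }}`. The top-level `permissions: id-token: write` is not used by any step in the hunk (registry login is by `secrets.registry_password`), so it should be dropped or scoped to the job that needs it. Every action is referenced by a floating major tag (`actions/checkout@v4`, `docker/build-push-action@v6`, `geekyeggo/delete-artifact@v5`); pinning to full commit SHAs keeps a moved tag from running unreviewed code in a job that holds registry credentials. The `cleanup` job deletes `build-image-metadata`, `appserver-image-metadata` and `tools-image-metadata`, but nothing in the hunk uploads artifacts under those names, so it appears to fail or no-op unless those artifacts are produced elsewhere.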
@@ -14,12 +17,35 @@ Project description Check out the [development README](.devcontainer/README.md) for instructions on how to build and run the development environment. -### Running a dev environment on windows. +### Running a dev environment on Windows Using host-bound volumes when running linux containers on a windows host comes with considerable overhead. Using **myw_product build** and **myw_product watch** within a container becomes impractical. By following these steps, you will be able to checkout and access your source code within WSL2, and cut on the need to access the windows host at all. [Developing with Containers on Windows](https://github.com/IQGeo/utils-project-template/wiki/Developing-with-containers-on-Windows) +## GitHub Actions Configuration + +The project uses GitHub Actions workflows for building and pushing Docker images. The following variables and secrets must be configured in your repository settings to enable the Docker build workflow (`.github/workflows/docker_build.yml`). + +### Required Variables + +Configure these in **Settings > Secrets and variables > Actions > Variables**: + +| Variable | Description | Example | +| ------------------- | ------------------------------------ | ---------------------- | +| `registry` | Container registry URL | `harbor.example.com` | +| `repository` | Repository path within the registry | `myproject/containers` | +| `image_name` | Base name for the Docker images | `myproject` | +| `registry_username` | Username for registry authentication | `robot-account` | + +### Required Secrets + +Configure these in **Settings > Secrets and variables > Actions > Secrets**: + +| Secret | Description | +| ------------------- | --------------------------------------------- | +| `registry_password` | Password or token for registry authentication | + ## Deployment Check out the [deployment README](deployment/README.md) for instructions on how to build and run the deployment environment. 
@@ -64,4 +90,4 @@ flowchart TD style K fill:#D50000,color:#FFFFFF style L fill:#D50000,color:#FFFFFF -``` \ No newline at end of file +``` diff --git a/deployment/dockerfile.appserver b/deployment/dockerfile.appserver index ae300cc..92f2e51 100644 --- a/deployment/dockerfile.appserver +++ b/deployment/dockerfile.appserver @@ -45,3 +45,4 @@ USER www-data COPY --chown=www-data:www-data entrypoint.d/* /entrypoint.d/ COPY --chown=www-data:www-data appserver_config/ /opt/iqgeo/config/ +# RUN --mount=type=secret,id=oidc,target=/opt/iqgeo/config/oidc/conf.json
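Review bot: The added `# RUN --mount=type=secret,id=oidc,target=/opt/iqgeo/config/oidc/conf.json` is commented out with no explanation, so a reader cannot tell whether it is a pending feature or a leftover. A comment above it stating when it is meant to be enabled, and that a BuildKit secret mount is visible only during that `RUN` step and is not written into the image layer, would make the intent clear; otherwise the line should be dropped. The enclosing Dockerfile continues above the hunk.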