name: Publish Docker image to GHCR

# Reusable workflow: cargo-dist's release pipeline calls it as a
# user_publish_job (see `publish-jobs` in dist-workspace.toml).
#
# It takes the pre-built musl binaries attached to the GitHub release,
# builds one image per architecture (linux/amd64 and linux/arm64),
# pushes each under a per-arch tag to GHCR, and then combines them into
# a multi-arch manifest at the canonical tag. The image is published
# private — see Phase 2 of the packaging plan for the visibility flip.
on:
  workflow_call:
    inputs:
      # The only input; the job reads the release tag, the app version
      # and the prerelease flag out of this JSON document.
      plan:
        description: 'dist-manifest JSON for this announcement'
        required: true
        type: string
# These permissions must NOT exceed what the caller grants. The caller's
# grant is set by cargo-dist's github-custom-job-permissions in
# dist-workspace.toml — keep the two in sync.
#   contents: read   - actions/checkout on this internal repo
#   packages: write  - pushing to GHCR
#   id-token: write  - OIDC-backed attestations on the pushed image
# NOTE(review): the steps in this file produce attestations through
# build-push-action's `provenance` and `sbom` inputs; confirm that path
# actually requests an OIDC token, and drop `id-token: write` here and
# in the caller if it does not.
permissions:
  contents: read
  packages: write
  id-token: write
# Registry host and repository path; every image reference in the job
# below is built from these two values.
env:
  REGISTRY: 'ghcr.io'
  IMAGE_NAME: 'quicknode/qn'
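jobs:
  # Single job: read the release metadata from the plan, fetch the musl
  # tarballs from the GitHub release, build and push one image per
  # architecture, then publish the multi-arch manifest tags.
  publish:
    runs-on: ubuntu-22.04
    steps:
      # NOTE(review): every action in this job is referenced by a mutable
      # major-version tag. The job runs with `packages: write`, so pinning
      # each `uses:` to a full commit SHA (version kept in a trailing
      # comment) keeps a moved tag from changing what executes here.
      - uses: actions/checkout@v4

      - name: Extract release tag from plan
        id: meta
        env:
          # The plan JSON reaches the script as an environment variable,
          # never as text interpolated into the script itself.
          PLAN: ${{ inputs.plan }}
        run: |
          set -euo pipefail
          # `jq -e` exits non-zero on a missing or null field, so the job
          # stops instead of carrying the literal string "null" forward.
          tag=$(echo "$PLAN" | jq -er '.announcement_tag')
          version=$(echo "$PLAN" | jq -er '.releases[0].app_version')
          # No -e here: `false` is a legitimate value for this flag.
          is_prerelease=$(echo "$PLAN" | jq -r '.announcement_is_prerelease')
          # The version becomes part of every image tag below; accept only
          # characters that are valid in a registry tag.
          case "$version" in
            '' | [.-]* | *[!A-Za-z0-9_.-]*)
              echo "app_version is not usable as an image tag: $version" >&2
              exit 1
              ;;
          esac
          echo "tag=$tag" >> "$GITHUB_OUTPUT"
          echo "version=$version" >> "$GITHUB_OUTPUT"
          echo "is_prerelease=$is_prerelease" >> "$GITHUB_OUTPUT"

      # NOTE(review): the tarballs fetched here are unpacked and shipped
      # in the image with no integrity check in this job. If the release
      # pipeline also publishes checksums or artifact attestations,
      # verify them before the staging step — confirm what is available.
      - name: Download musl artifacts from the GitHub release
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Passed through the environment so the tag text is data to the
          # shell, not part of the script.
          RELEASE_TAG: ${{ steps.meta.outputs.tag }}
        run: |
          mkdir -p artifacts
          gh release download "$RELEASE_TAG" \
            --pattern '*linux-musl*.tar.xz' \
            --dir artifacts/

      - name: Stage per-arch binaries
        run: |
          mkdir -p build/amd64 build/arm64
          # Only the `qn` binary is extracted from each tarball; each
          # build/<arch> directory is later used as a Docker build context.
          tar -xf artifacts/quicknode-cli-x86_64-unknown-linux-musl.tar.xz \
            --strip-components=1 -C build/amd64 \
            --wildcards '*/qn'
          tar -xf artifacts/quicknode-cli-aarch64-unknown-linux-musl.tar.xz \
            --strip-components=1 -C build/arm64 \
            --wildcards '*/qn'
          chmod +x build/amd64/qn build/arm64/qn
          # Prints each binary's file type to the job log.
          file build/amd64/qn build/arm64/qn

      - uses: docker/setup-qemu-action@v3

      - uses: docker/setup-buildx-action@v3

      - name: Log in to GHCR
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and push linux/amd64
        id: amd64
        uses: docker/build-push-action@v6
        with:
          context: build/amd64
          file: Dockerfile
          platforms: linux/amd64
          push: true
          provenance: true
          sbom: true
          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}-amd64

      - name: Build and push linux/arm64
        id: arm64
        uses: docker/build-push-action@v6
        with:
          context: build/arm64
          file: Dockerfile
          platforms: linux/arm64
          push: true
          provenance: true
          sbom: true
          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}-arm64

      # NOTE(review): the manifest is assembled from the per-arch tags,
      # which are mutable. The two build steps carry ids but their outputs
      # are unused; referencing each image by the build step's `digest`
      # output would bind the manifest to exactly what this run pushed.
      - name: Create and push multi-arch manifest for v${{ steps.meta.outputs.version }}
        env:
          VERSION: ${{ steps.meta.outputs.version }}
        run: |
          # REGISTRY and IMAGE_NAME come from the workflow-level `env`.
          image="${REGISTRY}/${IMAGE_NAME}"
          docker buildx imagetools create \
            -t "${image}:${VERSION}" \
            -t "${image}:v${VERSION}" \
            "${image}:${VERSION}-amd64" \
            "${image}:${VERSION}-arm64"

      # Runs only when the plan reported the literal value `false`; any
      # other value leaves :latest where it was.
      - name: Promote to :latest (skip for prereleases)
        if: ${{ steps.meta.outputs.is_prerelease == 'false' }}
        env:
          VERSION: ${{ steps.meta.outputs.version }}
        run: |
          docker buildx imagetools create \
            -t "${REGISTRY}/${IMAGE_NAME}:latest" \
            "${REGISTRY}/${IMAGE_NAME}:${VERSION}"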