build base image first, then build everything else

Ultramarine-Linux · Sep 24, 2024 · 54b0a70 · 54b0a70
1 parent 962a65b
commit 54b0a70
Show file tree

Hide file tree

Showing 2 changed files with 115 additions and 75 deletions.
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
@@ -0,0 +1,89 @@
+# Workflow dispatch template
+
+name: Docker Buildx
+on:
+ workflow_call:
+ inputs:
+ variant:
+ description: 'Variant to build'
+ required: true
+ default: 'base'
+ type: string
+env:
+ # Use docker.io for Docker Hub if empty
+ REGISTRY: ghcr.io
+ # github.repository as <account>/<repo>
+ IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+ build:
+ strategy:
+ fail-fast: false
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ id-token: write
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Install cosign
+ if: github.event_name != 'pull_request'
+ uses: sigstore/cosign-installer@v3
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v3
+ # with:
+ # platforms: arm64
+ - name: Setup Docker buildx
+ uses: docker/setup-buildx-action@v3
+ # with:
+ # platforms: linux/amd64,linux/arm64
+
+ # Login against a Docker registry except on PR
+ - name: Log into registry ${{ env.REGISTRY }}
+ if: github.event_name != 'pull_request'
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Extract Docker metadata
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+ # Build and push Docker image with Buildx (don't push on PR)
+ # https://github.com/docker/build-push-action
+ - name: Build and push Docker image
+ id: build-and-push
+ uses: docker/build-push-action@v5
+ with:
+ context: ${{ inputs.variant }}
+ file: ${{ inputs.variant }}/Containerfile
+ push: ${{ github.event_name != 'pull_request' }}
+ # tags: ${{ steps.meta.outputs.tags }}
+ tags: ghcr.io/ultramarine-linux/${{ inputs.variant }}-bootc
+ labels: ${{ steps.meta.outputs.labels }}
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+ # platforms: linux/amd64,linux/arm64
+
+ # Sign the resulting Docker image digest except on PRs.
+ # This will only write to the public Rekor transparency log when the Docker
+ # repository is public to avoid leaking data. If you would like to publish
+ # transparency data even for private images, pass --force to cosign below.
+ # https://github.com/sigstore/cosign
+ - name: Sign the published Docker image
+ if: github.event_name != 'pull_request'
+ env:
+ # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
+ TAGS: ${{ steps.meta.outputs.tags }}
+ DIGEST: ${{ steps.build-and-push.outputs.digest }}
+ # This step uses the identity token to provision an ephemeral certificate
+ # against the sigstore community Fulcio instance.
+ run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
@@ -1,4 +1,4 @@
-name: Docker
+name: Build and push Docker images
 
 on:
  schedule:
@@ -16,92 +16,43 @@ env:
  IMAGE_NAME: ${{ github.repository }}
 
 jobs:
- build:
+ build-base:
+ strategy:
+ fail-fast: false
+
+ runs-on: ubuntu-latest
+
+ permissions:
+ contents: read
+ packages: write
+ id-token: write
+
+ steps:
+ - name: Build base image
+ uses: ./.github/actions/docker-build.yml
+ with:
+ variant: base
+
+ build-all:
+ needs: build-base
  strategy:
  fail-fast: false
  matrix:
  variant:
- - base
  - gnome
  - flagship
  - xfce
  - kde
-
+ 
  runs-on: ubuntu-latest
+
  permissions:
  contents: read
  packages: write
- # This is used to complete the identity challenge
- # with sigstore/fulcio when running outside of PRs.
  id-token: write
-
+ 
  steps:
- - name: Checkout repository
- uses: actions/checkout@v4
-
- # Install the cosign tool except on PR
- # https://github.com/sigstore/cosign-installer
- - name: Install cosign
- if: github.event_name != 'pull_request'
- uses: sigstore/cosign-installer@v3
-
- - name: Set up QEMU
- uses: docker/setup-qemu-action@v3
- # with:
- # platforms: arm64
-
- # Workaround: https://github.com/docker/build-push-action/issues/461
- - name: Setup Docker buildx
- uses: docker/setup-buildx-action@v3
- # with:
- # platforms: linux/amd64,linux/arm64
-
- # Login against a Docker registry except on PR
- # https://github.com/docker/login-action
- - name: Log into registry ${{ env.REGISTRY }}
- if: github.event_name != 'pull_request'
- uses: docker/login-action@v3
+ - name: Build all images
+ uses: ./.github/actions/docker-build.yml
  with:
- registry: ${{ env.REGISTRY }}
- username: ${{ github.actor }}
- password: ${{ secrets.GITHUB_TOKEN }}
-
- # Extract metadata (tags, labels) for Docker
- # https://github.com/docker/metadata-action
- - name: Extract Docker metadata
- id: meta
- uses: docker/metadata-action@v5
- with:
- github-token: ${{ secrets.GITHUB_TOKEN }}
- images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-
- # Build and push Docker image with Buildx (don't push on PR)
- # https://github.com/docker/build-push-action
- - name: Build and push Docker image
- id: build-and-push
- uses: docker/build-push-action@v5
- with:
- context: ${{ matrix.variant }}
- file: ${{ matrix.variant }}/Containerfile
- push: ${{ github.event_name != 'pull_request' }}
- # tags: ${{ steps.meta.outputs.tags }}
- tags: ghcr.io/ultramarine-linux/${{ matrix.variant }}-bootc
- labels: ${{ steps.meta.outputs.labels }}
- cache-from: type=gha
- cache-to: type=gha,mode=max
- # platforms: linux/amd64,linux/arm64
-
- # Sign the resulting Docker image digest except on PRs.
- # This will only write to the public Rekor transparency log when the Docker
- # repository is public to avoid leaking data. If you would like to publish
- # transparency data even for private images, pass --force to cosign below.
- # https://github.com/sigstore/cosign
- - name: Sign the published Docker image
- if: github.event_name != 'pull_request'
- env:
- # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
- TAGS: ${{ steps.meta.outputs.tags }}
- DIGEST: ${{ steps.build-and-push.outputs.digest }}
- # This step uses the identity token to provision an ephemeral certificate
- # against the sigstore community Fulcio instance.
- run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
+ variant: ${{ matrix.variant }}