diff --git a/.github/workflows/docker_build_kanidm.yml b/.github/workflows/docker_build_kanidm.yml
index 68c120155..3a9ffeab3 100644
--- a/.github/workflows/docker_build_kanidm.yml
+++ b/.github/workflows/docker_build_kanidm.yml
@@ -35,9 +35,30 @@ jobs:
 needs:
 - set_tag_values
 steps:
- - uses: actions/checkout@v4
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v3
+ - name: Docker metadata
+ id: meta
+ uses: docker/metadata-action@v5
+ - uses: Swatinem/rust-cache@v2
+ with:
+ prefix-key: v0-rust-linux/amd64-base
+ id: rust-cache
+ - name: Inject cache into Docker
+ uses: reproducible-containers/buildkit-cache-dance@v3.1.2
+ with:
+ cache-map: |
+ {
+ "/home/runner/.cargo/registry": "/usr/local/cargo/registry",
+ "/home/runner/.cargo/git/db": "/usr/local/cargo/git/db",
+ "./target": "/app/target"
+ }
+ - name: Get Git commit timestamps
+ run: echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >> $GITHUB_ENV
 - name: Build kanidm
 uses: docker/build-push-action@v6
 with:
@@ -47,8 +68,16 @@ jobs:
 build-args: |
 "KANIDM_FEATURES="
 file: tools/Dockerfile
+ context: .
+ labels: ${{ steps.meta.outputs.labels }}
+ annotations: ${{ steps.meta.outputs.annotations }}
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+ sbom: true
 # Must use OCI exporter for multi-arch: https://github.com/docker/buildx/pull/1813
 outputs: type=oci,dest=/tmp/kanidm-docker.tar
+ env:
+ SOURCE_DATE_EPOCH: ${{ env.TIMESTAMP }}
 - name: Upload artifact
 uses: actions/upload-artifact@v4
 with:
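Review bot: The newly added third-party actions `Swatinem/rust-cache@v2` and `reproducible-containers/buildkit-cache-dance@v3.1.2` (and `docker/metadata-action@v5`) are referenced by mutable tag, so the action code that handles the cargo registry cache and injects it into the image build can change underneath this workflow without any commit here. Since this hunk already hardens checkout with `persist-credentials: false`, pinning these to a full commit SHA with the version in a trailing comment is the matching supply-chain control, e.g. `uses: reproducible-containers/buildkit-cache-dance@<full-commit-sha>  # v3.1.2`. Minor: quote the env file path, `run: echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >> "$GITHUB_ENV"`. The same steps are added in docker_build_kanidmd.yml (hunk @@ -35,27) and, for metadata-action, docker_build_radiusd.yml (hunk @@ -35,19).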
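Review bot: `sbom: true` and the step-level `env: SOURCE_DATE_EPOCH: ${{ env.TIMESTAMP }}` carry no explanation, while the neighbouring `outputs:` line does; a reader has to discover that `TIMESTAMP` is written to `$GITHUB_ENV` by the 'Get Git commit timestamps' step earlier in this job, outside this hunk. Suggest `# Attach an SBOM attestation to the image (supply-chain provenance)` above `sbom: true` and `# Pin build timestamps to the commit time for reproducible layers; TIMESTAMP is set by the 'Get Git commit timestamps' step` above `env:`. The same undocumented lines are added in docker_build_kanidmd.yml (hunk @@ -64,8) and docker_build_radiusd.yml (hunk @@ -35,19).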
@@ -60,8 +89,8 @@ jobs:
 # This step is split so that we don't apply "packages: write" permission
 # except when uploading the final Docker image to GHCR.
 runs-on: ubuntu-latest
- if: ( github.ref_type == 'tag' || github.ref == 'refs/heads/master' ) && github.repository == 'kanidm/kanidm'
- needs: kanidm_build
+ if: ( github.ref_type == 'tag' || github.ref == 'refs/heads/master' )
+ needs: [kanidm_build, set_tag_values]
 permissions:
 packages: write
@@ -78,4 +107,4 @@ jobs:
 echo "${{ secrets.GITHUB_TOKEN }}" | \
 oras login -u "${{ github.actor }}" --password-stdin ghcr.io
 oras copy --from-oci-layout "/tmp/kanidm-docker.tar:devel" \
- "ghcr.io/${{ github.repository_owner }}/kanidm:devel"
+ "ghcr.io/${{ needs.set_tag_values.outputs.owner_lc }}/kanidm:devel"
\ No newline at end of file
diff --git a/.github/workflows/docker_build_kanidmd.yml b/.github/workflows/docker_build_kanidmd.yml
index a4ada5cb6..6820250a7 100644
--- a/.github/workflows/docker_build_kanidmd.yml
+++ b/.github/workflows/docker_build_kanidmd.yml
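Review bot: Dropping `&& github.repository == 'kanidm/kanidm'` from `if:` means any fork that pushes to its own `master` or a tag will now run this job with `packages: write` and publish to `ghcr.io/<fork owner>/kanidm:devel` via the lowercased owner from `set_tag_values`; that looks intentional given the `owner_lc` target in the next hunk, but nothing records it and the comment above still only explains the permission split. Suggest extending that comment with `# Forks publish to their own ghcr.io/<owner> namespace (owner_lc comes from set_tag_values).` The second hunk on this line leaves the file with `\ No newline at end of file`; a trailing newline keeps yamllint's new-line-at-end-of-file rule satisfied. The identical change is made in docker_build_kanidmd.yml (hunk @@ -77,8) and docker_build_radiusd.yml (hunk @@ -59,8).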
@@ -35,27 +35,30 @@ jobs:
 runs-on: ubuntu-latest
 needs: set_tag_values
 steps:
- - uses: actions/checkout@v4
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v3
 - name: Docker metadata
 id: meta
 uses: docker/metadata-action@v5
+ - uses: Swatinem/rust-cache@v2
 with:
- # list of Docker images to use as base name for tags
- # images: |
- # kanidm/kanidmd
- # ghcr.io/username/app
- # generate Docker tags based on the following events/attributes
- tags: |
- type=schedule
- type=ref,event=branch
- type=ref,event=pr
- type=semver,pattern={{version}}
- type=semver,pattern={{major}}.{{minor}}
- type=semver,pattern={{major}}
- type=sha
-
+ prefix-key: v0-rust-linux/amd64-base
+ id: rust-cache
+ - name: Inject cache into Docker
+ uses: reproducible-containers/buildkit-cache-dance@v3.1.2
+ with:
+ cache-map: |
+ {
+ "/home/runner/.cargo/registry": "/usr/local/cargo/registry",
+ "/home/runner/.cargo/git/db": "/usr/local/cargo/git/db",
+ "./target": "/app/target"
+ }
+ - name: Get Git commit timestamps
+ run: echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >> $GITHUB_ENV
 - name: Build kanidmd
 uses: docker/build-push-action@v6
 with:
@@ -64,8 +67,16 @@ jobs:
 # build-args: |
 # "KANIDM_BUILD_OPTIONS=-j1"
 file: server/Dockerfile
+ context: .
+ labels: ${{ steps.meta.outputs.labels }}
+ annotations: ${{ steps.meta.outputs.annotations }}
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+ sbom: true
 # Must use OCI exporter for multi-arch: https://github.com/docker/buildx/pull/1813
 outputs: type=oci,dest=/tmp/kanidmd-docker.tar
+ env:
+ SOURCE_DATE_EPOCH: ${{ env.TIMESTAMP }}
 - name: Upload artifact
 uses: actions/upload-artifact@v4
 with:
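Review bot: The context line `with:` that previously belonged to `docker/metadata-action@v5` now attaches to the inserted `- uses: Swatinem/rust-cache@v2`, because the whole `tags:` block under it was removed and the new step was slotted in between; the result appears to parse as intended (metadata-action is left with no inputs, rust-cache receives `prefix-key`), but the hunk is hard to read and `id: rust-cache` ends up after `with:` whereas the metadata step puts `id: meta` before `uses:`. Suggest moving `id: rust-cache` directly under `- uses: Swatinem/rust-cache@v2` so the step reads in the same key order as its neighbours, and applying the same ordering to the rust-cache step in docker_build_kanidm.yml (hunk @@ -35,9). Removing the explicit `tags:` from metadata-action is only safe because the build step supplies its own `tags:` line, which lies outside this hunk — worth confirming it is still present.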
@@ -77,8 +88,8 @@ jobs:
 # This step is split so that we don't apply "packages: write" permission
 # except when uploading the final Docker image to GHCR.
 runs-on: ubuntu-latest
- if: ( github.ref_type== 'tag' || github.ref == 'refs/heads/master' ) && github.repository == 'kanidm/kanidm'
- needs: kanidmd_build
+ if: ( github.ref_type== 'tag' || github.ref == 'refs/heads/master' )
+ needs: [kanidmd_build, set_tag_values]
 permissions:
 packages: write
@@ -95,4 +106,4 @@ jobs:
 echo "${{ secrets.GITHUB_TOKEN }}" | \
 oras login -u "${{ github.actor }}" --password-stdin ghcr.io
 oras copy --from-oci-layout "/tmp/kanidmd-docker.tar:devel" \
- "ghcr.io/${{ github.repository_owner }}/kanidmd:devel"
+ "ghcr.io/${{ needs.set_tag_values.outputs.owner_lc }}/kanidmd:devel"
\ No newline at end of file
diff --git a/.github/workflows/docker_build_radiusd.yml b/.github/workflows/docker_build_radiusd.yml
index c6f8a8846..c3f9a8874 100644
--- a/.github/workflows/docker_build_radiusd.yml
+++ b/.github/workflows/docker_build_radiusd.yml
@@ -35,19 +35,34 @@ jobs:
 runs-on: ubuntu-latest
 needs: set_tag_values
 steps:
- - uses: actions/checkout@v4
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Set up QEMU
 uses: docker/setup-qemu-action@v3
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v3
+ - name: Docker metadata
+ id: meta
+ uses: docker/metadata-action@v5
+ - name: Get Git commit timestamps
+ run: echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >> $GITHUB_ENV
 - name: Build radius
 uses: docker/build-push-action@v6
 with:
 platforms: linux/arm64,linux/amd64
 tags: ghcr.io/${{ needs.set_tag_values.outputs.owner_lc }}/radius:devel,ghcr.io/${{ needs.set_tag_values.outputs.owner_lc }}/radius:${{ needs.set_tag_values.outputs.ref_name}}
 file: rlm_python/Dockerfile
+ context: .
+ labels: ${{ steps.meta.outputs.labels }}
+ annotations: ${{ steps.meta.outputs.annotations }}
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
 # Must use OCI exporter for multi-arch: https://github.com/docker/buildx/pull/1813
 outputs: type=oci,dest=/tmp/radius-docker.tar
+ env:
+ SOURCE_DATE_EPOCH: ${{ env.TIMESTAMP }}
 - name: Upload artifact
 uses: actions/upload-artifact@v4
 with:
@@ -59,8 +74,8 @@ jobs:
 # This step is split so that we don't apply "packages: write" permission
 # except when uploading the final Docker image to GHCR.
 runs-on: ubuntu-latest
- if: ( github.ref_type == 'tag' || github.ref == 'refs/heads/master' ) && github.repository == 'kanidm/kanidm'
- needs: radius_build
+ if: ( github.ref_type == 'tag' || github.ref == 'refs/heads/master' )
+ needs: [radius_build, set_tag_values]
 permissions:
 packages: write
@@ -79,4 +94,4 @@ jobs:
 echo "${{ secrets.GITHUB_TOKEN }}" | \
 oras login -u "${{ github.actor }}" --password-stdin ghcr.io
 oras copy --from-oci-layout "/tmp/radius-docker.tar:devel" \
- "ghcr.io/${{ github.repository_owner }}/radius:devel"
+ "ghcr.io/${{ needs.set_tag_values.outputs.owner_lc }}/radius:devel"
\ No newline at end of file
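Review bot: The radius build is the only one of the three that does not set `sbom: true` on `docker/build-push-action@v6`, so the kanidm and kanidmd images get an SBOM attestation while the radius image — also the only multi-arch build here, via QEMU — does not; unless that is deliberate, add `sbom: true` after `cache-to: type=gha,mode=max`. Separately, the `tags:` context line in this hunk shows the image tagged with both `radius:devel` and `radius:${{ ... ref_name }}`, yet the `oras copy` in the last hunk on this line still publishes only `/tmp/radius-docker.tar:devel`, so on tag builds (which this job now runs for) the version-named tag is never pushed from here — worth confirming whether another workflow publishes it. The kanidm and kanidmd upload hunks copy `:devel` only in the same way, but their build `tags:` lines are outside the visible hunks.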