From ce410f440c8d54cbe6eb87d4d3659e7b43431cca Mon Sep 17 00:00:00 2001
From: Jade Ellis
Date: Fri, 14 Feb 2025 10:25:04 +0000
Subject: [PATCH] ci: uniform Docker builds (#3430)
---
 .github/workflows/docker_build_kanidm.yml | 17 ++++++++++---
 .github/workflows/docker_build_kanidmd.yml | 29 ++++++++--------------
 .github/workflows/docker_build_radiusd.yml | 17 ++++++++++---
 3 files changed, 36 insertions(+), 27 deletions(-)
diff --git a/.github/workflows/docker_build_kanidm.yml b/.github/workflows/docker_build_kanidm.yml
index 68c120155..1bd9548f8 100644
--- a/.github/workflows/docker_build_kanidm.yml
+++ b/.github/workflows/docker_build_kanidm.yml
@@ -35,9 +35,15 @@ jobs: needs: - set_tag_values steps: - - uses: actions/checkout@v4 + - name: Checkout repository + uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 + - name: Docker metadata + id: meta + uses: docker/metadata-action@v5 - name: Build kanidm uses: docker/build-push-action@v6 with:
@@ -47,6 +53,9 @@ jobs: build-args: | "KANIDM_FEATURES=" file: tools/Dockerfile + context: . + labels: ${{ steps.meta.outputs.labels }} + annotations: ${{ steps.meta.outputs.annotations }} # Must use OCI exporter for multi-arch: https://github.com/docker/buildx/pull/1813 outputs: type=oci,dest=/tmp/kanidm-docker.tar - name: Upload artifact
@@ -60,8 +69,8 @@ jobs: # This step is split so that we don't apply "packages: write" permission # except when uploading the final Docker image to GHCR. runs-on: ubuntu-latest - if: ( github.ref_type == 'tag' || github.ref == 'refs/heads/master' ) && github.repository == 'kanidm/kanidm' - needs: kanidm_build + if: ( github.ref_type == 'tag' || github.ref == 'refs/heads/master' ) + needs: [kanidm_build, set_tag_values] permissions: packages: write
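Review bot: The newly added `uses: docker/metadata-action@v5` step, like the other `uses:` lines in this hunk, references a mutable major-version tag, so the action code that feeds labels and annotations into the published image can change without any diff in this repository. Pinning each action to a full commit SHA with the version in a trailing comment, e.g. `uses: docker/metadata-action@<commit-sha-of-v5-release> # v5`, would make the supply-chain surface of this build reviewable; the same applies to the radiusd hunk that adds the identical step. The step has no `with:` block, so it presumably runs with default `images`/`tags` and only its `labels`/`annotations` outputs are consumed by the build step below; a short `# only labels/annotations are consumed; tags are set on the build step` comment above `id: meta` would make that intent explicit.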
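Review bot: The added `annotations: ${{ steps.meta.outputs.annotations }}` feeds a build that exports `type=oci` for a multi-arch image (per the comment on the following line), but docker/metadata-action emits annotations at the manifest level by default, so the OCI index produced here would presumably carry none of them. If index-level annotations are wanted, the metadata step needs `env: DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index` — confirm against the action's documentation for the version in use. The same three lines are added in the kanidmd and radiusd hunks later in this patch, and the radiusd build visibly declares `platforms: linux/arm64,linux/amd64`.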
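Review bot: Dropping `&& github.repository == 'kanidm/kanidm'` from the push job's `if:` widens where this job runs: any fork on which the workflow executes for `master` or a tag will now exercise `packages: write` against GHCR with its own `GITHUB_TOKEN`, publishing under `needs.set_tag_values.outputs.owner_lc`. That appears intentional now that the owner is derived from the repository, but neither the commit message nor the job's existing comment says so; extending that comment with `# Forks run this job too: the image is pushed to the fork owner's own GHCR namespace (owner_lc).` would record the decision. The same guard is removed in the kanidmd and radiusd push jobs in later hunks. The `needs: [kanidm_build, set_tag_values]` change is required by the `owner_lc` reference in the next hunk, so that part is consistent.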
@@ -78,4 +87,4 @@ jobs: echo "${{ secrets.GITHUB_TOKEN }}" | \ oras login -u "${{ github.actor }}" --password-stdin ghcr.io oras copy --from-oci-layout "/tmp/kanidm-docker.tar:devel" \ - "ghcr.io/${{ github.repository_owner }}/kanidm:devel" + "ghcr.io/${{ needs.set_tag_values.outputs.owner_lc }}/kanidm:devel"
\ No newline at end of file
diff --git a/.github/workflows/docker_build_kanidmd.yml b/.github/workflows/docker_build_kanidmd.yml
index a4ada5cb6..d1c239602 100644
--- a/.github/workflows/docker_build_kanidmd.yml
+++ b/.github/workflows/docker_build_kanidmd.yml
@@ -35,27 +35,15 @@ jobs: runs-on: ubuntu-latest needs: set_tag_values steps: - - uses: actions/checkout@v4 + - name: Checkout repository + uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Docker metadata id: meta uses: docker/metadata-action@v5 - with: - # list of Docker images to use as base name for tags - # images: | - # kanidm/kanidmd - # ghcr.io/username/app - # generate Docker tags based on the following events/attributes - tags: | - type=schedule - type=ref,event=branch - type=ref,event=pr - type=semver,pattern={{version}} - type=semver,pattern={{major}}.{{minor}} - type=semver,pattern={{major}} - type=sha - - name: Build kanidmd uses: docker/build-push-action@v6 with:
@@ -64,6 +52,9 @@ jobs: # build-args: | # "KANIDM_BUILD_OPTIONS=-j1" file: server/Dockerfile + context: . + labels: ${{ steps.meta.outputs.labels }} + annotations: ${{ steps.meta.outputs.annotations }} # Must use OCI exporter for multi-arch: https://github.com/docker/buildx/pull/1813 outputs: type=oci,dest=/tmp/kanidmd-docker.tar - name: Upload artifact
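Review bot: The rewritten `oras copy` destination line still leaves the file without a trailing newline (`\ No newline at end of file` remains), which a uniformity pass over all three workflows was the natural moment to fix; the kanidmd and radiusd files end the same way in their final hunks. The new line also interpolates `needs.set_tag_values.outputs.owner_lc` straight into the `run:` shell text; for a lowercased repository owner that is benign, but the more defensive and greppable pattern is to expose it as `env: OWNER_LC: ${{ needs.set_tag_values.outputs.owner_lc }}` on the step and write `"ghcr.io/${OWNER_LC}/kanidm:devel"` in the script, so workflow outputs never become shell source. The enclosing `run:` block starts before this hunk.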
@@ -77,8 +68,8 @@ jobs: # This step is split so that we don't apply "packages: write" permission # except when uploading the final Docker image to GHCR. runs-on: ubuntu-latest - if: ( github.ref_type== 'tag' || github.ref == 'refs/heads/master' ) && github.repository == 'kanidm/kanidm' - needs: kanidmd_build + if: ( github.ref_type== 'tag' || github.ref == 'refs/heads/master' ) + needs: [kanidmd_build, set_tag_values] permissions: packages: write
@@ -95,4 +86,4 @@ jobs: echo "${{ secrets.GITHUB_TOKEN }}" | \ oras login -u "${{ github.actor }}" --password-stdin ghcr.io oras copy --from-oci-layout "/tmp/kanidmd-docker.tar:devel" \ - "ghcr.io/${{ github.repository_owner }}/kanidmd:devel" + "ghcr.io/${{ needs.set_tag_values.outputs.owner_lc }}/kanidmd:devel"
\ No newline at end of file
diff --git a/.github/workflows/docker_build_radiusd.yml b/.github/workflows/docker_build_radiusd.yml
index c6f8a8846..f1ff4476c 100644
--- a/.github/workflows/docker_build_radiusd.yml
+++ b/.github/workflows/docker_build_radiusd.yml
@@ -35,17 +35,26 @@ jobs: runs-on: ubuntu-latest needs: set_tag_values steps: - - uses: actions/checkout@v4 + - name: Checkout repository + uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up QEMU uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 + - name: Docker metadata + id: meta + uses: docker/metadata-action@v5 - name: Build radius uses: docker/build-push-action@v6 with: platforms: linux/arm64,linux/amd64 tags: ghcr.io/${{ needs.set_tag_values.outputs.owner_lc }}/radius:devel,ghcr.io/${{ needs.set_tag_values.outputs.owner_lc }}/radius:${{ needs.set_tag_values.outputs.ref_name}} file: rlm_python/Dockerfile + context: . + labels: ${{ steps.meta.outputs.labels }} + annotations: ${{ steps.meta.outputs.annotations }} # Must use OCI exporter for multi-arch: https://github.com/docker/buildx/pull/1813 outputs: type=oci,dest=/tmp/radius-docker.tar - name: Upload artifact
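Review bot: The rewritten `if:` line keeps `github.ref_type== 'tag'` with no space before `==`, which is valid expression syntax but differs from the kanidm and radiusd workflows this commit is meant to make uniform. Since the line is being rewritten anyway, `if: ( github.ref_type == 'tag' || github.ref == 'refs/heads/master' )` would align all three files and make a future grep for the guard match every workflow.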
@@ -59,8 +68,8 @@ jobs: # This step is split so that we don't apply "packages: write" permission # except when uploading the final Docker image to GHCR. runs-on: ubuntu-latest - if: ( github.ref_type == 'tag' || github.ref == 'refs/heads/master' ) && github.repository == 'kanidm/kanidm' - needs: radius_build + if: ( github.ref_type == 'tag' || github.ref == 'refs/heads/master' ) + needs: [radius_build, set_tag_values] permissions: packages: write
@@ -79,4 +88,4 @@ jobs: echo "${{ secrets.GITHUB_TOKEN }}" | \ oras login -u "${{ github.actor }}" --password-stdin ghcr.io oras copy --from-oci-layout "/tmp/radius-docker.tar:devel" \ - "ghcr.io/${{ github.repository_owner }}/radius:devel" + "ghcr.io/${{ needs.set_tag_values.outputs.owner_lc }}/radius:devel"
\ No newline at end of file