From 90ae2a99a91e1ad05e4b5cde0edd71c100a28c14 Mon Sep 17 00:00:00 2001 From: Michael Pilosov Date: Thu, 13 Apr 2023 11:45:43 -0600 Subject: [PATCH 01/10] image build directory --- .github/workflows/publish-image.yml | 97 +++++++++++++++++++ Dockerfile => build/Dockerfile | 0 .../jupyter_notebook_config.py | 0 postBuild => build/postBuild | 0 requirements.txt => build/requirements.txt | 0 5 files changed, 97 insertions(+) create mode 100644 .github/workflows/publish-image.yml rename Dockerfile => build/Dockerfile (100%) rename jupyter_notebook_config.py => build/jupyter_notebook_config.py (100%) rename postBuild => build/postBuild (100%) rename requirements.txt => build/requirements.txt (100%) diff --git a/.github/workflows/publish-image.yml b/.github/workflows/publish-image.yml new file mode 100644 index 0000000..6e273bd --- /dev/null +++ b/.github/workflows/publish-image.yml @@ -0,0 +1,97 @@ +name: docker + +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +on: +# schedule: +# - cron: '39 23 * * *' + push: +# branches: [ "main" ] + # Publish semver tags as releases. + tags: [ 'v*.*.*' ] + pull_request: + branches: [ "main" ] + +env: + # Use docker.io for Docker Hub if empty + REGISTRY: ghcr.io + # github.repository as / + IMAGE_NAME: ${{ github.repository }} + + +jobs: + build: + + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + # This is used to complete the identity challenge + # with sigstore/fulcio when running outside of PRs. + id-token: write + + steps: + - name: Checkout repository + uses: actions/checkout@v3 + + # Install the cosign tool except on PR + # https://github.com/sigstore/cosign-installer + - name: Install cosign + if: github.event_name != 'pull_request' + uses: sigstore/cosign-installer@f3c664df7af409cb4873aa5068053ba9d61a57b6 #v2.6.0 + with: + cosign-release: 'v1.13.1' + + + # Workaround: https://github.com/docker/build-push-action/issues/461 + - name: Setup Docker buildx + uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf + + # Login against a Docker registry except on PR + # https://github.com/docker/login-action + - name: Log into registry ${{ env.REGISTRY }} + if: github.event_name != 'pull_request' + uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + # Extract metadata (tags, labels) for Docker + # https://github.com/docker/metadata-action + - name: Extract Docker metadata + id: meta + uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + + # Build and push Docker image with Buildx (don't push on PR) + # https://github.com/docker/build-push-action + - name: Build and push Docker image + id: build-and-push + uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a + with: + context: build + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max + + + # Sign the resulting Docker image digest except on PRs. + # This will only write to the public Rekor transparency log when the Docker + # repository is public to avoid leaking data. If you would like to publish + # transparency data even for private images, pass --force to cosign below. + # https://github.com/sigstore/cosign + - name: Sign the published Docker image + if: ${{ github.event_name != 'pull_request' }} + env: + COSIGN_EXPERIMENTAL: "true" + # This step uses the identity token to provision an ephemeral certificate + # against the sigstore community Fulcio instance. + run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }} + diff --git a/Dockerfile b/build/Dockerfile similarity index 100% rename from Dockerfile rename to build/Dockerfile diff --git a/jupyter_notebook_config.py b/build/jupyter_notebook_config.py similarity index 100% rename from jupyter_notebook_config.py rename to build/jupyter_notebook_config.py diff --git a/postBuild b/build/postBuild similarity index 100% rename from postBuild rename to build/postBuild diff --git a/requirements.txt b/build/requirements.txt similarity index 100% rename from requirements.txt rename to build/requirements.txt From 0c2ea944bd419fe22a0f085a3194ef62180c6028 Mon Sep 17 00:00:00 2001 From: Michael Pilosov Date: Thu, 13 Apr 2023 11:56:24 -0600 Subject: [PATCH 02/10] try upgrading actions versions --- .github/workflows/publish-image.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/publish-image.yml b/.github/workflows/publish-image.yml index 6e273bd..584a36a 100644 --- a/.github/workflows/publish-image.yml +++ b/.github/workflows/publish-image.yml @@ -48,13 +48,13 @@ jobs: # Workaround: https://github.com/docker/build-push-action/issues/461 - name: Setup Docker buildx - uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf + uses: docker/setup-buildx-action@v2.5.0 # Login against a Docker registry except on PR # https://github.com/docker/login-action - name: Log into registry ${{ env.REGISTRY }} if: github.event_name != 'pull_request' - uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c + uses: docker/login-action@v2.1.0 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} @@ -64,7 +64,7 @@ jobs: # https://github.com/docker/metadata-action - name: Extract Docker metadata id: meta - uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38 + uses: docker/metadata-action@v4.3.0 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} @@ -72,7 +72,7 @@ jobs: # https://github.com/docker/build-push-action - name: Build and push Docker image id: build-and-push - uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a + uses: docker/build-push-action@v4.0.0 with: context: build push: ${{ github.event_name != 'pull_request' }} From d1e0d3f9e835223ed3b2cef9e71aaafea8f4669b Mon Sep 17 00:00:00 2001 From: Michael Pilosov Date: Thu, 13 Apr 2023 12:11:17 -0600 Subject: [PATCH 03/10] dockerfile referencing build image --- Dockerfile | 1 + 1 file changed, 1 insertion(+) create mode 100644 Dockerfile diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..8babf5d --- /dev/null +++ b/Dockerfile @@ -0,0 +1 @@ +FROM ghcr.io/ml-starter-packs/microservice-workshop:v0.0.1-rc0 From cbe20d2451af6806e790f21e700e5183f8482cbe Mon Sep 17 00:00:00 2001 From: Michael Pilosov Date: Thu, 13 Apr 2023 12:47:42 -0600 Subject: [PATCH 04/10] labels, build-platform --- .github/workflows/publish-image.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/publish-image.yml b/.github/workflows/publish-image.yml index 584a36a..8175921 100644 --- a/.github/workflows/publish-image.yml +++ b/.github/workflows/publish-image.yml @@ -67,6 +67,11 @@ jobs: uses: docker/metadata-action@v4.3.0 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + labels: | + org.opencontainers.image.title=Microservices Workshop + org.opencontainers.image.description=Development Image with VSCode for a Workshop on Microservices + org.opencontainers.image.licenses=MIT + # Build and push Docker image with Buildx (don't push on PR) # https://github.com/docker/build-push-action @@ -75,6 +80,7 @@ jobs: uses: docker/build-push-action@v4.0.0 with: context: build + platforms: amd64 push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} From 04910d02aaf9c198132610f7c95bc61ee5f2cf9d Mon Sep 17 00:00:00 2001 From: Michael Pilosov Date: Thu, 13 Apr 2023 13:05:10 -0600 Subject: [PATCH 05/10] labels not working. try without buildx --- .github/workflows/publish-image.yml | 39 +++++++++++++---------------- 1 file changed, 17 insertions(+), 22 deletions(-) diff --git a/.github/workflows/publish-image.yml b/.github/workflows/publish-image.yml index 8175921..312cab3 100644 --- a/.github/workflows/publish-image.yml +++ b/.github/workflows/publish-image.yml @@ -39,16 +39,16 @@ jobs: # Install the cosign tool except on PR # https://github.com/sigstore/cosign-installer - - name: Install cosign - if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@f3c664df7af409cb4873aa5068053ba9d61a57b6 #v2.6.0 - with: - cosign-release: 'v1.13.1' + #- name: Install cosign + # if: github.event_name != 'pull_request' + # uses: sigstore/cosign-installer@f3c664df7af409cb4873aa5068053ba9d61a57b6 #v2.6.0 + # with: + # cosign-release: 'v1.13.1' # Workaround: https://github.com/docker/build-push-action/issues/461 - - name: Setup Docker buildx - uses: docker/setup-buildx-action@v2.5.0 + #- name: Setup Docker buildx + # uses: docker/setup-buildx-action@v2.5.0 # Login against a Docker registry except on PR # https://github.com/docker/login-action @@ -67,13 +67,8 @@ jobs: uses: docker/metadata-action@v4.3.0 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - labels: | - org.opencontainers.image.title=Microservices Workshop - org.opencontainers.image.description=Development Image with VSCode for a Workshop on Microservices - org.opencontainers.image.licenses=MIT - - # Build and push Docker image with Buildx (don't push on PR) + # Build and push Docker image (don't push on PR) # https://github.com/docker/build-push-action - name: Build and push Docker image id: build-and-push @@ -84,8 +79,8 @@ jobs: push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} - cache-from: type=gha - cache-to: type=gha,mode=max + #cache-from: type=gha + #cache-to: type=gha,mode=max # Sign the resulting Docker image digest except on PRs. @@ -93,11 +88,11 @@ jobs: # repository is public to avoid leaking data. If you would like to publish # transparency data even for private images, pass --force to cosign below. # https://github.com/sigstore/cosign - - name: Sign the published Docker image - if: ${{ github.event_name != 'pull_request' }} - env: - COSIGN_EXPERIMENTAL: "true" - # This step uses the identity token to provision an ephemeral certificate - # against the sigstore community Fulcio instance. - run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }} + #- name: Sign the published Docker image + # if: ${{ github.event_name != 'pull_request' }} + # env: + # COSIGN_EXPERIMENTAL: "true" + # # This step uses the identity token to provision an ephemeral certificate + # # against the sigstore community Fulcio instance. + # run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }} From 63961f5e5524300543867bed751b0c4c675c4eb3 Mon Sep 17 00:00:00 2001 From: Michael Pilosov Date: Thu, 13 Apr 2023 13:13:09 -0600 Subject: [PATCH 06/10] labels work without buildx. try buildx again. --- .github/workflows/publish-image.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/publish-image.yml b/.github/workflows/publish-image.yml index 312cab3..8192add 100644 --- a/.github/workflows/publish-image.yml +++ b/.github/workflows/publish-image.yml @@ -47,8 +47,8 @@ jobs: # Workaround: https://github.com/docker/build-push-action/issues/461 - #- name: Setup Docker buildx - # uses: docker/setup-buildx-action@v2.5.0 + - name: Setup Docker buildx + uses: docker/setup-buildx-action@v2.5.0 # Login against a Docker registry except on PR # https://github.com/docker/login-action @@ -79,8 +79,8 @@ jobs: push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} - #cache-from: type=gha - #cache-to: type=gha,mode=max + cache-from: type=gha + cache-to: type=gha,mode=max # Sign the resulting Docker image digest except on PRs. From 5f771d34c7b01c1b35383cfb7fcc7f10fcad7d62 Mon Sep 17 00:00:00 2001 From: Michael Pilosov Date: Thu, 13 Apr 2023 13:29:12 -0600 Subject: [PATCH 07/10] try outputs section for adding labels --- .github/workflows/publish-image.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/publish-image.yml b/.github/workflows/publish-image.yml index 8192add..9c6ff0a 100644 --- a/.github/workflows/publish-image.yml +++ b/.github/workflows/publish-image.yml @@ -69,18 +69,22 @@ jobs: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} # Build and push Docker image (don't push on PR) + # Since buildx is used, annotations must be set via outputs (for now) + # see https://github.com/docker/build-push-action/issues/447 for more # https://github.com/docker/build-push-action - name: Build and push Docker image id: build-and-push uses: docker/build-push-action@v4.0.0 with: context: build - platforms: amd64 + platforms: linux/amd64 push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} cache-from: type=gha cache-to: type=gha,mode=max + outputs: | + type=image,name=target,annotation-index.org.opencontainers.image.description=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.description'] }},annotation-index.org.opencontainers.image.source=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.source'] }},annotation-index.org.opencontainers.image.licenses=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.licenses'] }} # Sign the resulting Docker image digest except on PRs. From 299933a695df216975e876474c0d11bb2383f1c1 Mon Sep 17 00:00:00 2001 From: Michael Pilosov Date: Thu, 13 Apr 2023 13:30:36 -0600 Subject: [PATCH 08/10] v0.0.1 --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 8babf5d..97df3ca 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1 +1 @@ -FROM ghcr.io/ml-starter-packs/microservice-workshop:v0.0.1-rc0 +FROM ghcr.io/ml-starter-packs/microservice-workshop:v0.0.1 From a20524ac401c874279ff0c1bb37b58209a5e0f56 Mon Sep 17 00:00:00 2001 From: Michael Pilosov Date: Thu, 13 Apr 2023 13:43:54 -0600 Subject: [PATCH 09/10] provenance=False --- .github/workflows/publish-image.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/publish-image.yml b/.github/workflows/publish-image.yml index 9c6ff0a..7cf1375 100644 --- a/.github/workflows/publish-image.yml +++ b/.github/workflows/publish-image.yml @@ -71,6 +71,8 @@ jobs: # Build and push Docker image (don't push on PR) # Since buildx is used, annotations must be set via outputs (for now) # see https://github.com/docker/build-push-action/issues/447 for more + # provenance is to prevent unknown/unknown arch from being published, may be removed in future? + # see https://github.com/docker/build-push-action/issues/820 for more # https://github.com/docker/build-push-action - name: Build and push Docker image id: build-and-push @@ -78,6 +80,7 @@ jobs: with: context: build platforms: linux/amd64 + provenance: false push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} From 236972099a7203a45c81dd91e3dfcce97b8e09ca Mon Sep 17 00:00:00 2001 From: Michael Pilosov Date: Thu, 13 Apr 2023 13:51:06 -0600 Subject: [PATCH 10/10] try multi-platform --- .github/workflows/publish-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/publish-image.yml b/.github/workflows/publish-image.yml index 7cf1375..92f641d 100644 --- a/.github/workflows/publish-image.yml +++ b/.github/workflows/publish-image.yml @@ -79,7 +79,7 @@ jobs: uses: docker/build-push-action@v4.0.0 with: context: build - platforms: linux/amd64 + platforms: linux/amd64, linux/arm64 provenance: false push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta.outputs.tags }}