Add jetson for aarch64 & differentiate build

- fix metadata parsing & manifest - add aarch64 dockerfile for jetson + rough runner - add debug variable to enable/disable image builds - add login step to push manifest - set provenance: false due to a build-and-push action issue: docker/build-push-action#755 (comment) Signed-off-by: Anastassios Nanos <ananos@nubificus.co.uk>
nubispc · Mar 25, 2023 · e794496 · e794496
1 parent 56921cc
commit e794496
Show file tree

Hide file tree

Showing 5 changed files with 230 additions and 196 deletions.
diff --git a/.github/workflows/nubis-build.yaml b/.github/workflows/nubis-build.yaml
@@ -15,6 +15,30 @@ on:
         type: string
 
 jobs:
+  setup:
+    runs-on: [ self-hosted, gcc, lite ]
+    outputs:
+      enable: ${{ steps.set-variable.outputs.enable }}
+    steps:
+      - uses: actions/checkout@v2
+      - name: Set test variable
+        id: set-variable
+        run: |
+          if [ ${{ github.ref }} != 'refs/heads/main' ]; then
+            echo "will NOT build dockerfiles"
+            #echo "::set-output name=enable::false"
+          else
+            echo "WILL build dockerfiles"
+            #echo "::set-output name=enable::true"
+          fi
+          # Enable build
+          echo "::set-output name=enable::true"
+        shell: bash
+      - name: Read exported variable
+        run: |
+          echo "OUTPUT: ${{ steps.set-variable.outputs.enable }}"
+
+
   build:
     runs-on: [ self-hosted, "${{ matrix.architecture }}", gcc, lite ]
 
@@ -34,37 +58,53 @@ jobs:
     outputs:
       image_name: ${{ steps.build.outputs.image_name }}
 
+    needs: [setup]
     steps:
     - name: Build
       id: build
       run: |
           echo ${{ matrix.architecture }}
           GEN=$( echo "${{ inputs.dockerfile }}" | sed s/Dockerfile\.// )
-          echo "image_name=harbor.nbfc.io/nubificus/gh-actions-runner-$GEN" >> "$GITHUB_OUTPUT"
+          echo "image_name=gh-actions-runner-$GEN" >> "$GITHUB_OUTPUT"
+
+    - name: Fix filename
+      id: fix-filename
+      run: |
+         ARCH=$( echo "${{ matrix.architecture }}" )
+         FILENAME=$( echo "${{ inputs.dockerfile }}" )   
+         if [ $ARCH == "aarch64" ] && [ $FILENAME == "Dockerfile.jetson" ];
+         then
+             FILENAME=$( echo "jetson-aarch64-dockerfile" )   
+             echo "dockerfilename=$FILENAME" >> "$GITHUB_OUTPUT"
+         else
+             echo "dockerfilename=$FILENAME" >> "$GITHUB_OUTPUT"
+         fi
 
     - name: Checkout
       uses: actions/checkout@v3
     - name: Install cosign
-      if: github.event_name != 'pull_request'
+      if: ${{ github.event_name != 'pull_request' && needs.setup.outputs.enable == 'true' }}
       uses: sigstore/cosign-installer@ca922a571676e06d3299cce5d520e178ba89a276
       with:
         cosign-release: 'v1.13.1'
     - name: Check install!
+      if: ${{ github.event_name != 'pull_request' && needs.setup.outputs.enable == 'true' }}
       run: cosign version
     - name: Set up Docker Context for Buildx
       id: buildx-context
       run: |
           docker context create builders || true
     # Workaround: https://github.com/docker/build-push-action/issues/461
     - name: Setup Docker buildx
+      if: ${{ github.event_name != 'pull_request' && needs.setup.outputs.enable == 'true' }}
       uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf
       with:
         version: latest
         endpoint: builders
     # Login against a Docker registry except on PR
     # https://github.com/docker/login-action
     - name: Log into registry ${{ inputs.REGISTRY }}
-      if: github.event_name != 'pull_request'
+      if: ${{ github.event_name != 'pull_request' && needs.setup.outputs.enable == 'true' }}
       uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c
       with:
         registry: ${{ inputs.REGISTRY }}
@@ -78,42 +118,46 @@ jobs:
       uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
       with:
         images: ${{ inputs.registry }}/${{ steps.build.outputs.image_name }}
+        tags: |
+          type=sha,prefix=${{ matrix.architecture }}-
 
     # Build and push Docker image with Buildx (don't push on PR)
     # https://github.com/docker/build-push-action
-    - name: Build and push Docker image
+    - name: Build and push ${{ steps.fix-filename.outputs.dockerfilename }}-${{ matrix.architecture }}
+      if: ${{ github.event_name != 'pull_request' && needs.setup.outputs.enable == 'true' }}
       id: build-and-push
-      uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a
+      uses: docker/build-push-action@master
       with:
         context: .
         push: ${{ github.event_name != 'pull_request' }}
         tags: ${{ steps.meta.outputs.tags }}
         labels: ${{ steps.meta.outputs.labels }}
         #cache-from: type=local,src=/tmp
         #cache-to: type=local,mode=max,dest=/tmp
-        file: ${{ inputs.dockerfile }}
-
+        file: ${{ steps.fix-filename.outputs.dockerfilename }}
+        provenance: false
 
     # Sign the resulting Docker image digest except on PRs.
     # This will only write to the public Rekor transparency log when the Docker
     # repository is public to avoid leaking data.  If you would like to publish
     # transparency data even for private images, pass --force to cosign below.
     # https://github.com/sigstore/cosign
     - name: Sign the published Docker image
-      if: ${{ github.event_name != 'pull_request' }}
+      if: ${{ github.event_name != 'pull_request' && needs.setup.outputs.enable == 'true' }}
       env:
         COSIGN_EXPERIMENTAL: "true"
       # This step uses the identity token to provision an ephemeral certificate
       # against the sigstore community Fulcio instance.
       run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }}
     - name: Clean up Docker Context for Buildx
       id: buildx-context-cleanup
+      if: ${{ github.event_name != 'pull_request' && needs.setup.outputs.enable == 'true' }}
       run: |
           docker context remove builders || true
 
   manifest:
     runs-on: [ self-hosted, gcc, lite ]
-    needs: [build]
+    needs: [setup, build]
 
     permissions:
       contents: read
@@ -123,12 +167,55 @@ jobs:
       id-token: write
 
     steps:
+    - uses: actions/checkout@v3
+    - uses: benjlevesque/short-sha@v2.2
+      id: short-sha
+      with:
+        length: 7
+
+    # Login against a Docker registry except on PR
+    # https://github.com/docker/login-action
+    - name: Log into registry ${{ inputs.REGISTRY }}
+      if: ${{ github.event_name != 'pull_request' && needs.setup.outputs.enable == 'true' }}
+      uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c
+      with:
+        registry: ${{ inputs.REGISTRY }}
+        username: ${{ secrets.HARBOR_USER }}
+        password: ${{ secrets.HARBOR_SECRET }}
+
+    - name: Set image name
+      id: set-image-name
+      run: |
+          NAME=$( echo "${{ needs.build.outputs.image_name }}" )
+          REGISTRY=$( echo "${{ inputs.REGISTRY }}" )
+          #NAMESPACE="runners"
+          #echo "image_name=$REGISTRY/$NAMESPACE/$NAME" >> "$GITHUB_OUTPUT"
+          echo "image_name=$REGISTRY/$NAME" >> "$GITHUB_OUTPUT"
+
+    - name: Create manifest for ${{ needs.build.outputs.image_name }}
+      id: debug-echo
+      run: |
+          VAR1=$(echo ${{ toJSON(fromJson(inputs.matrix).architecture[0]) }}-$SHA )
+          VAR2=$(echo ${{ toJSON(fromJson(inputs.matrix).architecture[1]) }}-$SHA )
+          echo docker manifest rm ${{ steps.set-image-name.outputs.image_name }}:generic || true
+          echo docker manifest create ${{ steps.set-image-name.outputs.image_name }}:generic \
+              --amend ${{ steps.set-image-name.outputs.image_name }}:$(echo $VAR1) \
+              --amend ${{ steps.set-image-name.outputs.image_name }}:$(echo $VAR2) 
+          echo docker manifest push ${{ steps.set-image-name.outputs.image_name }}:generic
+      env:
+        SHA: ${{ steps.short-sha.outputs.sha }}
+
     - name: Create manifest for ${{ needs.build.outputs.image_name }}
+      id: create-manifest
+      if: ${{ github.event_name != 'pull_request' && needs.setup.outputs.enable == 'true' }}
       run: |
-          VAR1=$(echo ${{ toJSON(fromJson(inputs.matrix).architecture[0]) }})
-          VAR2=$(echo ${{ toJSON(fromJson(inputs.matrix).architecture[1]) }})
-          echo docker manifest rm ${{ needs.build.outputs.image_name }}:generic || true
-          echo docker manifest create ${{ needs.build.outputs.image_name }}:generic \
-              --amend ${{ needs.build.outputs.image_name }}:$(echo $VAR1) \
-              --amend ${{ needs.build.outputs.image_name }}:$(echo $VAR2) 
+          VAR1=$(echo ${{ toJSON(fromJson(inputs.matrix).architecture[0]) }}-$SHA )
+          VAR2=$(echo ${{ toJSON(fromJson(inputs.matrix).architecture[1]) }}-$SHA )
+          docker manifest rm ${{ steps.set-image-name.outputs.image_name }}:generic || true
+          docker manifest create ${{ steps.set-image-name.outputs.image_name }}:generic \
+              --amend ${{ steps.set-image-name.outputs.image_name }}:$(echo $VAR1) \
+              --amend ${{ steps.set-image-name.outputs.image_name }}:$(echo $VAR2) 
+          docker manifest push ${{ steps.set-image-name.outputs.image_name }}:generic
+      env:
+        SHA: ${{ steps.short-sha.outputs.sha }}
 
diff --git a/.github/workflows/nubis-manifest.yaml b/.github/workflows/nubis-manifest.yaml
diff --git a/.github/workflows/nubis-meta.yaml b/.github/workflows/nubis-meta.yaml
@@ -2,7 +2,7 @@ name: build
 on:
   push:
     branches:
-    - nubis-runners-meta
+      - nubis-runners
   workflow_dispatch:
 
 env:
@@ -56,7 +56,7 @@ jobs:
           if [[ $JSON == *, ]]; then
           JSON="${JSON%?}"
           fi
-          JSON="$JSON], \"architecture\":[\"x86_64\", \"arm64\"]}"
+          JSON="$JSON], \"architecture\":[\"x86_64\", \"aarch64\"]}"
           echo $JSON
           # Set output
           echo "::set-output name=matrix::$( echo "$JSON" )"