mirror of
https://github.com/coder/coder.git
synced 2026-06-03 13:08:25 +00:00
dependabot[bot]
edd5d83280
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Lukasz <CommanderK5@users.noreply.github.com> Co-authored-by: blink-so[bot] <211532188+blink-so[bot]@users.noreply.github.com>
107 lines
3.3 KiB
YAML
107 lines
3.3 KiB
YAML
name: docker-base
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- main
|
|
paths:
|
|
- scripts/Dockerfile.base
|
|
- scripts/Dockerfile
|
|
|
|
pull_request:
|
|
paths:
|
|
- scripts/Dockerfile.base
|
|
- .github/workflows/docker-base.yaml
|
|
|
|
schedule:
|
|
# Run every week at 09:43 on Monday, Wednesday and Friday. We build this
|
|
# frequently to ensure that packages are up-to-date.
|
|
- cron: "43 9 * * 1,3,5"
|
|
|
|
workflow_dispatch:
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
# Avoid running multiple jobs for the same commit.
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.ref }}-docker-base
|
|
|
|
jobs:
|
|
build:
|
|
permissions:
|
|
# Necessary for depot.dev authentication.
|
|
id-token: write
|
|
# Necessary to push docker images to ghcr.io.
|
|
packages: write
|
|
runs-on: ubuntu-latest
|
|
if: github.repository_owner == 'coder'
|
|
steps:
|
|
- name: Harden Runner
|
|
uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
|
|
with:
|
|
egress-policy: audit
|
|
|
|
- name: Checkout
|
|
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
with:
|
|
persist-credentials: false
|
|
|
|
- name: Docker login
|
|
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
|
|
with:
|
|
registry: ghcr.io
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
- name: Create empty base-build-context directory
|
|
run: mkdir base-build-context
|
|
|
|
- name: Install depot.dev CLI
|
|
uses: depot/setup-action@15c09a5f77a0840ad4bce955686522a257853461 # v1.7.1
|
|
|
|
# This uses OIDC authentication, so no auth variables are required.
|
|
- name: Build base Docker image via depot.dev
|
|
uses: depot/build-push-action@5f3b3c2e5a00f0093de47f657aeaefcedff27d18 # v1.17.0
|
|
with:
|
|
project: wl5hnrrkns
|
|
context: base-build-context
|
|
file: scripts/Dockerfile.base
|
|
platforms: linux/amd64,linux/arm64,linux/arm/v7
|
|
provenance: true
|
|
pull: true
|
|
no-cache: true
|
|
push: ${{ github.event_name != 'pull_request' }}
|
|
tags: |
|
|
ghcr.io/coder/coder-base:latest
|
|
|
|
- name: Verify that images are pushed properly
|
|
if: github.event_name != 'pull_request'
|
|
run: |
|
|
# retry 10 times with a 5 second delay as the images may not be
|
|
# available immediately
|
|
for i in {1..10}; do
|
|
rc=0
|
|
raw_manifests=$(docker buildx imagetools inspect --raw ghcr.io/coder/coder-base:latest) || rc=$?
|
|
if [[ "$rc" -eq 0 ]]; then
|
|
break
|
|
fi
|
|
if [[ "$i" -eq 10 ]]; then
|
|
echo "Failed to pull manifests after 10 retries"
|
|
exit 1
|
|
fi
|
|
echo "Failed to pull manifests, retrying in 5 seconds"
|
|
sleep 5
|
|
done
|
|
|
|
manifests=$(
|
|
echo "$raw_manifests" | \
|
|
jq -r '.manifests[].platform | .os + "/" + .architecture + (if .variant then "/" + .variant else "" end)'
|
|
)
|
|
|
|
# Verify all 3 platforms are present.
|
|
set -euxo pipefail
|
|
echo "$manifests" | grep -q linux/amd64
|
|
echo "$manifests" | grep -q linux/arm64
|
|
echo "$manifests" | grep -q linux/arm/v7
|