227 changes: 93 additions & 134 deletions .github/workflows/build.yml
Expand Up @@ -28,7 +28,6 @@ jobs:
runs-on: ubuntu-latest
outputs:
validate-includes: ${{ steps.validate.outputs.matrix }}
artifact-includes: ${{ steps.artifact.outputs.matrix }}
steps:
-
name: Checkout
Expand All @@ -42,13 +41,6 @@ jobs:
fields: platforms
env:
GOLANGCI_LINT_MULTIPLATFORM: 1
-
name: Artifact matrix
id: artifact
uses: docker/bake-action/subaction/matrix@v7
with:
target: artifact-all
fields: platforms

validate:
runs-on: ubuntu-latest
Expand Down Expand Up @@ -128,62 +120,65 @@ jobs:
with:
sarif_file: ${{ env.DESTDIR }}/govulncheck.out

artifact:
artifacts:
uses: docker/github-builder/.github/workflows/bake.yml@git-query-fetch-depth
permissions:
contents: read # same as global permission
id-token: write # for signing attestation(s) with GitHub OIDC Token
with:
runner: amd64
output: local
artifact-name: diun
push: ${{ github.event_name != 'pull_request' }}
sbom: true
target: artifact-all

artifacts-finalize:
runs-on: ubuntu-latest
needs:
- prepare
- validate
strategy:
fail-fast: false
matrix:
include: ${{ fromJson(needs.prepare.outputs.artifact-includes) }}
- artifacts
steps:
-
name: Prepare
run: |
platform=${{ matrix.platforms }}
echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
-
name: Checkout
uses: actions/checkout@v6
with:
fetch-depth: 0
-
name: Set up QEMU
uses: docker/setup-qemu-action@v4
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v4
-
name: Build
uses: docker/bake-action@v7
name: Download artifacts
uses: actions/download-artifact@v6
with:
source: .
targets: artifact
provenance: mode=max
sbom: true
pull: true
set: |
*.platform=${{ matrix.platforms }}
path: /tmp/buildx-output
pattern: ${{ needs.artifacts.outputs.artifact-name }}*
merge-multiple: true
-
name: Rename provenance and sbom
working-directory: ${{ env.DESTDIR }}/artifact
run: |
binname=$(find . -name 'diun_*')
filename=$(basename "$binname" | sed -E 's/\.(tar\.gz|zip)$//')
mv "provenance.json" "$(unknown).provenance.json"
mv "sbom-binary.spdx.json" "$(unknown).sbom.json"
find . -name 'sbom*.json' -exec rm {} \;
for pdir in /tmp/buildx-output/*/; do
(
cd "$pdir"
binname=$(find . -name 'diun_*')
filename=$(basename "$binname" | sed -E 's/\.(tar\.gz|zip)$//')
mv "provenance.json" "$(unknown).provenance.json"
mv "sbom-binary.spdx.json" "$(unknown).sbom.json"
find . -name 'sbom*.json' -exec rm {} \;
if [ -f "provenance.sigstore.json" ]; then
mv "provenance.sigstore.json" "$(unknown).provenance.sigstore.json"
fi
)
done
mkdir -p "${{ env.DESTDIR }}"
mv /tmp/buildx-output/**/* "${{ env.DESTDIR }}/"
-
name: List artifacts
working-directory: ${{ env.DESTDIR }}
run: |
tree -nh ${{ env.DESTDIR }}
tree -nh .
-
name: Upload artifact
uses: actions/upload-artifact@v7
name: Check artifacts
working-directory: ${{ env.DESTDIR }}
run: |
find . -type f -exec file -e ascii -- {} +
-
name: Upload release binaries
uses: actions/upload-artifact@v5
with:
name: diun-${{ env.PLATFORM_PAIR }}
path: ${{ env.DESTDIR }}
name: release
path: ${{ env.DESTDIR }}/*
if-no-files-found: error

release:
Expand All @@ -192,23 +187,18 @@ jobs:
# required to create GitHub release
contents: write
needs:
- artifact
- artifacts-finalize
- test
steps:
-
name: Checkout
uses: actions/checkout@v6
-
name: Download artifacts
name: Download release binaries
uses: actions/download-artifact@v8
with:
path: ${{ env.DESTDIR }}
pattern: diun-*
merge-multiple: true
-
name: List artifacts
run: |
tree -nh ${{ env.DESTDIR }}
path: ${{ env.DESTDIR }}/artifact
name: release
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v4
Expand All @@ -219,6 +209,11 @@ jobs:
source: .
targets: release
provenance: false
-
name: List artifacts
working-directory: ${{ env.DESTDIR }}/release
run: |
tree -nh .
-
name: GitHub Release
uses: softprops/action-gh-release@v2
Expand All @@ -230,88 +225,52 @@ jobs:
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

image:
image-prepare:
runs-on: ubuntu-latest
outputs:
repo-slugs: |
${{ env.DOCKERHUB_SLUG }}
${{ env.GHCR_SLUG }}
steps:
# FIXME: can't use env object in reusable workflow inputs: https://github.com/orgs/community/discussions/26671
- run: echo "Exposing env vars for reusable workflow"

image:
uses: docker/github-builder/.github/workflows/bake.yml@git-query-fetch-depth
permissions:
# same as global permissions
contents: read
# required to push to GHCR
packages: write
contents: read # same as global permission
id-token: write # for signing attestation(s) with GitHub OIDC Token
needs:
- artifact
- image-prepare
- artifacts-finalize
- test
steps:
-
name: Checkout
uses: actions/checkout@v6
with:
fetch-depth: 0
-
name: Docker meta
id: meta
uses: docker/metadata-action@v6
with:
images: |
${{ env.DOCKERHUB_SLUG }}
${{ env.GHCR_SLUG }}
tags: |
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{major}}
type=ref,event=pr
type=edge
labels: |
org.opencontainers.image.title=Diun
org.opencontainers.image.description=Docker image update notifier
org.opencontainers.image.vendor=CrazyMax
-
name: Set up QEMU
uses: docker/setup-qemu-action@v4
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v4
-
name: Login to DockerHub
if: github.event_name != 'pull_request'
uses: docker/login-action@v4
with:
with:
runner: amd64
output: image
target: image-all
push: ${{ github.event_name != 'pull_request' }}
sbom: true
set-meta-labels: true
meta-images: |
${{ needs.image-prepare.outputs.repo-slugs }}
meta-tags: |
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{major}}
type=ref,event=pr
type=edge
meta-labels: |
org.opencontainers.image.title=Diun
org.opencontainers.image.description=Docker image update notifier
org.opencontainers.image.vendor=CrazyMax
secrets:
registry-auths: |
- registry: docker.io
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
-
name: Login to GHCR
if: github.event_name != 'pull_request'
uses: docker/login-action@v4
with:
registry: ghcr.io
- registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
-
name: Build
uses: docker/bake-action@v7
with:
source: .
files: |
./docker-bake.hcl
${{ steps.meta.outputs.bake-file }}
targets: image-all
provenance: mode=max
sbom: true
pull: true
push: ${{ github.event_name != 'pull_request' }}
-
name: Check manifest
if: github.event_name != 'pull_request'
run: |
docker buildx imagetools inspect ${{ env.DOCKERHUB_SLUG }}:${{ steps.meta.outputs.version }}
docker buildx imagetools inspect ${{ env.GHCR_SLUG }}:${{ steps.meta.outputs.version }}
-
name: Inspect image
if: github.event_name != 'pull_request'
run: |
docker pull ${{ env.DOCKERHUB_SLUG }}:${{ steps.meta.outputs.version }}
docker image inspect ${{ env.DOCKERHUB_SLUG }}:${{ steps.meta.outputs.version }}
docker pull ${{ env.GHCR_SLUG }}:${{ steps.meta.outputs.version }}
docker image inspect ${{ env.GHCR_SLUG }}:${{ steps.meta.outputs.version }}

scout:
runs-on: ubuntu-latest
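Review bot: Both reusable-workflow calls (`uses: docker/github-builder/.github/workflows/bake.yml@git-query-fetch-depth` in `artifacts` and again in `image`) are pinned to a mutable branch name while being handed `id-token: write` and, for `image`, `packages: write` plus the DockerHub and GHCR credentials in `secrets.registry-auths`, so whoever can push to that branch decides what runs with those tokens. That is presumably a temporary ref for this draft; before merge, pin both to an immutable release tag or full commit SHA, e.g. `uses: docker/github-builder/.github/workflows/bake.yml@<release-tag-or-sha>`. Separately, in the `Rename provenance and sbom` step the final `mv /tmp/buildx-output/**/* "${{ env.DESTDIR }}/"` relies on `**`, which bash does not treat as recursive unless `shopt -s globstar` is set, so it behaves as `/tmp/buildx-output/*/*`; since the loop above renames files exactly one directory level down, writing `mv /tmp/buildx-output/*/* "${{ env.DESTDIR }}/"` states the intent without implying recursion.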
9 changes: 1 addition & 8 deletions Dockerfile
@@ -1,5 +1,3 @@
# syntax=docker/dockerfile:1

ARG GO_VERSION="1.25"
ARG ALPINE_VERSION="3.23"
ARG XX_VERSION="1.9.0"
Expand All @@ -14,14 +12,9 @@ RUN apk add --no-cache file git
WORKDIR /src

FROM base AS version
ARG GIT_REF
RUN --mount=target=. <<EOT
set -e
case "$GIT_REF" in
refs/tags/v*) version="${GIT_REF#refs/tags/}" ;;
*) version=$(git describe --match 'v[0-9]*' --dirty='.m' --always --tags) ;;
esac
echo "$version" | tee /tmp/.version
echo "$(git describe --match 'v[0-9]*' --dirty='.m' --always --tags)" | tee /tmp/.version
EOT

FROM base AS test
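Review bot: The `version` stage now derives the version solely from `git describe --match 'v[0-9]*' --dirty='.m' --always --tags` on the mounted context, so the result silently degrades to a bare short SHA (or gains a `.m` suffix from uncommitted modifications) whenever the builder's copy of the tree lacks the tags or has a dirty index — the removed `GIT_REF` branch previously made tag builds independent of that. A comment stating the prerequisite would help the next reader, e.g. `# requires the build context to keep its .git dir (BUILDKIT_CONTEXT_KEEP_GIT_DIR) with tags fetched; otherwise the version falls back to a short SHA`. The first hunk also appears to drop the `# syntax=docker/dockerfile:1` directive (two lines removed from the top, the ARGs retained), which un-pins the frontend that the `RUN <<EOT` heredoc depends on; if that deletion is intended, it is worth stating in the commit description.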
9 changes: 2 additions & 7 deletions docker-bake.hcl
Expand Up @@ -6,12 +6,6 @@ variable "DESTDIR" {
default = "./bin"
}

# GITHUB_REF is the actual ref that triggers the workflow and used as version
# when tag is pushed: https://docs.github.com/en/actions/learn-github-actions/environment-variables#default-environment-variables
variable "GITHUB_REF" {
default = ""
}

variable "GOLANGCI_LINT_MULTIPLATFORM" {
default = null
}
Expand All @@ -23,7 +17,8 @@ variable "GOLANGCI_FROM_SOURCE" {
target "_common" {
args = {
GO_VERSION = GO_VERSION
GIT_REF = GITHUB_REF
BUILDKIT_CONTEXT_KEEP_GIT_DIR = 1
BUILDKIT_DEBUG_GIT_COMMANDS = 1
}
}

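Review bot: `BUILDKIT_DEBUG_GIT_COMMANDS = 1` in the `_common` args reads like a debugging aid left over from working out the git-describe change rather than a permanent build setting; it applies to every target and, going by the name, presumably makes BuildKit echo its git invocations into the CI build logs. If it is meant to stay, a short comment above it saying why (`# log git commands run by BuildKit while the version stage is debugged`) would stop the next reader from removing it; otherwise drop it before merge. `BUILDKIT_CONTEXT_KEEP_GIT_DIR = 1` is the real dependency of the new Dockerfile `version` stage and deserves the kind of comment the removed `GITHUB_REF` block had, e.g. `# keep .git in the build context so the version stage can run git describe`.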