Some pipeline improvements #474
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Rust | |
# TODO: Add a job to release the tracing-utils crate!! | |
on: | |
push: | |
branches: ["main"] | |
pull_request: | |
branches: ["main"] | |
types: [opened, reopened, ready_for_review, synchronize] | |
workflow_dispatch: | |
# Automatically cancel in-progress actions on the same branch | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.event_name == 'pull_request_target' && github.head_ref || github.ref }} | |
cancel-in-progress: true | |
env: | |
CARGO_TERM_COLOR: always | |
DOCKER_CONTAINER_IMAGE_BASE: lhr.ocir.io/lrdyqp2xtoja/hello-rust-backend | |
# get correct commit sha for pull requests as well | |
COMMIT_SHA: ${{ github.event.pull_request.head.sha || github.sha }} | |
jobs: | |
test: | |
runs-on: ubuntu-latest | |
# if: ${{ !github.event.pull_request.draft }} | |
steps: | |
- uses: actions/checkout@v3 | |
- uses: DeterminateSystems/nix-installer-action@main | |
- uses: cachix/cachix-action@v12 | |
with: | |
name: nix-community | |
- uses: DeterminateSystems/magic-nix-cache-action@main | |
- uses: Swatinem/rust-cache@v2 | |
with: | |
cache-on-failure: "true" | |
- uses: rui314/setup-mold@v1 | |
- name: Run tests | |
run: nix develop .#buildShell/x86_64-linux -c cargo test | |
clippy: | |
runs-on: ubuntu-latest | |
# if: ${{ !github.event.pull_request.draft }} | |
steps: | |
- uses: actions/checkout@v3 | |
- uses: DeterminateSystems/nix-installer-action@main | |
- uses: cachix/cachix-action@v12 | |
with: | |
name: nix-community | |
- uses: DeterminateSystems/magic-nix-cache-action@main | |
- uses: Swatinem/rust-cache@v2 | |
with: | |
cache-on-failure: "true" | |
- run: nix develop .#buildShell/x86_64-linux -c cargo clippy | |
build: | |
# runs-on: [self-hosted, linux, ARM64] | |
runs-on: ubuntu-latest | |
services: | |
# Run a local docker registry | |
# This is needed for pushing the multiarch base image to, | |
# because buildkit can't access a loaded image for another architecture | |
registry: | |
image: registry:2 | |
ports: | |
- 5000:5000 | |
strategy: | |
matrix: | |
target: | |
- rust: aarch64-unknown-linux-gnu | |
nix: aarch64-linux | |
steps: | |
- uses: actions/checkout@v3 | |
# - uses: dtolnay/rust-toolchain@stable | |
# with: | |
# targets: ${{ matrix.target.rust }} | |
- uses: DeterminateSystems/nix-installer-action@main | |
- uses: cachix/cachix-action@v12 | |
with: | |
name: nix-community | |
- uses: DeterminateSystems/magic-nix-cache-action@main | |
- uses: Swatinem/rust-cache@v2 | |
- name: Set up Docker Context for Buildx | |
id: buildx-context | |
run: | | |
docker context create builders | |
- name: Set up Docker Buildx | |
id: buildx | |
uses: docker/setup-buildx-action@v2 | |
with: | |
version: v0.11.2 | |
endpoint: builders | |
install: true | |
# required for the docker buildx container to connect to the localhost registry | |
driver-opts: network=host | |
# TODO: Make this build across a matrix, and then merge the images into a docker manifest in another step | |
- name: nix build | |
run: nix build -L .#docker/${{ matrix.target.nix }} && ./result | docker load | |
# # Should probably just prebuild a docker container for Cross, and put it on DockerHub or somewhere similar | |
# - run: cargo install cross | |
# # - uses: rui314/setup-mold@v1 | |
# - name: Build Docker image for cross | |
# uses: docker/build-push-action@v3 | |
# with: | |
# context: . | |
# file: CrossDockerfile | |
# push: false | |
# load: true | |
# tags: cross-docker-image:tag | |
# build-args: CROSS_BASE_IMAGE=ghcr.io/cross-rs/${{ matrix.target.rust }}:latest | |
# cache-from: type=gha,scope=cross-docker-image | |
# cache-to: type=gha,scope=cross-docker-image | |
# - name: Build binary of project using cross | |
# run: | | |
# cross build --target=${{ matrix.target.rust }} --release | |
- name: nix build base docker image | |
run: | | |
nix build -L .#dockerDependenciesOnly/${{ matrix.target.nix }} && ./result | docker load | |
docker tag hello-rust-backend-dependencies:nix-latest-build-tag localhost:5000/hello-rust-backend-dependencies:nix-latest-build-tag | |
docker push localhost:5000/hello-rust-backend-dependencies:nix-latest-build-tag | |
- name: Build binary of project using nix shell | |
run: | | |
nix develop .#buildShell/${{ matrix.target.nix }} -c cargo build --target=${{ matrix.target.rust }} --release | |
- name: Login to Docker Hub | |
uses: docker/login-action@v2 | |
with: | |
registry: lhr.ocir.io | |
username: ${{ secrets.OCIR_USERNAME }} | |
password: ${{ secrets.OCIR_TOKEN }} | |
- name: Docker meta | |
id: meta | |
uses: docker/metadata-action@v4 | |
env: | |
DOCKER_METADATA_PR_HEAD_SHA: true | |
with: | |
images: | | |
${{ env.DOCKER_CONTAINER_IMAGE_BASE }} | |
tags: | | |
type=ref,event=branch | |
type=ref,event=pr | |
type=semver,pattern={{version}} | |
type=semver,pattern={{major}}.{{minor}} | |
# An edge tag reflects the last commit of the active branch on your Git repository | |
type=edge | |
# git commit sha | |
type=sha,format=long | |
# set latest tag for default branch | |
type=raw,value=latest,enable={{is_default_branch}} | |
- name: Build Dockerfile | |
id: build-and-push-action-1 | |
uses: docker/build-push-action@v3 | |
with: | |
context: . | |
file: Dockerfile | |
push: false | |
load: true | |
# doesn't need to have the correct final tag or labels here, this build just puts | |
# something in the local cache rather than pushing it. Correct tags and labels | |
# are set in the next docker/build-push-action | |
tags: docker-built-image:latest-image | |
cache-from: type=gha | |
# cache-to: type=local,dest=buildkit-docker-cache-location | |
cache-to: type=gha | |
platforms: linux/arm64 | |
# BASE_IMAGE referring to the nix built base docker image | |
build-args: | | |
RUST_TARGET_DIR=target/${{ matrix.target.rust }}/release | |
BASE_IMAGE=localhost:5000/hello-rust-backend-dependencies:nix-latest-build-tag | |
- name: Run Trivy vulnerability scanner | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: hello-rust-backend:nix-latest-build-tag | |
format: "table" | |
exit-code: "1" | |
ignore-unfixed: true | |
vuln-type: "os,library" | |
severity: "CRITICAL,HIGH" | |
- name: Run Trivy vulnerability scanner | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: docker-built-image:latest-image | |
format: "table" | |
exit-code: "1" | |
ignore-unfixed: true | |
vuln-type: "os,library" | |
severity: "CRITICAL,HIGH" | |
# size comparison | |
- name: size comparison | |
run: | | |
echo "# Size Comparison" >> "$GITHUB_STEP_SUMMARY" | |
echo nix: $(docker image ls hello-rust-backend:nix-latest-build-tag --format "{{.Size}}") >> "$GITHUB_STEP_SUMMARY" | |
echo cross: $(docker image ls docker-built-image:latest-image --format "{{.Size}}") >> "$GITHUB_STEP_SUMMARY" | |
# tag nix image | |
- name: re-tag docker image and get the image id and final image size | |
run: | | |
# export IMAGE_TO_RETAG_AND_PUSH="hello-rust-backend:nix-latest-build-tag" | |
export IMAGE_TO_RETAG_AND_PUSH="docker-built-image:latest-image" | |
echo image_id=`docker image ls $IMAGE_TO_RETAG_AND_PUSH --format "{{.ID}}"` | |
echo image_id=`docker image ls $IMAGE_TO_RETAG_AND_PUSH --format "{{.ID}}"` >> "$GITHUB_OUTPUT" | |
echo final_image_size=$(docker image ls $IMAGE_TO_RETAG_AND_PUSH --format "{{.Size}}") >> "$GITHUB_OUTPUT" | |
echo "${{steps.meta.outputs.tags}}" | xargs -n1 docker tag $IMAGE_TO_RETAG_AND_PUSH | |
docker rmi $IMAGE_TO_RETAG_AND_PUSH | |
id: nix-image-tagging | |
- name: docker push (and get digest) | |
run: | | |
echo ${{ env.DOCKER_CONTAINER_IMAGE_BASE }} | |
docker push --all-tags ${{ env.DOCKER_CONTAINER_IMAGE_BASE }} | |
echo image_digest=$(docker inspect --format='{{index .RepoDigests 0}}' ${DOCKER_CONTAINER_IMAGE_BASE}:sha-${COMMIT_SHA} | sed 's/.*@//') \ | |
>> $GITHUB_OUTPUT | |
id: docker-push | |
- name: Job summary info (as markdown) | |
run: | | |
echo "# Built image info" >> $GITHUB_STEP_SUMMARY | |
echo "- image digest: \`${{ steps.docker-push.outputs.image_digest }}\`" >> $GITHUB_STEP_SUMMARY | |
echo "- revision (commit-sha): \`${{ env.COMMIT_SHA }}\`" >> $GITHUB_STEP_SUMMARY | |
echo "- tags: \`${{ steps.meta.outputs.tags }}\`" >> $GITHUB_STEP_SUMMARY | |
echo "- image size: \`${{ steps.nix-image-tagging.outputs.final_image_size }}\`" >> $GITHUB_STEP_SUMMARY | |
outputs: | |
docker-image-published-digest: ${{ steps.docker-push.outputs.image_digest }} | |
app-version: ${{ env.COMMIT_SHA }} | |
deploy: | |
runs-on: ubuntu-latest | |
if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }} | |
needs: [build, clippy, test] | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
repository: SG60/hello-rust-infrastructure-config | |
ref: "main" | |
token: ${{ secrets.WRITE_INFRASTRUCTURE_REPOSITORY_PAT }} | |
- name: install kustomize | |
id: kustomize-installation | |
run: | | |
curl -sfLo kustomize.tar.gz https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv4.5.7/kustomize_v4.5.7_linux_amd64.tar.gz | |
tar xzf ./kustomize.tar.gz | |
echo "KUSTOMIZE_COMMAND=$PWD/kustomize" >> $GITHUB_OUTPUT | |
- name: Update kustomization for new image | |
# in 'prod' folder | |
run: | | |
cd k8s/prod | |
${{ steps.kustomize-installation.outputs.KUSTOMIZE_COMMAND }} edit set image ${{ env.DOCKER_CONTAINER_IMAGE_BASE }}@${{ needs.build.outputs.docker-image-published-digest }} | |
# update version label | |
echo "apiVersion: apps/v1 | |
kind: Deployment | |
metadata: | |
name: hello-rust-backend | |
labels: | |
app.kubernetes.io/version: ${{ needs.build.outputs.app-version }} | |
" > ./generated/labels.patch.yaml | |
- name: Commit to git | |
run: | | |
git config user.name github-actions | |
git config user.email [email protected] | |
git add k8s/prod/kustomization.yaml k8s/prod/generated | |
git commit -m "update: SG60/hello-rust@${{ needs.build.outputs.app-version }} " | |
git push | |
echo "Committed to infra: https://github.com/SG60/hello-rust-infrastructure-config/commit/`git rev-parse HEAD` " >> $GITHUB_STEP_SUMMARY |