
Container Images Scheduled Maintenance #28


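---
name: Container Images Scheduled Maintenance

# Periodically rebuilds and republishes the base container image for the development
# branch and the newest NUM_PAST_RELEASES release tags whenever the upstream Java
# (Temurin) image or the OS packages installed in our image have updates.
on:  # yamllint disable-line rule:truthy
  # TODO: think about adding a (filtered) push event trigger here in case we change the patches
  # ---
  # Allow manual workflow triggers in case we need to repair images on Docker Hub (build and replace)
  workflow_dispatch:
    inputs:
      force_build:
        type: boolean
        required: false
        default: false
        description: "Build and deploy even if no newer Java images or package updates are found."
  schedule:
    - cron: '23 3 * * 0'  # Run for 'develop' every Sunday at 03:23 UTC

env:
  PLATFORMS: linux/amd64,linux/arm64
  # How many of the newest release tags (besides the develop branch) get rebuilt
  NUM_PAST_RELEASES: 3
  # TODO: change to "develop" in final PR
  DEVELOP_BRANCH: 10478-version-base-img

jobs:
  discover:
    name: Discover Release Matrix
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: read
    # TODO: re-enable for final PR
    # Only run in upstream repo - avoid unnecessary runs in forks and only for scheduled
    #if: ${{ github.repository_owner == 'IQSS' }}
    outputs:
      # JSON array of git refs to build: newest release tags plus the develop branch
      branches: ${{ steps.matrix.outputs.branches }}
      # Tag name of the newest release, as a JSON-quoted string
      current_release: ${{ steps.matrix.outputs.current_release }}
    steps:
      - name: Build branch matrix options
        id: matrix
        run: |
          # Query the release list once so both outputs come from the same snapshot
          # (two independent calls could observe a release published in between).
          # NOTE(review): the call is unauthenticated and therefore subject to the shared
          # runner rate limit; `.[0]` is the newest entry the API returns, which may be a
          # prerelease - confirm this is wanted.
          RELEASES="$( curl -f -sS https://api.github.com/repos/IQSS/dataverse/releases )"
          # Pass the env values as jq variables instead of splicing them into the filter text.
          # `jq -c` already prints a single line; stripping newlines with `tr` would also
          # remove the trailing newline and glue the next output line onto this one.
          echo "branches=$( jq -c --argjson n "${NUM_PAST_RELEASES}" --arg dev "${DEVELOP_BRANCH}" '[ .[0:$n] | .[].tag_name, $dev ]' <<< "${RELEASES}" )" | tee -a "$GITHUB_OUTPUT"
          # Kept JSON-quoted (no `jq -r`) as before; the consumer of this output is not
          # visible here - verify whether it expects the surrounding quotes.
          echo "current_release=$( jq '.[0].tag_name' <<< "${RELEASES}" )" | tee -a "$GITHUB_OUTPUT"

  build:
    name: Build image
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: read
    needs: discover
    strategy:
      fail-fast: false
      matrix:
        branch: ${{ fromJson(needs.discover.outputs.branches) }}
    # TODO: re-enable for final PR
    # Only run in upstream repo - avoid unnecessary runs in forks
    #if: ${{ github.repository_owner == 'IQSS' }}
    env:
      # Hand the matrix value to shell steps through the environment rather than
      # interpolating `${{ matrix.branch }}` into scripts: the value originates from the
      # releases API, and an environment variable cannot alter the script text.
      BRANCH: ${{ matrix.branch }}
    steps:
      - name: Checkout and Setup Maven
        # TODO: change to upstream location in final PR
        # Necessary as the checked out release branch might not contain the action as files
        uses: gdcc/wip-dataverse-base-image/.github/actions/setup-maven@10478-version-base-img
        with:
          git-reference: ${{ matrix.branch }}
          pom-paths: modules/container-base/pom.xml

      # Note: Accessing, pushing tags etc. to DockerHub will only succeed in upstream and
      # on events in context of upstream because secrets. PRs run in context of forks by default!
      - name: Log in to the Container registry
        # NOTE(review): third-party actions are referenced by a mutable tag; pinning them to a
        # full commit SHA (with the tag in a trailing comment) protects against a moved tag.
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Set up QEMU for multi-arch builds
        uses: docker/setup-qemu-action@v3
        with:
          platforms: ${{ env.PLATFORMS }}

      # Try to retrieve backport patches for this git ref (but don't fail if there aren't any)
      # and try to apply them if present
      - name: Get and apply backported patches
        run: |
          PATCH_DIR="${GITHUB_WORKSPACE}/patches"
          mkdir -p "${PATCH_DIR}"
          # Download the develop archive first so a failed download (`-f`) stops the step.
          curl -fsSL "https://github.com/${GITHUB_REPOSITORY}/archive/${DEVELOP_BRANCH}.tar.gz" -o /tmp/develop.tar.gz
          # Having no patches for this ref is expected: tar exits non-zero when the wildcard
          # matches nothing, so only this extraction step may fail ...
          tar -zxf /tmp/develop.tar.gz -C "${PATCH_DIR}" --wildcards "*/modules/container-base/src/backports/${BRANCH}" --strip-components=6 || true
          # ... whereas a patch that exists but does not apply must fail the job instead of
          # quietly publishing an image without the backport (previously masked by
          # continue-on-error). `xargs -r` skips the command entirely when no patch was found.
          find "${PATCH_DIR}" -type f -name '*.patch' -print0 | xargs -0 -r -n1 patch -p1 -s -i

      # Determine the image names we are going to use from here on
      - name: Determine base and Java image names
        run: |
          if [[ "${BRANCH}" = "${DEVELOP_BRANCH}" ]]; then
            NAME=$( mvn initialize help:evaluate -Pct -f modules/container-base -Dexpression=base.image -q -DforceStdout )
          else
            NAME=$( mvn help:evaluate -Pct -f modules/container-base -Dexpression=base.image -Dbase.image.tag='${base.image.tag.release}' -q -DforceStdout )
          fi
          echo "BASE_IMAGE=${NAME}" | tee -a "${GITHUB_ENV}"
          # The Java image our base image derives from. Evaluated here because a `with:` input
          # is passed to an action verbatim - a `$( ... )` placed there is never expanded by
          # the workflow runner.
          JAVA_IMAGE=$( mvn help:evaluate -Pct -f modules/container-base -Dexpression=java.image -q -DforceStdout )
          echo "JAVA_IMAGE=${JAVA_IMAGE}" | tee -a "${GITHUB_ENV}"

      # Figure out if a rebuild is necessary because either there is an updated Java image or our installed packages need updates
      - name: Check for recent Temurin image updates
        id: temurin-check
        # TODO: change to upstream location in final PR
        uses: gdcc/wip-dataverse-base-image/.github/actions/check-newer-base-image@10478-version-base-img
        with:
          base: "${{ env.JAVA_IMAGE }}"
          derived: "${{ env.BASE_IMAGE }}"

      # TODO: if we introduce more flavors as a matrix, we need to adapt the install command to check for updates
      - name: Check for package updates in base image
        id: package-check
        if: ${{ steps.temurin-check.outputs.is_more_recent == 'false' }}
        run: |
          # Package list as declared in the Dockerfile's `ARG PKGS="..."` line
          PKGS="$( grep "ARG PKGS" modules/container-base/src/main/docker/Dockerfile | cut -f2 -d= | tr -d '"' )"
          # Dry-run install (`-s`) inside the published image; nothing is changed or pushed.
          # "0 upgraded" in the summary means no pending updates. A failing container run
          # produces no match and is treated as "needs updates", i.e. we fail toward rebuilding.
          # grep is deliberately not `-q`: it must consume all output so the pipeline status
          # (pipefail is on) reflects the match and not an early-closed pipe.
          if docker run --rm -u 0 "${BASE_IMAGE}" sh -c "apt-get update -q && apt-get install -s ${PKGS}" | grep "0 upgraded" > /dev/null; then
            echo "Base image ${BASE_IMAGE} has no package updates"
            echo "newer_packages=false" >> "${GITHUB_OUTPUT}"
          else
            echo "Base image ${BASE_IMAGE} needs package updates"
            echo "newer_packages=true" >> "${GITHUB_OUTPUT}"
          fi

      - name: Calculate revision number for immutable tag (on release branches only)
        if: ${{ matrix.branch != env.DEVELOP_BRANCH }}
        run: |
          # Get the revision logic script (not present on older releases)
          curl -fsSL "https://github.com/${GITHUB_REPOSITORY}/archive/${DEVELOP_BRANCH}.tar.gz" | \
            tar -zxf - -C "." --wildcards "*/.github/workflows/scripts/get_next_revision.sh" --strip-components=1
          # Now get the new revision number. `##*:` takes the text after the LAST colon, so a
          # registry host with a port in BASE_IMAGE does not end up in the tag.
          REVISION_TAG="${BASE_IMAGE##*:}-r$( .github/workflows/scripts/get_next_revision.sh "${BASE_IMAGE}" )"
          # `\${base.image.tag.release}` is left for Maven to evaluate, not for the shell.
          echo "DOCKER_TAGS=-Dbase.image.tag=\${base.image.tag.release} -Ddocker.imagePropertyConfiguration=override -Ddocker.tags.revision=${REVISION_TAG}" | tee -a "${GITHUB_ENV}"

      - name: Configure update of "latest" tag for development branch
        if: ${{ matrix.branch == env.DEVELOP_BRANCH }}
        run: |
          echo "DOCKER_TAGS=-Ddocker.imagePropertyConfiguration=override -Ddocker.tags.develop=latest" | tee -a "${GITHUB_ENV}"

      - name: Deploy multi-arch base container image to Docker Hub
        if: ${{ steps.temurin-check.outputs.is_more_recent == 'true' || steps.package-check.outputs.newer_packages == 'true' || inputs.force_build }}
        id: build
        run: |
          # DOCKER_TAGS is intentionally unquoted: it holds several -D flags that must word-split.
          mvn -f modules/container-base -Pct deploy -Ddocker.noCache ${DOCKER_TAGS} -Ddocker.platforms="${PLATFORMS}"
          echo "rebuild=true" | tee -a "${GITHUB_OUTPUT}"

      # - if: always()
      #   name: Save status (workaround for matrix outputs)
      #   run: |
      #     # steps.build.outcome is the status BEFORE continue-on-error
      #     echo "STATUS_$( echo "${{ matrix.branch }}" | tr ".:;,-/ " "_" )=${{ steps.build.outcome }}" | tee -a "${GITHUB_ENV}"

      - name: Rebuild application container
        # Empty output when the deploy step was skipped, so this step is skipped as well
        if: ${{ steps.build.outputs.rebuild }}
        # TODO: the inputs below are placeholders; the local action also has to exist on the
        # checked-out release branch for this step to resolve.
        uses: ./.github/actions/deploy-app-container
        with:
          registry: ""
          registry_token: ""
          ref: ""
          base_image: ""
          base_image_tag: ""

  #push-app-img:
  #  name: "Rebase & Publish App Image"
  #  permissions:
  #    contents: read
  #    packages: write
  #    pull-requests: write
  #  secrets: inherit
  #  needs:
  #    - discover
  #    - build
  #  strategy:
  #    fail-fast: false
  #    matrix:
  #      branch: ${{ fromJson(needs.discover.outputs.branches) }}
  #  uses: ./.github/workflows/container_app_push.yml
  #  with:
  #    branch: ${{ matrix.branch }}

  # TODO: job to update the docker hub description with supported tags and all
  #  - name: Push description to DockerHub
  #    uses: peter-evans/dockerhub-description@v3
  #    with:
  #      username: ${{ secrets.DOCKERHUB_USERNAME }}
  #      password: ${{ secrets.DOCKERHUB_TOKEN }}
  #      repository: gdcc/base
  #      short-description: "Dataverse Base Container image providing Payara application server and optimized configuration"
  #      readme-filepath: ./modules/container-base/README.md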