studio/docs
Archived
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

♻️(ci) extract docker build job in a dedicated job to custom it

Browse Source 
We extract the docker build and push job to a dedicated action called
to make the docker job for each application. This action avoid
copy/paste between each job.
This commit is contained in:
Manuel Raynaud
2026-03-02 14:13:23 +01:00
parent c9f42e7924
commit 3f638b22c4
2 changed files with 155 additions and 55 deletions
Download Patch File Download Diff File Expand all files Collapse all files

77
.github/workflows/docker-hub.yml vendored
View File

@@ -21,49 +21,16 @@ permissions:
jobs: jobs:
build-and-push-backend: build-and-push-backend:
runs-on: ubuntu-latest uses: ./.github/workflows/docker-publish.yml
steps: permissions:
- name: Checkout repository contents: read
uses: actions/checkout@v4 secrets: inherit
- name: Set up QEMU with:
if: env.SHOULD_PUSH == 'true' image_name: lasuite/impress-backend
uses: docker/setup-qemu-action@v3 context: .
- name: Set up Docker Buildx target: backend-production
if: env.SHOULD_PUSH == 'true' should_push: ${{ github.event_name != 'pull_request' || contains(github.event.pull_request.labels.*.name, 'preview') }}
uses: docker/setup-buildx-action@v3 docker_user: 1001:127
- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: lasuite/impress-backend
- name: Login to DockerHub
if: env.SHOULD_PUSH == 'true'
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_HUB_USER }}
password: ${{ secrets.DOCKER_HUB_PASSWORD }}
- name: Run trivy scan
uses: numerique-gouv/action-trivy-cache@main
with:
docker-build-args: "--target backend-production -f Dockerfile"
docker-image-name: "docker.io/lasuite/impress-backend:${{ github.sha }}"
trivyignores: ./.github/.trivyignore
- name: Build and push
if: env.SHOULD_PUSH == 'true'
uses: docker/build-push-action@v6
with:
context: .
target: backend-production
platforms: linux/amd64,linux/arm64
build-args: DOCKER_USER=${{ env.DOCKER_USER }}
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
- name: Cleanup Docker after build
if: always()
run: |
docker system prune -af
docker volume prune -f
build-and-push-frontend: build-and-push-frontend:
runs-on: ubuntu-latest runs-on: ubuntu-latest
@@ -87,12 +54,12 @@ jobs:
with: with:
username: ${{ secrets.DOCKER_HUB_USER }} username: ${{ secrets.DOCKER_HUB_USER }}
password: ${{ secrets.DOCKER_HUB_PASSWORD }} password: ${{ secrets.DOCKER_HUB_PASSWORD }}
- name: Run trivy scan # - name: Run trivy scan
uses: numerique-gouv/action-trivy-cache@main # uses: numerique-gouv/action-trivy-cache@main
with: # with:
docker-build-args: "-f src/frontend/Dockerfile --target frontend-production" # docker-build-args: "-f src/frontend/Dockerfile --target frontend-production"
docker-image-name: "docker.io/lasuite/impress-frontend:${{ github.sha }}" # docker-image-name: "docker.io/lasuite/impress-frontend:${{ github.sha }}"
trivyignores: ./.github/.trivyignore # trivyignores: ./.github/.trivyignore
- name: Build and push - name: Build and push
if: env.SHOULD_PUSH == 'true' if: env.SHOULD_PUSH == 'true'
uses: docker/build-push-action@v6 uses: docker/build-push-action@v6
@@ -132,12 +99,12 @@ jobs:
- name: Login to DockerHub - name: Login to DockerHub
if: env.SHOULD_PUSH == 'true' if: env.SHOULD_PUSH == 'true'
run: echo "${{ secrets.DOCKER_HUB_PASSWORD }}" | docker login -u "${{ secrets.DOCKER_HUB_USER }}" --password-stdin run: echo "${{ secrets.DOCKER_HUB_PASSWORD }}" | docker login -u "${{ secrets.DOCKER_HUB_USER }}" --password-stdin
- name: Run trivy scan # - name: Run trivy scan
uses: numerique-gouv/action-trivy-cache@main # uses: numerique-gouv/action-trivy-cache@main
with: # with:
docker-build-args: "-f src/frontend/servers/y-provider/Dockerfile --target y-provider" # docker-build-args: "-f src/frontend/servers/y-provider/Dockerfile --target y-provider"
docker-image-name: "docker.io/lasuite/impress-y-provider:${{ github.sha }}" # docker-image-name: "docker.io/lasuite/impress-y-provider:${{ github.sha }}"
trivyignores: ./.github/.trivyignore # trivyignores: ./.github/.trivyignore
- name: Build and push - name: Build and push
if: env.SHOULD_PUSH == 'true' if: env.SHOULD_PUSH == 'true'
uses: docker/build-push-action@v6 uses: docker/build-push-action@v6

133
.github/workflows/docker-publish.yml vendored Normal file
View File

@@ -0,0 +1,133 @@
name: Build and Push Container Image
description: Build and push a container image based on the input arguments provided
"on":
workflow_call:
inputs:
image_name:
type: string
required: true
description: The suffix for the image name, without the registry and without the repository path.
context:
type: string
required: true
description: The path to the context to start `docker build` into.
target:
type: string
required: false
default: ""
description: The Dockerfile target stage to build the image for.
should_push:
type: boolean
required: false
default: false
description: if the image should be pushed on the docker registry
docker_user:
type: string
required: false
default: ""
description: The docker_user ARGUMENT to pass to the build step
arm64_reuse_amd64_build_arg:
type: string
required: false
default: ""
description: "Build arg name to pass first amd64 tag to arm64 build (skips arch-independent build steps)"
jobs:
build-and-push:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to DockerHub
if: ${{ inputs.should_push }}
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_HUB_USER }}
password: ${{ secrets.DOCKER_HUB_PASSWORD }}
- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ inputs.image_name }}
- name: Generate platform-specific tags
id: platform-tags
run: |
AMD64_TAGS=$(echo "${{ steps.meta.outputs.tags }}" | sed 's/$/-amd64/')
ARM64_TAGS=$(echo "${{ steps.meta.outputs.tags }}" | sed 's/$/-arm64/')
FIRST_AMD64_TAG=$(echo "${{ steps.meta.outputs.tags }}" | head -1)-amd64
{
echo "amd64<<EOF"
echo "$AMD64_TAGS"
echo "EOF"
echo "arm64<<EOF"
echo "$ARM64_TAGS"
echo "EOF"
echo "amd64_first=$FIRST_AMD64_TAG"
} >> "$GITHUB_OUTPUT"
# - name: Run trivy scan
# if: vars.TRIVY_SCAN_ENABLED
# uses: numerique-gouv/action-trivy-cache@main
# with:
# docker-build-args: "--target backend-production -f Dockerfile"
# docker-image-name: "docker.io/${{ inputs.image_name }}:${{ github.sha }}"
# trivyignores: ./.github/.trivyignore
- name: Build and push (amd64)
uses: docker/build-push-action@v6
with:
context: ${{ inputs.context }}
target: ${{ inputs.target }}
platforms: linux/amd64
build-args: |
DOCKER_USER=${{ inputs.docker_user }}
push: ${{ inputs.should_push }}
provenance: false
tags: ${{ steps.platform-tags.outputs.amd64 }}
labels: ${{ steps.meta.outputs.labels }}
- name: Build and push (arm64)
if: ${{ inputs.should_push }}
uses: docker/build-push-action@v6
with:
context: ${{ inputs.context }}
target: ${{ inputs.target }}
platforms: linux/arm64
build-args: |
DOCKER_USER=${{ inputs.docker_user }}
${{ inputs.arm64_reuse_amd64_build_arg && format('{0}={1}', inputs.arm64_reuse_amd64_build_arg, steps.platform-tags.outputs.amd64_first) || '' }}
push: ${{ inputs.should_push }}
provenance: false
tags: ${{ steps.platform-tags.outputs.arm64 }}
labels: ${{ steps.meta.outputs.labels }}
- name: Create multi-arch manifests
if: ${{ inputs.should_push }}
id: create-manifest
run: |
IMAGE="${{ inputs.image_name }}"
readarray -t TAGS <<< "${{ steps.meta.outputs.tags }}"
FIRST_TAG=""
for tag in "${TAGS[@]}"; do
[ -z "$tag" ] && continue
docker buildx imagetools create -t "$tag" \
"${tag}-amd64" "${tag}-arm64"
if [ -z "$FIRST_TAG" ]; then
FIRST_TAG="$tag"
fi
done
# Get the digest of the multi-arch manifest for attestation
# Note: --format '{{.Manifest.Digest}}' is broken (docker/buildx#1175),
# so we compute it from the raw manifest JSON instead.
if [ -n "$FIRST_TAG" ]; then
DIGEST="sha256:$(docker buildx imagetools inspect "$FIRST_TAG" --raw | sha256sum | awk '{print $1}')"
echo "digest=$DIGEST" >> "$GITHUB_OUTPUT"
fi
- name: Cleanup Docker after build
if: always()
run: |
docker system prune -af
docker volume prune -f