studio/tuwunel
2
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

ci: Publish multi-arch manifest. (fixes #74)

Browse Source 
ci: Toggle package install checks via vars.

docker: Disable provenance attestations which auto-generate manifests.

Signed-off-by: Jason Volk <jason@zemos.net>
This commit is contained in:
Jason Volk
2025-06-20 10:52:35 +00:00
parent aa1609d611
commit 31a3676cd8
5 changed files with 201 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
.github/workflows/main.yml vendored
View File

@@ -39,6 +39,10 @@ jobs:
sys_versions: ${{vars.SYS_VERSIONS || env.default_sys_versions}}
machines: ${{vars.MACHINES || env.default_machines}}
release_url: ${{steps.release.outputs.upload_url}}
check_pkgs: ${{vars.CHECK_PKGS || 'false'}}
complement: ${{vars.COMPLEMENT || 'true'}}
complement_runner: 'het'
docker_repo: ${{vars.DOCKER_REPO}}
strategy:
fail-fast: true
@@ -149,7 +153,8 @@ jobs:
needs: [init, lint]
uses: ./.github/workflows/test.yml
with:
complement: ${{fromJSON(vars.COMPLEMENT || 'true')}}
complement: ${{fromJSON(needs.init.outputs.complement)}}
complement_runner: ${{needs.init.outputs.complement_runner}}
cargo_profiles: ${{needs.init.outputs.cargo_profiles}}
feat_sets: ${{needs.init.outputs.feat_sets}}
rust_toolchains: ${{needs.init.outputs.rust_toolchains}}
@@ -158,7 +163,6 @@ jobs:
sys_targets: ${{needs.init.outputs.sys_targets}}
sys_versions: ${{needs.init.outputs.sys_versions}}
machines: ${{needs.init.outputs.machines}}
complement_runner: 'het'
excludes: >
[
{"cargo_profile": "test", "rust_toolchain": "stable", "feat_set": "none"},
@@ -186,6 +190,7 @@ jobs:
uses: ./.github/workflows/package.yml
with:
release_url: ${{needs.init.outputs.release_url}}
check_pkgs: ${{needs.init.outputs.check_pkgs}}
cargo_profiles: ${{needs.init.outputs.cargo_profiles}}
feat_sets: ${{needs.init.outputs.feat_sets}}
rust_toolchains: ${{needs.init.outputs.rust_toolchains}}
@@ -224,7 +229,7 @@ jobs:
needs: [init, test, package]
uses: ./.github/workflows/publish.yml
with:
docker_repo: ${{vars.DOCKER_REPO}}
docker_repo: ${{needs.init.outputs.docker_repo}}
release_url: ${{needs.init.outputs.release_url}}
cargo_profiles: ${{needs.init.outputs.cargo_profiles}}
feat_sets: ${{needs.init.outputs.feat_sets}}

5
.github/workflows/package.yml vendored
View File

@@ -38,6 +38,9 @@ on:
release_url:
type: string
description: For release assets
check_pkgs:
type: string
default: 'false'
jobs:
book:
@@ -179,7 +182,7 @@ jobs:
&& contains(fromJSON(inputs.feat_sets), fromJSON('["all"]')[0])
&& contains(fromJSON(inputs.cargo_profiles), fromJSON('["release"]')[0])
&& contains(fromJSON(inputs.rust_toolchains), fromJSON('["stable"]')[0])
&& github.ref == 'refs/heads/main'
&& fromJSON(inputs.check_pkgs)
name: Check Packages
needs: [pkgs]

160
.github/workflows/publish.yml vendored
View File

@@ -75,11 +75,10 @@ jobs:
name: Containers
runs-on: ${{matrix.machine}}
permissions: write-all
continue-on-error: false
strategy:
fail-fast: true
matrix:
bake_target: ${{fromJSON('["github", "dockerhub"]')}}
bake_target: ${{fromJSON('["docker_io", "ghcr_io"]')}}
cargo_profile: ${{fromJSON(inputs.cargo_profiles)}}
rust_toolchain: ${{fromJSON(inputs.rust_toolchains)}}
feat_set: ${{fromJSON(inputs.feat_sets)}}
@@ -92,6 +91,10 @@ jobs:
include: ${{fromJSON(inputs.includes)}}
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- name: GitHub Login
uses: docker/login-action@v3
with:
@@ -120,8 +123,157 @@ jobs:
acct: ${{github.actor}}
repo: ${{github.repository}}
docker_repo: ${{inputs.docker_repo}}
docker_tag_preview: ${{ matrix.cargo_profile == 'release' && matrix.feat_set == 'all' && matrix.sys_target == 'x86_64-linux-gnu' && contains(github.ref, 'refs/tags/v') }}
docker_tag_latest: ${{ matrix.cargo_profile == 'release' && matrix.feat_set == 'all' && matrix.sys_target == 'x86_64-linux-gnu' && contains(github.ref, 'refs/tags/v') && !contains(github.ref, '-rc') }}
run: |
docker/bake.sh "${{matrix.bake_target}}"
bundles:
if: >
!failure() && !cancelled()
&& inputs.machines
&& inputs.docker_repo != ''
&& contains(fromJSON(inputs.cargo_profiles), fromJSON('["release"]')[0])
&& contains(fromJSON(inputs.feat_sets), fromJSON('["all"]')[0])
&& contains(fromJSON(inputs.rust_toolchains), fromJSON('["stable"]')[0])
&& contains(github.ref, 'refs/tags/v')
&& !contains(github.ref, '-draft')
name: Bundles
needs: [containers]
runs-on: 'het'
permissions: write-all
strategy:
fail-fast: true
matrix:
bake_target: ${{fromJSON('["docker_io", "ghcr_io"]')}}
cargo_profile: ${{fromJSON('["release"]')}}
feat_set: ${{fromJSON('["all"]')}}
rust_toolchain: ${{fromJSON('["stable"]')}}
sys_name: ${{fromJSON(inputs.sys_names)}}
sys_version: ${{fromJSON(inputs.sys_versions)}}
rust_target: ${{fromJSON(inputs.rust_targets)}}
sys_target: ${{fromJSON(inputs.sys_targets)}}
machine: ${{fromJSON(inputs.machines)}}
exclude: ${{fromJSON(inputs.excludes)}}
include: ${{fromJSON(inputs.includes)}}
steps:
- name: GitHub Login
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.ghcr_token }}
- name: DockerHub Login
uses: docker/login-action@v3
with:
registry: docker.io
username: ${{ github.actor }}
password: ${{ secrets.dockerhub_token }}
- name: Release Preview
if: >
!failure() && !cancelled()
&& !contains(github.ref, '-draft')
env:
acct: ${{github.actor}}
ghcr_repo: ${{github.repository}}
docker_repo: ${{inputs.docker_repo}}
registry: ${{matrix.bake_target}}
cargo_profile: ${{matrix.cargo_profile}}
feat_set: ${{matrix.feat_set}}
sys_target: ${{matrix.sys_target}}
ref_name: ${{github.ref_name}}
run: |
registry="$(echo -n $registry | sed s/_/./)"
if test "$registry" = "ghcr.io"; then
repo="$ghcr_repo"
else
repo="$docker_repo"
fi
docker manifest create "${registry}/${repo}:preview" \
--amend "${registry}/${repo}:${ref_name}-${cargo_profile}-${feat_set}-${sys_target}"
- name: Release Latest
if: >
!failure() && !cancelled()
&& !contains(github.ref, '-draft')
&& !contains(github.ref, '-rc')
env:
acct: ${{github.actor}}
ghcr_repo: ${{github.repository}}
docker_repo: ${{inputs.docker_repo}}
registry: ${{matrix.bake_target}}
cargo_profile: ${{matrix.cargo_profile}}
feat_set: ${{matrix.feat_set}}
sys_target: ${{matrix.sys_target}}
ref_name: ${{github.ref_name}}
run: |
registry="$(echo -n $registry | sed s/_/./)"
if test "$registry" = "ghcr.io"; then
repo="$ghcr_repo"
else
repo="$docker_repo"
fi
docker manifest create "${registry}/${repo}:latest" \
--amend "${registry}/${repo}:${ref_name}-${cargo_profile}-${feat_set}-${sys_target}"
delivery:
if: >
!failure() && !cancelled()
&& inputs.machines
&& inputs.docker_repo != ''
&& contains(github.ref, 'refs/tags/v')
name: Delivery
needs: [bundles, documents]
runs-on: 'het'
permissions: write-all
steps:
- name: GitHub Login
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.ghcr_token }}
- name: DockerHub Login
uses: docker/login-action@v3
with:
registry: docker.io
username: ${{ github.actor }}
password: ${{ secrets.dockerhub_token }}
- name: Push Preview
if: >
!failure() && !cancelled()
&& !contains(github.ref, '-draft')
env:
ghcr_repo: ${{github.repository}}
docker_repo: ${{inputs.docker_repo}}
run: |
docker manifest push -p "ghcr.io/${ghcr_repo}:preview"
docker manifest push -p "docker.io/${docker_repo}:preview"
- name: Push Latest
if: >
!failure() && !cancelled()
&& !contains(github.ref, '-draft')
&& !contains(github.ref, '-rc')
env:
ghcr_repo: ${{github.repository}}
docker_repo: ${{inputs.docker_repo}}
run: |
docker manifest push -p "ghcr.io/${ghcr_repo}:latest"
docker manifest push -p "docker.io/${docker_repo}:latest"

44
docker/bake.hcl
View File

@@ -16,11 +16,8 @@ variable "repo" {
variable "docker_repo" {
default = "${repo}"
}
variable "docker_tag_preview" {
default = false
}
variable "docker_tag_latest" {
default = false
variable "docker_targets" {
default = "[\"local\"]"
}
variable "git_ref" {
@@ -279,28 +276,24 @@ group "publish" {
]
}
target "github" {
target "ghcr_io" {
name = elem("github", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
tags = [
"ghcr.io/${repo}:${git_ref_name}-${cargo_profile}-${feat_set}-${sys_target}",
docker_tag_preview? "ghcr.io/${repo}:preview": "",
docker_tag_latest? "ghcr.io/${repo}:latest": "",
]
output = ["type=registry,compression=zstd,mode=min,compression-level=${zstd_image_compress_level}"]
output = ["type=registry,compression=gzip,mode=min,compression-level=${gz_image_compress_level}"]
matrix = cargo_rust_feat_sys
inherits = [
elem("docker", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target]),
]
}
target "dockerhub" {
target "docker_io" {
name = elem("dockerhub", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
tags = [
"${docker_repo}:${git_ref_name}-${cargo_profile}-${feat_set}-${sys_target}",
docker_tag_preview? "${docker_repo}:preview": "",
docker_tag_latest? "${docker_repo}:latest": "",
"docker.io/${docker_repo}:${git_ref_name}-${cargo_profile}-${feat_set}-${sys_target}",
]
output = ["type=registry,compression=zstd,mode=min,compression-level=${zstd_image_compress_level}"]
output = ["type=registry,compression=gzip,mode=min,compression-level=${gz_image_compress_level}"]
matrix = cargo_rust_feat_sys
inherits = [
elem("docker", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target]),
@@ -534,7 +527,7 @@ group "installs" {
install_labels = {
"org.opencontainers.image.authors" = "${package_authors}"
"org.opencontainers.image.created" ="${package_last_modified}"
"org.opencontainers.image.created" = "${package_last_modified}"
"org.opencontainers.image.description" = "Matrix Chat Server in Rust"
"org.opencontainers.image.documentation" = "https://github.com/matrix-construct/tuwunel/tree/main/docs/"
"org.opencontainers.image.licenses" = "Apache-2.0"
@@ -546,6 +539,20 @@ install_labels = {
"org.opencontainers.image.version" = "${package_version}"
}
install_annotations = [
"org.opencontainers.image.authors=${package_authors}",
"org.opencontainers.image.created=${package_last_modified}",
"org.opencontainers.image.description=Matrix Chat Server in Rust",
"org.opencontainers.image.documentation=https://github.com/matrix-construct/tuwunel/tree/main/docs/",
"org.opencontainers.image.licenses=Apache-2.0",
"org.opencontainers.image.revision=${package_revision}",
"org.opencontainers.image.source=https://github.com/matrix-construct/tuwunel",
"org.opencontainers.image.title=${package_name}",
"org.opencontainers.image.url=https://github.com/matrix-construct/tuwunel",
"org.opencontainers.image.vendor=matrix-construct",
"org.opencontainers.image.version=${package_version}",
]
target "oci" {
name = elem("oci", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
tags = [
@@ -580,8 +587,7 @@ target "docker" {
)
}
dockerfile-inline =<<EOF
FROM scratch AS install
COPY --from=input . .
FROM input AS install
EXPOSE 8008 8448
ENTRYPOINT ["tuwunel"]
EOF
@@ -643,7 +649,8 @@ target "install" {
elem_tag("install", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target], "latest"),
]
labels = install_labels
output = ["type=docker,compression=zstd,mode=min,compression-level=${zstd_image_compress_level}"]
annotations = install_annotations
output = ["type=docker,compression=uncompressed,mode=max"]
cache_to = ["type=local,compression=zstd,mode=max,compression-level=${cache_compress_level}"]
dockerfile = "${docker_dir}/Dockerfile.install"
target = "install"
@@ -1713,6 +1720,7 @@ target "system" {
cache_to = ["type=local,compression=zstd,mode=max,compression-level=${cache_compress_level}"]
cache_from = ["type=local"]
dockerfile = "${docker_dir}/Dockerfile.system"
platforms = jsondecode(docker_targets)
matrix = sys
context = "."
args = {

7
docker/bake.sh
View File

@@ -16,6 +16,7 @@ default_rust_targets='["x86_64-unknown-linux-gnu"]'
default_sys_names='["debian"]'
default_sys_targets='["x86_64-linux-gnu"]'
default_sys_versions='["testing-slim"]'
default_docker_targets='["local"]'
if test ! -z "$cargo_profile"; then
env_cargo_profiles="[\"${cargo_profile}\"]"
@@ -45,6 +46,10 @@ if test ! -z "$sys_version"; then
env_sys_versions="[\"${sys_version}\"]"
fi
if test ! -z "$docker_target"; then
env_docker_targets="[\"${docker_target}\"]"
fi
set -a
bake_target="${bake_target:-$@}"
cargo_profiles="${env_cargo_profiles:-$default_cargo_profiles}"
@@ -54,6 +59,7 @@ rust_toolchains="${env_rust_toolchains:-$default_rust_toolchains}"
sys_names="${env_sys_names:-$default_sys_names}"
sys_targets="${env_sys_targets:-$default_sys_targets}"
sys_versions="${env_sys_versions:-$default_sys_versions}"
docker_targets="${env_docker_targets:-$default_docker_targets}"
docker_dir="$PWD/$BASEDIR"
builder_name="${GITHUB_ACTOR:-owo}"
@@ -83,6 +89,7 @@ if test "$CI" = "true"; then
fi
args=""
args="$args --provenance=false"
args="$args --builder ${builder_name}"
#args="$args --set *.platform=${sys_platform}"