Improve Docker CI for PRs and add manual release workflow #85
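name: Docker Image

# Controls when the action will run.
on:
  # When a release is published
  release:
    types: [published]
  # Push excluding tags and workflow changes
  push:
    branches:
      - main
    tags-ignore:
      - '*.*'
    paths-ignore:
      - '**/*.md'
  # PR
  pull_request:
    branches:
      - main
    paths-ignore:
      - '**/*.md'
  # Manual trigger. A manual run on main publishes the `develop` channel
  # exactly like a push to main; a manual run on any other branch builds,
  # scans and slims the images but pushes nothing.
  workflow_dispatch:

# Least privilege at the workflow level. Jobs that need more request it
# themselves (build_arch_images needs security-events:write for upload-sarif).
permissions:
  contents: read

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.head.sha || github.ref }}
  # Only cancel superseded PR runs. Cancelling a publishing run (main or a
  # release) part-way could leave per-arch tags pushed without the matching
  # multi-arch manifest.
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

env:
  IMAGE_NAME: ${{ vars.DOCKERHUB_NAMESPACE || github.repository_owner }}/postgresql

jobs:
  build_arch_images:
    name: Build ${{ matrix.arch }}
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write  # github/codeql-action/upload-sarif
    strategy:
      fail-fast: false
      matrix:
        include:
          - arch: amd64
            platform: linux/amd64
          - arch: arm64
            platform: linux/arm64
    steps:
      - name: Free up disk space
        shell: bash
        # Best effort throughout: every command tolerates failure so a
        # changed runner image cannot break the build here.
        run: |
          echo "Disk space before cleanup:"
          df -h
          # Remove large directories
          sudo rm -rf /usr/share/dotnet \
            /usr/local/lib/android \
            /opt/ghc \
            /usr/local/.ghcup \
            /opt/hostedtoolcache/CodeQL || true
          # Remove large packages
          sudo apt-get remove -y '^aspnetcore-.*' '^dotnet-.*' '^llvm-.*' 'php.*' \
            '^mongodb-.*' '^mysql-.*' azure-cli google-chrome-stable firefox \
            powershell mono-devel libgl1-mesa-dri google-cloud-sdk google-cloud-cli || true
          sudo apt-get autoremove -y || true
          sudo apt-get clean || true
          # Remove Docker images
          sudo docker image prune --all --force || true
          # Remove swap storage
          sudo swapoff -a || true
          sudo rm -f /mnt/swapfile || true
          echo "Disk space after cleanup:"
          df -h

      - name: Checkout
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          # Nothing in this workflow pushes to git. Do not leave GITHUB_TOKEN in
          # .git/config, where the `context: .` build below could copy it into
          # an image layer.
          persist-credentials: false

      - name: Set up QEMU
        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3
        with:
          platforms: all

      - name: Set up Buildx
        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3

      - name: Log in to Docker Hub
        # Publishing runs only: releases, and runs on main (push or manual).
        # Same condition as the push step and the create_manifests job.
        if: github.event_name == 'release' || github.ref == 'refs/heads/main'
        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
        with:
          # NOTE(review): the `_TEMP_` names suggest these secrets are
          # provisional. Use a Docker Hub access token scoped to this
          # repository rather than an account password.
          username: ${{ secrets._TEMP_DOCKERHUB_USER }}
          password: ${{ secrets._TEMP_DOCKERHUB_PASSWORD }}

      - name: Compute image tags
        id: tags
        shell: bash
        # Event data goes through env instead of being interpolated into the
        # script, so it is never re-parsed by the shell.
        env:
          EVENT_NAME: ${{ github.event_name }}
          REF: ${{ github.ref }}
          RELEASE_TAG: ${{ github.event.release.tag_name }}
          PR_NUMBER: ${{ github.event.pull_request.number || github.run_number }}
          ARCH: ${{ matrix.arch }}
        run: |
          if [[ "$EVENT_NAME" == "release" ]]; then
            # Docker tag grammar. A tag name containing '/' or ':' would
            # otherwise become a broken image reference further down. The
            # suffixes added below can still push a very long tag past the
            # 128-character limit.
            if [[ ! "$RELEASE_TAG" =~ ^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$ ]]; then
              echo "::error::release tag '$RELEASE_TAG' is not a valid Docker tag"
              exit 1
            fi
            BASE_TAG="${IMAGE_NAME}:${RELEASE_TAG}-${ARCH}"
            SLIM_TAG="${IMAGE_NAME}:${RELEASE_TAG}-${ARCH}-slim"
          elif [[ "$REF" == "refs/heads/main" ]]; then
            # Push to main (the push trigger only fires for main), or a manual
            # run on main: the `develop` channel.
            BASE_TAG="${IMAGE_NAME}:develop-${ARCH}"
            SLIM_TAG="${IMAGE_NAME}:develop-${ARCH}-slim"
          else
            # Pull requests (github.ref is refs/pull/N/merge) and manual runs
            # on other branches: built and scanned, never pushed.
            BASE_TAG="${IMAGE_NAME}:pr-${PR_NUMBER}-${ARCH}"
            SLIM_TAG="${IMAGE_NAME}:pr-${PR_NUMBER}-${ARCH}-slim"
          fi
          echo "base_tag=$BASE_TAG" >> "$GITHUB_OUTPUT"
          echo "slim_tag=$SLIM_TAG" >> "$GITHUB_OUTPUT"

      - name: Build base image
        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
        with:
          context: .
          platforms: ${{ matrix.platform }}
          # Load into the local daemon for scanning and slimming; pushing is
          # done explicitly later, only on publishing runs.
          load: true
          push: false
          tags: ${{ steps.tags.outputs.base_tag }}
          build-args: |
            GIT_COMMIT=${{ github.sha }}
          cache-from: type=gha,scope=postgresql-${{ matrix.arch }}
          cache-to: type=gha,mode=max,scope=postgresql-${{ matrix.arch }}
          no-cache-filters: |
            trimmed
            trimmed-all

      - name: Scan base Docker image
        uses: anchore/scan-action@3c9a191a0fbab285ca6b8530b5de5a642cba332f # v7.2.2
        id: anchore-scan
        with:
          image: ${{ steps.tags.outputs.base_tag }}
          # Findings are reported only: nothing in this workflow blocks a push
          # or a release on them. Set fail-build: true once critical CVEs are
          # meant to gate publishing.
          fail-build: false
          severity-cutoff: critical

      - name: Upload Anchore scan SARIF report
        # PR runs (from forks in particular) cannot write security events, so
        # the report is printed in the next step instead of uploaded.
        if: ${{ !cancelled() && github.event_name != 'pull_request' }}
        uses: github/codeql-action/upload-sarif@c8e3174949dcd2ceb71718aeaa53fee4dc9052f2 # v4.31.7
        with:
          sarif_file: ${{ steps.anchore-scan.outputs.sarif }}
          category: grype-${{ matrix.arch }}

      - name: Inspect Anchore scan SARIF report
        if: ${{ !cancelled() && github.event_name == 'pull_request' }}
        shell: bash
        env:
          SARIF_FILE: ${{ steps.anchore-scan.outputs.sarif }}
        run: cat "$SARIF_FILE"

      - name: Install slim toolkit
        shell: bash
        # NOTE(review): this executes an unpinned script from the `master`
        # branch as root, and that script presumably fetches whatever slim
        # release is current. Pin the script (commit URL) and the slim
        # release, and verify a checksum, before trusting its output for
        # published images. `-f` at least keeps an HTTP error page from being
        # piped into bash.
        run: |
          curl -fsSL https://raw.githubusercontent.com/slimtoolkit/slim/master/scripts/install-slim.sh | sudo -E bash -

      - name: Slim the image
        shell: bash
        env:
          BASE_TAG: ${{ steps.tags.outputs.base_tag }}
          SLIM_TAG: ${{ steps.tags.outputs.slim_tag }}
          ARCH: ${{ matrix.arch }}
        run: |
          chmod +x ./slim-image.sh
          ./slim-image.sh "$BASE_TAG" "$SLIM_TAG" "$ARCH"

      - name: Push arch images
        # Same publishing condition as the login step above.
        if: github.event_name == 'release' || github.ref == 'refs/heads/main'
        shell: bash
        env:
          BASE_TAG: ${{ steps.tags.outputs.base_tag }}
          SLIM_TAG: ${{ steps.tags.outputs.slim_tag }}
        run: |
          docker push "$BASE_TAG"
          docker push "$SLIM_TAG"

  create_manifests:
    name: Create manifests
    needs: build_arch_images
    # Same publishing condition as the push step, so the per-arch tags
    # referenced below were pushed by this very run (a manual run off main
    # would otherwise re-point `develop` at images it never built).
    if: github.event_name == 'release' || github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Log in to Docker Hub
        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
        with:
          username: ${{ secrets._TEMP_DOCKERHUB_USER }}
          password: ${{ secrets._TEMP_DOCKERHUB_PASSWORD }}

      - name: Create manifest tags
        shell: bash
        env:
          EVENT_NAME: ${{ github.event_name }}
          RELEASE_TAG: ${{ github.event.release.tag_name }}
        run: |
          if [[ "$EVENT_NAME" == "release" ]]; then
            # Same Docker tag check as in the build job.
            if [[ ! "$RELEASE_TAG" =~ ^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$ ]]; then
              echo "::error::release tag '$RELEASE_TAG' is not a valid Docker tag"
              exit 1
            fi
            VERSION="$RELEASE_TAG"
            # Releases additionally move the floating `latest` tags.
            EXTRA_TAGS=(-t "${IMAGE_NAME}:latest")
            EXTRA_SLIM_TAGS=(-t "${IMAGE_NAME}:latest-slim")
          else
            VERSION="develop"
            EXTRA_TAGS=()
            EXTRA_SLIM_TAGS=()
          fi
          docker buildx imagetools create -t "${IMAGE_NAME}:${VERSION}" "${EXTRA_TAGS[@]}" \
            "${IMAGE_NAME}:${VERSION}-amd64" "${IMAGE_NAME}:${VERSION}-arm64"
          docker buildx imagetools create -t "${IMAGE_NAME}:${VERSION}-slim" "${EXTRA_SLIM_TAGS[@]}" \
            "${IMAGE_NAME}:${VERSION}-amd64-slim" "${IMAGE_NAME}:${VERSION}-arm64-slim"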