-
Notifications
You must be signed in to change notification settings - Fork 1.6k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
chore: add workflow to build images (#11232)
This commit adds a github workflow that will build v2 images and push them to GHCR. It uses the GITHUB_TOKEN to authenticate and uses docker provisioned github actions to streamline the flow. The workflow also creates attestations for the packages which can be used to verify provenance and integrity. The workflow can be triggered manually or via another workflow call. The latter is to supplement future automation flows. Signed-off-by: Humair Khan <[email protected]>
- Loading branch information
Showing
1 changed file
with
164 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,164 @@ | ||
name: Build images from sources. | ||
run-name: Build images | ||
on: | ||
workflow_call: | ||
inputs: | ||
src_branch: | ||
type: string | ||
default: 'release-X.Y' | ||
description: 'Source branch to build KFP from' | ||
required: true | ||
target_tag: | ||
type: string | ||
default: 'X.Y.Z' | ||
description: 'Target Image Tag' | ||
required: true | ||
fail_fast: | ||
type: string | ||
default: 'true' | ||
description: 'Stop running entire Workflow if a single build fails' | ||
required: true | ||
overwrite_imgs: | ||
type: string | ||
default: 'true' | ||
description: 'Overwrite images in GHCR if they already exist for this tag.' | ||
required: true | ||
set_latest: | ||
type: string | ||
default: 'true' | ||
description: 'Set latest tag on build images.' | ||
required: true | ||
workflow_dispatch: | ||
inputs: | ||
src_branch: | ||
type: string | ||
default: 'release-X.Y' | ||
description: 'Source branch to build KFP from' | ||
required: true | ||
target_tag: | ||
type: string | ||
default: 'X.Y.Z' | ||
description: 'Target Image Tag' | ||
required: true | ||
fail_fast: | ||
type: string | ||
default: 'true' | ||
description: 'Stop running entire Workflow if a single build fails' | ||
required: true | ||
overwrite_imgs: | ||
type: string | ||
default: 'true' | ||
description: 'Overwrite images in GHCR if they already exist for this tag.' | ||
required: true | ||
set_latest: | ||
type: string | ||
default: 'true' | ||
description: 'Set latest tag on build images.' | ||
required: true | ||
env: | ||
SOURCE_BRANCH: ${{ inputs.src_branch }} | ||
TARGET_IMAGE_TAG: ${{ inputs.target_tag }} | ||
OVERWRITE_IMAGES: ${{ inputs.overwrite_imgs }} | ||
IMAGE_REGISTRY: ghcr.io | ||
IMAGE_ORG: ${{ github.repository_owner }} | ||
SET_LATEST: ${{ inputs.set_latest }} | ||
jobs: | ||
build-images-with-tag: | ||
continue-on-error: false | ||
runs-on: ubuntu-latest | ||
permissions: | ||
contents: read | ||
packages: write | ||
attestations: write | ||
id-token: write | ||
strategy: | ||
fail-fast: ${{ inputs.fail_fast == 'true' }} | ||
matrix: | ||
include: | ||
- image: kfp-api-server | ||
dockerfile: backend/Dockerfile | ||
- image: kfp-frontend | ||
dockerfile: frontend/Dockerfile | ||
- image: kfp-persistence-agent | ||
dockerfile: backend/Dockerfile.persistenceagent | ||
- image: kfp-scheduled-workflow-controller | ||
dockerfile: backend/Dockerfile.scheduledworkflow | ||
- image: kfp-viewer-crd-controller | ||
dockerfile: backend/Dockerfile.viewercontroller | ||
- image: kfp-visualization-server | ||
dockerfile: backend/Dockerfile.visualization | ||
- image: kfp-launcher | ||
dockerfile: backend/Dockerfile.driver | ||
- image: kfp-driver | ||
dockerfile: backend/Dockerfile.launcher | ||
steps: | ||
- name: Checkout repository | ||
uses: actions/checkout@v4 | ||
with: | ||
ref: ${{env.SOURCE_BRANCH}} | ||
- name: Log in to the Container registry | ||
uses: docker/login-action@v3 | ||
with: | ||
registry: ${{ env.IMAGE_REGISTRY }} | ||
username: ${{ github.actor }} | ||
password: ${{ secrets.GITHUB_TOKEN }} | ||
|
||
- name: Check if image tag already exists | ||
id: check_tag | ||
env: | ||
IMAGE: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_ORG }}/${{ matrix.image }}:${{env.TARGET_IMAGE_TAG}} | ||
OVERWRITE: ${{ env.OVERWRITE_IMAGES }} | ||
run: | | ||
if docker manifest inspect ${IMAGE} > /dev/null 2>&1; then | ||
echo "Image tag already exists!" | ||
if [ "$OVERWRITE" == "false" ]; then | ||
echo "Overwrite is set to false, exiting." | ||
exit 1 | ||
else | ||
echo "Overwrite is set to true, proceeding with push." | ||
fi | ||
else | ||
echo "No tag conflict, safe to push." | ||
fi | ||
# This step uses docker/metadata-action to extract tags and labels | ||
# that will be applied to the specified image. The id "meta" allows | ||
# the output of this step to be referenced in a subsequent step. | ||
# The images value provides the base name for the tags and labels. | ||
- name: Extract metadata (tags, labels) for Build | ||
id: meta | ||
uses: docker/metadata-action@v5 | ||
if: steps.check_tag.outcome == 'success' | ||
with: | ||
images: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_ORG }}/${{ matrix.image }} | ||
tags: | | ||
type=raw,value=${{env.TARGET_IMAGE_TAG}} | ||
type=raw,value=latest,enable=${{ env.SET_LATEST == 'true'}} | ||
type=sha | ||
# Build the image. If the build succeeds, it pushes the image to GitHub | ||
# Packages. It uses the context parameter to define the build's context | ||
# as the set of files located in the specified path. | ||
- name: Build and push Image | ||
id: push | ||
uses: docker/build-push-action@v6 | ||
if: steps.check_tag.outcome == 'success' | ||
with: | ||
context: . | ||
file: ${{ matrix.dockerfile }} | ||
push: true | ||
tags: ${{ steps.meta.outputs.tags }} | ||
labels: ${{ steps.meta.outputs.labels }} | ||
|
||
# This step generates an artifact attestation for the image, | ||
# which is an unforgeable statement about where and how it was built. | ||
# It increases supply chain security for people who consume the | ||
# image. | ||
# Ref: https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds | ||
- name: Generate artifact attestation | ||
uses: actions/attest-build-provenance@v1 | ||
if: steps.check_tag.outcome == 'success' | ||
with: | ||
subject-name: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_ORG }}/${{ matrix.image }} | ||
subject-digest: ${{ steps.push.outputs.digest }} | ||
|