workflow to build container images #190
Conversation
|
Is it adapted for Websocat repository or just a template of a workflow that I should customize to be useful for the project? (I haven't used Github Workflows yet) |
|
Should already work as it uses variables that should already exist in all workflows. Unfortunately can't test it in your repo without being merged. If it fails after merging, I will look at fixing it. Also it is possible to add a simple smoke test to make sure image is correct. But didn't want to spend time on it before seeing this merged. It wont be hard to add as I have an example I can adapt. P.S. added some comments to highlight some points in the workflow definition |
| - name: Push To Container Registry | ||
| id: push-to-container-registry | ||
| uses: redhat-actions/push-to-registry@v2 | ||
| if: github.event_name != 'pull_request' |
There was a problem hiding this comment.
will push image to ghcr.io only if the trigger was NOT a pull request
| tags: | | ||
| type=schedule | ||
| type=raw,value=latest,enable=${{ github.ref_name == 'main' }} | ||
| ${{ github.ref_name == 'main' && 'type=raw,value=nightly' || 'type=ref,event=branch' }} |
There was a problem hiding this comment.
nightly and latest tags will be added if we build for the main branch.
Otherwise the branch name will be used. But trigger is configured to only respect the main branch so there should be no other branches that would be built (unless the trigger section is changed).
There was a problem hiding this comment.
There is no "main" branch (as "master" was the default when Websocat was created), so it should probably be edited.
There was a problem hiding this comment.
oh, I missed that, updated
| push: | ||
| branches: [ main ] | ||
| tags: | ||
| - '*' # Push events to every tag not containing / |
There was a problem hiding this comment.
an image will be built and pushed to ghcr.io for all tags that do not contain / in their name
There was a problem hiding this comment.
Will existing, manually pushed images to gchr.io conflict with those?
There was a problem hiding this comment.
If you build from a tag/branch that already has an image pushed in whatever way, the newly image will override the old image.
If you ask about the existing 2 images, unless you change the existing tags or trigger a build manually, then no new builds will automatically be created.
Does this answer your question?
| name: Container Image | ||
|
|
||
| on: | ||
| workflow_dispatch: {} |
There was a problem hiding this comment.
This allows triggering a build manually for any branch/tag if so needed/desired.
| tags: | ||
| - '*' # Push events to every tag not containing / | ||
| pull_request: | ||
| types: [opened, reopened, synchronize] |
There was a problem hiding this comment.
image will be built for all pull requests but will not be pushed to registry, see the push step below
|
|
||
| concurrency: | ||
| group: ci-container-build-${{ github.ref }}-1 | ||
| cancel-in-progress: true |
There was a problem hiding this comment.
if a new image build is triggered for the same reference (e.g. branch) as a build already in progress, then the older build will be canceled
| workflow_call: {} | ||
| schedule: | ||
| # every Wednesday morning | ||
| - cron: 7 7 * * 3 |
There was a problem hiding this comment.
Will it keep building the same version again and again if there are is no activity for weeks?
There was a problem hiding this comment.
Yes, it can be disabled. But I find it useful to build with updated base image potentially fixing security issues.
There was a problem hiding this comment.
And making sure that image sill builds with latest base image.
Do I need to configure credentials or do something else in Github web interface? E.g. back in travis-ci.org days I needed to go to Travis and enable repository there for it to work. |
|
Where Cargo features for building are getting set? In my release script different platforms (and editions e.g. "nossl") sometimes have different compile-time flags. |
No, the
I have zero idea what is cargo and how websocat is being built. How it is built depends on the |
|
Actually the build ran in my fork but failed. Seems like a compilation issue. Seems like |
|
Looks like the first build (for amd64) succeeds, but the second one fails, as target architecture is currently hard coded into the Dockerfile. |
|
Ok, I disabled arm64 for the time being. It can easily be re-enabled. What worries me though is that the image I built locally segfaults. This is same as |
|
Ok, now I disabled arm64 build as it seems the Dockerfile will need some adjustments to support other archs. Can be easily re-enabled once this is done. Now build succeeds: https://github.com/akostadinov/websocat/actions/runs/5500873352 So it can be merged and Dockerfile can be fixed later. |
| uses: redhat-actions/buildah-build@v2 | ||
| with: | ||
| tags: ${{ steps.meta.outputs.tags }} | ||
| platforms: linux/amd64 |
There was a problem hiding this comment.
Why not add here 'linux/arm64' platform as well ?
There was a problem hiding this comment.
See my last comment. Some adjustments will need to be done for other archs in the Dockerfile. But there is no point to investigate before the x86 segfault is fixed and this thing merged. Or the other way around:
- merge this
- fix dockerfile to build websocat properly
- enable arm64
I know nothing about websocat though, I just wanted to help with github actions. Somebody else interested has to fix the Dockerfile as I don't have time for investigating the project build system.
There was a problem hiding this comment.
@akostadinov Makes sense to first make it build and then add arm. I was not aware of Dockerfile changes needed. Sorry.
|
Note that I don't know how musl-based images work on non-amd64 though. |
|
@vi , didn't notice. The new Dockerfile does work. You can try out the build from my fork: So this can be merged to have automated builds. I will prepare a couple more PRs afterwards. |
|
I should probably (someday?) educate myself about this whole Github CI thing to understand what does this pull request mean and how to use/verify it. Maybe starting with some small repository. I remember using "travis-ci.org" for checking commits and tags. Maybe it's time to revisit the idea of non-localhost builds. Does this pull request provide some advantage for Websocat users (i.e. they can install or use it in more ways than before or with more convenience) or is it just some development aid? Compared to e.g. just documenting how to use it with Github Workflows. |
|
@vi , this enables automatic builds of websocat container image upon:
It will also push this container image to the ghcr.io container registry so users can just pull image and use it in the case of:
So it is an easy way for the users to just pull an image and use websocat instead of building locally or relying on their software vendor to provide a package for their OS. If you merge this, one of the things I will add would be a simple test to the workflow that the image works. This is to prevent situations like before where websocat in the container image segfaulted. And add arm64 as we spoke previously. |
|
Also image building can be added to the PR checks. This would be useful to avoid PRs that break container image builds. It can be done from project settings. It's not something to add in the workflow body. |
How does it interact with images I push manually, e.g. this one? |
|
It will tag with the git tag name. If you have manually pushed an image with the same tag, it will be overwritten. If you push a manually built image after the workflow has run, apparently you will overwrite the image from the workflow. But this workflow action should make it unnecessary to build and push official images manually. |
|
Is it practical to try to attain reproducible builds, so that local and CI builds would have the same hashes (hence, I suppose, the same container identifiers)? |
|
Reproducible builds is to me something complicated with little to no benefits for an open source project. I don't know how to implement reproducible builds without a dedicated infrastructure to host all dependencies and build within environment without Internet access but only things from the cached dependencies being accessible. Additionally to get exactly the same hash, the build should be void of any non-deterministic operation. And then still you would have different file creation times and layer build times which will still affect the final hash. While I believe everything in this world if possible, I don't think this is feasible or even beneficial. |
builds a multiarch (amd64 and arm64, you can add more if you want) image and pushes to ghcr.io
fixes #154