-
Notifications
You must be signed in to change notification settings - Fork 2
/
.gitlab-ci.yml
145 lines (116 loc) · 6.68 KB
/
.gitlab-ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
variables:
# We opt for the fastest compression, because our artifacts are bzip2-compressed already.
ARTIFACT_COMPRESSION_LEVEL: "fastest"
CONTAINER_IMAGE_NAME: devture/email2matrix
CONTAINER_IMAGE_NAME_DASHED: devture-email2matrix
LATEST_REPOSITORY_BRANCH_NAME: master
LATEST_CONTAINER_IMAGE_TAG_PREFIX: latest
CONTAINER_REGISTRY: 'docker.io'
CONTAINER_REGISTRY_USER: ''
CONTAINER_REGISTRY_PASSWORD: ''
# This pipeline is only triggered for tags, the default branch and the `LATEST_REPOSITORY_BRANCH_NAME` branch (which likely matches the default).
# Publishing may follow different rules.
workflow:
rules:
- if: $CI_COMMIT_TAG
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
- if: $CI_COMMIT_BRANCH == $LATEST_REPOSITORY_BRANCH_NAME
stages:
- build-container-images
- publish-container-images
build-container-image-amd64:
extends: .build-container-image
variables:
PLATFORM: linux/amd64
PLATFORM_IDENTIFIER: amd64
build-container-image-arm64v8:
extends: .build-container-image
variables:
PLATFORM: linux/arm64/v8
PLATFORM_IDENTIFIER: arm64v8
build-container-image-arm32v7:
extends: .build-container-image
variables:
PLATFORM: linux/arm/v7
PLATFORM_IDENTIFIER: arm32v7
# This private job spec that we invoke via `build-container-image-*` jobs:
# - builds the container image for the given platform (`PLATFORM`, `PLATFORM_IDENTIFIER`)
# - tags it as `CONTAINER_IMAGE_NAME:CONTAINER_IMAGE_TAG` (`CONTAINER_IMAGE_TAG` is dynamically built below)
# - exports it as an artifact to a file (`${CONTAINER_IMAGE_NAME_DASHED}-${CI_COMMIT_SHORT_SHA}-${PLATFORM_IDENTIFIER}-container-image.tbz2`)
#
# This build job is inspired by: https://medium.com/prgcont/using-buildah-in-gitlab-ci-9b529af19e42
.build-container-image:
stage: build-container-images
needs: []
image: ${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/tomkukral/buildah:0.30
before_script:
# Log in to the Gitlab Dependency Proxy container regsitry, so we can use it below.
- podman login ${CI_DEPENDENCY_PROXY_SERVER} -u ${CI_DEPENDENCY_PROXY_USER} -p ${CI_DEPENDENCY_PROXY_PASSWORD}
# Log in to Docker Hub regardless of whether we'll be pushing images or not, because rate limits for logged in users are higher.
- podman login ${CONTAINER_REGISTRY} -u ${CONTAINER_REGISTRY_USER} -p ${CONTAINER_REGISTRY_PASSWORD}
- podman run --rm --network=none --privileged ${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/multiarch/qemu-user-static --reset -p yes
- CONTAINER_IMAGE_TAG="${CI_COMMIT_SHORT_SHA}-${PLATFORM_IDENTIFIER}"
# We might potentially modify the Dockerfile we'll build from (below),
# so we'd like to modify a copy of it, instead of dirtying up the git worktree.
# The reason we care about keeping the git worktree clean is that `govvv` (see the Dockerfile) will say "dirty" if we don't.
- cp etc/docker/Dockerfile /tmp/Dockerfile
# Use the Gitlab Dependency Proxy instead of docker.io to speed things up and avoid rate limits.
#
# Pulling from Dependency Proxy is only enabled on amd64 for now,
# because using it to pull multiarch images (such as the ones we have in the Dockerfile) causes issues.
# See: https://gitlab.com/gitlab-org/gitlab/-/issues/349466
- |
if [ "$PLATFORM_IDENTIFIER" == "amd64" ]; then
sed --in-place 's|docker.io|'${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}'|g' /tmp/Dockerfile
fi
script:
- echo Building for ${PLATFORM} and tagging as ${CONTAINER_IMAGE_NAME}:${CONTAINER_IMAGE_TAG}
- buildah bud -f /tmp/Dockerfile --format=docker --platform=${PLATFORM} -t ${CONTAINER_IMAGE_NAME}:${CONTAINER_IMAGE_TAG} .
- podman save ${CONTAINER_IMAGE_NAME}:${CONTAINER_IMAGE_TAG} | bzip2 > ${CONTAINER_IMAGE_NAME_DASHED}-${CI_COMMIT_SHORT_SHA}-${PLATFORM_IDENTIFIER}-container-image.tbz2
artifacts:
name: ${CONTAINER_IMAGE_NAME_DASHED}-${CI_COMMIT_SHORT_SHA}-${PLATFORM_IDENTIFIER}-container-image.tbz2
paths:
- ${CONTAINER_IMAGE_NAME_DASHED}-${CI_COMMIT_SHORT_SHA}-${PLATFORM_IDENTIFIER}-container-image.tbz2
# This publishing job:
# - takes all platform-specific images from artifact files
# - imports them all locally
# - re-tags them and publishes to Docker Hub
publish-container-images:
stage: publish-container-images
needs:
- build-container-image-amd64
- build-container-image-arm64v8
- build-container-image-arm32v7
dependencies:
- build-container-image-amd64
- build-container-image-arm64v8
- build-container-image-arm32v7
image: ${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/tomkukral/buildah:0.30
before_script:
- |
for platform_identifier in amd64 arm64v8 arm32v7; do
podman load -i "${CONTAINER_IMAGE_NAME_DASHED}-${CI_COMMIT_SHORT_SHA}-${platform_identifier}-container-image.tbz2"
done
# Repository pushes to `LATEST_REPOSITORY_BRANCH_NAME` will trigger an image push for `image:LATEST` and `image:LATEST-PLATFORM_IDENTIFIER`.
# Repository pushes to a tag (e.g. `VERSION_TAG`) will trigger an image push for `image:VERSION_TAG` and `image:VERSION_TAG-PLATFORM_IDENTIFIER`
- |
container_image_published_tag_prefix=""
if [ "$CI_COMMIT_BRANCH" == "$LATEST_REPOSITORY_BRANCH_NAME" ]; then
container_image_published_tag_prefix=${LATEST_CONTAINER_IMAGE_TAG_PREFIX}
fi
if [ "$CI_COMMIT_TAG" ]; then
container_image_published_tag_prefix=${CI_COMMIT_TAG}
fi
# We push a manifest in the v2s2 format, instead of the default (oci). Otherwise Docker Hub's UI does not render it correctly.
script:
- |
if [ "$container_image_published_tag_prefix" ]; then
podman login ${CONTAINER_REGISTRY} -u ${CONTAINER_REGISTRY_USER} -p ${CONTAINER_REGISTRY_PASSWORD}
set -x
for platform_identifier in amd64 arm64v8 arm32v7; do
podman tag ${CONTAINER_IMAGE_NAME}:${CI_COMMIT_SHORT_SHA}-${platform_identifier} ${CONTAINER_REGISTRY}/${CONTAINER_IMAGE_NAME}:${container_image_published_tag_prefix}-${platform_identifier}
podman push ${CONTAINER_REGISTRY}/${CONTAINER_IMAGE_NAME}:${container_image_published_tag_prefix}-${platform_identifier}
done
podman manifest create ${CONTAINER_REGISTRY}/${CONTAINER_IMAGE_NAME}:${container_image_published_tag_prefix} ${CONTAINER_REGISTRY}/${CONTAINER_IMAGE_NAME}:${container_image_published_tag_prefix}-amd64 ${CONTAINER_REGISTRY}/${CONTAINER_IMAGE_NAME}:${container_image_published_tag_prefix}-arm64v8 ${CONTAINER_REGISTRY}/${CONTAINER_IMAGE_NAME}:${container_image_published_tag_prefix}-arm32v7
podman manifest push --format=v2s2 ${CONTAINER_REGISTRY}/${CONTAINER_IMAGE_NAME}:${container_image_published_tag_prefix} ${CONTAINER_REGISTRY}/${CONTAINER_IMAGE_NAME}:${container_image_published_tag_prefix}
fi