cnts4sci · dependabot · Jun 18, 2024 · Jun 18, 2024
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,12 @@
+---
+version: 2
+updates:
+# Maintain dependencies for GitHub Actions
+    - package-ecosystem: github-actions
+      directory: /
+      schedule:
+          interval: monthly
+      groups:
+          gha-dependencies:
+              patterns:
+                  - '*'
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -0,0 +1,78 @@
+---
+name: Build images and upload them to ghcr.io
+
+env:
+    BUILDKIT_PROGRESS: plain
+
+on:
+    workflow_call:
+        inputs:
+            runsOn:
+                description: GitHub Actions Runner image
+                required: true
+                type: string
+            platforms:
+                description: Target platforms for the build (linux/amd64 and/or linux/arm64)
+                required: true
+                type: string
+        outputs:
+            images:
+                description: Images identified by digests
+                value: ${{ jobs.build.outputs.images }}
+
+jobs:
+    build:
+        name: ${{ inputs.platforms }}
+        runs-on: ${{ inputs.runsOn }}
+        timeout-minutes: 120
+
+        outputs:
+            image: ${{ steps.bake_metadata.outputs.image }}
+
+        # Make sure we fail if any command in a piped command sequence fails
+        defaults:
+            run:
+                shell: bash -e -o pipefail {0}
+
+        steps:
+
+            - name: Checkout Repo ⚡️
+              uses: actions/checkout@v4
+
+            - name: Set up QEMU
+              if: ${{ inputs.platforms != 'linux/amd64' }}
+              uses: docker/setup-qemu-action@v3
+
+            - name: Set up Docker Buildx
+              uses: docker/setup-buildx-action@v3
+
+            - name: Login to GitHub Container Registry 🔑
+              uses: docker/login-action@v3
+              with:
+                  registry: ghcr.io
+                  username: ${{ github.actor }}
+                  password: ${{ secrets.GITHUB_TOKEN }}
+
+            - name: Build and upload to ghcr.io 📤
+              id: build-upload
+              uses: docker/bake-action@v5
+              with:
+                  push: true
+                  # Using provenance to disable default attestation so it will build only desired images:
+                  # https://github.com/orgs/community/discussions/45969
+                  provenance: false
+                  set: |
+                      *.platform=${{ inputs.platforms }}
+                      *.output=type=registry,push-by-digest=true,name-canonical=true
+                      *.cache-to=type=gha,scope=${{ github.workflow }},mode=max
+                      *.cache-from=type=gha,scope=${{ github.workflow }}
+                  files: |
+                      docker-bake.hcl
+                      build.json
+
+            - name: Set output variables
+              id: bake_metadata
+              run: |
+                  .github/workflows/extract-image-name.sh | tee -a "${GITHUB_OUTPUT}"
+              env:
+                  BAKE_METADATA: ${{ steps.build-upload.outputs.metadata }}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
diff --git a/.github/workflows/env.hcl b/.github/workflows/env.hcl
diff --git a/.github/workflows/extract-image-name.sh b/.github/workflows/extract-image-name.sh
@@ -5,24 +5,24 @@
 # The input to this script is a JSON string passed via BAKE_METADATA env variable
 # Here's example input (trimmed to relevant bits):
 # BAKE_METADATA: {
-#    "base": {
+#    "python": {
 #      "containerimage.descriptor": {
 #        "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
 #        "digest": "sha256:8e57a52b924b67567314b8ed3c968859cad99ea13521e60bbef40457e16f391d",
 #        "size": 6170,
 #      },
 #      "containerimage.digest": "sha256:8e57a52b924b67567314b8ed3c968859cad99ea13521e60bbef40457e16f391d",
-#      "image.name": "ghcr.io/pspgen/quantum-espresso"
+#      "image.name": "ghcr.io/cnts4sci/python"
 #    }
 #  }
 #
 # Example output (real output is on one line):
 #
-# image="ghcr.io/pspgen/quantum-espresso@sha256:79a0f984b9e03b733304fda809ad3e8eec8416992ff334052d75da00cadb8f12"
+# image="ghcr.io/cnts4sci/python@sha256:79a0f984b9e03b733304fda809ad3e8eec8416992ff334052d75da00cadb8f12"
 # }
 #
 # This json output is later turned to environment variables using fromJson() GHA builtin
-# (e.g. BUILD_MACHINE_IMAGE=ghcr.io/pspgen/quantum-espresso@sha256:8e57a52b...)
+# (e.g. BUILD_MACHINE_IMAGE=ghcr.io/cnts4sci/python@sha256:8e57a52b...)
 # and these are in turn read in the docker-compose.<target>.yml files for tests.
 
 if [[ -z ${BAKE_METADATA-} ]];then

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -0,0 +1,94 @@
+---
+name: Docker
+
+on:
+    pull_request:
+        paths-ignore:
+            - "**.md"
+            - ruff.toml
+            - bumpver.toml
+            - .pre-commit-config.yaml
+    push:
+        branches:
+            - main
+        tags:
+            - "v*"
+    workflow_dispatch:
+
+# https://docs.github.com/en/actions/using-jobs/using-concurrency
+concurrency:
+    # only cancel in-progress jobs or runs for the current workflow - matches against branch & tags
+    group: ${{ github.workflow }}-${{ github.ref }}
+    cancel-in-progress: true
+
+env:
+    FORCE_COLOR: 1
+
+jobs:
+
+    build-amd64:
+        uses: ./.github/workflows/build.yml
+        with:
+            runsOn: ubuntu-22.04
+            platforms: linux/amd64
+
+    test-amd64:
+        needs: build-amd64
+        strategy:
+            fail-fast: false
+        uses: ./.github/workflows/test.yml
+        with:
+            runsOn: ubuntu-22.04
+            images: ${{ needs.build-amd64.outputs.images }}
+            integration: false
+
+    build:
+        needs: test-amd64
+        uses: ./.github/workflows/build.yml
+        with:
+            runsOn: ubuntu-22.04
+            platforms: linux/amd64,linux/arm64
+
+    # To save arm64 runner resources, we run the tests only on main
+    # and only for full-stack image (same for integration tests below).
+    test-arm64:
+        if: >-
+            github.repository == 'cnts4sci/build-machine'
+            && (github.ref_type == 'tag' || github.ref_name == 'main')
+        needs: build
+        uses: ./.github/workflows/test.yml
+        with:
+            runsOn: buildjet-4vcpu-ubuntu-2204-arm
+            images: ${{ needs.build.outputs.images }}
+            integration: false
+
+    test-integration:
+        name: Integration tests
+        needs: build
+        strategy:
+            fail-fast: false
+            # Trick to exclude arm64 tests from PRs
+            # https://github.com/orgs/community/discussions/26253
+            matrix:
+                runner: [ubuntu-22.04, buildjet-4vcpu-ubuntu-2204-arm]
+                isPR:
+                    - ${{ github.event_name == 'pull_request' }}
+                exclude:
+                    - isPR: true
+                      runner: buildjet-4vcpu-ubuntu-2204-arm
+
+        uses: ./.github/workflows/test.yml
+        with:
+            runsOn: ${{ matrix.runner }}
+            images: ${{ needs.build.outputs.images }}
+            integration: true
+
+    publish-ghcr:
+        needs: [build, test-amd64]
+        uses: ./.github/workflows/publish.yml
+        with:
+            runsOn: ubuntu-22.04
+            images: ${{ needs.build.outputs.images }}
+            registry: ghcr.io
+        secrets: inherit
+