build,workflows: add a workflow to build and push builder image

Release note: None Epic: none
cockroachdb · Oct 4, 2023 · 7bea4cd · 7bea4cd
1 parent 916f096
commit 7bea4cd
Show file tree

Hide file tree

Showing 4 changed files with 183 additions and 0 deletions.
diff --git a/.github/workflows/gar-workflows-build-push-acceptance-gss-images.yml b/.github/workflows/gar-workflows-build-push-acceptance-gss-images.yml
@@ -0,0 +1,51 @@
+name: Build and Push acceptance gss compose images
+
+on:
+  pull_request
+
+jobs:
+  tags:
+    runs-on: ubuntu-latest
+    outputs:
+      time_tag: ${{ steps.vars.outputs.TIME_TAG }}
+    steps:
+      -
+        name: Set TAG value
+        id: vars
+        run: echo "TIME_TAG=$(date +%Y%m%d-%H%M%S)" >> $GITHUB_OUTPUT
+
+  acceptance-kdc-docker:
+    needs: tags
+    uses: ./.github/workflows/gar-workflows-reusable-build-push-multiplatform-images.yml
+    with:
+      tags: |
+        us-east1-docker.pkg.dev/crl-ci-images/cockroach/acceptance-gss-kdc:${{ needs.tags.outputs.time_tag }}
+      dockerFilePath: pkg/acceptance/compose/gss/kdc/Dockerfile
+      workingDirectory: {{defaultContext}}:pkg/acceptance/compose/gss/kdc
+    secrets:
+      gcp_wif_provider: ${{ secrets.GCP_CRL_CI_IMAGES_WIF_PROVIDER }}
+      gcp_wif_service_account: ${{ secrets.GCP_CRL_CI_IMAGES_SERVICE_ACCOUNT }}
+
+  acceptance-psql-docker:
+    needs: tags
+    uses: ./.github/workflows/gar-workflows-reusable-build-push-multiplatform-images.yml
+    with:
+      tags: |
+        us-east1-docker.pkg.dev/crl-ci-images/cockroach/acceptance-gss-psql:${{ needs.tags.outputs.time_tag }}
+      dockerFilePath: pkg/acceptance/compose/gss/psql/Dockerfile
+      workingDirectory: {{defaultContext}}:pkg/acceptance/compose/gss/psql
+    secrets:
+      gcp_wif_provider: ${{ secrets.GCP_CRL_CI_IMAGES_WIF_PROVIDER }}
+      gcp_wif_service_account: ${{ secrets.GCP_CRL_CI_IMAGES_SERVICE_ACCOUNT }}
+
+  acceptance-python-docker:
+    needs: tags
+    uses: ./.github/workflows/gar-workflows-reusable-build-push-multiplatform-images.yml
+    with:
+      tags: |
+        us-east1-docker.pkg.dev/crl-ci-images/cockroach/acceptance-gss-python:${{ needs.tags.outputs.time_tag }}
+      dockerFilePath: pkg/acceptance/compose/gss/python/Dockerfile
+      workingDirectory: {{defaultContext}}:pkg/acceptance/compose/gss/python
+    secrets:
+      gcp_wif_provider: ${{ secrets.GCP_CRL_CI_IMAGES_WIF_PROVIDER }}
+      gcp_wif_service_account: ${{ secrets.GCP_CRL_CI_IMAGES_SERVICE_ACCOUNT }}
diff --git a/.github/workflows/gar-workflows-build-push-acceptance-image.yml b/.github/workflows/gar-workflows-build-push-acceptance-image.yml
@@ -0,0 +1,26 @@
+name: Build and Push acceptance image
+
+on:
+  pull_request
+
+jobs:
+  tags:
+    runs-on: ubuntu-latest
+    outputs:
+      time_tag: ${{ steps.vars.outputs.TIME_TAG }}
+    steps:
+      -
+        name: Set TAG value
+        id: vars
+        run: echo "TIME_TAG=$(date +%Y%m%d-%H%M%S)" >> $GITHUB_OUTPUT
+  docker:
+    needs: tags
+    uses: ./.github/workflows/gar-workflows-reusable-build-push-multiplatform-images.yml
+    with:
+      tags: |
+        us-east1-docker.pkg.dev/crl-ci-images/cockroach/acceptance:${{ needs.tags.outputs.time_tag }}
+      dockerFilePath: pkg/acceptance/testdata/Dockerfile
+      workingDirectory: {{defaultContext}}:pkg/acceptance/testdata
+    secrets:
+      gcp_wif_provider: ${{ secrets.GCP_CRL_CI_IMAGES_WIF_PROVIDER }}
+      gcp_wif_service_account: ${{ secrets.GCP_CRL_CI_IMAGES_SERVICE_ACCOUNT }}
diff --git a/.github/workflows/gar-workflows-build-push-bazel-builder-image.yml b/.github/workflows/gar-workflows-build-push-bazel-builder-image.yml
@@ -0,0 +1,26 @@
+name: Build and Push bazel-builder image
+
+on:
+  pull_request
+
+jobs:
+  tags:
+    runs-on: ubuntu-latest
+    outputs:
+      time_tag: ${{ steps.vars.outputs.TIME_TAG }}
+    steps:
+      -
+        name: Set TAG value
+        id: vars
+        run: echo "TIME_TAG=$(date +%Y%m%d-%H%M%S)" >> $GITHUB_OUTPUT
+  docker:
+    needs: tags
+    uses: ./.github/workflows/gar-workflows-reusable-build-push-multiplatform-images.yml
+    with:
+      tags: |
+        us-east1-docker.pkg.dev/crl-ci-images/cockroach/bazel-builder:latest-do-not-use
+        us-east1-docker.pkg.dev/crl-ci-images/cockroach/bazel-builder:${{ needs.tags.outputs.time_tag }}
+      dockerFilePath: build/bazelbuilder/Dockerfile
+    secrets:
+      gcp_wif_provider: ${{ secrets.GCP_CRL_CI_IMAGES_WIF_PROVIDER }}
+      gcp_wif_service_account: ${{ secrets.GCP_CRL_CI_IMAGES_SERVICE_ACCOUNT }}
diff --git a/.github/workflows/gar-workflows-reusable-build-push-multiplatform-images.yml b/.github/workflows/gar-workflows-reusable-build-push-multiplatform-images.yml
@@ -0,0 +1,80 @@
+name: Build and Push Multi-Platform Docker Images
+# Note: This workflow is adapted to work with GAR only and specifically `us-east1-docker.pkg.dev` registry.
+# If supporting more registries (within GAR) is needed in the future, we can pass the registry as an input from the
+# calling workflow.
+# To support pushing outside GAR, we will need to support authenticating to other non-google registries.
+
+on:
+  workflow_call:
+    inputs:
+      tags:
+        # Example:
+        # tags: |
+        #   us-east1-docker.pkg.dev/crl-ci-images/cockroach/bazel-builder:latest-do-not-use
+        #   us-east1-docker.pkg.dev/crl-ci-images/cockroach/bazel-builder:${{ needs.tags.outputs.time_tag }}
+        required: true
+        type: string
+      dockerFilePath:
+        # Example: build/bazelbuilder/Dockerfile
+        required: true
+        type: string
+      workingDirectory:
+        type: string
+        default: "."
+    secrets:
+      gcp_wif_provider:
+        required: true
+      gcp_wif_service_account:
+        required: true
+
+jobs:
+  reusable-workflow:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: 'read'
+      id-token: 'write'
+    steps:
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      # Below we will build without pushing, then authenticate, then build and push. We do this
+      # dance because the token will only be valid for one hour and building + pushing might
+      # take more than one hour. The second build will use the cache so it's not bad.
+      -
+        name: Build (but do not push)
+        uses: docker/build-push-action@v5
+        with:
+          push: false
+          tags: ${{ inputs.tags }}
+          platforms: linux/amd64,linux/arm64
+          file: ${{ inputs.dockerFilePath }}
+          context: ${{ inputs.workingDirectory }}
+      -
+        name: GCP Auth
+        id: auth
+        uses: 'google-github-actions/auth@v1'
+        with:
+          token_format: access_token
+          workload_identity_provider: '${{ secrets.gcp_wif_provider }}'
+          service_account: '${{ secrets.gcp_wif_service_account }}'
+          access_token_lifetime: 600s # 10 minutes
+      -
+        name: Login to Artifact Registry
+        uses: docker/login-action@v1
+        with:
+          registry: us-east1-docker.pkg.dev 
+          username: oauth2accesstoken
+          password: ${{ steps.auth.outputs.access_token }}
+      -
+        name: Build (will use cache) and push (using recently generated token above)
+        uses: docker/build-push-action@v5
+        with:
+          push: true
+          tags: ${{ inputs.tags }}
+          platforms: linux/amd64,linux/arm64
+          file: ${{ inputs.dockerFilePath }}
+          context: ${{ inputs.workingDirectory }}