ci: build and push Docker image based on Chainguard base image #4005
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Victor Martinez <VictorMartinezRubio@gmail.com>
I'll wait until you've updated this PR after 3998 is merged before doing a final review. |
|
I'm not sure of the value of using a matrix for the two Dockerfiles. I think it adds more complexity than it saves in a little duplication. |
Feel free to push back on that if you are using the same pattern in other repos. |
…es-wolfi * upstream/main: ci: use docker/metadata-action to gather tags/labels (elastic#3998) chore(deps): bump @opentelemetry/exporter-prometheus (elastic#4016) chore(deps): bump @opentelemetry/sdk-metrics to 1.24.1 in test fixtures (elastic#4015) chore(deps): bump @opentelemetry/sdk-metrics from 1.24.0 to 1.24.1 (elastic#4014) chore(deps-dev): bump azure-functions-core-tools (elastic#4017) chore(deps-dev): bump undici from 6.15.0 to 6.16.1 (elastic#4013) chore(deps-dev): bump fastify from 4.26.2 to 4.27.0 (elastic#4012) chore(deps): bump pino from 8.17.1 to 8.21.0 (elastic#4011) chore(deps): bump @opentelemetry/core from 1.24.0 to 1.24.1 (elastic#4010) chore(deps-dev): bump mongodb from 6.6.0 to 6.6.1 (elastic#4009) chore(deps-dev): bump eslint-plugin-n in the eslint group (elastic#4008)
|
Do you prefer something like this? diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 942b6e4e..76ddaa37 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -62,6 +62,7 @@ jobs:
uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
with:
context: .
+ file: 'Dockerfile'
push: true
tags: ${{ steps.docker-meta.outputs.tags }}
labels: ${{ steps.docker-meta.outputs.labels }}
@@ -75,6 +76,39 @@ jobs:
subject-digest: ${{ steps.docker-push.outputs.digest }}
push-to-registry: true
+ - name: Extract metadata (tags, labels) (wolfi)
+ id: docker-meta-wolfi
+ uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
+ with:
+ images: ${{ env.DOCKER_IMAGE_NAME }}
+ flavor: |
+ latest=auto
+ suffix=-wolfi
+ tags: |
+ # "1.2.3" and "latest" Docker tags on push of git tag "v1.2.3"
+ type=semver,pattern={{version}}
+ # "edge" Docker tag on git push to default branch
+ type=edge
+
+ - name: Build and Push Docker Image (wolfi)
+ id: docker-push-wolfi
+ uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
+ with:
+ context: .
+ file: 'Dockerfile.wolfi'
+ push: true
+ tags: ${{ steps.docker-meta-wolfi.outputs.tags }}
+ labels: ${{ steps.docker-meta-wolfi.outputs.labels }}
+ build-args: |
+ AGENT_DIR=/build/dist/nodejs
+
+ - name: Attest Docker image (wolfi)
+ uses: github-early-access/generate-build-provenance@main
+ with:
+ subject-name: "${{ env.DOCKER_IMAGE_NAME }}"
+ subject-digest: ${{ steps.docker-push-wolfi.outputs.digest }}
+ push-to-registry: true
+
- name: Read AWS vault secrets
uses: hashicorp/vault-action@v3.0.0
with:
diff --git a/Dockerfile.wolfi b/Dockerfile.wolfi
new file mode 100644
index 00000000..f0361904
--- /dev/null
+++ b/Dockerfile.wolfi
@@ -0,0 +1,3 @@
+FROM docker.elastic.co/wolfi/chainguard-base@sha256:9f940409f96296ef56140bcc4665c204dd499af4c32c96cc00e792558097c3f1
+ARG AGENT_DIR
+COPY ${AGENT_DIR} /opt/nodejsRather than the matrix approach? |
reakaleek
previously approved these changes
May 14, 2024
Yes. Personally I think that looks clearer. Are you already doing a matrix-based workflow for other APM repos? |
I did it for the APM Agent Python -> elastic/apm-agent-python#2036 But it's not merged yet and we can change it if needed. Each agent has its own idiosyncrasy., I'm happy to change it if makes thing easier to read. I'll apply the new changes now in this PR |
trentm
approved these changes
May 14, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What does this pull request do?
Release two flavours of Docker images:
Please note that we are going to preserve the current
Dockerfile, so that users will still be able to build their own custom images based onAlpine: this is needed becausedocker.elastic.co/wolfi/chainguard-baseis not a public base image, so docker build would fail for unauthenticated users.Implementation details
I refactored the release workflow to have three different jobs that run sequentially:
DockerfileandDockerfile.wolfiThen, I created the
Dockerfile.wolfi- the naming convention we agreed upon.Tests
I created a feature branch
test-wolfi:Then I was able to test the release workflow without pushing any changes in production but generating docker images with the prefix
test-and suffix if-wolfi.See https://github.com/elastic/apm-agent-nodejs/actions/runs/9082550246
Docker images
The ones we usually release
See this line
Wolfi docker images
See this line
docker pull docker.elastic.co/observability/apm-agent-nodejs:test-latest-wolfiIssues
Similar to elastic/apm-agent-python#2036
Requires #3998
Checklist