name: Docker run-name: Build docker image from branch ${{ inputs.branch }} with tag ${{ inputs.tag }} on: workflow_call: inputs: branch: description: "The branch or tag to checkout and build" required: true type: string tag: description: "The main docker tag to use (e.g., 'dev' or '16.3.0')" required: true type: string use_test_registry: description: "Use openproject/openproject-test registry instead (for testing)" required: false type: boolean default: false secrets: DOCKER_USERNAME: required: true DOCKER_PASSWORD: required: true DEPLOY_APP_PRIVATE_KEY: required: true OPS_MAIL_SMTP_TOKEN: required: true workflow_dispatch: inputs: branch: description: "The branch or tag to checkout and build" required: true type: string tag: description: "The main docker tag to use (e.g., 'dev' or '16.3.0')" required: true type: string use_test_registry: description: "Use openproject/openproject-test registry instead (for testing)" required: false type: boolean default: false permissions: contents: read # to fetch code (actions/checkout) jobs: build-hocuspocus: uses: ./.github/workflows/hocuspocus-docker.yml with: use_test_registry: ${{ inputs.use_test_registry }} branch: ${{ inputs.branch }} tag: ${{ inputs.tag }} secrets: DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }} DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }} DEPLOY_APP_PRIVATE_KEY: ${{ secrets.DEPLOY_APP_PRIVATE_KEY }} setup: needs: [build-hocuspocus] runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ inputs.branch }} persist-credentials: false - name: Set version outputs and convert tags id: extract_version env: INPUT_TAG: ${{ inputs.tag }} INPUT_USE_TEST_REGISTRY: ${{ inputs.use_test_registry }} REGISTRY_IMAGE: ${{ vars.REGISTRY_IMAGE }} run: | set -e echo "Processing tag: $INPUT_TAG" ./script/gh/docker-tags.rb "$INPUT_TAG" --version ./script/gh/docker-tags.rb "$INPUT_TAG" --format-for-docker # Determine registry image based on workflow_dispatch input if [ "$INPUT_USE_TEST_REGISTRY" = "true" ]; then echo "registry_image=openproject/openproject-test" >> "$GITHUB_OUTPUT" else echo "registry_image=$REGISTRY_IMAGE" >> "$GITHUB_OUTPUT" fi - name: Verify outputs run: | if [ -z "${STEPS_EXTRACT_VERSION_OUTPUTS_VERSION}" ]; then echo "Error: version output is empty" exit 1 fi if [ -z "${STEPS_EXTRACT_VERSION_OUTPUTS_DOCKER_TAGS}" ]; then echo "Error: docker_tags output is empty" exit 1 fi if [ -z "${STEPS_EXTRACT_VERSION_OUTPUTS_REGISTRY_IMAGE}" ]; then echo "Error: registry_image output is empty" exit 1 fi echo "✓ version: ${STEPS_EXTRACT_VERSION_OUTPUTS_VERSION}" echo "✓ docker_tags: ${STEPS_EXTRACT_VERSION_OUTPUTS_DOCKER_TAGS}" echo "✓ registry_image: ${STEPS_EXTRACT_VERSION_OUTPUTS_REGISTRY_IMAGE}" env: STEPS_EXTRACT_VERSION_OUTPUTS_VERSION: ${{ steps.extract_version.outputs.version }} STEPS_EXTRACT_VERSION_OUTPUTS_DOCKER_TAGS: ${{ steps.extract_version.outputs.docker_tags }} STEPS_EXTRACT_VERSION_OUTPUTS_REGISTRY_IMAGE: ${{ steps.extract_version.outputs.registry_image }} - name: Cache NPM uses: runs-on/cache@88d90644011a3a9957fd141a106f5a94f9794203 # v5 with: path: | frontend/node_modules node_modules key: nodejs-x64-${{ hashFiles('**/package-lock.json') }} restore-keys: nodejs-x64- - name: Cache angular uses: runs-on/cache@88d90644011a3a9957fd141a106f5a94f9794203 # v5 with: path: frontend/.angular key: angular-${{ github.ref }} restore-keys: angular- - uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1 with: bundler-cache: true - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: 22.22.3 package-manager-cache: false cache: npm cache-dependency-path: | package-lock.json frontend/package-lock.json - name: Precompile assets run: | ./docker/prod/setup/precompile-assets.sh # public/assets will be saved as artifact, so temporarily copying config file there as well cp config/frontend_assets.manifest.json public/assets/frontend_assets.manifest.json - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: path: public/ name: public-assets-${{ inputs.tag }}-${{ github.sha }} overwrite: true # Since v4.4, hidden files are excluded by default. # We need to include public/assets/.sprockets-manifest-*.json include-hidden-files: true outputs: version: ${{ steps.extract_version.outputs.version }} docker_tags: ${{ steps.extract_version.outputs.docker_tags }} registry_image: ${{ steps.extract_version.outputs.registry_image }} build: if: github.repository_owner == 'opf' needs: - setup runs-on: labels: "runs-on=${{ github.run_id }}/ssh=false/${{ matrix.runner }}/volume=200g" strategy: matrix: include: - platform: linux/amd64 digest: amd64-slim bim_support: false target: slim runner: runner=4cpu-linux-x64 - platform: linux/amd64 digest: amd64-bim bim_support: true target: slim-bim runner: runner=4cpu-linux-x64 - platform: linux/arm64/v8 digest: arm64-slim bim_support: false target: slim runner: runner=4cpu-linux-arm64 - platform: linux/amd64 digest: amd64-aio bim_support: true target: all-in-one runner: runner=4cpu-linux-x64 - platform: linux/arm64/v8 digest: arm64-aio bim_support: false target: all-in-one runner: runner=4cpu-linux-arm64 steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ inputs.branch }} persist-credentials: false - name: Prepare docker files run: | cp ./docker/prod/Dockerfile ./Dockerfile - name: Download precompiled public assets uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: public-assets-${{ inputs.tag }}-${{ github.sha }} path: public/ - name: Setup precompiled assets run: | ls -al public/ mv public/assets/frontend_assets.manifest.json config/frontend_assets.manifest.json ls -al config/frontend_assets.manifest.json # allow precompiled assets to be injected into docker image echo '' >> .dockerignore echo '!/public/assets' >> .dockerignore echo '!/config/frontend_assets.manifest.json' >> .dockerignore - name: Add build information env: INPUTS_BRANCH: ${{ inputs.branch }} run: | echo "$INPUTS_BRANCH" > PRODUCT_VERSION echo "https://github.com/opf/openproject/commits/$INPUTS_BRANCH" > PRODUCT_URL date -u +"%Y-%m-%dT%H:%M:%SZ" > RELEASE_DATE - name: Set up QEMU uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4 - name: Set up Docker Buildx id: buildx uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4 - name: Login to Docker Hub uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} - name: Docker meta id: meta uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6 with: context: git labels: | io.artifacthub.package.readme-url=https://raw.githubusercontent.com/opf/openproject/refs/heads/dev/docker/prod/README.md io.artifacthub.package.logo-url=https://raw.githubusercontent.com/opf/openproject/refs/heads/dev/docker/prod/logo.png org.opencontainers.image.source=https://github.com/opf/openproject org.opencontainers.image.documentation=https://www.openproject.org/docs/installation-and-operations/installation/ org.opencontainers.image.vendor=OpenProject GmbH tags: | ${{ needs.setup.outputs.docker_tags }} images: | ${{ needs.setup.outputs.registry_image }} - name: Restore vendor/bundle id: restore-vendor-bundle uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 with: path: | vendor/bundle key: ${{ matrix.platform }}-trixie-vendor-bundle-${{ github.ref }} - name: Include vendor/bundle in this build (so we can use it from the cache above) run: | sed -i 's/vendor\/bundle//g' .dockerignore - name: Build image id: build uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7 with: context: . platforms: ${{ matrix.platform }} target: ${{ matrix.target }} build-args: | BIM_SUPPORT=${{ matrix.bim_support }} BUILDKIT_PROGRESS=plain pull: true load: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} cache-from: type=s3,blobs_prefix=cache/${{ github.repository }}/trixie,manifests_prefix=cache/${{ github.repository }}/trixie,region=${{ env.RUNS_ON_AWS_REGION }},bucket=${{ env.RUNS_ON_S3_BUCKET_CACHE }} cache-to: type=s3,blobs_prefix=cache/${{ github.repository }}/trixie,manifests_prefix=cache/${{ github.repository }}/trixie,region=${{ env.RUNS_ON_AWS_REGION }},bucket=${{ env.RUNS_ON_S3_BUCKET_CACHE }},mode=max - name: Extract vendor/bundle from container env: STEPS_BUILD_OUTPUTS_IMAGEID: ${{ steps.build.outputs.imageid }} run: | docker create --name bundle $STEPS_BUILD_OUTPUTS_IMAGEID if [ -d vendor/bundle ]; then mv vendor/bundle vendor/bundle.bak fi docker cp bundle:/app/vendor/bundle vendor/bundle docker rm bundle - name: Save vendor/bundle id: save-vendor-bundle uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 with: path: | vendor/bundle key: ${{ steps.restore-vendor-bundle.outputs.cache-primary-key }} - name: Restore pre-build vendor/bundle to prevent 2nd build from scratch during push run: | rm -rf vendor/bundle if [ -d vendor/bundle.bak ]; then mv vendor/bundle.bak vendor/bundle fi - name: Validate image env: STEPS_BUILD_OUTPUTS_IMAGEID: ${{ steps.build.outputs.imageid }} run: | ./script/ci/docker_validate_image.sh \ --image "$STEPS_BUILD_OUTPUTS_IMAGEID" \ --target "${{ matrix.target }}" \ --platform "${{ matrix.platform }}" - name: Push image id: push uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7 with: context: . platforms: ${{ matrix.platform }} target: ${{ matrix.target }} build-args: | BIM_SUPPORT=${{ matrix.bim_support }} labels: ${{ steps.meta.outputs.labels }} outputs: type=image,name=${{ needs.setup.outputs.registry_image }},push-by-digest=true,name-canonical=true,push=true cache-from: type=s3,blobs_prefix=cache/${{ github.repository }}/trixie,manifests_prefix=cache/${{ github.repository }}/trixie,region=${{ env.RUNS_ON_AWS_REGION }},bucket=${{ env.RUNS_ON_S3_BUCKET_CACHE }} cache-to: type=s3,blobs_prefix=cache/${{ github.repository }}/trixie,manifests_prefix=cache/${{ github.repository }}/trixie,region=${{ env.RUNS_ON_AWS_REGION }},bucket=${{ env.RUNS_ON_S3_BUCKET_CACHE }},mode=max - name: Export digest env: STEPS_PUSH_OUTPUTS_DIGEST: ${{ steps.push.outputs.digest }} run: | mkdir -p /tmp/digests digest="$STEPS_PUSH_OUTPUTS_DIGEST" touch "/tmp/digests/${digest#sha256:}" - name: Upload digest uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: digests-${{ inputs.tag }}-${{ matrix.target }}--${{ matrix.digest }} path: /tmp/digests/* if-no-files-found: error retention-days: 1 merge: runs-on: ubuntu-latest strategy: matrix: target: [slim, slim-bim, all-in-one] needs: - setup - build steps: - name: Merge digests uses: actions/upload-artifact/merge@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: pattern: "digests-${{ inputs.tag }}-${{ matrix.target }}--*" overwrite: true name: "merged-digests-${{ inputs.tag }}-${{ matrix.target }}-${{ github.run_number }}-${{ github.run_attempt }}" - name: Download digests uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: "merged-digests-${{ inputs.tag }}-${{ matrix.target }}-${{ github.run_number }}-${{ github.run_attempt }}" path: /tmp/digests - name: Set suffix id: set_suffix run: | suffix="-${{ matrix.target }}" if [ "$suffix" = "-all-in-one" ]; then suffix="" ; fi echo "suffix=$suffix" >> "$GITHUB_OUTPUT" - name: Set up Docker Buildx uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4 - name: Docker meta id: meta uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6 with: images: ${{ needs.setup.outputs.registry_image }} labels: | io.artifacthub.package.readme-url=https://raw.githubusercontent.com/opf/openproject/refs/heads/dev/docker/prod/README.md io.artifacthub.package.logo-url=https://raw.githubusercontent.com/opf/openproject/refs/heads/dev/docker/prod/logo.png org.opencontainers.image.source=https://github.com/opf/openproject org.opencontainers.image.documentation=https://www.openproject.org/docs/installation-and-operations/installation/ org.opencontainers.image.vendor=OpenProject GmbH flavor: | latest=false suffix=${{ steps.set_suffix.outputs.suffix }} tags: | ${{ needs.setup.outputs.docker_tags }} - name: Login to Docker Hub uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} - name: Create manifest list and push working-directory: /tmp/digests env: NEEDS_SETUP_OUTPUTS_REGISTRY_IMAGE: ${{ needs.setup.outputs.registry_image }} run: | docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ $(printf "${NEEDS_SETUP_OUTPUTS_REGISTRY_IMAGE}@sha256:%s " *) - name: Inspect image env: NEEDS_SETUP_OUTPUTS_REGISTRY_IMAGE: ${{ needs.setup.outputs.registry_image }} STEPS_META_OUTPUTS_VERSION: ${{ steps.meta.outputs.version }} run: | docker buildx imagetools inspect "${NEEDS_SETUP_OUTPUTS_REGISTRY_IMAGE}:${STEPS_META_OUTPUTS_VERSION}" notify-failure: needs: [setup, build, merge] if: ${{ always() && contains(needs.*.result, 'failure') }} uses: ./.github/workflows/email-notification.yml secrets: OPS_MAIL_SMTP_TOKEN: ${{ secrets.OPS_MAIL_SMTP_TOKEN }} with: subject: "Docker build failed" body: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}