references/openproject
1
0
Fork 0
mirror of https://github.com/opf/openproject.git synced 2026-06-13 19:20:00 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
8127d71d6a30d0411c34b568019117f6cc52d7a5
openproject/.github/workflows/docker.yml
T
Alexander Brandon Coles d3d1f1e7b2 Merge branch 'dev' into code-maintenance/angular-22
2026-06-08 10:05:24 +01:00

395 lines
16 KiB
YAML
Raw Blame History

name: Docker
run-name: Build docker image from branch ${{ inputs.branch }} with tag ${{ inputs.tag }}
on:
workflow_call:
inputs:
branch:
description: "The branch or tag to checkout and build"
required: true
type: string
tag:
description: "The main docker tag to use (e.g., 'dev' or '16.3.0')"
required: true
type: string
use_test_registry:
description: "Use openproject/openproject-test registry instead (for testing)"
required: false
type: boolean
default: false
secrets:
DOCKER_USERNAME:
required: true
DOCKER_PASSWORD:
required: true
DEPLOY_APP_PRIVATE_KEY:
required: true
OPS_MAIL_SMTP_TOKEN:
required: true
workflow_dispatch:
inputs:
branch:
description: "The branch or tag to checkout and build"
required: true
type: string
tag:
description: "The main docker tag to use (e.g., 'dev' or '16.3.0')"
required: true
type: string
use_test_registry:
description: "Use openproject/openproject-test registry instead (for testing)"
required: false
type: boolean
default: false
permissions:
contents: read # to fetch code (actions/checkout)
jobs:
build-hocuspocus:
uses: ./.github/workflows/hocuspocus-docker.yml
with:
use_test_registry: ${{ inputs.use_test_registry }}
branch: ${{ inputs.branch }}
tag: ${{ inputs.tag }}
secrets:
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
DEPLOY_APP_PRIVATE_KEY: ${{ secrets.DEPLOY_APP_PRIVATE_KEY }}
setup:
needs: [build-hocuspocus]
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
ref: ${{ inputs.branch }}
persist-credentials: false
- name: Set version outputs and convert tags
id: extract_version
env:
INPUT_TAG: ${{ inputs.tag }}
INPUT_USE_TEST_REGISTRY: ${{ inputs.use_test_registry }}
REGISTRY_IMAGE: ${{ vars.REGISTRY_IMAGE }}
run: |
set -e
echo "Processing tag: $INPUT_TAG"
./script/gh/docker-tags.rb "$INPUT_TAG" --version
./script/gh/docker-tags.rb "$INPUT_TAG" --format-for-docker
# Determine registry image based on workflow_dispatch input
if [ "$INPUT_USE_TEST_REGISTRY" = "true" ]; then
echo "registry_image=openproject/openproject-test" >> "$GITHUB_OUTPUT"
else
echo "registry_image=$REGISTRY_IMAGE" >> "$GITHUB_OUTPUT"
fi
- name: Verify outputs
run: |
if [ -z "${STEPS_EXTRACT_VERSION_OUTPUTS_VERSION}" ]; then
echo "Error: version output is empty"
exit 1
fi
if [ -z "${STEPS_EXTRACT_VERSION_OUTPUTS_DOCKER_TAGS}" ]; then
echo "Error: docker_tags output is empty"
exit 1
fi
if [ -z "${STEPS_EXTRACT_VERSION_OUTPUTS_REGISTRY_IMAGE}" ]; then
echo "Error: registry_image output is empty"
exit 1
fi
echo "✓ version: ${STEPS_EXTRACT_VERSION_OUTPUTS_VERSION}"
echo "✓ docker_tags: ${STEPS_EXTRACT_VERSION_OUTPUTS_DOCKER_TAGS}"
echo "✓ registry_image: ${STEPS_EXTRACT_VERSION_OUTPUTS_REGISTRY_IMAGE}"
env:
STEPS_EXTRACT_VERSION_OUTPUTS_VERSION: ${{ steps.extract_version.outputs.version }}
STEPS_EXTRACT_VERSION_OUTPUTS_DOCKER_TAGS: ${{ steps.extract_version.outputs.docker_tags }}
STEPS_EXTRACT_VERSION_OUTPUTS_REGISTRY_IMAGE: ${{ steps.extract_version.outputs.registry_image }}
- name: Cache NPM
uses: runs-on/cache@88d90644011a3a9957fd141a106f5a94f9794203 # v5
with:
path: |
frontend/node_modules
node_modules
key: nodejs-x64-${{ hashFiles('**/package-lock.json') }}
restore-keys: nodejs-x64-
- name: Cache angular
uses: runs-on/cache@88d90644011a3a9957fd141a106f5a94f9794203 # v5
with:
path: frontend/.angular
key: angular-${{ github.ref }}
restore-keys: angular-
- uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1
with:
bundler-cache: true
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
with:
node-version: 22.22.3
package-manager-cache: false
cache: npm
cache-dependency-path: |
package-lock.json
frontend/package-lock.json
- name: Precompile assets
run: |
./docker/prod/setup/precompile-assets.sh
# public/assets will be saved as artifact, so temporarily copying config file there as well
cp config/frontend_assets.manifest.json public/assets/frontend_assets.manifest.json
- uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
path: public/
name: public-assets-${{ inputs.tag }}-${{ github.sha }}
overwrite: true
# Since v4.4, hidden files are excluded by default.
# We need to include public/assets/.sprockets-manifest-*.json
include-hidden-files: true
outputs:
version: ${{ steps.extract_version.outputs.version }}
docker_tags: ${{ steps.extract_version.outputs.docker_tags }}
registry_image: ${{ steps.extract_version.outputs.registry_image }}
build:
if: github.repository_owner == 'opf'
needs:
- setup
runs-on:
labels: "runs-on=${{ github.run_id }}/ssh=false/${{ matrix.runner }}/volume=200g"
strategy:
matrix:
include:
- platform: linux/amd64
digest: amd64-slim
bim_support: false
target: slim
runner: runner=4cpu-linux-x64
- platform: linux/amd64
digest: amd64-bim
bim_support: true
target: slim-bim
runner: runner=4cpu-linux-x64
- platform: linux/arm64/v8
digest: arm64-slim
bim_support: false
target: slim
runner: runner=4cpu-linux-arm64
- platform: linux/amd64
digest: amd64-aio
bim_support: true
target: all-in-one
runner: runner=4cpu-linux-x64
- platform: linux/arm64/v8
digest: arm64-aio
bim_support: false
target: all-in-one
runner: runner=4cpu-linux-arm64
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
ref: ${{ inputs.branch }}
persist-credentials: false
- name: Prepare docker files
run: |
cp ./docker/prod/Dockerfile ./Dockerfile
- name: Download precompiled public assets
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
with:
name: public-assets-${{ inputs.tag }}-${{ github.sha }}
path: public/
- name: Setup precompiled assets
run: |
ls -al public/
mv public/assets/frontend_assets.manifest.json config/frontend_assets.manifest.json
ls -al config/frontend_assets.manifest.json
# allow precompiled assets to be injected into docker image
echo '' >> .dockerignore
echo '!/public/assets' >> .dockerignore
echo '!/config/frontend_assets.manifest.json' >> .dockerignore
- name: Add build information
env:
INPUTS_BRANCH: ${{ inputs.branch }}
run: |
echo "$INPUTS_BRANCH" > PRODUCT_VERSION
echo "https://github.com/opf/openproject/commits/$INPUTS_BRANCH" > PRODUCT_URL
date -u +"%Y-%m-%dT%H:%M:%SZ" > RELEASE_DATE
- name: Set up QEMU
uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
- name: Login to Docker Hub
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Docker meta
id: meta
uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
with:
context: git
labels: |
io.artifacthub.package.readme-url=https://raw.githubusercontent.com/opf/openproject/refs/heads/dev/docker/prod/README.md
io.artifacthub.package.logo-url=https://raw.githubusercontent.com/opf/openproject/refs/heads/dev/docker/prod/logo.png
org.opencontainers.image.source=https://github.com/opf/openproject
org.opencontainers.image.documentation=https://www.openproject.org/docs/installation-and-operations/installation/
org.opencontainers.image.vendor=OpenProject GmbH
tags: |
${{ needs.setup.outputs.docker_tags }}
images: |
${{ needs.setup.outputs.registry_image }}
- name: Restore vendor/bundle
id: restore-vendor-bundle
uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
with:
path: |
vendor/bundle
key: ${{ matrix.platform }}-trixie-vendor-bundle-${{ github.ref }}
- name: Include vendor/bundle in this build (so we can use it from the cache above)
run: |
sed -i 's/vendor\/bundle//g' .dockerignore
- name: Build image
id: build
uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
with:
context: .
platforms: ${{ matrix.platform }}
target: ${{ matrix.target }}
build-args: |
BIM_SUPPORT=${{ matrix.bim_support }}
BUILDKIT_PROGRESS=plain
pull: true
load: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=s3,blobs_prefix=cache/${{ github.repository }}/trixie,manifests_prefix=cache/${{ github.repository }}/trixie,region=${{ env.RUNS_ON_AWS_REGION }},bucket=${{ env.RUNS_ON_S3_BUCKET_CACHE }}
cache-to: type=s3,blobs_prefix=cache/${{ github.repository }}/trixie,manifests_prefix=cache/${{ github.repository }}/trixie,region=${{ env.RUNS_ON_AWS_REGION }},bucket=${{ env.RUNS_ON_S3_BUCKET_CACHE }},mode=max
- name: Extract vendor/bundle from container
env:
STEPS_BUILD_OUTPUTS_IMAGEID: ${{ steps.build.outputs.imageid }}
run: |
docker create --name bundle $STEPS_BUILD_OUTPUTS_IMAGEID
if [ -d vendor/bundle ]; then
mv vendor/bundle vendor/bundle.bak
fi
docker cp bundle:/app/vendor/bundle vendor/bundle
docker rm bundle
- name: Save vendor/bundle
id: save-vendor-bundle
uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
with:
path: |
vendor/bundle
key: ${{ steps.restore-vendor-bundle.outputs.cache-primary-key }}
- name: Restore pre-build vendor/bundle to prevent 2nd build from scratch during push
run: |
rm -rf vendor/bundle
if [ -d vendor/bundle.bak ]; then
mv vendor/bundle.bak vendor/bundle
fi
- name: Validate image
env:
STEPS_BUILD_OUTPUTS_IMAGEID: ${{ steps.build.outputs.imageid }}
run: |
./script/ci/docker_validate_image.sh \
--image "$STEPS_BUILD_OUTPUTS_IMAGEID" \
--target "${{ matrix.target }}" \
--platform "${{ matrix.platform }}"
- name: Push image
id: push
uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
with:
context: .
platforms: ${{ matrix.platform }}
target: ${{ matrix.target }}
build-args: |
BIM_SUPPORT=${{ matrix.bim_support }}
labels: ${{ steps.meta.outputs.labels }}
outputs: type=image,name=${{ needs.setup.outputs.registry_image }},push-by-digest=true,name-canonical=true,push=true
cache-from: type=s3,blobs_prefix=cache/${{ github.repository }}/trixie,manifests_prefix=cache/${{ github.repository }}/trixie,region=${{ env.RUNS_ON_AWS_REGION }},bucket=${{ env.RUNS_ON_S3_BUCKET_CACHE }}
cache-to: type=s3,blobs_prefix=cache/${{ github.repository }}/trixie,manifests_prefix=cache/${{ github.repository }}/trixie,region=${{ env.RUNS_ON_AWS_REGION }},bucket=${{ env.RUNS_ON_S3_BUCKET_CACHE }},mode=max
- name: Export digest
env:
STEPS_PUSH_OUTPUTS_DIGEST: ${{ steps.push.outputs.digest }}
run: |
mkdir -p /tmp/digests
digest="$STEPS_PUSH_OUTPUTS_DIGEST"
touch "/tmp/digests/${digest#sha256:}"
- name: Upload digest
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: digests-${{ inputs.tag }}-${{ matrix.target }}--${{ matrix.digest }}
path: /tmp/digests/*
if-no-files-found: error
retention-days: 1
merge:
runs-on: ubuntu-latest
strategy:
matrix:
target: [slim, slim-bim, all-in-one]
needs:
- setup
- build
steps:
- name: Merge digests
uses: actions/upload-artifact/merge@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
pattern: "digests-${{ inputs.tag }}-${{ matrix.target }}--*"
overwrite: true
name: "merged-digests-${{ inputs.tag }}-${{ matrix.target }}-${{ github.run_number }}-${{ github.run_attempt }}"
- name: Download digests
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
with:
name: "merged-digests-${{ inputs.tag }}-${{ matrix.target }}-${{ github.run_number }}-${{ github.run_attempt }}"
path: /tmp/digests
- name: Set suffix
id: set_suffix
run: |
suffix="-${{ matrix.target }}"
if [ "$suffix" = "-all-in-one" ]; then suffix="" ; fi
echo "suffix=$suffix" >> "$GITHUB_OUTPUT"
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
- name: Docker meta
id: meta
uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
with:
images: ${{ needs.setup.outputs.registry_image }}
labels: |
io.artifacthub.package.readme-url=https://raw.githubusercontent.com/opf/openproject/refs/heads/dev/docker/prod/README.md
io.artifacthub.package.logo-url=https://raw.githubusercontent.com/opf/openproject/refs/heads/dev/docker/prod/logo.png
org.opencontainers.image.source=https://github.com/opf/openproject
org.opencontainers.image.documentation=https://www.openproject.org/docs/installation-and-operations/installation/
org.opencontainers.image.vendor=OpenProject GmbH
flavor: |
latest=false
suffix=${{ steps.set_suffix.outputs.suffix }}
tags: |
${{ needs.setup.outputs.docker_tags }}
- name: Login to Docker Hub
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Create manifest list and push
working-directory: /tmp/digests
env:
NEEDS_SETUP_OUTPUTS_REGISTRY_IMAGE: ${{ needs.setup.outputs.registry_image }}
run: |
docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
$(printf "${NEEDS_SETUP_OUTPUTS_REGISTRY_IMAGE}@sha256:%s " *)
- name: Inspect image
env:
NEEDS_SETUP_OUTPUTS_REGISTRY_IMAGE: ${{ needs.setup.outputs.registry_image }}
STEPS_META_OUTPUTS_VERSION: ${{ steps.meta.outputs.version }}
run: |
docker buildx imagetools inspect "${NEEDS_SETUP_OUTPUTS_REGISTRY_IMAGE}:${STEPS_META_OUTPUTS_VERSION}"
notify-failure:
needs: [setup, build, merge]
if: ${{ always() && contains(needs.*.result, 'failure') }}
uses: ./.github/workflows/email-notification.yml
secrets:
OPS_MAIL_SMTP_TOKEN: ${{ secrets.OPS_MAIL_SMTP_TOKEN }}
with:
subject: "Docker build failed"
body: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
Reference in New Issue View Git Blame Copy Permalink