Skip to content

Commit

Permalink
ci: move healthcheck image to build with distroless
Browse files Browse the repository at this point in the history
  • Loading branch information
metaclips committed Nov 22, 2023
1 parent f5405a8 commit 279fca5
Show file tree
Hide file tree
Showing 4 changed files with 27 additions and 24 deletions.
31 changes: 17 additions & 14 deletions .github/workflows/distroless.yml
Original file line number Diff line number Diff line change
Expand Up @@ -18,33 +18,36 @@ defaults:

env:
ARCH_TO_BUILD_IMAGES: amd64
REPOSITORY: ${{ github.repository_owner }}
ORGANIZATION: ${{ github.repository_owner }}

jobs:
build_base_image:
name: "Build Ockam Distroless Base Image"
runs-on: ubuntu-20.04
permissions:
packages: write
environment: release
# environment: release

steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
with:
ref: ${{ github.event.inputs.commit_sha }}

- name: Generate Signing Key
run: docker run --rm -v "${PWD}":/work cgr.dev/chainguard/melange keygen

- name: Build Erlang Image
run: docker run --rm --privileged -v "${PWD}":/work cgr.dev/chainguard/melange build tools/docker/wolfi/erlang_package.yaml --arch ${{ env.ARCH_TO_BUILD_IMAGES }}
run: docker run --rm --privileged -v "${PWD}":/work cgr.dev/chainguard/melange build tools/docker/wolfi/erlang_package.yaml -k melange.rsa.pub --signing-key melange.rsa --arch ${{ env.ARCH_TO_BUILD_IMAGES }}

- name: Build Elixir Image
run: docker run --rm --privileged -v "${PWD}":/work cgr.dev/chainguard/melange build tools/docker/wolfi/elixir_package.yaml --arch ${{ env.ARCH_TO_BUILD_IMAGES }}
run: docker run --rm --privileged -v "${PWD}":/work cgr.dev/chainguard/melange build tools/docker/wolfi/elixir_package.yaml -k melange.rsa.pub --signing-key melange.rsa --arch ${{ env.ARCH_TO_BUILD_IMAGES }}

- name: Build Builder Image
run: docker run --rm -v ${PWD}:/work -w /work cgr.dev/chainguard/apko build tools/docker/wolfi/builder_image.yaml ghcr.io/${REPOSITORY}/ockam-elixir-builder:latest builder_image.tar
run: docker run --rm -v ${PWD}:/work -w /work cgr.dev/chainguard/apko build tools/docker/wolfi/builder_image.yaml -k melange.rsa.pub ghcr.io/${{ env.ORGANIZATION }}/ockam-elixir-builder:latest builder_image.tar

- name: Build Base Image
run: docker run --rm -v ${PWD}:/work -w /work cgr.dev/chainguard/apko build tools/docker/wolfi/base_image.yaml ghcr.io/${REPOSITORY}/ockam-elixir-base:latest base_image.tar
run: docker run --rm -v ${PWD}:/work -w /work cgr.dev/chainguard/apko build tools/docker/wolfi/base_image.yaml -k melange.rsa.pub ghcr.io/${{ env.ORGANIZATION }}/ockam-elixir-base:latest base_image.tar

- name: Load Images
run: |
Expand All @@ -53,17 +56,17 @@ jobs:
- name: Push Images
run: |
docker tag ghcr.io/${REPOSITORY}/ockam-elixir-base:latest-${$ARCH_TO_BUILD_IMAGES} docker tag ghcr.io/${REPOSITORY}/ockam-elixir-base:latest
docker push ghcr.io/${REPOSITORY}/ockam-elixir-base:latest
docker tag ghcr.io/${{ env.ORGANIZATION }}/ockam-elixir-base:latest-${$ARCH_TO_BUILD_IMAGES} docker tag ghcr.io/${{ env.ORGANIZATION }}/ockam-elixir-base:latest
docker push ghcr.io/${{ env.ORGANIZATION }}/ockam-elixir-base:latest
docker tag ghcr.io/${REPOSITORY}/ockam-elixir-builder:latest-${$ARCH_TO_BUILD_IMAGES} docker tag ghcr.io/${REPOSITORY}/ockam-elixir-builder:latest
docker push ghcr.io/${REPOSITORY}/ockam-elixir-builder:latest
docker tag ghcr.io/${{ env.ORGANIZATION }}/ockam-elixir-builder:latest-${$ARCH_TO_BUILD_IMAGES} docker tag ghcr.io/${{ env.ORGANIZATION }}/ockam-elixir-builder:latest
docker push ghcr.io/${{ env.ORGANIZATION }}/ockam-elixir-builder:latest
- name: Get Image ref
id: image_ref
run: |
base=$(docker image inspect ghcr.io/${REPOSITORY}/ockam-elixir-base:latest | jq -r .[0].Id)
builder=$(docker image inspect ghcr.io/${REPOSITORY}/ockam-elixir-builder:latest | jq -r .[0].Id)
base=$(docker image inspect ghcr.io/${{ env.ORGANIZATION }}/ockam-elixir-base:latest | jq -r .[0].Id)
builder=$(docker image inspect ghcr.io/${{ env.ORGANIZATION }}/ockam-elixir-builder:latest | jq -r .[0].Id)
echo "BUILDER=$builder" >> $GITHUB_OUTPUT
echo "BASE=$base" >> $GITHUB_OUTPUT
Expand All @@ -77,12 +80,12 @@ jobs:
with:
cosign_private_key: '${{ secrets.COSIGN_PRIVATE_KEY }}'
cosign_password: '${{ secrets.COSIGN_PRIVATE_KEY_PASSWORD }}'
image: 'ghcr.io/${REPOSITORY}/ockam-elixir-base:latest'
image: 'ghcr.io/${{ env.ORGANIZATION }}/ockam-elixir-base:latest'
ref: ${{ steps.image_ref.outputs.BASE }}

- uses: build-trust/.github/actions/image_cosign@custom-actions
with:
cosign_private_key: '${{ secrets.COSIGN_PRIVATE_KEY }}'
cosign_password: '${{ secrets.COSIGN_PRIVATE_KEY_PASSWORD }}'
image: 'ghcr.io/${REPOSITORY}/ockam-elixir-builder:latest'
image: 'ghcr.io/${{ env.ORGANIZATION }}/ockam-elixir-builder:latest'
ref: ${{ steps.image_ref.outputs.BUILDER }}
17 changes: 9 additions & 8 deletions tools/docker/healthcheck/Dockerfile
Original file line number Diff line number Diff line change
@@ -1,14 +1,14 @@
# Stage 1 - Build elixir release of ockam_healthcheck elixir app
FROM cgr.dev/chainguard/wolfi-base AS elixir-app-release-build
FROM ghcr.io/build-trust/ockam-elixir-builder:latest AS elixir-app-release-build

RUN set -xe; \
apk add curl xz bash elixir erlang-dev git openssl ca-certificates ncurses gcc gcc-12 glibc-dev libstdc++-12 glibc gcc llvm-libcxx-16
COPY --from=cgr.dev/chainguard/wolfi-base /bin /bin
COPY --from=cgr.dev/chainguard/wolfi-base /usr/bin /usr/bin

ENV PATH=/root/.cargo/bin:$PATH
COPY . /work
RUN set -xe; \
RUN set -ex; \
cd work; \
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- --default-toolchain none -y; \
rustup-init --no-update-default-toolchain -y; \
rustup show; \
cargo --version; \
cd implementations/elixir/ockam/ockam_healthcheck; \
Expand All @@ -19,14 +19,15 @@ RUN set -xe; \


# Stage 2 - Create container and copy executables in above step
FROM cgr.dev/chainguard/wolfi-base AS app
FROM ghcr.io/build-trust/ockam-elixir-base:latest AS app

COPY --from=cgr.dev/chainguard/wolfi-base /bin /bin
COPY --from=cgr.dev/chainguard/wolfi-base /usr/bin /usr/bin

COPY --from=elixir-app-release-build /work/implementations/elixir/ockam/ockam_healthcheck/_build/prod/rel/ockam_healthcheck /opt/ockam_healthcheck

ENV LANG=C.UTF-8

RUN apk add ncurses gcc

EXPOSE 4000

ENTRYPOINT ["/opt/ockam_healthcheck/bin/ockam_healthcheck"]
Expand Down
2 changes: 1 addition & 1 deletion tools/docker/wolfi/builder_image.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ contents:
- rustup
- zlib
- zlib-dev
- elixir-1_15
- elixir-1_14
- erlang-24
- erlang-24-dev
- openssl
Expand Down
1 change: 0 additions & 1 deletion tools/docker/wolfi/elixir_package.yaml
Original file line number Diff line number Diff line change
@@ -1,4 +1,3 @@
# docker run --rm --privileged -v "${PWD}":/work cgr.dev/chainguard/melange build elixir_package.yaml --arch amd64 -k melange.rsa.pub --signing-key melange.rsa
# Builds a pinned version of the elixir package
package:
name: elixir-1_14
Expand Down

0 comments on commit 279fca5

Please sign in to comment.