name: Rust MUSL

# No default token scopes for any job; jobs that push images or attestations
# grant themselves exactly what they need.
permissions: {}

on:
  push:
    branches:
      - main
    # Only rebuild when the workflow, the Dockerfile or the test crate changes
    paths:
      - '.github/workflows/rust-musl.yml'
      - 'Dockerfile.musl-base'
      - 'test/multicrate/**'
  workflow_dispatch:
    inputs:
      # An explicit nightly date (YYYY-MM-DD); empty means "the current nightly"
      nightly_date_override:
        description: 'Nightly date to build'
        required: false
        default: ''
      # Any non-empty value forces a fresh stable build
      fresh_stable:
        description: 'Trigger new stable build'
        required: false
        default: ''
  schedule:
    # Every day at 09:30 UTC
    - cron: '30 9 * * *'

# One run per workflow+ref; a newer run on the same ref cancels the older one
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
## ##
## To trigger this workflow using `act` (https://github.com/nektos/act) you can do the following.
## Full run with no/different rustc_hash: (this triggers a fresh stable build, since the rustc_hash is not available)
## act push -j musl_base
##
## Run per architecture
## # amd64
## act push -j musl_base --matrix os:ubuntu-24.04 --matrix image_tag:x86_64-musl
## # armv7
## act push -j musl_base --matrix os:ubuntu-24.04 --matrix image_tag:armv7-musleabihf
## # arm64
## act push -j musl_base --matrix os:ubuntu-24.04 --matrix image_tag:aarch64-musl
## # armv6
## act push -j musl_base --matrix os:ubuntu-24.04 --matrix image_tag:arm-musleabi
##
## If you want to build both amd64 and arm64 of a specific architecture, remove the os:ubuntu-24.04 matrix
## act push -j musl_base --matrix image_tag:x86_64-musl
##
## Or, if you want to build only arm64 of a specific architecture add os:ubuntu-24.04-arm
## act push -j musl_base --matrix os:ubuntu-24.04-arm --matrix image_tag:x86_64-musl
##
## Use a local build toolchain container amd64 only
## act push --env TOOLCHAIN_REG=localhost:5000 -j musl_base --matrix os:ubuntu-24.04
##
## Both amd64 and arm64
## act push --env TOOLCHAIN_REG=localhost:5000 -j musl_base
##
## Full run with same rustc_hash: (Get the current rustc_hash either from the output of the rust_stable step, or running rustc -vV your self)
## act push --env RUSTC_STABLE_HASH_ACT=f1edd0429 -j musl_base
##
## Nightly dispatch:
## act workflow_dispatch -j musl_base
##
## Nightly dispatch specific date:
## act workflow_dispatch -e <(echo '{"act": true, "inputs":{"nightly_date_override":"2025-05-16","fresh_stable":""}}') -j musl_base
##
## Stable and Nightly dispatch:
## act workflow_dispatch -e <(echo '{"act": true, "inputs":{"nightly_date_override":"","fresh_stable":"true"}}') -j musl_base
##
## To only see the outputs of mbuild_vars (and thus what would get triggered), use the same commands as above but replace `musl_base` with `mbuild_vars`
##
## ##
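jobs:
  mbuild_vars:
    if: ${{ github.repository == 'BlackDex/rust-musl' }}
    name: Generate Build Variables
    runs-on: ubuntu-24.04
    # No `permissions:` override: this job inherits the workflow-level `permissions: {}`.
    # It only reads public channel manifests and writes step outputs.
    env:
      # A registry is only considered available when it is enabled via a repository
      # variable AND its credentials are present, so a half-configured registry is skipped.
      HAVE_DOCKERHUB_LOGIN: ${{ vars.DOCKERHUB_ENABLED == 'true' && secrets.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '' }}
      HAVE_GHCR_LOGIN: ${{ vars.GHCR_ENABLED == 'true' && github.repository_owner != '' && secrets.GITHUB_TOKEN != '' }}
      HAVE_QUAY_LOGIN: ${{ vars.QUAY_ENABLED == 'true' && secrets.QUAY_USERNAME != '' && secrets.QUAY_TOKEN != '' }}
      HAVE_LOCAL_REGISTRY: ${{ secrets.LOCAL_REGISTRY != '' }}
      HAVE_BUILDKIT_SSH: ${{ secrets.BUILDKIT_SSH != '' && secrets.BUILDKIT_ARM64_HOST != '' && secrets.BUILDKIT_ARM64_USER != '' }}
    outputs:
      have_dockerhub_login: ${{ env.HAVE_DOCKERHUB_LOGIN }}
      have_ghcr_login: ${{ env.HAVE_GHCR_LOGIN }}
      have_quay_login: ${{ env.HAVE_QUAY_LOGIN }}
      have_local_registry: ${{ env.HAVE_LOCAL_REGISTRY }}
      have_buildkit_ssh: ${{ env.HAVE_BUILDKIT_SSH }}
      current_date: ${{ steps.build_vars.outputs.current_date }}
      nightly_date: ${{ steps.build_vars.outputs.nightly_date }}
      nightly_tag_postfix: ${{ steps.build_vars.outputs.nightly_tag_postfix }}
      nightly_trigger: ${{ steps.build_vars.outputs.nightly_trigger }}
      stable_trigger: ${{ steps.build_vars.outputs.stable_trigger }}
      #
      # Versions extracted during the rust_versions step
      stable_version: ${{ steps.rust_versions.outputs.stable_version }}
      stable_semver: ${{ steps.rust_versions.outputs.stable_semver }}
      # The workflow input `fresh_stable` is appended verbatim so that any non-empty
      # value changes the hash and forces a fresh rustup. It is taken as-is from the
      # dispatch form (presumably only users who can dispatch the workflow control it)
      # and ends up in the `RUSTC_HASH` build-arg of the musl_base job.
      stable_hash: "${{ steps.rust_versions.outputs.stable_hash }}${{ github.event.inputs.fresh_stable }}"
      #
      # Nightly version
      nightly_version: ${{ steps.rust_versions.outputs.nightly_version }}
      nightly_semver: ${{ steps.rust_versions.outputs.nightly_semver }}
      #
      # Special version to match the Vaultwarden stable version currently used in its main branch
      vaultwarden_version: ${{ steps.rust_versions.outputs.vaultwarden_version }}
      vaultwarden_semver: ${{ steps.rust_versions.outputs.vaultwarden_semver }}
      #
      # Space separated list of container registries to push to
      registry_list: ${{ steps.registry.outputs.registry_list }}
      # Which container registry to pull the toolchain container from
      toolchain_reg: ${{ steps.registry.outputs.toolchain_reg }}
      # Use a remote docker for arm64 container testing, mainly used for local testing via act
      docker_host_arm64: ${{ steps.registry.outputs.docker_host_arm64 }}
    steps:
      - name: Determine Container Registries
        id: registry
        env:
          HAVE_DOCKERHUB_LOGIN: ${{ env.HAVE_DOCKERHUB_LOGIN }}
          HAVE_GHCR_LOGIN: ${{ env.HAVE_GHCR_LOGIN }}
          HAVE_QUAY_LOGIN: ${{ env.HAVE_QUAY_LOGIN }}
          HAVE_LOCAL_REGISTRY: ${{ env.HAVE_LOCAL_REGISTRY }}
          LOCAL_REGISTRY: ${{ secrets.LOCAL_REGISTRY }}
          HAVE_BUILDKIT_SSH: ${{ env.HAVE_BUILDKIT_SSH }}
          BUILDKIT_ARM64_USER: ${{ secrets.BUILDKIT_ARM64_USER }}
          BUILDKIT_ARM64_HOST: ${{ secrets.BUILDKIT_ARM64_HOST }}
        shell: bash
        run: |
          # Generate a space separated list of registries to push to
          registries=""
          if [[ "${HAVE_DOCKERHUB_LOGIN}" = true ]]; then
            registries="${registries:+${registries} }docker.io"
          fi
          if [[ "${HAVE_GHCR_LOGIN}" = true ]]; then
            registries="${registries:+${registries} }ghcr.io"
          fi
          if [[ "${HAVE_QUAY_LOGIN}" = true ]]; then
            registries="${registries:+${registries} }quay.io"
          fi
          if [[ "${HAVE_LOCAL_REGISTRY}" = true ]]; then
            registries="${registries:+${registries} }${LOCAL_REGISTRY}"
          fi
          echo "registry_list=${registries}" | tee -a "${GITHUB_OUTPUT}"
          # Determine which registry to use for the toolchain container.
          # `TOOLCHAIN_REG` is not set by this workflow; it is only expected from `act --env`
          # (see the usage notes above), so on a hosted runner this should resolve to ghcr.io.
          if [[ "${HAVE_LOCAL_REGISTRY}" = true ]] && [[ -n "${TOOLCHAIN_REG}" ]]; then
            echo "toolchain_reg=${TOOLCHAIN_REG}" | tee -a "${GITHUB_OUTPUT}"
          else
            echo "toolchain_reg=ghcr.io" | tee -a "${GITHUB_OUTPUT}"
          fi
          # When testing via `act` and there is a dedicated BuildKit host for arm64, generate the ssh:// endpoint
          if [[ "${HAVE_BUILDKIT_SSH}" = true ]] && [[ -n "${BUILDKIT_ARM64_HOST}" ]]; then
            echo "docker_host_arm64=ssh://${BUILDKIT_ARM64_USER}@${BUILDKIT_ARM64_HOST}" | tee -a "${GITHUB_OUTPUT}"
          else
            echo "docker_host_arm64=" | tee -a "${GITHUB_OUTPUT}"
          fi
      - name: Get Rust version info
        id: rust_versions
        env:
          RUNNER_TEMP: ${{ runner.temp }}
        shell: bash
        run: |
          #
          function github_output () {
            echo "${1}=${2}" | tee -a "${GITHUB_OUTPUT}"
          }
          # Print the `version = "..."` value from the `[pkg.rust]` table of a rustup channel manifest
          function channel_version () {
            awk '/^\[pkg.rust\]/{flag=1; next} flag && /version = /{gsub(/version = |"/, "", $0); print; exit}' "${1}"
          }
          # Fetch the rustup channel manifests for stable and nightly.
          # `--fail` makes curl exit non-zero on an HTTP error instead of saving the error
          # body as the manifest, which would make the extraction below yield empty values.
          curl -sSfL --retry 5 --retry-all-errors -o "${RUNNER_TEMP}/channel-rust-stable.toml" "https://static.rust-lang.org/dist/channel-rust-stable.toml"
          curl -sSfL --retry 5 --retry-all-errors -o "${RUNNER_TEMP}/channel-rust-nightly.toml" "https://static.rust-lang.org/dist/channel-rust-nightly.toml"
          #
          # Stable: prefix the manifest version with `rustc` so the string has the shape of
          # `rustc -V` output, `rustc <version> (<hash> <date>)`, and parse it like that.
          STABLE_VERSION_STRING="rustc $(channel_version "${RUNNER_TEMP}/channel-rust-stable.toml")"
          STABLE_VERSION=$(echo "${STABLE_VERSION_STRING}" | grep -oP '\S+\s(\K\S+)(?=\s)')
          STABLE_HASH=$(echo "${STABLE_VERSION_STRING}" | grep -oP '\s\((\K\S+)(?=\s)')
          # Fail early with a clear message rather than tagging images and cache keys with an empty version/hash
          if [[ -z "${STABLE_VERSION}" ]] || [[ -z "${STABLE_HASH}" ]]; then
            echo "::error::Unable to extract the stable Rust version from the channel manifest"
            exit 1
          fi
          github_output "stable_version" "${STABLE_VERSION}"
          github_output "stable_hash" "${STABLE_HASH}"
          # Version without dots, used in image tags
          STABLE_SEMVER=${STABLE_VERSION//.}
          github_output "stable_semver" "${STABLE_SEMVER}"
          #
          # Nightly: same parsing as stable
          NIGHTLY_VERSION_STRING="rustc $(channel_version "${RUNNER_TEMP}/channel-rust-nightly.toml")"
          NIGHTLY_VERSION=$(echo "${NIGHTLY_VERSION_STRING}" | grep -oP '\S+\s(\K\S+)(?=\s)')
          NIGHTLY_HASH=$(echo "${NIGHTLY_VERSION_STRING}" | grep -oP '\s\((\K\S+)(?=\s)')
          if [[ -z "${NIGHTLY_VERSION}" ]] || [[ -z "${NIGHTLY_HASH}" ]]; then
            echo "::error::Unable to extract the nightly Rust version from the channel manifest"
            exit 1
          fi
          github_output "nightly_version" "${NIGHTLY_VERSION}"
          github_output "nightly_hash" "${NIGHTLY_HASH}"
          # Only the leading four digits of the dot-less nightly version are used as semver
          NIGHTLY_SEMVER=$(echo "${NIGHTLY_VERSION//.}" | grep -oP '(\K\d{4})')
          github_output "nightly_semver" "${NIGHTLY_SEMVER}"
          # Extract the nightly date from the manifest to ensure we only build an existing version
          NIGHTLY_DATE_TOML="$(awk '/^date = /{gsub(/date = |"/, "", $0); print; exit}' "${RUNNER_TEMP}/channel-rust-nightly.toml")"
          github_output "nightly_date_toml" "${NIGHTLY_DATE_TOML}"
          #
          # Get the Rust version Vaultwarden pins in its `rust-toolchain.toml`.
          # Falls back to the current stable when the file is unavailable or has an unexpected format.
          VW_RUST_VER="UNKNOWN"
          VW_TOOLCHAIN_FILE="${RUNNER_TEMP}/vaultwarden-rust-toolchain.toml"
          CODE="$(curl -sSL --retry 5 --retry-all-errors -w '%{http_code}' -o "${VW_TOOLCHAIN_FILE}" https://raw.githubusercontent.com/dani-garcia/vaultwarden/main/rust-toolchain.toml)"
          if [[ "${CODE}" =~ ^2 ]]; then
            # `|| true` so a file without a `channel` line falls through to the stable fallback
            # instead of aborting the step under `set -e`.
            VW_RUST_VER="$(grep -oP 'channel.*"(\K.*?)(?=")' "${VW_TOOLCHAIN_FILE}" || true)"
          fi
          # Only accept a plain X.Y.Z version; anything else (e.g. "stable", a channel name or an
          # empty value) uses the STABLE_VERSION instead
          if [[ "${VW_RUST_VER}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            github_output "vaultwarden_version" "${VW_RUST_VER}"
            VAULTWARDEN_SEMVER=${VW_RUST_VER//.}
            github_output "vaultwarden_semver" "${VAULTWARDEN_SEMVER}"
          else
            github_output "vaultwarden_version" "${STABLE_VERSION}"
            github_output "vaultwarden_semver" "${STABLE_SEMVER}"
          fi
      # Restore the rustc stable hash of the previous run; the `restore-keys` prefix
      # matches any older entry so a changed hash can be detected in the next step.
      - name: Cache previous rustc stable hash
        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        if: ${{ !github.event.act }}
        with:
          path: ~/rustc-stable.hash
          key: build-vars-rustc-stable-${{ steps.rust_versions.outputs.stable_hash }}
          restore-keys: |
            build-vars-rustc-stable-
      # Decide whether stable and/or nightly need to be built this run
      - name: Get build variables
        id: build_vars
        shell: bash
        env:
          FRESH_STABLE: ${{ github.event.inputs.fresh_stable }}
          STABLE_HASH: ${{ steps.rust_versions.outputs.stable_hash }}
          NIGHTLY_DATE_TOML: ${{ steps.rust_versions.outputs.nightly_date_toml }}
          NIGHTLY_DATE_OVERRIDE: ${{ github.event.inputs.nightly_date_override }}
          GITHUB_EVENT_NAME: ${{ github.event_name }}
        run: |
          #
          function github_output () {
            echo "${1}=${2}" | tee -a "${GITHUB_OUTPUT}"
          }
          #
          # Date
          DATE="$(date +'%Y-%m-%d')"
          github_output "current_date" "${DATE}"
          #
          # Since `act` doesn't support actions/cache (yet) we check an env var here.
          # With this we can fake the cache so the flow can be tested locally.
          if [[ -n "${RUSTC_STABLE_HASH_ACT}" ]]; then
            echo "Found RUSTC_STABLE_HASH_ACT"
            echo "${RUSTC_STABLE_HASH_ACT}" | tee ~/rustc-stable.hash
          fi
          #
          # Determine if we need to update the stable version.
          # `|| true` keeps a missing cache file (first run, cache miss) from aborting under `set -e`.
          RUSTC_STABLE_HASH_CACHED="$(cat ~/rustc-stable.hash 2>/dev/null || true)"
          if [[ -n "${FRESH_STABLE}" ]]; then
            github_output "stable_trigger" "true"
          # Both sides quoted: an unquoted right-hand side in `[[ ]]` is a glob pattern, not a string
          elif [[ "${RUSTC_STABLE_HASH_CACHED}" != "${STABLE_HASH}" ]]; then
            echo "Cached: '${RUSTC_STABLE_HASH_CACHED}' - Current: '${STABLE_HASH}'"
            github_output "stable_trigger" "true"
          else
            github_output "stable_trigger" ""
          fi
          # Store the current stable hash in the GHA cache
          echo "${STABLE_HASH}" | tee ~/rustc-stable.hash
          #
          # Determine nightly date
          # If this is triggered by a workflow dispatch and a date is filled use that, else use the date extracted from the nightly manifest
          if [[ -z "${NIGHTLY_DATE_OVERRIDE}" ]]; then
            github_output "nightly_date" "${NIGHTLY_DATE_TOML}"
            # Set an empty nightly_tag_postfix because we are building the current nightly
            github_output "nightly_tag_postfix" ""
          # A custom nightly_date is user input: require YYYY-MM-DD, a date `date` can parse, and not in the future
          elif [[ "${NIGHTLY_DATE_OVERRIDE}" =~ ^[0-9]{4}-[0-9]{2}-[0-9]{2}$ ]] \
            && date +'%Y-%m-%d' -d"${NIGHTLY_DATE_OVERRIDE}" >/dev/null 2>&1 \
            && [[ $(date +%s -d "00:00:00") -ge $(date +%s -d"${NIGHTLY_DATE_OVERRIDE}") ]] ; then
            github_output "nightly_date" "${NIGHTLY_DATE_OVERRIDE}"
            # To prevent tagging an older nightly version as current, set a postfix which is used by the nightly build/push steps
            github_output "nightly_tag_postfix" "-${NIGHTLY_DATE_OVERRIDE}"
          # An invalid date stops the whole workflow
          else
            echo "::error::Invalid nightly_date"
            exit 1
          fi
          #
          # Build a nightly when the cron fired or when the workflow was dispatched manually.
          # Checking the event name avoids duplicating the cron expression from the `on:` block here.
          if [[ "${GITHUB_EVENT_NAME}" == 'workflow_dispatch' ]] || [[ "${GITHUB_EVENT_NAME}" == 'schedule' ]]; then
            github_output "nightly_trigger" "true"
          else
            github_output "nightly_trigger" ""
          fi
  # ###
  # Build the Ubuntu base layer shared by all targets, once per runner architecture,
  # so the musl_base matrix can reuse it from the registry build cache.
  ubuntu_base:
    if: ${{ github.repository == 'BlackDex/rust-musl' }}
    name: Cache Ubuntu Base Image - ${{ matrix.os }}
    needs:
      - mbuild_vars
    runs-on: ${{ matrix.os }}
    permissions:
      packages: write # Needed to push the build cache to ghcr.io
      contents: read
    strategy:
      fail-fast: false
      matrix:
        os:
          - ubuntu-24.04
          - ubuntu-24.04-arm
    outputs:
      cache_from: ${{ steps.docker_cache.outputs.cache_from }}
    steps:
      - name: Arch Tag
        id: arch
        shell: bash
        env:
          MATRIX_OS: ${{ matrix.os }}
        run: |
          # Derive the image architecture tag from the runner label
          if [[ "${MATRIX_OS}" == *-arm ]]; then
            echo "type=arm64" | tee -a "${GITHUB_OUTPUT}"
          else
            echo "type=amd64" | tee -a "${GITHUB_OUTPUT}"
          fi
      - name: Determine Docker Build Cache
        id: docker_cache
        shell: bash
        env:
          HAVE_GHCR_LOGIN: ${{ needs.mbuild_vars.outputs.have_ghcr_login }}
          HAVE_LOCAL_REGISTRY: ${{ needs.mbuild_vars.outputs.have_local_registry }}
          LOCAL_REGISTRY: ${{ secrets.LOCAL_REGISTRY }}
          ARCH_TYPE: ${{ steps.arch.outputs.type }}
        run: |
          #
          function github_output () {
            echo -e "${1}=${2}" | tee -a "${GITHUB_OUTPUT}"
          }
          #
          # Prefer the ghcr.io build cache, fall back to a local registry (act), else build without a cache
          if [[ "${HAVE_GHCR_LOGIN}" = true ]]; then
            github_output "cache_from" "type=registry,ref=ghcr.io/blackdex/rust-musl-buildcache:${ARCH_TYPE}-ubuntu-base"
            github_output "cache_to" "type=registry,ref=ghcr.io/blackdex/rust-musl-buildcache:${ARCH_TYPE}-ubuntu-base,compression=zstd,compression-level=9,force-compression=true,mode=max"
          elif [[ "${HAVE_LOCAL_REGISTRY}" = true ]]; then
            github_output "cache_from" "type=registry,ref=${LOCAL_REGISTRY}/blackdex/rust-musl-buildcache:${ARCH_TYPE}-ubuntu-base"
            github_output "cache_to" "type=registry,ref=${LOCAL_REGISTRY}/blackdex/rust-musl-buildcache:${ARCH_TYPE}-ubuntu-base,compression=zstd,compression-level=9,force-compression=true,mode=max"
          else
            github_output "cache_from" ""
            github_output "cache_to" ""
          fi
      - name: Create known_hosts file
        if: ${{ needs.mbuild_vars.outputs.have_buildkit_ssh == 'true' }}
        shell: bash
        env:
          BUILDKIT_KNOWN_HOSTS: ${{ secrets.BUILDKIT_KNOWN_HOSTS }}
        run: |
          # Pre-seeding known_hosts pins the remote BuildKit host key for the ssh:// endpoint used below
          mkdir -p ~/.ssh
          echo "${BUILDKIT_KNOWN_HOSTS}" > ~/.ssh/known_hosts
      - name: Load ssh-agent for Remote BuildKit
        if: ${{ needs.mbuild_vars.outputs.have_buildkit_ssh == 'true' }}
        uses: webfactory/ssh-agent@e83874834305fe9a4a2997156cb26c5de65a8555 # v0.10.0
        with:
          ssh-private-key: ${{ secrets.BUILDKIT_SSH }}
      # Special Docker BuildKit setup when using `act` to provide local amd64 and remote arm64 builds.
      # This uses SSH to connect to the remote/local BuildKit tooling.
      - name: Setup Docker Buildx (act)
        if: ${{ needs.mbuild_vars.outputs.have_buildkit_ssh == 'true' }}
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
        with:
          use: true
          name: act-multiarch
          driver: docker-container
          cache-binary: false
          buildkitd-config-inline: |
            [registry."docker.io"]
              mirrors = ["mirror.gcr.io"]
            [worker.oci]
              max-parallelism = 3
          driver-opts: |
            network=host
          platforms: linux/amd64
          append: |
            - endpoint: ${{ needs.mbuild_vars.outputs.docker_host_arm64 }}
              platforms: linux/arm64
              driver-opts:
                - network=host
              buildkitd-config-inline: |
                [registry."docker.io"]
                  mirrors = ["mirror.gcr.io"]
                [worker.oci]
                  max-parallelism = 3
      - name: Setup Docker Buildx
        # `!= 'true'` rather than `== 'false'` so that an empty/missing output still sets up a builder
        if: ${{ needs.mbuild_vars.outputs.have_buildkit_ssh != 'true' }}
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
        with:
          driver: docker-container
          cache-binary: false
          buildkitd-config-inline: |
            [registry."docker.io"]
              mirrors = ["mirror.gcr.io"]
            [worker.oci]
              max-parallelism = 3
          driver-opts: |
            network=host
      - name: Login to ghcr.io
        if: ${{ needs.mbuild_vars.outputs.have_ghcr_login == 'true' }}
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Checkout Repo
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # The token is not needed after checkout; do not leave it in .git/config
          persist-credentials: false
      - name: Docker Build - Rust Current Stable
        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
        env:
          BUILDKIT_PROGRESS: plain
        with:
          platforms: ${{ endsWith(matrix.os, '-arm') && 'linux/arm64' || 'linux/amd64'}}
          context: .
          # Nothing is pushed as an image; only the `base` target is built so that
          # its layers land in the registry build cache configured in `cache-to`
          push: false
          target: base
          file: ./Dockerfile.musl-base
          cache-from: ${{ steps.docker_cache.outputs.cache_from }}
          cache-to: ${{ steps.docker_cache.outputs.cache_to }}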
# ###
# Building the final MUSL Based images including the rust toolchain.
musl_base:
if: ${{ github.repository == 'BlackDex/rust-musl' }}
name: Build MUSL Base Image - ${{ matrix.image_tag }} - ${{ matrix.os }}
needs:
- mbuild_vars
- ubuntu_base
runs-on: ${{ matrix.os }}
permissions:
packages: write # Allow pushing images to ghcr.io
contents: read
attestations: write # Allow generating attestations on the container images
id-token: write # Allow generating attestations on the container images
strategy:
fail-fast: false
matrix:
os:
- ubuntu-24.04
- ubuntu-24.04-arm
image_tag:
- x86_64-musl
- aarch64-musl
- armv7-musleabihf
- arm-musleabi
steps:
- name: "[act] Debug Matrix"
if: ${{ github.event.act }}
shell: bash
env:
EVENT_NAME: ${{ github.event_name }}
MATRIX_JSON: ${{ toJson(matrix) }}
NEEDS_JSON: ${{ toJson(needs)}}
# GITHUB_JSON: ${{ toJson(github) }}
run: |
echo "event_name = ${EVENT_NAME}"
echo ; echo "matrix = ${MATRIX_JSON}"
echo ; echo "needs = ${NEEDS_JSON}"
# echo ; echo "github = ${GITHUB_JSON}"
- name: Arch Tag
id: arch
shell: bash
env:
MATRIX_OS: ${{ matrix.os }}
run: |
if [[ "${MATRIX_OS}" == *-arm ]]; then
echo "type=arm64" | tee -a "${GITHUB_OUTPUT}"
else
echo "type=amd64" | tee -a "${GITHUB_OUTPUT}"
fi
- name: Load ssh-agent for Remote BuildKit
if: ${{ needs.mbuild_vars.outputs.have_buildkit_ssh == 'true' }}
uses: webfactory/ssh-agent@e83874834305fe9a4a2997156cb26c5de65a8555 # v0.10.0
with:
ssh-private-key: ${{ secrets.BUILDKIT_SSH }}
- name: Create known_hosts file
if: ${{ needs.mbuild_vars.outputs.have_buildkit_ssh == 'true' }}
shell: bash
env:
BUILDKIT_KNOWN_HOSTS: ${{ secrets.BUILDKIT_KNOWN_HOSTS }}
run: |
mkdir -p ~/.ssh
echo "${BUILDKIT_KNOWN_HOSTS}" > ~/.ssh/known_hosts
# Special Docker BuildKit setup when using `act` to provide local amd64 and remote arm64 builds
# This uses SSH to connect to the remote/local BuildKit tooling
- name: Setup Docker Buildx (act)
if: ${{ needs.mbuild_vars.outputs.have_buildkit_ssh == 'true' }}
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
with:
use: true
name: act-multiarch
driver: docker-container
cache-binary: false
buildkitd-config-inline: |
[registry."docker.io"]
mirrors = ["mirror.gcr.io"]
[worker.oci]
max-parallelism = 3
driver-opts: |
network=host
default-load=true
platforms: linux/amd64
append: |
- endpoint: ${{ needs.mbuild_vars.outputs.docker_host_arm64 }}
platforms: linux/arm64
driver-opts:
- network=host
- default-load=true
buildkitd-config-inline: |
[registry."docker.io"]
mirrors = ["mirror.gcr.io"]
[worker.oci]
max-parallelism = 3
- name: Setup Docker Buildx
if: ${{ needs.mbuild_vars.outputs.have_buildkit_ssh == 'false' }}
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
with:
driver: docker-container
cache-binary: false
buildkitd-config-inline: |
[registry."docker.io"]
mirrors = ["mirror.gcr.io"]
[worker.oci]
max-parallelism = 3
driver-opts: |
network=host
default-load=true
- name: Login to DockerHub
if: ${{ needs.mbuild_vars.outputs.have_dockerhub_login == 'true' }}
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Login to ghcr.io
if: ${{ needs.mbuild_vars.outputs.have_ghcr_login == 'true' }}
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Login to quay.io
if: ${{ needs.mbuild_vars.outputs.have_quay_login == 'true' }}
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
with:
registry: quay.io
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_TOKEN }}
- name: Determine Docker Build Cache
id: docker_cache
shell: bash
env:
HAVE_GHCR_LOGIN: ${{ needs.mbuild_vars.outputs.have_ghcr_login }}
HAVE_LOCAL_REGISTRY: ${{ needs.mbuild_vars.outputs.have_local_registry }}
LOCAL_REGISTRY: ${{ secrets.LOCAL_REGISTRY }}
ARCH_TYPE: ${{ steps.arch.outputs.type }}
IMAGE_TAG: ${{ matrix.image_tag }}
run: |
#
function github_output () {
echo -e "${1}=${2}" | tee -a "${GITHUB_OUTPUT}"
}
#
# Check if we are running this via act or not and determine the caching method
if [[ "${HAVE_GHCR_LOGIN}" = true ]]; then
github_output "cache_from" "type=registry,ref=ghcr.io/blackdex/rust-musl-buildcache:${ARCH_TYPE}-${IMAGE_TAG}"
github_output "cache_to" "type=registry,ref=ghcr.io/blackdex/rust-musl-buildcache:${ARCH_TYPE}-${IMAGE_TAG},compression=zstd,compression-level=9,force-compression=true,mode=max"
elif [[ "${HAVE_LOCAL_REGISTRY}" = true ]]; then
github_output "cache_from" "type=registry,ref=${LOCAL_REGISTRY}/blackdex/rust-musl-buildcache:${ARCH_TYPE}-${IMAGE_TAG}"
github_output "cache_to" "type=registry,ref=${LOCAL_REGISTRY}/blackdex/rust-musl-buildcache:${ARCH_TYPE}-${IMAGE_TAG},compression=zstd,compression-level=9,force-compression=true,mode=max"
else
github_output "cache_from" ""
github_output "cache_to" ""
fi
#
- name: Generate arch container tags
id: arch_tags
env:
ARCH_TYPE: ${{ steps.arch.outputs.type }}
REGISTRIES: ${{ needs.mbuild_vars.outputs.registry_list }}
STABLE_VERSION: ${{ needs.mbuild_vars.outputs.stable_version }}
VW_VERSION: ${{ needs.mbuild_vars.outputs.vaultwarden_version }}
NIGHTLY_DATE: ${{ needs.mbuild_vars.outputs.nightly_date }}
IMAGE_TAG: ${{ matrix.image_tag }}
shell: bash
run: |
arch_tags_stable=""
arch_tags_stable_vw=""
arch_tags_nightly=""
for registry in ${REGISTRIES}; do
#
# Stable
arch_tags_stable+="${registry}/blackdex/rust-musl:${ARCH_TYPE}-${IMAGE_TAG}-stable-${STABLE_VERSION},"
#
# Vaultwarden Stable
arch_tags_stable_vw+="${registry}/blackdex/rust-musl:${ARCH_TYPE}-${IMAGE_TAG}-stable-${VW_VERSION},"
#
# Nightly
arch_tags_nightly+="${registry}/blackdex/rust-musl:${ARCH_TYPE}-${IMAGE_TAG}-nightly-${NIGHTLY_DATE},"
done
echo ""
echo "Arch Tags"
echo "stable=${arch_tags_stable%,}" | tee -a "${GITHUB_OUTPUT}"
echo "stable_vw=${arch_tags_stable_vw%,}" | tee -a "${GITHUB_OUTPUT}"
echo "nightly=${arch_tags_nightly%,}" | tee -a "${GITHUB_OUTPUT}"
- name: Checkout Repo
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
# ###
# Rust Current Stable
- name: Docker Build - Rust Current Stable
# Skip during nightly builds
if: ${{ needs.mbuild_vars.outputs.stable_trigger || !needs.mbuild_vars.outputs.nightly_trigger }}
uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
env:
BUILDKIT_PROGRESS: plain
with:
platforms: ${{ endsWith(matrix.os, '-arm') && 'linux/arm64' || 'linux/amd64'}}
outputs: type=image,oci-mediatypes=true,compression=zstd,compression-level=3
context: .
# Set load to true so that we can test the builded image in the next step (default with docker driver)
load: true
# Do not push the image just yet, we first want to test it
push: false
file: ./Dockerfile.musl-base
build-args: |
TOOLCHAIN_REGISTRY=${{ needs.mbuild_vars.outputs.toolchain_reg }}
IMAGE_TAG=${{ matrix.image_tag }}
RUST_CHANNEL=stable
RUSTC_HASH=${{ needs.mbuild_vars.outputs.stable_hash }}
tags: blackdex/rust-musl:${{ steps.arch.outputs.type }}-${{ matrix.image_tag }}-test
cache-from: |
${{ needs.ubuntu_base.outputs.cache_from }}
${{ steps.docker_cache.outputs.cache_from }}
cache-to: ${{ steps.docker_cache.outputs.cache_to }}
- name: Test Docker Image (PQ18) - Rust Current Stable
# Skip during nightly builds
if: ${{ needs.mbuild_vars.outputs.stable_trigger || !needs.mbuild_vars.outputs.nightly_trigger }}
shell: bash
env:
ARCH_TYPE: ${{ steps.arch.outputs.type }}
IMAGE_TAG: ${{ matrix.image_tag }}
XTRA_RUSTFLAGS: ${{ matrix.xtra_rustflags }}
PLATFORM: ${{ endsWith(matrix.os, '-arm') && 'linux/arm64' || 'linux/amd64'}}
QEMU_CPU: ${{ (github.event.act && endsWith(matrix.os, '-arm')) && 'max,pauth-impdef=on' || '' }}
run: |
# Run the test
docker run --rm \
--platform "${PLATFORM}" \
-v cargo-cache-${IMAGE_TAG}:/root/.cargo/registry \
-v "$(pwd)/test/multicrate":/home/rust/src \
--tmpfs /home/rust/src/target:rw,exec,mode=1777 \
-e QEMU_CPU="${QEMU_CPU}" \
-e RUST_BACKTRACE=full \
-e PQ_LIB_DIR="/usr/local/musl/pq18/lib" \
-e RUSTFLAGS="${XTRA_RUSTFLAGS}-Clink-arg=-s" \
blackdex/rust-musl:${ARCH_TYPE}-${IMAGE_TAG}-test bash -c 'rm -vf Cargo.lock ; cargo -Vv ; rustc -Vv ; cargo update ; cargo build --release'
- name: Test Docker Image (PQ17) - Rust Current Stable
# Skip during nightly builds
if: ${{ needs.mbuild_vars.outputs.stable_trigger || !needs.mbuild_vars.outputs.nightly_trigger }}
shell: bash
env:
ARCH_TYPE: ${{ steps.arch.outputs.type }}
IMAGE_TAG: ${{ matrix.image_tag }}
XTRA_RUSTFLAGS: ${{ matrix.xtra_rustflags }}
PLATFORM: ${{ endsWith(matrix.os, '-arm') && 'linux/arm64' || 'linux/amd64'}}
run: |
# Skip Docker run tests for arm64 based images via act to speedup testing
if [[ "${ACT}" = true ]] && [[ "${PLATFORM}" = "linux/arm64" ]]; then exit 0; fi
# Run the test
docker run --rm \
--platform "${PLATFORM}" \
-v cargo-cache-${IMAGE_TAG}:/root/.cargo/registry \
-v "$(pwd)/test/multicrate":/home/rust/src \
--tmpfs /home/rust/src/target:rw,exec,mode=1777 \
-e RUST_BACKTRACE=full \
-e PQ_LIB_DIR="/usr/local/musl/pq17/lib" \
-e RUSTFLAGS="${XTRA_RUSTFLAGS}-Clink-arg=-s" \
blackdex/rust-musl:${ARCH_TYPE}-${IMAGE_TAG}-test bash -c 'rm -vf Cargo.lock ; cargo -Vv ; rustc -Vv ; cargo update ; cargo build --release'
- name: Test Docker Image (PQ16) - Rust Current Stable
# Skip during nightly builds
if: ${{ needs.mbuild_vars.outputs.stable_trigger || !needs.mbuild_vars.outputs.nightly_trigger }}
shell: bash
env:
ARCH_TYPE: ${{ steps.arch.outputs.type }}
IMAGE_TAG: ${{ matrix.image_tag }}
XTRA_RUSTFLAGS: ${{ matrix.xtra_rustflags }}
PLATFORM: ${{ endsWith(matrix.os, '-arm') && 'linux/arm64' || 'linux/amd64'}}
run: |
# Skip Docker run tests for arm64 based images via act to speedup testing
if [[ "${ACT}" = true ]] && [[ "${PLATFORM}" = "linux/arm64" ]]; then exit 0; fi
# Run the test
docker run --rm \
--platform "${PLATFORM}" \
-v cargo-cache-${IMAGE_TAG}:/root/.cargo/registry \
-v "$(pwd)/test/multicrate":/home/rust/src \
--tmpfs /home/rust/src/target:rw,exec,mode=1777 \
-e RUST_BACKTRACE=full \
-e PQ_LIB_DIR="/usr/local/musl/pq16/lib" \
-e RUSTFLAGS="${XTRA_RUSTFLAGS}-Clink-arg=-s" \
blackdex/rust-musl:${ARCH_TYPE}-${IMAGE_TAG}-test bash -c 'rm -vf Cargo.lock ; cargo -Vv ; rustc -Vv ; cargo update ; cargo build --release'
- name: Test Docker Image (PQ15) - Rust Current Stable
# Skip during nightly builds
if: ${{ needs.mbuild_vars.outputs.stable_trigger || !needs.mbuild_vars.outputs.nightly_trigger }}
shell: bash
env:
ARCH_TYPE: ${{ steps.arch.outputs.type }}
IMAGE_TAG: ${{ matrix.image_tag }}
XTRA_RUSTFLAGS: ${{ matrix.xtra_rustflags }}
PLATFORM: ${{ endsWith(matrix.os, '-arm') && 'linux/arm64' || 'linux/amd64'}}
run: |
# Skip Docker run tests for arm64 based images via act to speedup testing
if [[ "${ACT}" = true ]] && [[ "${PLATFORM}" = "linux/arm64" ]]; then exit 0; fi
# Run the test
docker run --rm \
--platform "${PLATFORM}" \
-v cargo-cache-${IMAGE_TAG}:/root/.cargo/registry \
-v "$(pwd)/test/multicrate":/home/rust/src \
--tmpfs /home/rust/src/target:rw,exec,mode=1777 \
-e RUST_BACKTRACE=full \
-e PQ_LIB_DIR="/usr/local/musl/pq15/lib" \
-e RUSTFLAGS="${XTRA_RUSTFLAGS}-Clink-arg=-s" \
blackdex/rust-musl:${ARCH_TYPE}-${IMAGE_TAG}-test bash -c 'rm -vf Cargo.lock ; cargo -Vv ; rustc -Vv ; cargo update ; cargo build --release'
- name: Docker Push - Rust Current Stable
id: push_stable
# Skip during nightly builds
if: ${{ needs.mbuild_vars.outputs.stable_trigger || !needs.mbuild_vars.outputs.nightly_trigger }}
uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
env:
BUILDKIT_PROGRESS: plain
with:
platforms: ${{ endsWith(matrix.os, '-arm') && 'linux/arm64' || 'linux/amd64'}}
outputs: type=image,oci-mediatypes=true,compression=zstd,compression-level=3
context: .
load: ${{ github.event.act && 'true' || 'false' }}
push: true
file: ./Dockerfile.musl-base
build-args: |
TOOLCHAIN_REGISTRY=${{ needs.mbuild_vars.outputs.toolchain_reg }}
IMAGE_TAG=${{ matrix.image_tag }}
RUST_CHANNEL=stable
RUSTC_HASH=${{ needs.mbuild_vars.outputs.stable_hash }}
tags: ${{ steps.arch_tags.outputs.stable }}
cache-from: |
${{ needs.ubuntu_base.outputs.cache_from }}
${{ steps.docker_cache.outputs.cache_from }}
cache-to: ${{ steps.docker_cache.outputs.cache_to }}
- name: Export Digest - Rust Current Stable
if: ${{ steps.push_stable.outputs.digest != '' }}
env:
DIGEST: ${{ steps.push_stable.outputs.digest }}
IMAGE_TAG: ${{ matrix.image_tag }}
RUNNER_TEMP: ${{ runner.temp }}
shell: bash
run: |
mkdir -pv "${RUNNER_TEMP}/digests-stable-${IMAGE_TAG}"
touch "${RUNNER_TEMP}/digests-stable-${IMAGE_TAG}/${DIGEST#sha256:}"
- name: Upload digest - Rust Current Stable
if: ${{ steps.push_stable.outputs.digest != '' }}
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: digests-stable-${{ matrix.image_tag }}-${{ steps.arch.outputs.type }}
path: ${{ runner.temp }}/digests-stable-${{ matrix.image_tag }}/*
if-no-files-found: error
retention-days: 1
- name: Attest - Stable - docker.io
if: ${{ !github.event.act && steps.push_stable.outputs.digest != '' && needs.mbuild_vars.outputs.have_dockerhub_login == 'true' }}
uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
with:
subject-name: docker.io/blackdex/rust-musl
subject-digest: ${{ steps.push_stable.outputs.digest }}
push-to-registry: true
- name: Attest - Stable - ghcr.io
if: ${{ !github.event.act && steps.push_stable.outputs.digest != '' && needs.mbuild_vars.outputs.have_ghcr_login == 'true' }}
uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
with:
subject-name: ghcr.io/blackdex/rust-musl
subject-digest: ${{ steps.push_stable.outputs.digest }}
push-to-registry: true
- name: Attest - Stable - quay.io
if: ${{ !github.event.act && steps.push_stable.outputs.digest != '' && needs.mbuild_vars.outputs.have_quay_login == 'true' }}
uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
with:
subject-name: quay.io/blackdex/rust-musl
subject-digest: ${{ steps.push_stable.outputs.digest }}
push-to-registry: true
# ###
# Rust Vaultwarden Stable
# Build (but do not push) the image for the Rust version pinned by Vaultwarden,
# tagged locally as "-vw-test" so the test steps below can run it first.
- name: Docker Build - Rust Vaultwarden Stable
# Only built when the Vaultwarden version differs from the current stable, and
# skipped during nightly-only builds.
# NOTE(review): job outputs are strings, and in workflow expressions any non-empty
# string (including 'false') is truthy, so `!outputs.nightly_trigger` only does what
# the comment says if mbuild_vars leaves it empty when unset. The login checks below
# compare with `== 'true'` instead — confirm how mbuild_vars emits these two flags.
if: ${{ needs.mbuild_vars.outputs.stable_version != needs.mbuild_vars.outputs.vaultwarden_version && (needs.mbuild_vars.outputs.stable_trigger || !needs.mbuild_vars.outputs.nightly_trigger) }}
uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
env:
BUILDKIT_PROGRESS: plain
with:
platforms: ${{ endsWith(matrix.os, '-arm') && 'linux/arm64' || 'linux/amd64'}}
outputs: type=image,oci-mediatypes=true,compression=zstd,compression-level=3
context: .
# Set load to true so that we can test the built image in the next step (default with docker driver)
load: true
# Do not push the image just yet, we first want to test it
push: false
file: ./Dockerfile.musl-base
# TOOLCHAIN_REGISTRY selects where the base toolchain image is pulled from (see the
# `act` notes at the top of this file); RUST_CHANNEL is the Vaultwarden-pinned version.
build-args: |
TOOLCHAIN_REGISTRY=${{ needs.mbuild_vars.outputs.toolchain_reg }}
IMAGE_TAG=${{ matrix.image_tag }}
RUST_CHANNEL=${{ needs.mbuild_vars.outputs.vaultwarden_version }}
tags: blackdex/rust-musl:${{ steps.arch.outputs.type }}-${{ matrix.image_tag }}-vw-test
cache-from: |
${{ needs.ubuntu_base.outputs.cache_from }}
${{ steps.docker_cache.outputs.cache_from }}
cache-to: ${{ steps.docker_cache.outputs.cache_to }}
# Smoke-test the freshly built "-vw-test" image by compiling test/multicrate inside
# it, once per bundled PostgreSQL client library (PQ18..PQ15, selected via PQ_LIB_DIR).
# Only the PQ18 variant has no act/arm64 skip and passes QEMU_CPU; presumably that is
# the single test kept under emulation to bound local run time — confirm.
- name: Test Docker Image (PQ18) - Rust Vaultwarden Stable
# Skip during nightly builds
if: ${{ needs.mbuild_vars.outputs.stable_version != needs.mbuild_vars.outputs.vaultwarden_version && (needs.mbuild_vars.outputs.stable_trigger || !needs.mbuild_vars.outputs.nightly_trigger) }}
shell: bash
env:
ARCH_TYPE: ${{ steps.arch.outputs.type }}
IMAGE_TAG: ${{ matrix.image_tag }}
XTRA_RUSTFLAGS: ${{ matrix.xtra_rustflags }}
PLATFORM: ${{ endsWith(matrix.os, '-arm') && 'linux/arm64' || 'linux/amd64'}}
QEMU_CPU: ${{ (github.event.act && endsWith(matrix.os, '-arm')) && 'max,pauth-impdef=on' || '' }}
run: |
# Run the test
# The cargo registry is a named volume shared between runs; the source tree is
# bind-mounted and the build output goes to a tmpfs so nothing is written back
# into the checkout. XTRA_RUSTFLAGS is concatenated directly in front of
# -Clink-arg=-s, so a non-empty matrix value must end with a space — confirm.
docker run --rm \
--platform "${PLATFORM}" \
-v cargo-cache:/root/.cargo/registry \
-v "$(pwd)/test/multicrate":/home/rust/src \
--tmpfs /home/rust/src/target:rw,exec,mode=1777 \
-e QEMU_CPU="${QEMU_CPU}" \
-e RUST_BACKTRACE=full \
-e PQ_LIB_DIR="/usr/local/musl/pq18/lib" \
-e RUSTFLAGS="${XTRA_RUSTFLAGS}-Clink-arg=-s" \
blackdex/rust-musl:${ARCH_TYPE}-${IMAGE_TAG}-vw-test bash -c 'rm -vf Cargo.lock ; cargo -Vv ; rustc -Vv ; cargo update ; cargo build --release'
- name: Test Docker Image (PQ17) - Rust Vaultwarden Stable
# Skip during nightly builds
if: ${{ needs.mbuild_vars.outputs.stable_version != needs.mbuild_vars.outputs.vaultwarden_version && (needs.mbuild_vars.outputs.stable_trigger || !needs.mbuild_vars.outputs.nightly_trigger) }}
shell: bash
env:
ARCH_TYPE: ${{ steps.arch.outputs.type }}
IMAGE_TAG: ${{ matrix.image_tag }}
XTRA_RUSTFLAGS: ${{ matrix.xtra_rustflags }}
PLATFORM: ${{ endsWith(matrix.os, '-arm') && 'linux/arm64' || 'linux/amd64'}}
run: |
# Skip Docker run tests for arm64 based images via act to speedup testing
if [[ "${ACT}" = true ]] && [[ "${PLATFORM}" = "linux/arm64" ]]; then exit 0; fi
# Run the test (same as the PQ18 variant, against the PQ17 client library)
docker run --rm \
--platform "${PLATFORM}" \
-v cargo-cache:/root/.cargo/registry \
-v "$(pwd)/test/multicrate":/home/rust/src \
--tmpfs /home/rust/src/target:rw,exec,mode=1777 \
-e RUST_BACKTRACE=full \
-e PQ_LIB_DIR="/usr/local/musl/pq17/lib" \
-e RUSTFLAGS="${XTRA_RUSTFLAGS}-Clink-arg=-s" \
blackdex/rust-musl:${ARCH_TYPE}-${IMAGE_TAG}-vw-test bash -c 'rm -vf Cargo.lock ; cargo -Vv ; rustc -Vv ; cargo update ; cargo build --release'
- name: Test Docker Image (PQ16) - Rust Vaultwarden Stable
# Skip during nightly builds
if: ${{ needs.mbuild_vars.outputs.stable_version != needs.mbuild_vars.outputs.vaultwarden_version && (needs.mbuild_vars.outputs.stable_trigger || !needs.mbuild_vars.outputs.nightly_trigger) }}
shell: bash
env:
ARCH_TYPE: ${{ steps.arch.outputs.type }}
IMAGE_TAG: ${{ matrix.image_tag }}
XTRA_RUSTFLAGS: ${{ matrix.xtra_rustflags }}
PLATFORM: ${{ endsWith(matrix.os, '-arm') && 'linux/arm64' || 'linux/amd64'}}
run: |
# Skip Docker run tests for arm64 based images via act to speedup testing
if [[ "${ACT}" = true ]] && [[ "${PLATFORM}" = "linux/arm64" ]]; then exit 0; fi
# Run the test (same as the PQ18 variant, against the PQ16 client library)
docker run --rm \
--platform "${PLATFORM}" \
-v cargo-cache:/root/.cargo/registry \
-v "$(pwd)/test/multicrate":/home/rust/src \
--tmpfs /home/rust/src/target:rw,exec,mode=1777 \
-e RUST_BACKTRACE=full \
-e PQ_LIB_DIR="/usr/local/musl/pq16/lib" \
-e RUSTFLAGS="${XTRA_RUSTFLAGS}-Clink-arg=-s" \
blackdex/rust-musl:${ARCH_TYPE}-${IMAGE_TAG}-vw-test bash -c 'rm -vf Cargo.lock ; cargo -Vv ; rustc -Vv ; cargo update ; cargo build --release'
- name: Test Docker Image (PQ15) - Rust Vaultwarden Stable
# Skip during nightly builds
if: ${{ needs.mbuild_vars.outputs.stable_version != needs.mbuild_vars.outputs.vaultwarden_version && (needs.mbuild_vars.outputs.stable_trigger || !needs.mbuild_vars.outputs.nightly_trigger) }}
shell: bash
env:
ARCH_TYPE: ${{ steps.arch.outputs.type }}
IMAGE_TAG: ${{ matrix.image_tag }}
XTRA_RUSTFLAGS: ${{ matrix.xtra_rustflags }}
PLATFORM: ${{ endsWith(matrix.os, '-arm') && 'linux/arm64' || 'linux/amd64'}}
run: |
# Skip Docker run tests for arm64 based images via act to speedup testing
if [[ "${ACT}" = true ]] && [[ "${PLATFORM}" = "linux/arm64" ]]; then exit 0; fi
# Run the test (same as the PQ18 variant, against the PQ15 client library)
docker run --rm \
--platform "${PLATFORM}" \
-v cargo-cache:/root/.cargo/registry \
-v "$(pwd)/test/multicrate":/home/rust/src \
--tmpfs /home/rust/src/target:rw,exec,mode=1777 \
-e RUST_BACKTRACE=full \
-e PQ_LIB_DIR="/usr/local/musl/pq15/lib" \
-e RUSTFLAGS="${XTRA_RUSTFLAGS}-Clink-arg=-s" \
blackdex/rust-musl:${ARCH_TYPE}-${IMAGE_TAG}-vw-test bash -c 'rm -vf Cargo.lock ; cargo -Vv ; rustc -Vv ; cargo update ; cargo build --release'
# Rebuild (from cache) and push the tested Vaultwarden-stable image under its
# final per-arch tags. Its `digest` output feeds the export, upload and attest
# steps that follow.
- name: Docker Push - Rust Vaultwarden Stable
id: push_vw_stable
# Skip during nightly builds (same condition as the build/test steps above)
if: ${{ needs.mbuild_vars.outputs.stable_version != needs.mbuild_vars.outputs.vaultwarden_version && (needs.mbuild_vars.outputs.stable_trigger || !needs.mbuild_vars.outputs.nightly_trigger) }}
uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
env:
BUILDKIT_PROGRESS: plain
with:
platforms: ${{ endsWith(matrix.os, '-arm') && 'linux/arm64' || 'linux/amd64'}}
outputs: type=image,oci-mediatypes=true,compression=zstd,compression-level=3
context: .
# Under `act` the image is also loaded into the local docker daemon
load: ${{ github.event.act && 'true' || 'false' }}
push: true
file: ./Dockerfile.musl-base
build-args: |
TOOLCHAIN_REGISTRY=${{ needs.mbuild_vars.outputs.toolchain_reg }}
IMAGE_TAG=${{ matrix.image_tag }}
RUST_CHANNEL=${{ needs.mbuild_vars.outputs.vaultwarden_version }}
tags: ${{ steps.arch_tags.outputs.stable_vw }}
cache-from: |
${{ needs.ubuntu_base.outputs.cache_from }}
${{ steps.docker_cache.outputs.cache_from }}
cache-to: ${{ steps.docker_cache.outputs.cache_to }}
# Hand the pushed digest to the merge job: an empty file named after the digest
# (without the "sha256:" prefix) is uploaded as a short-lived artifact, and the
# merge job globs those file names to build the multi-platform manifest.
- name: Export Digest - Rust Vaultwarden Stable
if: ${{ steps.push_vw_stable.outputs.digest != '' }}
env:
DIGEST: ${{ steps.push_vw_stable.outputs.digest }}
IMAGE_TAG: ${{ matrix.image_tag }}
RUNNER_TEMP: ${{ runner.temp }}
shell: bash
run: |
mkdir -pv "${RUNNER_TEMP}/digests-vw-${IMAGE_TAG}"
touch "${RUNNER_TEMP}/digests-vw-${IMAGE_TAG}/${DIGEST#sha256:}"
- name: Upload digest - Rust Vaultwarden Stable
if: ${{ steps.push_vw_stable.outputs.digest != '' }}
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
# One artifact per image_tag/arch; the merge job downloads with a "digests-vw-<image_tag>*" pattern
name: digests-vw-${{ matrix.image_tag }}-${{ steps.arch.outputs.type }}
path: ${{ runner.temp }}/digests-vw-${{ matrix.image_tag }}/*
if-no-files-found: error
retention-days: 1
# Build-provenance attestations for the per-arch Vaultwarden-stable image, one per
# registry; skipped under `act`, when nothing was pushed, or without that login.
- name: Attest - VW Stable - docker.io
if: ${{ !github.event.act && steps.push_vw_stable.outputs.digest != '' && needs.mbuild_vars.outputs.have_dockerhub_login == 'true' }}
uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
with:
subject-name: docker.io/blackdex/rust-musl
subject-digest: ${{ steps.push_vw_stable.outputs.digest }}
push-to-registry: true
- name: Attest - VW Stable - ghcr.io
if: ${{ !github.event.act && steps.push_vw_stable.outputs.digest != '' && needs.mbuild_vars.outputs.have_ghcr_login == 'true' }}
uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
with:
subject-name: ghcr.io/blackdex/rust-musl
subject-digest: ${{ steps.push_vw_stable.outputs.digest }}
push-to-registry: true
- name: Attest - VW Stable - quay.io
if: ${{ !github.event.act && steps.push_vw_stable.outputs.digest != '' && needs.mbuild_vars.outputs.have_quay_login == 'true' }}
uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
with:
subject-name: quay.io/blackdex/rust-musl
subject-digest: ${{ steps.push_vw_stable.outputs.digest }}
push-to-registry: true
# ###
# Rust Nightly
# Build (but do not push) the nightly image for the date chosen by mbuild_vars,
# tagged locally as "-nightly-test" for the test steps below. Unlike the stable
# steps this has no `if:`, so a nightly image is built on every run.
- name: Docker Build - Rust Nightly
uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
env:
BUILDKIT_PROGRESS: plain
with:
platforms: ${{ endsWith(matrix.os, '-arm') && 'linux/arm64' || 'linux/amd64'}}
outputs: type=image,oci-mediatypes=true,compression=zstd,compression-level=3
context: .
# Set load to true so that we can test the built image in the next step (default with docker driver)
load: true
# Do not push the image just yet, we first want to test it
push: false
file: ./Dockerfile.musl-base
build-args: |
TOOLCHAIN_REGISTRY=${{ needs.mbuild_vars.outputs.toolchain_reg }}
IMAGE_TAG=${{ matrix.image_tag }}
RUST_CHANNEL=nightly-${{ needs.mbuild_vars.outputs.nightly_date }}
tags: blackdex/rust-musl:${{ steps.arch.outputs.type }}-${{ matrix.image_tag }}-nightly-test
cache-from: |
${{ needs.ubuntu_base.outputs.cache_from }}
${{ steps.docker_cache.outputs.cache_from }}
cache-to: ${{ steps.docker_cache.outputs.cache_to }}
# Smoke-test the "-nightly-test" image by compiling test/multicrate inside it, once
# per bundled PostgreSQL client library (PQ18..PQ15). Mirrors the stable test steps:
# only the PQ18 variant runs under emulation via `act` and passes QEMU_CPU.
- name: Test Docker Image (PQ18) - Rust Nightly
shell: bash
env:
ARCH_TYPE: ${{ steps.arch.outputs.type }}
IMAGE_TAG: ${{ matrix.image_tag }}
XTRA_RUSTFLAGS: ${{ matrix.xtra_rustflags }}
PLATFORM: ${{ endsWith(matrix.os, '-arm') && 'linux/arm64' || 'linux/amd64'}}
QEMU_CPU: ${{ (github.event.act && endsWith(matrix.os, '-arm')) && 'max,pauth-impdef=on' || '' }}
run: |
# Run the test
# Registry cache is a named volume, source is bind-mounted, target is a tmpfs.
# XTRA_RUSTFLAGS is concatenated directly in front of -Clink-arg=-s, so a
# non-empty matrix value must end with a space — confirm.
docker run --rm \
--platform "${PLATFORM}" \
-v cargo-cache:/root/.cargo/registry \
-v "$(pwd)/test/multicrate":/home/rust/src \
--tmpfs /home/rust/src/target:rw,exec,mode=1777 \
-e QEMU_CPU="${QEMU_CPU}" \
-e RUST_BACKTRACE=full \
-e PQ_LIB_DIR="/usr/local/musl/pq18/lib" \
-e RUSTFLAGS="${XTRA_RUSTFLAGS}-Clink-arg=-s" \
blackdex/rust-musl:${ARCH_TYPE}-${IMAGE_TAG}-nightly-test bash -c 'rm -vf Cargo.lock ; cargo -Vv ; rustc -Vv ; cargo update ; cargo build --release'
- name: Test Docker Image (PQ17) - Rust Nightly
shell: bash
env:
ARCH_TYPE: ${{ steps.arch.outputs.type }}
IMAGE_TAG: ${{ matrix.image_tag }}
XTRA_RUSTFLAGS: ${{ matrix.xtra_rustflags }}
PLATFORM: ${{ endsWith(matrix.os, '-arm') && 'linux/arm64' || 'linux/amd64'}}
run: |
# Skip Docker run tests for arm64 based images via act to speedup testing
if [[ "${ACT}" = true ]] && [[ "${PLATFORM}" = "linux/arm64" ]]; then exit 0; fi
# Run the test (same as the PQ18 variant, against the PQ17 client library)
docker run --rm \
--platform "${PLATFORM}" \
-v cargo-cache:/root/.cargo/registry \
-v "$(pwd)/test/multicrate":/home/rust/src \
--tmpfs /home/rust/src/target:rw,exec,mode=1777 \
-e RUST_BACKTRACE=full \
-e PQ_LIB_DIR="/usr/local/musl/pq17/lib" \
-e RUSTFLAGS="${XTRA_RUSTFLAGS}-Clink-arg=-s" \
blackdex/rust-musl:${ARCH_TYPE}-${IMAGE_TAG}-nightly-test bash -c 'rm -vf Cargo.lock ; cargo -Vv ; rustc -Vv ; cargo update ; cargo build --release'
- name: Test Docker Image (PQ16) - Rust Nightly
shell: bash
env:
ARCH_TYPE: ${{ steps.arch.outputs.type }}
IMAGE_TAG: ${{ matrix.image_tag }}
XTRA_RUSTFLAGS: ${{ matrix.xtra_rustflags }}
PLATFORM: ${{ endsWith(matrix.os, '-arm') && 'linux/arm64' || 'linux/amd64'}}
run: |
# Skip Docker run tests for arm64 based images via act to speedup testing
if [[ "${ACT}" = true ]] && [[ "${PLATFORM}" = "linux/arm64" ]]; then exit 0; fi
# Run the test (same as the PQ18 variant, against the PQ16 client library)
docker run --rm \
--platform "${PLATFORM}" \
-v cargo-cache:/root/.cargo/registry \
-v "$(pwd)/test/multicrate":/home/rust/src \
--tmpfs /home/rust/src/target:rw,exec,mode=1777 \
-e RUST_BACKTRACE=full \
-e PQ_LIB_DIR="/usr/local/musl/pq16/lib" \
-e RUSTFLAGS="${XTRA_RUSTFLAGS}-Clink-arg=-s" \
blackdex/rust-musl:${ARCH_TYPE}-${IMAGE_TAG}-nightly-test bash -c 'rm -vf Cargo.lock ; cargo -Vv ; rustc -Vv ; cargo update ; cargo build --release'
- name: Test Docker Image (PQ15) - Rust Nightly
shell: bash
env:
ARCH_TYPE: ${{ steps.arch.outputs.type }}
IMAGE_TAG: ${{ matrix.image_tag }}
XTRA_RUSTFLAGS: ${{ matrix.xtra_rustflags }}
PLATFORM: ${{ endsWith(matrix.os, '-arm') && 'linux/arm64' || 'linux/amd64'}}
run: |
# Skip Docker run tests for arm64 based images via act to speedup testing
if [[ "${ACT}" = true ]] && [[ "${PLATFORM}" = "linux/arm64" ]]; then exit 0; fi
# Run the test (same as the PQ18 variant, against the PQ15 client library)
docker run --rm \
--platform "${PLATFORM}" \
-v cargo-cache:/root/.cargo/registry \
-v "$(pwd)/test/multicrate":/home/rust/src \
--tmpfs /home/rust/src/target:rw,exec,mode=1777 \
-e RUST_BACKTRACE=full \
-e PQ_LIB_DIR="/usr/local/musl/pq15/lib" \
-e RUSTFLAGS="${XTRA_RUSTFLAGS}-Clink-arg=-s" \
blackdex/rust-musl:${ARCH_TYPE}-${IMAGE_TAG}-nightly-test bash -c 'rm -vf Cargo.lock ; cargo -Vv ; rustc -Vv ; cargo update ; cargo build --release'
# Rebuild (from cache) and push the tested nightly image under its final per-arch
# tags; the `digest` output feeds the export, upload and attest steps below.
- name: Docker Push - Rust Nightly
id: push_nightly
uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
env:
BUILDKIT_PROGRESS: plain
with:
platforms: ${{ endsWith(matrix.os, '-arm') && 'linux/arm64' || 'linux/amd64'}}
outputs: type=image,oci-mediatypes=true,compression=zstd,compression-level=3
context: .
# Under `act` the image is also loaded into the local docker daemon
load: ${{ github.event.act && 'true' || 'false' }}
push: true
file: ./Dockerfile.musl-base
build-args: |
TOOLCHAIN_REGISTRY=${{ needs.mbuild_vars.outputs.toolchain_reg }}
IMAGE_TAG=${{ matrix.image_tag }}
RUST_CHANNEL=nightly-${{ needs.mbuild_vars.outputs.nightly_date }}
tags: ${{ steps.arch_tags.outputs.nightly }}
cache-from: |
${{ needs.ubuntu_base.outputs.cache_from }}
${{ steps.docker_cache.outputs.cache_from }}
cache-to: ${{ steps.docker_cache.outputs.cache_to }}
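# Hand the pushed nightly digest to the merge job: an empty file named after the
# digest (without the "sha256:" prefix) is written for the upload step below; the
# merge job globs those file names to assemble the multi-platform manifest.
- name: Export Digest - Rust Nightly
  if: ${{ steps.push_nightly.outputs.digest != '' }}
  env:
    DIGEST: ${{ steps.push_nightly.outputs.digest }}
    IMAGE_TAG: ${{ matrix.image_tag }}
    RUNNER_TEMP: ${{ runner.temp }}
  shell: bash
  run: |
    # Quoted like the stable/vw variants so a RUNNER_TEMP containing whitespace
    # cannot split the path; -v logs the created directory for the job output.
    mkdir -pv "${RUNNER_TEMP}/digests-nightly-${IMAGE_TAG}"
    touch "${RUNNER_TEMP}/digests-nightly-${IMAGE_TAG}/${DIGEST#sha256:}"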
# Upload the nightly digest marker file as a one-day artifact (one per
# image_tag/arch, downloaded by the merge job with a "digests-nightly-<image_tag>*"
# pattern), then attest the per-arch nightly image on each registry logged into.
- name: Upload digest - Rust Nightly
if: ${{ steps.push_nightly.outputs.digest != '' }}
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: digests-nightly-${{ matrix.image_tag }}-${{ steps.arch.outputs.type }}
path: ${{ runner.temp }}/digests-nightly-${{ matrix.image_tag }}/*
if-no-files-found: error
retention-days: 1
- name: Attest - Nightly - docker.io
if: ${{ !github.event.act && steps.push_nightly.outputs.digest != '' && needs.mbuild_vars.outputs.have_dockerhub_login == 'true' }}
uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
with:
subject-name: docker.io/blackdex/rust-musl
subject-digest: ${{ steps.push_nightly.outputs.digest }}
push-to-registry: true
- name: Attest - Nightly - ghcr.io
if: ${{ !github.event.act && steps.push_nightly.outputs.digest != '' && needs.mbuild_vars.outputs.have_ghcr_login == 'true' }}
uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
with:
subject-name: ghcr.io/blackdex/rust-musl
subject-digest: ${{ steps.push_nightly.outputs.digest }}
push-to-registry: true
- name: Attest - Nightly - quay.io
if: ${{ !github.event.act && steps.push_nightly.outputs.digest != '' && needs.mbuild_vars.outputs.have_quay_login == 'true' }}
uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
with:
subject-name: quay.io/blackdex/rust-musl
subject-digest: ${{ steps.push_nightly.outputs.digest }}
push-to-registry: true
# Merge the separately built amd64 and arm64 images into one multi-platform manifest per tag
# https://docs.docker.com/build/ci/github-actions/multi-platform/#distribute-build-across-multiple-runners
musl_base_merge:
# Only run in the upstream repository: forks have no registry credentials and
# must not try to publish or attest under the blackdex/* names.
if: ${{ github.repository == 'BlackDex/rust-musl' }}
name: Merge Toolchain Container - ${{ matrix.image_tag }}
runs-on: ubuntu-24.04
# Job-level permissions override the empty workflow-level `permissions: {}`;
# only what pushing manifests and signing attestations needs is granted.
permissions:
packages: write # Allow pushing images to ghcr.io
contents: read
attestations: write # Allow generating attestations on the container images
id-token: write # Allow generating attestations on the container images
# Needs every per-arch build to have finished so all digest artifacts exist
needs:
- mbuild_vars
- musl_base
# One merge job per target triple; each one combines its own amd64+arm64 digests
strategy:
matrix:
image_tag:
- x86_64-musl
- aarch64-musl
- armv7-musleabihf
- arm-musleabi
steps:
# Local-only diagnostics: dump the inputs this job sees when run under `act`.
# The full `github` context stays commented out; it is large and can include
# values that should not end up in logs.
- name: "[act] Debug Matrix"
if: ${{ github.event.act }}
shell: bash
env:
BUILD_JSON: ${{ toJson(needs.mbuild_vars) }}
NEEDS_JSON: ${{ toJson(needs.musl_base) }}
EVENT_NAME: ${{ github.event_name }}
MATRIX_JSON: ${{ toJson(matrix) }}
# GITHUB_JSON: ${{ toJson(github) }}
run: |
echo ""
echo "# ##################### DEBUGGING #######################"
echo ""
echo "event_name = ${EVENT_NAME}"
echo "build_json = ${BUILD_JSON}"
echo "needs_json = ${NEEDS_JSON}"
echo ; echo "matrix = ${MATRIX_JSON}"
# echo ; echo "github = ${GITHUB_JSON}"
echo ""
echo "# #######################################################"
echo ""
# Produce the comma separated tag lists for the merged manifests. The registry is
# left as the literal placeholder "@RGSTRY@" so the same list can be reused for
# every registry in the "Create combined manifests" steps, which substitute it.
- name: Generate merged container tags
id: base_tags
env:
STABLE_VERSION: ${{ needs.mbuild_vars.outputs.stable_version }}
VW_VERSION: ${{ needs.mbuild_vars.outputs.vaultwarden_version }}
NIGHTLY_TAG_POSTFIX: ${{ needs.mbuild_vars.outputs.nightly_tag_postfix }}
NIGHTLY_DATE: ${{ needs.mbuild_vars.outputs.nightly_date }}
IMAGE_TAG: ${{ matrix.image_tag }}
shell: bash
run: |
#
# Stable: bare <image_tag>, plus -<version>, -stable and -stable-<version>
base_tags_stable=""
base_tags_stable+="@RGSTRY@/blackdex/rust-musl:${IMAGE_TAG},"
base_tags_stable+="@RGSTRY@/blackdex/rust-musl:${IMAGE_TAG}-${STABLE_VERSION},"
base_tags_stable+="@RGSTRY@/blackdex/rust-musl:${IMAGE_TAG}-stable,"
base_tags_stable+="@RGSTRY@/blackdex/rust-musl:${IMAGE_TAG}-stable-${STABLE_VERSION},"
#
# Vaultwarden Stable: version-suffixed tags only, never the bare/-stable aliases
base_tags_stable_vw=""
base_tags_stable_vw+="@RGSTRY@/blackdex/rust-musl:${IMAGE_TAG}-${VW_VERSION},"
base_tags_stable_vw+="@RGSTRY@/blackdex/rust-musl:${IMAGE_TAG}-stable-${VW_VERSION},"
#
# Nightly: -nightly<postfix> (postfix presumably empty for today's date — confirm) and -nightly-<date>
base_tags_nightly=""
base_tags_nightly+="@RGSTRY@/blackdex/rust-musl:${IMAGE_TAG}-nightly${NIGHTLY_TAG_POSTFIX},"
base_tags_nightly+="@RGSTRY@/blackdex/rust-musl:${IMAGE_TAG}-nightly-${NIGHTLY_DATE},"
echo ""
# ${var%,} strips the trailing comma before the list is exported
echo "stable=${base_tags_stable%,}" | tee -a "${GITHUB_OUTPUT}"
echo "stable_vw=${base_tags_stable_vw%,}" | tee -a "${GITHUB_OUTPUT}"
echo "nightly=${base_tags_nightly%,}" | tee -a "${GITHUB_OUTPUT}"
# Load the key used to reach the remote BuildKit endpoint (see the `act` buildx
# setup below) into an ssh-agent; the private key never touches the filesystem
# as a file written by this workflow. Only used when mbuild_vars found the secret.
- name: Load ssh-agent for Remote BuildKit
if: ${{ needs.mbuild_vars.outputs.have_buildkit_ssh == 'true' }}
uses: webfactory/ssh-agent@e83874834305fe9a4a2997156cb26c5de65a8555 # v0.10.0
with:
ssh-private-key: ${{ secrets.BUILDKIT_SSH }}
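# Provide the host key(s) of the remote BuildKit endpoint from a secret so the
# ssh connection made by the buildx driver is checked against a pinned
# known_hosts entry instead of an unknown host.
- name: Create known_hosts file
  if: ${{ needs.mbuild_vars.outputs.have_buildkit_ssh == 'true' }}
  shell: bash
  env:
    BUILDKIT_KNOWN_HOSTS: ${{ secrets.BUILDKIT_KNOWN_HOSTS }}
  run: |
    # Create ~/.ssh with the restrictive mode ssh expects (only applied when the
    # directory is newly created), write the file with printf so a leading '-'
    # or backslashes in the secret are never interpreted, and keep it private.
    mkdir -p -m 700 ~/.ssh
    printf '%s\n' "${BUILDKIT_KNOWN_HOSTS}" > ~/.ssh/known_hosts
    chmod 600 ~/.ssh/known_hosts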
# Special Docker BuildKit setup when using `act` to provide local amd64 and remote arm64 builds
# This uses SSH to connect to the remote/local BuildKit tooling
# (the endpoint comes from mbuild_vars; the ssh-agent and known_hosts steps above
# supply the key and the pinned host key for it).
- name: Setup Docker Buildx (act)
if: ${{ needs.mbuild_vars.outputs.have_buildkit_ssh == 'true' }}
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
with:
use: true
name: act-multiarch
driver: docker-container
# Use the buildx binary already present instead of downloading one at run time
cache-binary: false
# Pull docker.io images through the GCR mirror; cap parallel workers at 3
buildkitd-config-inline: |
[registry."docker.io"]
mirrors = ["mirror.gcr.io"]
[worker.oci]
max-parallelism = 3
driver-opts: |
network=host
default-load=true
platforms: linux/amd64
# Second node of the same builder: the remote arm64 BuildKit reached over ssh
append: |
- endpoint: ${{ needs.mbuild_vars.outputs.docker_host_arm64 }}
platforms: linux/arm64
driver-opts:
- network=host
- default-load=true
buildkitd-config-inline: |
[registry."docker.io"]
mirrors = ["mirror.gcr.io"]
[worker.oci]
max-parallelism = 3
# Regular single-node builder for hosted runners (no remote BuildKit).
# NOTE(review): this only runs when have_buildkit_ssh is exactly 'false'; if
# mbuild_vars can leave that output empty, neither buildx setup step runs and
# the manifest steps below have no builder — `!= 'true'` would cover both cases.
# Confirm how mbuild_vars emits this flag.
- name: Setup Docker Buildx
if: ${{ needs.mbuild_vars.outputs.have_buildkit_ssh == 'false' }}
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
with:
driver: docker-container
# Use the buildx binary already present instead of downloading one at run time
cache-binary: false
buildkitd-config-inline: |
[registry."docker.io"]
mirrors = ["mirror.gcr.io"]
[worker.oci]
max-parallelism = 3
driver-opts: |
network=host
default-load=true
# Registry logins, each gated on mbuild_vars having found the matching
# credentials. All secrets are passed as action inputs, never echoed in `run:`.
- name: Login to DockerHub
if: ${{ needs.mbuild_vars.outputs.have_dockerhub_login == 'true' }}
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
# ghcr.io uses the job's own GITHUB_TOKEN (packages: write granted above)
- name: Login to ghcr.io
if: ${{ needs.mbuild_vars.outputs.have_ghcr_login == 'true' }}
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Login to quay.io
if: ${{ needs.mbuild_vars.outputs.have_quay_login == 'true' }}
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
with:
registry: quay.io
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_TOKEN }}
#
# Generate stable combined manifest
# Collect the per-arch stable digest marker files uploaded by the build job into
# one directory (merge-multiple flattens the amd64 and arm64 artifacts).
# NOTE(review): `!outputs.nightly_trigger` relies on the output being empty when
# unset; a non-empty string such as 'false' is truthy in workflow expressions.
# Confirm how mbuild_vars emits stable_trigger/nightly_trigger.
- name: Download Digests - Stable
if: ${{ needs.mbuild_vars.outputs.stable_trigger || !needs.mbuild_vars.outputs.nightly_trigger }}
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
path: ${{ runner.temp }}/digests-stable-${{ matrix.image_tag }}
pattern: digests-stable-${{ matrix.image_tag }}*
merge-multiple: true
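# Create one multi-platform manifest per registry from the per-arch digests
# downloaded above, under every tag produced by the base_tags step.
- name: Create combined manifests - Stable
  if: ${{ needs.mbuild_vars.outputs.stable_trigger || !needs.mbuild_vars.outputs.nightly_trigger }}
  env:
    REGISTRIES: ${{ needs.mbuild_vars.outputs.registry_list }}
    STABLE_TAGS: ${{ steps.base_tags.outputs.stable }}
  working-directory: ${{ runner.temp }}/digests-stable-${{ matrix.image_tag }}
  shell: bash
  run: |
    # Every file here is named after one per-arch image digest. With nullglob an
    # empty directory gives an empty array instead of a literal "*", which would
    # otherwise be sent to the registry as "@sha256:*"; fail early instead.
    shopt -s nullglob
    digests=(*)
    if [[ ${#digests[@]} -eq 0 ]]; then
      echo "::error::No stable digest files found in $(pwd); refusing to create an empty manifest"
      exit 1
    fi
    for registry in ${REGISTRIES}; do
      echo "Generating manifest for ${registry}:"
      # Convert the comma separated tag list to spaces and replace `@RGSTRY@` with the actual registry
      REG_TAGS=$(echo "${STABLE_TAGS//,/ }" | sed "s#@RGSTRY@#${registry}#g")
      # The first `printf` turns each tag into a `--tag` parameter
      # The second `printf` turns each digest file name into an image@sha256 reference
      docker buildx imagetools create \
        $(printf -- " --tag %s" ${REG_TAGS}) \
        $(printf "${registry}/blackdex/rust-musl@sha256:%s " "${digests[@]}")
    done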
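# Print the merged stable manifest on every registry and export the ghcr.io
# manifest digest for the attestation steps that follow.
- name: Inspect combined manifests - Stable
  id: comb_stable
  # Same condition as the Create step above. Without it a nightly-only run would
  # inspect, and then attest, whatever manifest currently carries the stable tag,
  # which may have been produced by an earlier run. When skipped the digest output
  # stays empty and the attest steps below are skipped as well.
  if: ${{ needs.mbuild_vars.outputs.stable_trigger || !needs.mbuild_vars.outputs.nightly_trigger }}
  shell: bash
  env:
    REGISTRIES: ${{ needs.mbuild_vars.outputs.registry_list }}
    STABLE_VERSION: ${{ needs.mbuild_vars.outputs.stable_version }}
    IMAGE_TAG: ${{ matrix.image_tag }}
  run: |
    for registry in ${REGISTRIES}; do
      echo "Inspecting manifest for ${registry}:"
      docker buildx imagetools inspect "${registry}/blackdex/rust-musl:${IMAGE_TAG}-stable-${STABLE_VERSION}"
      # Extract the combined digest to run attest on this too. Only the ghcr.io value is
      # exported; the docker.io/quay.io attest steps reuse it, presumably because the
      # manifest lists reference identical per-arch digests on every registry — confirm.
      if [[ "${registry}" = "ghcr.io" ]]; then
        combined_digest=$(docker buildx imagetools inspect --format "{{json .Manifest.Digest}}" "ghcr.io/blackdex/rust-musl:${IMAGE_TAG}-stable-${STABLE_VERSION}")
        echo "digest=${combined_digest//\"/}" | tee -a "${GITHUB_OUTPUT}"
      fi
    done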
# Build-provenance attestations for the merged stable manifest, one per registry;
# skipped under `act`, when no digest was exported, or without that login.
- name: Attest - Combined Stable - docker.io
if: ${{ !github.event.act && steps.comb_stable.outputs.digest != '' && needs.mbuild_vars.outputs.have_dockerhub_login == 'true' }}
uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
with:
subject-name: docker.io/blackdex/rust-musl
subject-digest: ${{ steps.comb_stable.outputs.digest }}
push-to-registry: true
- name: Attest - Combined Stable - ghcr.io
if: ${{ !github.event.act && steps.comb_stable.outputs.digest != '' && needs.mbuild_vars.outputs.have_ghcr_login == 'true' }}
uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
with:
subject-name: ghcr.io/blackdex/rust-musl
subject-digest: ${{ steps.comb_stable.outputs.digest }}
push-to-registry: true
- name: Attest - Combined Stable - quay.io
if: ${{ !github.event.act && steps.comb_stable.outputs.digest != '' && needs.mbuild_vars.outputs.have_quay_login == 'true' }}
uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
with:
subject-name: quay.io/blackdex/rust-musl
subject-digest: ${{ steps.comb_stable.outputs.digest }}
push-to-registry: true
#
# Generate Vaultwarden stable combined manifest
# Collect the per-arch Vaultwarden-stable digest marker files; only relevant when
# the Vaultwarden version differs from stable and this is not a nightly-only run.
- name: Download Digests - Vaultwarden Stable
if: ${{ needs.mbuild_vars.outputs.stable_version != needs.mbuild_vars.outputs.vaultwarden_version && (needs.mbuild_vars.outputs.stable_trigger || !needs.mbuild_vars.outputs.nightly_trigger) }}
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
path: ${{ runner.temp }}/digests-vw-${{ matrix.image_tag }}
pattern: digests-vw-${{ matrix.image_tag }}*
merge-multiple: true
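# Create one multi-platform manifest per registry from the per-arch
# Vaultwarden-stable digests, under the version-suffixed tags from base_tags.
- name: Create combined manifests - Vaultwarden Stable
  if: ${{ needs.mbuild_vars.outputs.stable_version != needs.mbuild_vars.outputs.vaultwarden_version && (needs.mbuild_vars.outputs.stable_trigger || !needs.mbuild_vars.outputs.nightly_trigger) }}
  env:
    REGISTRIES: ${{ needs.mbuild_vars.outputs.registry_list }}
    STABLE_VW_TAGS: ${{ steps.base_tags.outputs.stable_vw }}
  working-directory: ${{ runner.temp }}/digests-vw-${{ matrix.image_tag }}
  shell: bash
  run: |
    # Every file here is named after one per-arch image digest. With nullglob an
    # empty directory gives an empty array instead of a literal "*", which would
    # otherwise be sent to the registry as "@sha256:*"; fail early instead.
    shopt -s nullglob
    digests=(*)
    if [[ ${#digests[@]} -eq 0 ]]; then
      echo "::error::No Vaultwarden-stable digest files found in $(pwd); refusing to create an empty manifest"
      exit 1
    fi
    for registry in ${REGISTRIES}; do
      echo "Generating manifest for ${registry}:"
      # Convert the comma separated tag list to spaces and replace `@RGSTRY@` with the actual registry
      REG_TAGS=$(echo "${STABLE_VW_TAGS//,/ }" | sed "s#@RGSTRY@#${registry}#g")
      # The first `printf` turns each tag into a `--tag` parameter
      # The second `printf` turns each digest file name into an image@sha256 reference
      docker buildx imagetools create \
        $(printf -- " --tag %s" ${REG_TAGS}) \
        $(printf "${registry}/blackdex/rust-musl@sha256:%s " "${digests[@]}")
    done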
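# Print the merged Vaultwarden-stable manifest on every registry and export the
# ghcr.io manifest digest for the attestation steps that follow.
- name: Inspect combined manifests - Vaultwarden Stable
  id: comb_vw
  # Same condition as the Download/Create steps above. Without it, a run where the
  # Vaultwarden version equals stable (or a nightly-only run) would inspect and
  # then attest a manifest this run did not create. When skipped the digest output
  # stays empty and the attest steps below are skipped as well.
  if: ${{ needs.mbuild_vars.outputs.stable_version != needs.mbuild_vars.outputs.vaultwarden_version && (needs.mbuild_vars.outputs.stable_trigger || !needs.mbuild_vars.outputs.nightly_trigger) }}
  shell: bash
  env:
    REGISTRIES: ${{ needs.mbuild_vars.outputs.registry_list }}
    VW_VERSION: ${{ needs.mbuild_vars.outputs.vaultwarden_version }}
    IMAGE_TAG: ${{ matrix.image_tag }}
  run: |
    for registry in ${REGISTRIES}; do
      echo "Inspecting manifest for ${registry}:"
      docker buildx imagetools inspect "${registry}/blackdex/rust-musl:${IMAGE_TAG}-stable-${VW_VERSION}"
      # Extract the combined digest to run attest on this too. Only the ghcr.io value is
      # exported; the docker.io/quay.io attest steps reuse it, presumably because the
      # manifest lists reference identical per-arch digests on every registry — confirm.
      if [[ "${registry}" = "ghcr.io" ]]; then
        combined_digest=$(docker buildx imagetools inspect --format "{{json .Manifest.Digest}}" "ghcr.io/blackdex/rust-musl:${IMAGE_TAG}-stable-${VW_VERSION}")
        echo "digest=${combined_digest//\"/}" | tee -a "${GITHUB_OUTPUT}"
      fi
    done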
# Build-provenance attestations for the merged Vaultwarden-stable manifest, one
# per registry; skipped under `act`, when no digest was exported, or without that login.
- name: Attest - Combined VW Stable - docker.io
if: ${{ !github.event.act && steps.comb_vw.outputs.digest != '' && needs.mbuild_vars.outputs.have_dockerhub_login == 'true' }}
uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
with:
subject-name: docker.io/blackdex/rust-musl
subject-digest: ${{ steps.comb_vw.outputs.digest }}
push-to-registry: true
- name: Attest - Combined VW Stable - ghcr.io
if: ${{ !github.event.act && steps.comb_vw.outputs.digest != '' && needs.mbuild_vars.outputs.have_ghcr_login == 'true' }}
uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
with:
subject-name: ghcr.io/blackdex/rust-musl
subject-digest: ${{ steps.comb_vw.outputs.digest }}
push-to-registry: true
- name: Attest - Combined VW Stable - quay.io
if: ${{ !github.event.act && steps.comb_vw.outputs.digest != '' && needs.mbuild_vars.outputs.have_quay_login == 'true' }}
uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
with:
subject-name: quay.io/blackdex/rust-musl
subject-digest: ${{ steps.comb_vw.outputs.digest }}
push-to-registry: true
#
# Generate nightly combined manifest
# Collect the per-arch nightly digest marker files. No `if:` here: the nightly
# image is built and pushed on every run, so its digests always exist.
- name: Download Digests - Nightly
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
path: ${{ runner.temp }}/digests-nightly-${{ matrix.image_tag }}
pattern: digests-nightly-${{ matrix.image_tag }}*
merge-multiple: true
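# Create one multi-platform nightly manifest per registry from the per-arch
# digests downloaded above, under the nightly tags from base_tags.
- name: Create combined manifests - Nightly
  env:
    REGISTRIES: ${{ needs.mbuild_vars.outputs.registry_list }}
    NIGHTLY_TAGS: ${{ steps.base_tags.outputs.nightly }}
  working-directory: ${{ runner.temp }}/digests-nightly-${{ matrix.image_tag }}
  shell: bash
  run: |
    # Every file here is named after one per-arch image digest. With nullglob an
    # empty directory gives an empty array instead of a literal "*", which would
    # otherwise be sent to the registry as "@sha256:*"; fail early instead.
    shopt -s nullglob
    digests=(*)
    if [[ ${#digests[@]} -eq 0 ]]; then
      echo "::error::No nightly digest files found in $(pwd); refusing to create an empty manifest"
      exit 1
    fi
    for registry in ${REGISTRIES}; do
      echo "Generating manifest for ${registry}:"
      # Convert the comma separated tag list to spaces and replace `@RGSTRY@` with the actual registry
      # (comments now precede the line they describe, matching the stable/vw variants)
      REG_TAGS=$(echo "${NIGHTLY_TAGS//,/ }" | sed "s#@RGSTRY@#${registry}#g")
      # The first `printf` turns each tag into a `--tag` parameter
      # The second `printf` turns each digest file name into an image@sha256 reference
      docker buildx imagetools create \
        $(printf -- " --tag %s" ${REG_TAGS}) \
        $(printf "${registry}/blackdex/rust-musl@sha256:%s " "${digests[@]}")
    done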
# Print the merged nightly manifest on every registry and export the ghcr.io
# manifest digest for the attestation steps that follow. Unconditional, like the
# nightly build/push steps.
- name: Inspect combined manifests - Nightly
id: comb_nightly
shell: bash
env:
REGISTRIES: ${{ needs.mbuild_vars.outputs.registry_list }}
NIGHTLY_DATE: ${{ needs.mbuild_vars.outputs.nightly_date }}
IMAGE_TAG: ${{ matrix.image_tag }}
run: |
for registry in ${REGISTRIES}; do
echo "Inspecting manifest for ${registry}:"
docker buildx imagetools inspect ${registry}/blackdex/rust-musl:${IMAGE_TAG}-nightly-${NIGHTLY_DATE}
# Extract the combined digest to run attest on this too. Only the ghcr.io value is
# exported; the docker.io/quay.io attest steps reuse it, presumably because the
# manifest lists reference identical per-arch digests on every registry — confirm.
if [[ "${registry}" = "ghcr.io" ]]; then
combined_digest=$(docker buildx imagetools inspect --format "{{json .Manifest.Digest}}" ghcr.io/blackdex/rust-musl:${IMAGE_TAG}-nightly-${NIGHTLY_DATE})
# The --format output is a JSON string; strip its quotes before exporting
echo "digest=${combined_digest//\"/}" | tee -a "${GITHUB_OUTPUT}"
fi
done
# Build-provenance attestations for the merged nightly manifest, one per registry;
# skipped under `act`, when no digest was exported, or without that login.
- name: Attest - Combined Nightly - docker.io
if: ${{ !github.event.act && steps.comb_nightly.outputs.digest != '' && needs.mbuild_vars.outputs.have_dockerhub_login == 'true' }}
uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
with:
subject-name: docker.io/blackdex/rust-musl
subject-digest: ${{ steps.comb_nightly.outputs.digest }}
push-to-registry: true
- name: Attest - Combined Nightly - ghcr.io
if: ${{ !github.event.act && steps.comb_nightly.outputs.digest != '' && needs.mbuild_vars.outputs.have_ghcr_login == 'true' }}
uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
with:
subject-name: ghcr.io/blackdex/rust-musl
subject-digest: ${{ steps.comb_nightly.outputs.digest }}
push-to-registry: true
- name: Attest - Combined Nightly - quay.io
if: ${{ !github.event.act && steps.comb_nightly.outputs.digest != '' && needs.mbuild_vars.outputs.have_quay_login == 'true' }}
uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
with:
subject-name: quay.io/blackdex/rust-musl
subject-digest: ${{ steps.comb_nightly.outputs.digest }}
push-to-registry: true