Skip to content
Build Docker Images

Drop dockerize to mitigate writes to filesystem. #5541

Sign in to view logs

Drop dockerize to mitigate writes to filesystem.

Drop dockerize to mitigate writes to filesystem. #5541

Workflow file for this run

.github/workflows/docker.yml at c6d8182
name: Build Docker Images
permissions:
contents: read
packages: read
security-events: write
on:
push:
branches:
# NOTE: We only publish Docker images for the main branch and branches that are used for release validation.
- main
- cloud/*
- feature/*
- release/*
pull_request:
branches:
- main
workflow_dispatch:
inputs:
commit:
description: "Commit sha"
required: true
jobs:
build-push-images:
runs-on: ubuntu-latest-16-cores
# Usually, a successful job takes ~17 mins.
# Anything more than 30 mins is a sign that job is stuck.
# This is a workaround until we find the root cause.
timeout-minutes: 30
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
submodules: "true"
ref: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.commit || '' }}
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to DockerHub
if: ${{ !env.ACT }}
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PAT }}
- name: Set SHA when dispatched
run: |
SHA=$([ "$GITHUB_EVENT_NAME" = "workflow_dispatch" ] && echo "${{ github.event.inputs.commit }}" || echo "${GITHUB_SHA}")
echo "SHA=${SHA}" >> $GITHUB_ENV
- name: Prepare build args
id: build_args
run: |
# Generate SHA image tag
github_sha_short=${GITHUB_SHA:0:7}
echo "IMAGE_SHA_TAG=sha-${github_sha_short}" >> $GITHUB_ENV
# Generate branch image tag
branch_name=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}
echo "IMAGE_BRANCH_TAG=branch-${branch_name}" >> $GITHUB_ENV
# Get submodule commit hashes
TEMPORAL_SHA=$(git submodule status -- temporal | awk '{print $1}')
echo "TEMPORAL_SHA=${TEMPORAL_SHA}" >> $GITHUB_ENV
TCTL_SHA=$(git submodule status -- tctl | awk '{print $1}')
echo "TCTL_SHA=${TCTL_SHA}" >> $GITHUB_ENV
# Determine if we should tag as `latest`
TAG_LATEST=${{ (github.event_name == 'push' && github.ref == 'refs/heads/main') && 'true' || 'false' }}
echo "TAG_LATEST=${TAG_LATEST}" >> $GITHUB_ENV
- uses: actions/setup-go@v5
with:
cache-dependency-path: "**/*.sum"
go-version-file: 'temporal/go.mod'
# You can't use `load` when building a multiarch image, so we build and load the
# native image and build multiarch images later
- name: Bake native images for security scanning
run: BAKE_OUTPUT=docker make build-native
- name: 🐳 Bake and push multiarch images
if: ${{ github.event_name == 'push' && !env.ACT }}
run: |
BAKE_OUTPUT=registry make build
IMAGES=$(docker images --format "• {{.Repository}}:{{.Tag}}" | grep temporaliotest | tr '\n' ' ')
echo "::notice title=🐳 Docker images::${IMAGES}"
# TODO: can we loop this somehow?
- name: Run Trivy vulnerability scanner on Server image
uses: ./.github/actions/trivy
with:
image-tags: temporaliotest/server:${{ env.IMAGE_SHA_TAG }}
image-name: server
- name: Run Trivy vulnerability scanner on Admin Tools image
uses: ./.github/actions/trivy
with:
image-tags: temporaliotest/admin-tools:${{ env.IMAGE_SHA_TAG }}
image-name: admin-tools
- name: Run Trivy vulnerability scanner on Auto Setup image
uses: ./.github/actions/trivy
with:
image-tags: temporaliotest/auto-setup:${{ env.IMAGE_SHA_TAG }}
image-name: auto-setup
- name: Ensure images work
run: make IMAGE_SHA_TAG=${{env.IMAGE_SHA_TAG}} test
- name: Upload compose logs
if: always()
continue-on-error: true
uses: actions/upload-artifact@v4
with:
name: docker-compose-logs
path: docker-compose.log