Commit Graph

115 Commits

Author SHA1 Message Date
innovaker
bc822a193a feat: rewrite release system to support multiple images per commit
A critical limitation of the first design was the assumption that there would only be one Docker build per commit.  As such, software packages were often only refreshed when Zephyr was upgraded.

This new design opens the door to better CI practices.  It allows regular rebuilds of the Docker images irrespective of version control.  This is critical for incorporating the latest security fixes and bug patches as soon as possible.

Maintainers are still required to trigger stable releases (via tags), but this can be revisited in the future if further automation is necessary.

PR: #50
2021-06-12 18:56:05 +01:00
innovaker
69df2553ed refactor: replace latest tag
`latest` can be ambiguous and misunderstood.

See: #62
PR: #67
2021-06-12 16:35:28 +01:00
innovaker
56e01d70cb feat: schedule nightly rebuild at 02:00 UTC
Rebuilds the default branch from scratch every night.  This ensures that the latest security patches are available for testers.

PR: #66
2021-06-12 16:06:57 +01:00
innovaker
2a830a7633 feat: add no-cache support
`no-cache` rebuilds everything from scratch.  This is critical for integrating security patches and bug fixes as soon as possible.

PR: #65
2021-06-12 14:26:39 +01:00
innovaker
93b6eedd33 docs: add examples to tags
Illustrates the form of the tags.

PR: #68
2021-06-12 11:54:29 +01:00
innovaker
88620c678e feat: add cache-from major-minor-branch
Lets any branch utilize its corresponding major-minor-branch cache.

See: #62
PR: #68
2021-06-12 11:54:29 +01:00
innovaker
b551a568f5 feat: add cache-from upstream
Provides a quick start for new forks.

PR: #64
2021-06-10 10:42:27 +01:00
innovaker
f531452a17 feat: add cache-from dev-generic (GitHub Actions cache)
Pre-builds the dev-generic stage and provides it to all subsequent jobs.  This improves the integrity between the jobs within a particular workflow run, especially in the absence of registry credentials.  It also reduces the workflow run duration when building multiple architectures in parallel.

PR: #61
2021-06-09 19:59:33 +01:00
innovaker
fa56205570 feat: add cache-from base
Lets PRs utilize their base (branch) cache.

PR: #63
2021-06-09 14:23:47 +01:00
innovaker
27b9ac19f3 refactor: combine build and dev jobs
Bringing `build` and `dev` into the same job lets `dev` use `build` as a cache-from source without requiring registry credentials.

PR: #60
2021-06-08 10:15:40 -04:00
innovaker
910fcf7a8a refactor: describe "registry.io/namespace/image:tag" as paths
Improves the readability and makes it easier to extend.

PR: #59
2021-05-25 19:18:02 +01:00
innovaker
0042254202 feat: replace registry cache with inline cache(s)
A simpler, leaner and more scalable approach to the cache.  Scopes the cache by architecture as well as branch.

PR: #56
2021-05-23 10:36:28 +01:00
innovaker
3a6b0f0d23 feat: restrict workflow concurrency per branch
Protects the cache from competing workflow runs on a per branch basis.

PR: #53
2021-05-22 15:01:34 +01:00
innovaker
2eb634739f refactor: drop dev from cache tag
`dev` is no longer necessary because the branch name was added.

PR: #53
2021-05-22 15:01:34 +01:00
innovaker
768a24ad9d feat: scope cache by branch
Lets each branch manage its own cache.

PR: #53
2021-05-22 15:01:34 +01:00
innovaker
935b111322 refactor: remove git-tag job's guard conditions
These guard conditions are now superfluous because the `git-tag` job depends on the `releases` job.

PR: #43
2021-05-20 15:27:45 +01:00
innovaker
30b4589480 refactor: simplify release step with local env variables
Improves the readability and makes it easier to debug.

PR: #42
2021-05-20 15:26:32 +01:00
innovaker
70e225f229 feat: add integration tests
Runs a set of tests before the candidate image can be pushed.  The tests aim to cover all common use cases.

It was not possible to run the tests as a separate set of jobs because `actions/upload-artifact` and `actions/download-artifact` are too slow.  Moreover, a separate set of jobs would create a bottleneck because some architectures complete their docker builds faster than others.

The custom docker shell may require maintenance if GitHub change the underlying runner environment in the future.  It doesn't (yet?) support multi-line run commands.

PR: #46
2021-05-20 14:31:37 +01:00
innovaker
11a99e0826 refactor: move credentials checks into workflow env
This is a simpler and cleaner approach than previous implementations.

PR: #49
See: 7b71139613
See: 40f6d7bf50
2021-05-20 13:59:38 +01:00
innovaker
8e1ab724e4 refactor: move namespaces into workflow env
This is a simpler and cleaner approach than any of the previous implementations.

PR: #48
See: 7426042429
2021-05-19 21:14:12 +01:00
innovaker
7426042429 fix: refactor namespaces back into steps
Further testing has suggested that GitHub Actions sanitizes any secrets in job outputs.  The namespace definitions must therefore be duplicated across each job that needs them.

PR: #47
See: b65d7974a2
See: 7cf9196c14
2021-05-19 13:52:00 +01:00
innovaker
2f991a1709 refactor: split docker job into candidates and releases
This design approach has improved separation of concerns with minimal repetition.  It's also easier to refactor.

PR: #41
2021-05-18 20:04:04 +01:00
innovaker
5b98c4d20c refactor: move repository-name into a dedicated step
Completes laying the groundwork for splitting the `docker` job into `candidates` and `releases`.

PR: #41
2021-05-18 20:04:04 +01:00
innovaker
82f80a41f6 refactor: move tags into its own job
Lays the groundwork for splitting the `docker` job into `candidates` and `releases`.

PR: #41
2021-05-18 20:04:04 +01:00
innovaker
7cf9196c14 refactor: move ghcr namespace to the namespaces job
Lays the groundwork for splitting the `docker` job into `candidates` and `releases`.

PR: #41
2021-05-18 20:04:04 +01:00
innovaker
b65d7974a2 refactor: move docker-hub-namespace into a namespaces job
Lays the groundwork for splitting the `docker` job into `candidates` and `releases`.

PR: #41
2021-05-18 20:04:04 +01:00
innovaker
40f6d7bf50 refactor: move credentials checks into their own job
Lays the groundwork for splitting the `docker` job into `candidates` and `releases`.

PR: #41
2021-05-18 20:04:04 +01:00
innovaker
0df3be0b73 refactor: remove repository-name from tags
Prerequisite for splitting the `docker` job into `candidates` and `releases`.

PR: #41
2021-05-18 20:04:04 +01:00
innovaker
79d41ac9e5 refactor: extract architectures to yml
Opens the door to running the same matrix across multiple jobs.

PR: #41
2021-05-18 20:04:04 +01:00
innovaker
dcdbf26dc6 refactor: rename name to repository-name
`name` is too ambiguous.

PR: #39
2021-05-17 20:13:39 +01:00
innovaker
45e2982c07 feat: add OCI image.revision label
`image.revision` helps trace the image.

PR: #34
2021-05-17 20:12:56 +01:00
innovaker
1f005cd108 refactor: reorder git-tag job's if statement
Improves the readability and consistency.

PR: #36
2021-05-17 20:12:14 +01:00
innovaker
30e68c8be2 refactor: change git-tag job's needs syntax to list
List syntax is better for version control.

PR: #36
2021-05-17 20:12:14 +01:00
innovaker
18a92c3f0a refactor: rename git job to git-tag
`git-tag` is more meaningful than `git`.

PR: #36
2021-05-17 20:12:14 +01:00
innovaker
57a8ac1373 refactor: replace types with jobs
`jobs` is more accurate and understandable.

PR: #40
2021-05-17 20:08:40 +01:00
innovaker
f5bf7843a0 refactor: change tag-trigger-ref into release-trigger-tag
Improves the readability of the workflow.

PR: #37
2021-05-17 20:08:05 +01:00
innovaker
ae59587197 refactor: remove image digest step
The digest is already available within the `build-push` step.

PR: #33
2021-05-17 20:07:16 +01:00
innovaker
bb5f036706 refactor: swap Docker Hub steps with GHCR steps
Aligns with the ordering elsewhere.

PR: #32
2021-05-17 20:04:52 +01:00
innovaker
5e0400cd2f refactor: remove build registry cache
`build` is a subset of `dev`, so there's no need to save both to the registry with `mode=max`.

PR: #35
2021-05-17 20:04:07 +01:00
innovaker
955a1757a1 feat: restrict concurrency of containers workflow
Protects the cache by queuing workflow runs.

PR: #38
2021-05-17 20:02:21 +01:00
dependabot[bot]
0053ccff95 build(deps): bump debian
Bumps debian from stable-20201117-slim to stable-20210511-slim.

Signed-off-by: dependabot[bot] <support@github.com>
2021-05-17 19:36:24 +01:00
innovaker
7b71139613 feat: add guards for absent registry credentials
The original design assumed that every user would configure login credentials with appropriate write permissions for the Docker Hub repository.  Consequently, forks or pull requests fail on the first step.

This change allows the build to complete without login credentials.  It skips pushing the cache or pushing the candidate image.

The release (docker tag) step still requires login credentials and fails if they are absent.  This guarantees that git tagging is only possible once all images have been pushed out to all container registries.

PR: #24
2021-05-17 19:19:23 +01:00
innovaker
560e9163d5 feat: add fallback for Docker Hub namespace (GitHub repository owner)
Lets the workflow run without specifying the `DOCKER_HUB_NAMESPACE` secret.  It uses `github.repository_owner` as the default value for the Docker Hub namespace.

PR: #23
2021-05-17 19:19:23 +01:00
innovaker
f57ad048fa refactor: rename Tag step to Release
Improves the readability of the workflow.

PR: #22
2021-05-17 19:19:23 +01:00
innovaker
bca57f3ef0 refactor: rename DockerHub to Docker Hub
Aligns with Docker's official documentation.

PR: #21
2021-05-17 19:19:23 +01:00
innovaker
3f5e23723c refactor: remove CACHE_FROM and CACHE_TO
Having these in the `vars` step provides little benefit going forward.  Moving them to the `build-push` step improves the readability.

PR: #20
2021-05-17 19:19:23 +01:00
innovaker
a8cc84717b refactor: move zmk-docker-cache to env
Simplifies future refactoring.

PR: #20
2021-05-17 19:19:23 +01:00
innovaker
58b8d8ab6d refactor: remove matrix.cache-to
`matrix.cache-to` is superfluous because it's always the same as the target.  This was probably a hangover from an earlier design.

PR: #20
2021-05-17 19:19:23 +01:00
innovaker
5ef22c1759 refactor: remove push from cache-from and cache-to
`push` has no meaning in the context of `cache-from` or `cache-to`.

PR: #20
2021-05-17 19:19:23 +01:00
innovaker
7f4cdc99ef refactor: move OCI image.source LABEL out of Dockerfile
Defining the LABEL via an ARG at the top of the Dockerfile prevents other GitHub repositories (or local Docker users) from leveraging otherwise identical cache layers.

PR: #18
2021-05-17 19:19:23 +01:00