refactor: use Buildkit rootless for fully containerized builds
@@ -15,14 +15,20 @@ env:
|
|||||||
REGISTRY: gitea.arnodo.fr
|
REGISTRY: gitea.arnodo.fr
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
|
# ============================================================================
|
||||||
|
# Job 1 : Détection des images modifiées
|
||||||
|
# ============================================================================
|
||||||
detect-changes:
|
detect-changes:
|
||||||
runs-on: docker
|
runs-on: docker
|
||||||
container:
|
container:
|
||||||
image: alpine/git:latest
|
image: alpine:3.20
|
||||||
outputs:
|
outputs:
|
||||||
matrix: ${{ steps.changes.outputs.matrix }}
|
matrix: ${{ steps.changes.outputs.matrix }}
|
||||||
has_changes: ${{ steps.changes.outputs.has_changes }}
|
has_changes: ${{ steps.changes.outputs.has_changes }}
|
||||||
steps:
|
steps:
|
||||||
|
- name: Install dependencies
|
||||||
|
run: apk add --no-cache git jq
|
||||||
|
|
||||||
- uses: actions/checkout@v3
|
- uses: actions/checkout@v3
|
||||||
with:
|
with:
|
||||||
fetch-depth: 2
|
fetch-depth: 2
|
||||||
@@ -30,56 +36,73 @@ jobs:
|
|||||||
- name: Detect changed images
|
- name: Detect changed images
|
||||||
id: changes
|
id: changes
|
||||||
run: |
|
run: |
|
||||||
if [ -n "${{ github.event.inputs.image }}" ]; then
|
if [ -n "${{ inputs.image }}" ]; then
|
||||||
# Manual trigger - build specific image
|
# Manual trigger - build specific image
|
||||||
echo "matrix=[\"${{ github.event.inputs.image }}\"]" >> $GITHUB_OUTPUT
|
echo "matrix=[\"${{ inputs.image }}\"]" >> $GITHUB_OUTPUT
|
||||||
echo "has_changes=true" >> $GITHUB_OUTPUT
|
echo "has_changes=true" >> $GITHUB_OUTPUT
|
||||||
else
|
else
|
||||||
# Auto-detect changed images
|
# Auto-detect changed images
|
||||||
CHANGED=$(git diff --name-only HEAD~1 HEAD -- images/ | cut -d'/' -f2 | sort -u | grep -v '^$' || true)
|
CHANGED=$(git diff --name-only HEAD~1 HEAD -- images/ 2>/dev/null | cut -d'/' -f2 | sort -u | grep -v '^$' || true)
|
||||||
if [ -z "$CHANGED" ]; then
|
if [ -z "$CHANGED" ]; then
|
||||||
echo "has_changes=false" >> $GITHUB_OUTPUT
|
echo "has_changes=false" >> $GITHUB_OUTPUT
|
||||||
echo "matrix=[]" >> $GITHUB_OUTPUT
|
echo "matrix=[]" >> $GITHUB_OUTPUT
|
||||||
else
|
else
|
||||||
# Convert to JSON array
|
|
||||||
JSON=$(echo "$CHANGED" | jq -R -s -c 'split("\n") | map(select(length > 0))')
|
JSON=$(echo "$CHANGED" | jq -R -s -c 'split("\n") | map(select(length > 0))')
|
||||||
echo "matrix=$JSON" >> $GITHUB_OUTPUT
|
echo "matrix=$JSON" >> $GITHUB_OUTPUT
|
||||||
echo "has_changes=true" >> $GITHUB_OUTPUT
|
echo "has_changes=true" >> $GITHUB_OUTPUT
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
- name: Show detected changes
|
||||||
|
run: |
|
||||||
|
echo "Matrix: ${{ steps.changes.outputs.matrix }}"
|
||||||
|
echo "Has changes: ${{ steps.changes.outputs.has_changes }}"
|
||||||
|
|
||||||
|
# ============================================================================
|
||||||
|
# Job 2 : Build avec Buildkit rootless (100% containerisé)
|
||||||
|
# ============================================================================
|
||||||
build:
|
build:
|
||||||
needs: detect-changes
|
needs: detect-changes
|
||||||
if: needs.detect-changes.outputs.has_changes == 'true'
|
if: needs.detect-changes.outputs.has_changes == 'true'
|
||||||
runs-on: docker
|
runs-on: docker
|
||||||
|
container:
|
||||||
|
image: moby/buildkit:rootless
|
||||||
|
options: --privileged
|
||||||
strategy:
|
strategy:
|
||||||
matrix:
|
matrix:
|
||||||
image: ${{ fromJson(needs.detect-changes.outputs.matrix) }}
|
image: ${{ fromJson(needs.detect-changes.outputs.matrix) }}
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v3
|
- uses: actions/checkout@v3
|
||||||
|
|
||||||
- name: Set up Docker Buildx
|
- name: Build and push with Buildkit
|
||||||
run: |
|
env:
|
||||||
docker buildx create --use --name gitea-builder || docker buildx use gitea-builder
|
REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
|
||||||
|
REGISTRY_USER: ${{ gitea.actor }}
|
||||||
- name: Login to Gitea Registry
|
|
||||||
run: |
|
|
||||||
echo "${{ secrets.REGISTRY_TOKEN }}" | docker login ${{ env.REGISTRY }} -u ${{ gitea.actor }} --password-stdin
|
|
||||||
|
|
||||||
- name: Build and push
|
|
||||||
run: |
|
run: |
|
||||||
IMAGE_NAME="${{ env.REGISTRY }}/damien/${{ matrix.image }}"
|
IMAGE_NAME="${{ env.REGISTRY }}/damien/${{ matrix.image }}"
|
||||||
|
SHORT_SHA=$(echo "${{ gitea.sha }}" | cut -c1-7)
|
||||||
|
|
||||||
docker buildx build \
|
# Create auth config for registry
|
||||||
--platform linux/amd64 \
|
mkdir -p ~/.docker
|
||||||
--tag "${IMAGE_NAME}:latest" \
|
AUTH=$(echo -n "${REGISTRY_USER}:${REGISTRY_TOKEN}" | base64)
|
||||||
--tag "${IMAGE_NAME}:${{ gitea.sha }}" \
|
cat > ~/.docker/config.json <<EOF
|
||||||
--push \
|
{
|
||||||
./images/${{ matrix.image }}
|
"auths": {
|
||||||
|
"${{ env.REGISTRY }}": {
|
||||||
- name: Summary
|
"auth": "${AUTH}"
|
||||||
run: |
|
}
|
||||||
echo "### ✅ Image built and pushed" >> $GITHUB_STEP_SUMMARY
|
}
|
||||||
echo "" >> $GITHUB_STEP_SUMMARY
|
}
|
||||||
echo "- **Image**: ${{ env.REGISTRY }}/damien/${{ matrix.image }}" >> $GITHUB_STEP_SUMMARY
|
EOF
|
||||||
echo "- **Tags**: latest, ${{ gitea.sha }}" >> $GITHUB_STEP_SUMMARY
|
|
||||||
|
# Build and push with buildctl
|
||||||
|
buildctl-daemonless.sh build \
|
||||||
|
--frontend dockerfile.v0 \
|
||||||
|
--local context=./images/${{ matrix.image }} \
|
||||||
|
--local dockerfile=./images/${{ matrix.image }} \
|
||||||
|
--output type=image,name=${IMAGE_NAME}:latest,push=true \
|
||||||
|
--output type=image,name=${IMAGE_NAME}:${SHORT_SHA},push=true \
|
||||||
|
--opt build-arg:BUILDKIT_INLINE_CACHE=1
|
||||||
|
|
||||||
|
echo "✅ Pushed ${IMAGE_NAME}:latest"
|
||||||
|
echo "✅ Pushed ${IMAGE_NAME}:${SHORT_SHA}"
|
||||||
|
|||||||
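Review bot: `options: --privileged` on the build job's container undoes the isolation the commit title claims from `moby/buildkit:rootless`; a privileged container gets the host's devices and has the runtime's seccomp/AppArmor profiles disabled, so a malicious Dockerfile or RUN step under `images/<name>` is effectively root on the runner, and the "rootless" label becomes misleading. The rootless BuildKit image is documented to run unprivileged and only needs the profiles relaxed for user namespaces, so the line should become `options: --security-opt seccomp=unconfined --security-opt apparmor=unconfined` (add `--device /dev/fuse` only if the runner actually needs fuse-overlayfs — confirm on the runner). A second, smaller defect in the auth block: `echo -n "${REGISTRY_USER}:${REGISTRY_TOKEN}" | base64` line-wraps output longer than 76 characters on GNU coreutils and, as far as I recall, BusyBox too, which would put a newline inside the JSON `auth` string and break the push for long tokens; use `base64 -w0`. Also note that `inputs.image` from a manual dispatch is expanded unquoted into the shell (`if [ -n "${{ inputs.image }}" ]`, the `echo "matrix=..."` line) and later into `--local context=./images/${{ matrix.image }}`, so anyone allowed to dispatch the workflow can inject shell or point the build at an arbitrary path; checking the value against the actual directory names under `images/` before emitting the matrix would close that.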