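name: Build neurodesktop
# Scheduled production builds at 17:00 UTC every day.
# Build manually from here: https://github.com/NeuroDesk/neurodesktop/actions/workflows/build-neurodesktop.yml
# DockerHub: https://hub.docker.com/r/vnmd/neurodesktop
# Github Packages: https://github.com/NeuroDesk/neurodesktop/pkgs/container/neurodesktop%2Fneurodesktop
on:
  workflow_dispatch:
    inputs:
      force_push:
        description: 'Force push?'
        type: boolean
        required: true
        default: false
  schedule:
    - cron: '0 17 * * *'

# Least-privilege GITHUB_TOKEN: checkout needs contents:read, pushing to ghcr.io
# needs packages:write, and the failure-issue step needs issues:write. Without an
# explicit block the token receives the repository's default permission set.
permissions:
  contents: read
  packages: write
  issues: write

env:
  DOCKERHUB_ORG: ${{ vars.DOCKERHUB_ORG }}
  OCIR_REPO: ${{ vars.OCIR_REPO }}

jobs:
  build-image:
    runs-on: ubuntu-22.04
    steps:
      # Every later step is gated on GITHUB_RATE_REMAINING > 0. The unauthenticated
      # rate_limit endpoint is counted per source IP, which hosted runners share.
      - name: Fetch github api rate limit
        run: |
          # pipefail + curl -fsS: a failed lookup fails this step loudly. Previously
          # a curl error left GITHUB_RATE_REMAINING empty, every following step was
          # skipped, and the job still finished green with no issue raised.
          set -o pipefail
          GITHUB_RATE_REMAINING=$(curl -fsS -H "Accept: application/vnd.github.v3+json" https://api.github.com/rate_limit | jq '.rate.remaining')
          echo "GITHUB_RATE_REMAINING=${GITHUB_RATE_REMAINING}"
          echo "GITHUB_RATE_REMAINING=${GITHUB_RATE_REMAINING}" >> "$GITHUB_ENV"

      - name: Checkout repository
        if: ${{ env.GITHUB_RATE_REMAINING > 0 }}
        # TODO(review): pin third-party actions to a full commit SHA instead of a mutable tag.
        uses: actions/checkout@v3
        with:
          ref: ${{ github.ref }}

      - name: Set environment variables
        if: ${{ env.GITHUB_RATE_REMAINING > 0 }}
        run: |
          IMAGENAME="neurodesktop"
          BUILDDATE=$(date +%Y%m%d)
          SHORT_SHA=$(git rev-parse --short "$GITHUB_SHA")
          # Registry paths must be lowercase; GITHUB_REPOSITORY keeps the owner's casing.
          IMAGEID=$(echo "ghcr.io/$GITHUB_REPOSITORY/$IMAGENAME" | tr '[A-Z]' '[a-z]')
          {
            echo "BUILDDATE=$BUILDDATE"
            echo "SHORT_SHA=$SHORT_SHA"
            echo "IMAGEID=$IMAGEID"
            echo "IMAGENAME=$IMAGENAME"
          } >> "$GITHUB_ENV"

      - name: Pull latest image from GitHub packages
        if: ${{ env.GITHUB_RATE_REMAINING > 0 }}
        env:
          # Secrets are handed to the script through env rather than interpolated
          # with ${{ }} into the script body.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          echo "${GITHUB_REF}"
          echo "$GITHUB_TOKEN" | docker login ghcr.io -u "$GITHUB_ACTOR" --password-stdin
          # ROOTFS_CACHE stays unset when no prior image exists; the push steps
          # then see ROOTFS_NEW != ROOTFS_CACHE and publish.
          {
            docker pull "$IMAGEID:latest" \
            && ROOTFS_CACHE=$(docker inspect --format='{{.RootFS}}' "$IMAGEID:latest") \
            && echo "ROOTFS_CACHE=$ROOTFS_CACHE" >> "$GITHUB_ENV"
          } || echo "$IMAGEID not found. Resuming build..."

      # - name: Modify Dockerfile for CI build
      #   if: ${{ env.GITHUB_RATE_REMAINING > 0 }}
      #   run: |
      #     sed -i 's/# ADD --keep-git-dir=true/ADD --keep-git-dir=true/g' Dockerfile
      #     sed -i 's/ADD "https:\/\/api.github.com/# ADD "https:\/\/api.github.com/g' Dockerfile
      #     sed -i 's/RUN git clone https:\/\/github.com\/NeuroDesk\/neurocommand.git/# RUN git clone https:\/\/github.com\/NeuroDesk\/neurocommand.git/g' Dockerfile

      - name: Build new image
        if: ${{ env.GITHUB_RATE_REMAINING > 0 }}
        run: |
          docker build . --file Dockerfile --tag "$IMAGEID:$SHORT_SHA" --cache-from "$IMAGEID" --label "GITHUB_REPOSITORY=$GITHUB_REPOSITORY" --label "GITHUB_SHA=$GITHUB_SHA"
          # Layer digests of the fresh build; compared with ROOTFS_CACHE to decide
          # whether anything changed and needs publishing.
          ROOTFS_NEW=$(docker inspect --format='{{.RootFS}}' "$IMAGEID:$SHORT_SHA")
          echo "ROOTFS_NEW=$ROOTFS_NEW" >> "$GITHUB_ENV"

      - name: Push image to GitHub packages (if changes found)
        # NOTE(review): the DOCKERHUB_ORG != '' clause appears copied from the Docker
        # Hub step below and makes the ghcr.io push depend on a Docker Hub variable;
        # kept as-is pending confirmation of intent. force_push also bypasses the
        # rate-limit gate, so a forced run with GITHUB_RATE_REMAINING == 0 reaches
        # this step without a built image.
        if: ${{ github.event.inputs.force_push == 'true' || (env.GITHUB_RATE_REMAINING > 0 && env.ROOTFS_NEW != env.ROOTFS_CACHE && env.DOCKERHUB_ORG != '') }}
        run: |
          # Push to GH Packages
          docker tag "$IMAGEID:$SHORT_SHA" "$IMAGEID:$BUILDDATE"
          docker tag "$IMAGEID:$SHORT_SHA" "$IMAGEID:latest"
          docker push "$IMAGEID:$BUILDDATE"
          docker push "$IMAGEID:latest"

      - name: Push image to Docker Hub (if enabled & changes found)
        if: ${{ github.event.inputs.force_push == 'true' || (env.GITHUB_RATE_REMAINING > 0 && env.ROOTFS_NEW != env.ROOTFS_CACHE && env.DOCKERHUB_ORG != '') }}
        env:
          DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
          DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }}
        run: |
          echo "$DOCKERHUB_PASSWORD" | docker login -u "$DOCKERHUB_USERNAME" --password-stdin
          # Push to Docker Hub
          docker tag "$IMAGEID:$SHORT_SHA" "$DOCKERHUB_ORG/$IMAGENAME:$BUILDDATE"
          docker tag "$IMAGEID:$SHORT_SHA" "$DOCKERHUB_ORG/$IMAGENAME:latest"
          docker push "$DOCKERHUB_ORG/$IMAGENAME:$BUILDDATE"
          docker push "$DOCKERHUB_ORG/$IMAGENAME:latest"

      - name: Push image to Oracle Container Registry (if enabled & changes found)
        if: ${{ github.event.inputs.force_push == 'true' || (env.GITHUB_RATE_REMAINING > 0 && env.ROOTFS_NEW != env.ROOTFS_CACHE && env.OCIR_REPO != '') }}
        env:
          OCIR_USERNAME: ${{ secrets.OCIR_USERNAME }}
          OCIR_PASSWORD: ${{ secrets.OCIR_PASSWORD }}
        run: |
          echo "$OCIR_PASSWORD" | docker login syd.ocir.io -u "$OCIR_USERNAME" --password-stdin
          # Push to Oracle Container Registry (OCIR)
          echo "${OCIR_REPO}"
          docker tag "$IMAGEID:$SHORT_SHA" "${OCIR_REPO}/${IMAGENAME}:${BUILDDATE}"
          docker tag "$IMAGEID:$SHORT_SHA" "${OCIR_REPO}/${IMAGENAME}:latest"
          docker push "${OCIR_REPO}/${IMAGENAME}:${BUILDDATE}"
          docker push "${OCIR_REPO}/${IMAGENAME}:latest"

      # Runs after the push steps: a CRITICAL finding fails the job, but the image
      # has already been published. Moving this step ahead of the pushes would make
      # the scan gate publication. image-ref carries no tag, so the local :latest
      # tag is scanned (the fresh build only when a push step re-tagged it).
      - name: Container image scan
        if: ${{ env.GITHUB_RATE_REMAINING > 0 }}
        # TODO(review): the action ref was garbled on the rendered page ("[email protected]");
        # restore the real version and pin it to a full commit SHA.
        uses: aquasecurity/trivy-action@<PINNED_REF_PLACEHOLDER>
        with:
          image-ref: ${{ env.IMAGEID }}
          format: table
          exit-code: '1'
          severity: CRITICAL
          timeout: 25m0s
          skip-files: /opt/rclone-v1.60.1-linux-amd64/README.txt, /opt/rclone-v1.60.1-linux-amd64/README.html, /opt/rclone-v1.60.1-linux-amd64/rclone.1

      - name: Generate issue on job failure
        # failure() alone is equivalent to the former always() && failure().
        if: failure()
        uses: JasonEtco/create-an-issue@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # NOTE(review): the env context exposes only variables set by this workflow,
          # not the runner's default GITHUB_* variables, so these four expressions
          # probably expand to empty strings; confirm against the issue template and
          # drop them if it already sees the runner defaults.
          GITHUB_WORKFLOW: ${{ env.GITHUB_WORKFLOW }}
          GITHUB_SERVER_URL: ${{ env.GITHUB_SERVER_URL }}
          GITHUB_REPOSITORY: ${{ env.GITHUB_REPOSITORY }}
          GITHUB_RUN_ID: ${{ env.GITHUB_RUN_ID }}
        with:
          filename: .github/job_failure_issue_template.md
          update_existing: true
          search_existing: open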