Add workflows to publish docker container on release (#451)

* Add workflow to build docker image * Add release workflow * Apply suggestions from code review Co-authored-by: gabalafou <gabriel@fouasnon.com> * Add some notes --------- Co-authored-by: gabalafou <gabriel@fouasnon.com>
conda-incubator · Jan 9, 2025 · b202f4f · b202f4f
1 parent 9fbbc8e
commit b202f4f
Show file tree

Hide file tree

Showing 3 changed files with 106 additions and 0 deletions.
diff --git a/.github/workflows/build-docker-image.yml b/.github/workflows/build-docker-image.yml
@@ -0,0 +1,26 @@
+name: Docker
+# This workflow builds the conda-store-ui docker image for each
+# pull request. This will ensure that no PR is breaking the docker
+# image, which will be built and pushed to GHCR when a new release
+# is cut.
+
+on:
+  pull_request:
+
+jobs:
+  build_docker_image:
+    name: "Build Docker Image 🛠"
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Checkout Repository 🛎"
+        uses: actions/checkout@v4
+
+      - name: "Set up Docker Buildx 🏗"
+        uses: docker/setup-buildx-action@v3
+
+      - name: "Build image 🚀"
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          target: "prod"
+          push: false
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -14,6 +14,8 @@ on:
 env:
   FORCE_COLOR: "1"
   PACKAGE_FILE: "conda-store-ui.tgz"
+  GH_CONTAINER_REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
 
 jobs:
   # always build and verify
@@ -145,3 +147,64 @@ jobs:
           npm publish --verbose --access public ${{ env.PACKAGE_FILE }}
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+  build_and_push_docker_image:
+    name: "Push Docker Images 🛠"
+    if: github.repository_owner == 'conda-incubator' && github.event_name == 'release' && startsWith(github.ref, 'refs/tags/')
+    runs-on: ubuntu-latest
+    needs: release-to-npmjs
+    permissions:
+      id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
+      contents: read
+      packages: write
+      attestations: write
+    steps:
+      - name: "Checkout Repository 🛎"
+        uses: actions/checkout@v4
+
+      - name: "Set up Docker Buildx 🏗"
+        uses: docker/setup-buildx-action@v3
+
+      - name: "Login to GH Container Registry 🐳"
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.GH_CONTAINER_REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: "Add Docker metadata 📝"
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ${{ env.GH_CONTAINER_REGISTRY }}/${{ env.IMAGE_NAME }}
+          # ref: https://github.com/docker/metadata-action?tab=readme-ov-file#typeref
+          # create tags for:
+          #  * the GH tag (eg. 2025.1.8)
+          #  * the branch (eg. main)
+          #  * the commit sha (eg. sha-860c190)
+          tags: |
+            type=ref,event=tag
+            type=ref,event=branch
+            type=sha
+
+      - name: "Publish Docker image 🚀"
+        id: push
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          target: "prod"
+          tags: |
+            ${{ steps.meta.outputs.tags }}
+          push: true
+          labels: ${{ steps.meta.outputs.labels }}
+          # ref https://docs.docker.com/build/ci/github-actions/cache/
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: ${{ env.GH_CONTAINER_REGISTRY }}/${{ env.IMAGE_NAME }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
diff --git a/RELEASE.md b/RELEASE.md
@@ -4,6 +4,8 @@
 1. Create a new branch for the release `git checkout -b release-2024.9.1`
 1. Clean the branch `git clean -fxdq`
 1. Increment the version in `package.json` following our [version specification](https://conda.store/community/maintenance/release/#calver-details)
+
+## Part 1: Build and release the npm package
 1. Build the package locally:
 
    ```bash
@@ -35,6 +37,21 @@
 
 If the dry run looks good, continue with the release checklist items.
 
+## Part 2: Build and release the docker image
+
+1. Build the docker image:
+
+  ```bash
+  docker build -t conda-incubator/conda-store-ui:<release version - eg. 2024.11.1> --target prod . 
+  ```
+
+2. Push the image to [GitHub's container registry](https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry#pushing-container-images)
+
+  ```bash
+  # ensure you are authenticated with github
+  docker push ghcr.io/conda-incubator/conda-store-ui:<release version - eg. 2024.11.1>
+  ```
+
 ## Troubleshooting notes
 
 - If there are issues with the [GitHub Release UI](https://github.com/conda-incubator/conda-store-ui/releases/new), ensure that whatever code you published is checked into git, then tag and push both the commit and the tag: