-
-
Notifications
You must be signed in to change notification settings - Fork 3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: docker build and tag from ci #6949
Conversation
- build in docker in ci so we can see failures. - tag and push to dockerhub from ci so we have more control and visibility on the process. Note, docker workflows run on all branches and no tags by default. You need to opt in to having builds trigger when a git tag is pushed. The filter definition to opt in to tags needs to be present on your job and all dependendent jobs, which is dull. See https://circleci.com/docs/2.0/workflows/#executing-workflows-for-a-git-tag I've recreated the dockerhub autobuild rules we have currently, but it is worthing taking a moment to review them. License: MIT Signed-off-by: Oli Evans <[email protected]>
License: MIT Signed-off-by: Oli Evans <[email protected]>
License: MIT Signed-off-by: Oli Evans <[email protected]>
This PR was based on ipfs-inactive/ci-websites#10 which was inspired by the handy article on exactly this topic https://circleci.com/blog/using-circleci-workflows-to-replicate-docker-hub-automated-builds/ |
License: MIT Signed-off-by: Oli Evans <[email protected]>
License: MIT Signed-off-by: Oli Evans <[email protected]>
License: MIT Signed-off-by: Oli Evans <[email protected]>
License: MIT Signed-off-by: Oli Evans <[email protected]>
- run: | ||
name: Publish Docker Image to Docker Hub | ||
command: | | ||
echo "$DOCKERHUB_PASS" | docker login -u "$DOCKERHUB_USERNAME" --password-stdin |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
When are these credentials provided?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Every branch, it looks like? That's not a good idea.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I keep running into this same wall. 🤦♂
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Resolution: only users in a specific group will get this token. That will also be the group with release permissions.
@hsanjuan is the |
I've discovered docker hub supports in repo hooks that allow us to add extra tags for a given auto build, and drafting a PR to try it out. https://docs.docker.com/docker-hub/builds/advanced/#override-build-test-or-push-commands |
No |
Dockerhub allows us to add scripts to a hooks directory in our repo, that allow us to alter the steps of an autobuild! This PR adds a post_push dockerhub hook that adds additional tags for the stabilize-dht and master branch in the form `<branch>-<short date>-<short commit sha>`, e.g `bifrost-2020-02-26-a44c610` or `master-2020-03-01-18ca5ab` This is an alternative to ipfs#6949 that requires no credentials in CI, but does not ensure our published docker tags are tested. See ipfs#6949 for details License: MIT Signed-off-by: Oli Evans <[email protected]>
Thanks to @Mr0grog Co-Authored-By: Rob Brackett <[email protected]>
- use a circleci context to provide dockerhub credentials - use a yaml alias to reduce repetition for branch filters (thanks @Mr0grog) - limit docker-push step from test workflow to only run on relevant branches License: MIT Signed-off-by: Oli Evans <[email protected]>
Ok. I'm going to drag this version over the line. I'm going with date stamps rather than using circleci build numbers as a datestamp does the same job of telling you that a given image was created before or after another, and isn't tied to circleci...if we move ci in the future it would be dull to have the build number reset. I'm going to test it out with my personal docker account, and the credentails will be added to a circle context with access limted to a specific admin github team https://github.com/orgs/ipfs/teams/admin/members |
@Stebalien ...sanity check on our current docker builds in dockerhub, whatever gets pushed to the How do you handle releases, in terms of git branches and git tags? do you merge to the ...the I could fix it in this PR so that we have docker tags just for:
|
License: MIT Signed-off-by: Oli Evans <[email protected]>
License: MIT Signed-off-by: Oli Evans <[email protected]>
License: MIT Signed-off-by: Oli Evans <[email protected]>
Can we restrict this to some docker-release team? Or even a go-ipfs-release team? |
To release, we currently:
Same for patch releases. For the next major release, we're probably going to have to perform some git magic to clobber the patch release changes.
I'm not actually sure why we do this. Possibly because "latest" isn't reliable? Latest also includes RCs, IIRC. @whyrusleeping says "no reason really" |
I'm fine with that as long as latest actually points to the latest release. But is there any way to make release an alias for latest? |
With the current dockerhub autobuilds, the docker tags The proposal is to have the docker tag |
@Stebalien in it's current form, the circleci config requires that all tests pass on master or the stabilize-dht branch for use to push a new This may seem a little backwards... we may well want bleeding edge docker tags fo branches that dont always pass all tests, but we dont want to publish a semver release until all the tests are green... in its current form, it's left up to the releaser to decide when a commit is good enough to tag, and as long as it builds, there will be a corresponding docker tag, regardless of tests, which may be fine. Do you have preferences here? I'm thinking we could reduce the requirement for branch builds. Where should we set the bar for those? I'm inclined to leave the tag builds as they are, at the discression of the releaser, on the assumption the are tagging from a branch that has passing tests already. If you decide to tag a release in spite of a failing test, it would be annoying to not automatically get a docker tag for that because of ci. |
License: MIT Signed-off-by: Oli Evans <[email protected]>
Branch tagging also works! Tagging ********/test-go-ipfs:bifrost-2020-03-13-a527a7a and pushing to dockerhub
The push refers to repository [docker.io/********/test-go-ipfs]
b3a71461: Preparing
120503b3: Preparing
5cbec343: Preparing
c9d8d2e3: Preparing
34e54786: Preparing
83601870: Preparing
b220ea20: Preparing
04fb0a52: Preparing
63bdbaf4: Preparing
9e45ad9e: Preparing
eaf85be0: Preparing
335f47a8: Preparing
c115622f: Preparing
bifrost-2020-03-13-a527a7a: digest: sha256:722b1f290829c45cd5a437ceece44fc38fb281984c34b09c7298fe62cf14eb34 size: 3241
Tagging ********/test-go-ipfs:bifrost-latest and pushing to dockerhub
The push refers to repository [docker.io/********/test-go-ipfs]
b3a71461: Preparing
120503b3: Preparing
5cbec343: Preparing
c9d8d2e3: Preparing
34e54786: Preparing
83601870: Preparing
b220ea20: Preparing
04fb0a52: Preparing
63bdbaf4: Preparing
9e45ad9e: Preparing
eaf85be0: Preparing
335f47a8: Preparing
c115622f: Preparing
bifrost-latest: digest: sha256:722b1f290829c45cd5a437ceece44fc38fb281984c34b09c7298fe62cf14eb34 size: 3241
CircleCI received exit code 0 a wild |
License: MIT Signed-off-by: Oli Evans <[email protected]>
The dockerhub context is set up on circleci and limited to the To land this we just need to verify that we're happy with branch builds requiring all the tests to pass, while tags require none, but assume the tagger will make the call... then remove all the autobuilds from dockerhub and merge it. |
I'd say everything must always pass. If this becomes an issue, we can reduce the requirements (or just fix the issue). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
master-${BUILD_NUM}-${GIT_SHA1_SHORT}
is extremely useful to have, thank you! 👍
Adds script and ci config to push to docker hub when - the master or main branch changes - semver like tags are pushed to the repo Pushing a semver like tag pushes a docker image with the same tag. The docker latest tag points to the last semver version tag Pushing changes to main or master gets you a docker tag of the form <branch name>-<date>-<truncated commit sha> e.g main-2020-f435621. a <branch>-latest docker tag is provided as a convenince if you really want the bleeding edge. The branch name is included in the docker tag name to make that clearer. This is a tweak on what I set up for go-ipfs in ipfs/kubo#6949 License: MIT Signed-off-by: Oli Evans <[email protected]>
Adds script and ci config to push to docker hub when - the master or main branch changes - semver like tags are pushed to the repo Pushing a semver like tag pushes a docker image with the same tag. The docker latest tag points to the last semver version tag Pushing changes to main or master gets you a docker tag of the form <branch name>-<date>-<truncated commit sha> e.g main-2020-f435621. a <branch>-latest docker tag is provided as a convenince if you really want the bleeding edge. The branch name is included in the docker tag name to make that clearer. This is a tweak on what I set up for go-ipfs in ipfs/kubo#6949 License: MIT Signed-off-by: Oli Evans <[email protected]>
bifrost-1-a44c610c
bifrost-2-78347be9
bifrost-<build number>-<short git sha>
I've recreated the rest of the dockerhub autobuild rules we have currently, but it is worth taking a moment to review them as we may not want all of them, see:
https://hub.docker.com/repository/docker/ipfs/go-ipfs/builds
Of note the alternative here is to keep using dockerhub for autobuilds, and just have a job to build the docker image in CI to verify it builds, and a job to do the custom bifrost tag... but the dockerhub config is not version controlled, and is a faff to change, so I went the whole hog and ported the lot. Very much up for discussion though.
Also of note, the current set up means the workflow we have called
test
is executed for all branches but not tags (which is how its always been). I've made it so that thedocker-build
step runs in parallel, but thedocker-push
where we tag and publish to dockerhub requires all the tests to pass, which is much stricter than the current dockerhub autobuild, which will run regardless of our test failures.I've created a seperate workflow to trigger the docker steps when the repo is tagged, but it doesn't currently require any test jobs. It probably should, but I wanted to get a sanity check on what's here so far first.
This PR currently has the safety swtiches engaged in that it's currently configured to publish to an image on dockerhub called
olizilla/test-go-ipfs
rather thanipfs/go-ipfs
for now, and the script to do the tag and push to docker is in dry-run mode, so it would just log out the tag and push step rather than do them.TODO:
dockerhub
scoped to thego-ipfs release
github teampush-docker-tags.sh
ipfs/go-ipfs
License: MIT
Signed-off-by: Oli Evans [email protected]