stackabletech / docker-images

Apache License 2.0

ci(release): Various workflow fixes #790

Closed NickLarsenNZ closed 1 month ago

NickLarsenNZ commented 1 month ago
sbernauer commented 1 month ago

@dervoeti will review as well

dervoeti commented 1 month ago

When I build an image locally with bake, push it and then run docker images --digests "$(< bake-target-tags)" --format '{{.Digest}}', it prints <none>. But that might be because my local build was in some way different from what we do in CI. Also, I think .Digest is the local digest and the digest we are interested in is actually in .RepoDigests, which is an array (it should only have one element in our case though). As far as I remember, the "remote" digest in the repo you pushed to is different from the local one.

NickLarsenNZ commented 1 month ago

I would have to look into the Digest meaning. When I ran it, it was the same as the remote, and I never saw arrays of digests, only the final.

Maybe for now, I can keep it the current way, and just print the output of this command (or even compare it), and we can check it over time to see if it matched.

dervoeti commented 1 month ago

Sounds good! Just want to make sure that we use the correct digest, otherwise signings / SBOMs will break for new builds. If it's the same digest then it's fine for me, printing the digests to compare them sounds like a good next step. I just remembered that I saw some differences when I tried it that way, but that was about a year ago, things might have changed.

NickLarsenNZ commented 1 month ago

On second thought @dervoeti, I'd like to keep my change. I took another look, and it appears to be fine (see explanation below).

We are also a while away from the next release, so doing this earlier gives us plenty of time to fix any issues that might appear.


Explanation

The digest used to come from the last line of this output (STDOUT):

Using default tag: latest
The push refers to repository [docker.stackable.tech/sandbox/nick/alpine]
78561cef0761: Preparing
78561cef0761: Pushed
latest: digest: sha256:eddacbc7e24bf8799a4ed3cdcfa50d4b88a323695ad80f317b6629883b2c2a78 size: 528

This matches what I get from:

❯ docker images --digests docker.stackable.tech/sandbox/nick/alpine --format '{{.Digest}}'
sha256:eddacbc7e24bf8799a4ed3cdcfa50d4b88a323695ad80f317b6629883b2c2a78

This doesn't work at all: docker images --digests docker.stackable.tech/sandbox/nick/alpine --format '{{.RepoDigests}}'.
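Added example, not part of the pull request or the project's workflow: a fail-closed check that takes the digest from the last line of `docker push` output and the value printed by `docker images --digests ... --format '{{.Digest}}'`, and only yields a digest for signing or SBOM attestation when both are well-formed and equal. The function names are hypothetical, and the sample input is constructed from the output quoted in the comment above.

```shell
#!/bin/sh
# Added example: hypothetical helper names, not the project's workflow code.

# Extract the manifest digest from `docker push` STDOUT (read on stdin).
# The line of interest looks like: "<tag>: digest: sha256:<64 hex> size: <n>".
digest_from_push_output() {
    sed -n 's/^.*: digest: \(sha256:[0-9a-f]\{64\}\) size: [0-9]*$/\1/p' | tail -n 1
}

# Succeed only if $1 is a well-formed sha256 digest (rejects "<none>" and empty).
is_sha256_digest() {
    printf '%s\n' "$1" | grep -Eq '^sha256:[0-9a-f]{64}$'
}

# Print the digest only when both sources are well-formed and identical.
# $1 = digest parsed from push output
# $2 = output of `docker images --digests <ref> --format '{{.Digest}}'`
agreed_digest() {
    is_sha256_digest "$1" || { echo "push digest missing or malformed: '$1'" >&2; return 1; }
    is_sha256_digest "$2" || { echo "local digest missing or malformed: '$2'" >&2; return 1; }
    [ "$1" = "$2" ] || { echo "digest mismatch: push=$1 local=$2" >&2; return 1; }
    printf '%s\n' "$1"
}

# Constructed sample input: the push output quoted in the comment above.
SAMPLE_PUSH_OUTPUT='Using default tag: latest
The push refers to repository [docker.stackable.tech/sandbox/nick/alpine]
78561cef0761: Preparing
78561cef0761: Pushed
latest: digest: sha256:eddacbc7e24bf8799a4ed3cdcfa50d4b88a323695ad80f317b6629883b2c2a78 size: 528'
SAMPLE_LOCAL_DIGEST='sha256:eddacbc7e24bf8799a4ed3cdcfa50d4b88a323695ad80f317b6629883b2c2a78'

PUSHED=$(printf '%s\n' "$SAMPLE_PUSH_OUTPUT" | digest_from_push_output)

# Both sources agree: the digest is printed and can be handed to the signing step.
agreed_digest "$PUSHED" "$SAMPLE_LOCAL_DIGEST"

# The "<none>" case reported earlier in the thread: stop instead of signing.
agreed_digest "$PUSHED" "<none>" || echo "refusing to sign: no usable digest"
```
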

dervoeti commented 1 month ago

Yep okay, fine with me. Maybe we can run the build once with the new workflow for one of the images? For example: https://github.com/stackabletech/docker-images/actions/workflows/dev_opa.yaml?query=branch%3Afixes-for-the-jilted-generation

NickLarsenNZ commented 1 month ago

@dervoeti we can test it on https://github.com/stackabletech/docker-images/pull/797