ci(docker): images should have independent major minor tags (#3406)

bosbaber · web-flow · commit 3e6d5c9f4e49 · 2025-06-04T10:08:23.000+02:00
This PR refactors the image building, tagging and pushing github actions so that an appropriate hierarchy of tags are created.

These changes was extensively tested on a fork under my personal github account. You can view the actions logs here.

Changes proposed in this pull request
Tag independent minor and major docker images on releases
Refactoring of CI workflow
Performance test CI job modified to skip automatic commenting if PR is from a fork like this one
On releasing of new version v1.1.1

images created and pushed for the following tags
package_name v1.1.1
package_name v1.1
package_name v1
On releasing of new version v1.1.1-beta

images created and pushed for the following tags

package_name v1.1.1-beta
package_name v1.1-beta
package_name v1-beta
If any of the of the minor or major tags already exist we will simply override them.
diff --git a/.github/actions/image-push/action.yml b/.github/actions/image-push/action.yml
@@ -0,0 +1,68 @@
+name: "Version hierarchy image pusher"
+description: "Will re-tag the docker image to create images for parent versions. For example, if the image is tagged 1.2.3, it will create a tag for 1.2 and 1.0 as well."
+
+inputs:
+  app_name:
+    description: "The name of the application."
+    required: true
+  package:
+    required: true
+    description: "Package we are building, for example, 'rafiki-auth' or 'rafiki-backend'."
+  platform_name:
+    required: true
+    description: "Platform we are building for, for example, 'amd64' or 'arm64'."
+  gh_token:
+    description: "GitHub token to use for authentication."
+    required: true
+  version:
+    required: true
+    description: "Version we are tagging as, for example v1.2.3 or v1.2.3-rc1"
+  
+  
+runs:
+  using: "composite"
+  steps:
+    - name: Calculate version hierarchy
+      id: hierarchy
+      uses: ./.github/actions/parent-versions
+      with:
+        version: ${{ inputs.version }}
+    - name: Fetch docker image from cache
+      uses: actions/cache/restore@v4
+      with:
+        path: /tmp/${{ github.sha }}-${{ inputs.package }}-${{ inputs.platform_name }}-${{ inputs.version }}.tar
+        key: ${{ github.sha }}-${{ inputs.package }}-${{ inputs.platform_name }}-${{ inputs.version }}
+        fail-on-cache-miss: true
+    - name: Set up QEMU
+      uses: docker/setup-qemu-action@v3
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+    - name: Login to GHCR
+      uses: docker/login-action@v3
+      with:
+        registry: ghcr.io
+        username: ${{ github.repository_owner }}
+        password: ${{ inputs.gh_token }}
+    - name: Load image into Docker
+      shell: bash
+      run: |
+        docker load --input /tmp/${{ github.sha }}-${{ inputs.package }}-${{ inputs.platform_name }}-${{ inputs.version }}.tar
+    - name: List docker images
+      shell: bash
+      run: docker images
+    - name: Push to registry
+      shell: bash
+      run: |
+        echo "Pushing image to registry"
+        docker push ghcr.io/${{ github.repository_owner }}/${{ inputs.app_name }}-${{ inputs.package }}-${{ inputs.platform_name }}:${{ inputs.version }}
+    - name: Tag and push parent versions
+      shell: bash
+      if: ${{ steps.hierarchy.outputs.has_hierarchy == 'true' }}
+      run: |
+        echo "Tagging parent versions with ${{ inputs.version }}, ${{ steps.hierarchy.outputs.minor_parent }} and ${{ steps.hierarchy.outputs.major_parent }}"
+        docker tag ghcr.io/${{ github.repository_owner }}/${{ inputs.app_name }}-${{ inputs.package }}-${{ inputs.platform_name }}:${{ inputs.version }} ghcr.io/${{ github.repository_owner }}/${{ inputs.app_name}}-${{ inputs.package }}-${{ inputs.platform_name }}:${{ steps.hierarchy.outputs.major_parent }}
+        docker tag ghcr.io/${{ github.repository_owner }}/${{ inputs.app_name }}-${{ inputs.package }}-${{ inputs.platform_name }}:${{ inputs.version }} ghcr.io/${{ github.repository_owner }}/${{ inputs.app_name}}-${{ inputs.package }}-${{ inputs.platform_name }}:${{ steps.hierarchy.outputs.minor_parent }}
+
+        echo "Pushing parent tagged images to registry"
+        docker push ghcr.io/${{ github.repository_owner }}/${{ inputs.app_name }}-${{ inputs.package }}-${{ inputs.platform_name }}:${{ steps.hierarchy.outputs.major_parent }}
+        docker push ghcr.io/${{ github.repository_owner }}/${{ inputs.app_name }}-${{ inputs.package }}-${{ inputs.platform_name }}:${{ steps.hierarchy.outputs.minor_parent }}
diff --git a/.github/actions/manifest-push/action.yml b/.github/actions/manifest-push/action.yml
@@ -0,0 +1,62 @@
+name: "Push manifest list for arm64 and amd64"  
+
+inputs:
+  app_name:
+    description: "The name of the application."
+    required: true
+  package:
+    required: true
+  gh_token:
+    description: "GitHub token to use for authentication."
+    required: true
+  version:
+    required: true
+    description: "Version we are tagging as, for example v1.2.3 or v1.2.3-rc1"
+  
+runs:
+  using: "composite"
+  steps:
+    - name: Calculate version hierarchy
+      id: hierarchy
+      uses: ./.github/actions/parent-versions
+      with:
+        version: ${{ inputs.version }}
+
+    - name: Login to GHCR
+      uses: docker/login-action@v3
+      with:
+        registry: ghcr.io
+        username: ${{ github.repository_owner }}
+        password: ${{ inputs.gh_token }}
+    - name: Create manifest list with parent versions
+      if: steps.hierarchy.outputs.has_hierarchy == 'true'
+      shell: bash
+      run: |
+        docker manifest create ghcr.io/${{ github.repository_owner }}/${{ inputs.app_name }}-${{ inputs.package }}:${{ inputs.version }} \
+        --amend ghcr.io/${{ github.repository_owner }}/${{ inputs.app_name }}-${{ inputs.package }}-amd64:${{ inputs.version }} \
+        --amend ghcr.io/${{ github.repository_owner }}/${{ inputs.app_name }}-${{ inputs.package }}-arm64:${{ inputs.version }}
+
+        docker manifest create ghcr.io/${{ github.repository_owner }}/${{ inputs.app_name }}-${{ inputs.package }}:${{ steps.hierarchy.outputs.minor_parent }} \
+        --amend ghcr.io/${{ github.repository_owner }}/${{ inputs.app_name }}-${{ inputs.package }}-amd64:${{ steps.hierarchy.outputs.minor_parent }} \
+        --amend ghcr.io/${{ github.repository_owner }}/${{ inputs.app_name }}-${{ inputs.package }}-arm64:${{ steps.hierarchy.outputs.minor_parent }}
+        
+        docker manifest create ghcr.io/${{ github.repository_owner }}/${{ inputs.app_name }}-${{ inputs.package }}:${{ steps.hierarchy.outputs.major_parent }} \
+        --amend ghcr.io/${{ github.repository_owner }}/${{ inputs.app_name }}-${{ inputs.package }}-amd64:${{ steps.hierarchy.outputs.major_parent }} \
+        --amend ghcr.io/${{ github.repository_owner }}/${{ inputs.app_name }}-${{ inputs.package }}-arm64:${{ steps.hierarchy.outputs.major_parent }}
+    - name: Create manifest list without parent versions
+      if: steps.hierarchy.outputs.has_hierarchy != 'true'
+      shell: bash
+      run: |
+        docker manifest create ghcr.io/${{ github.repository_owner }}/${{ inputs.app_name }}-${{ inputs.package }}:${{ inputs.version }} \
+        --amend ghcr.io/${{ github.repository_owner }}/${{ inputs.app_name }}-${{ inputs.package }}-amd64:${{ inputs.version }} \
+        --amend ghcr.io/${{ github.repository_owner }}/${{ inputs.app_name }}-${{ inputs.package }}-arm64:${{ inputs.version }}
+    - name: Push manifest list
+      shell: bash
+      run: |
+        docker manifest push ghcr.io/${{ github.repository_owner }}/${{ inputs.app_name }}-${{ inputs.package }}:${{ inputs.version }}
+    - name: Push manifests of parent versions
+      if: steps.hierarchy.outputs.has_hierarchy == 'true'
+      shell: bash
+      run: |
+        docker manifest push ghcr.io/${{ github.repository_owner }}/${{ inputs.app_name }}-${{ inputs.package }}:${{ steps.hierarchy.outputs.minor_parent }}
+        docker manifest push ghcr.io/${{ github.repository_owner }}/${{ inputs.app_name }}-${{ inputs.package }}:${{ steps.hierarchy.outputs.major_parent }}
diff --git a/.github/actions/parent-versions/action.yml b/.github/actions/parent-versions/action.yml
@@ -0,0 +1,56 @@
+name: Version hierarchy calculator
+
+inputs:
+  version:
+    description: "Version we are tagging as, for example v1.2.3 or v1.2.3-rc1, but it can also be 'nightly' in which case no hierarchy will be generated"
+    required: true
+
+outputs:
+  has_hierarchy:
+    description: "Whether this version has a parent hierarchy"
+    value: ${{ steps.calc.outputs.has_hierarchy }}
+  version:
+    description: "Same version string as provided as input, here for convenience"
+    value: ${{ inputs.version }}
+  major_parent:
+    description: "The major parent tag (e.g. v1 or v1-rc1), empty string if no hierarchy"
+    value: ${{ steps.calc.outputs.major_parent }}
+  minor_parent:
+    description: "The minor parent tag (e.g. v1.2 or v1.2-rc1), empty string if no hierarchy"
+    value: ${{ steps.calc.outputs.minor_parent }}
+runs:
+  using: "composite"
+  steps:
+    - name: Calculate version hierarchy
+      id: calc
+      shell: bash
+      run: |
+        # If the version is 'nightly' or some other unstructured string, we don't want to create a hierarchy
+        if ! [[ ${{ inputs.version }} =~ ^v[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+ ]];
+        then
+          echo "has_hierarchy=false"     >> $GITHUB_OUTPUT
+          echo "major_parent=" >> $GITHUB_OUTPUT
+          echo "minor_parent=" >> $GITHUB_OUTPUT
+          exit 0
+        fi
+
+        # strip leading 'v'
+        version="${{ inputs.version }}"
+        raw="${version#v}"
+        # extract parts
+        major_num="${raw%%.*}"
+        minor_num="$(echo "$raw" | cut -d'.' -f2)"
+        pre_release="$(echo "$raw" | grep -oP '(?<=-).*' || echo "")"
+
+        # build parents
+        minor_label="v${major_num}.${minor_num}"
+        major_label="v${major_num}"
+        if [[ -n "$pre_release" ]]; then
+          minor_label+="-$pre_release"
+          major_label+="-$pre_release"
+        fi
+
+        # emit outputs
+        echo "has_hierarchy=true"     >> $GITHUB_OUTPUT
+        echo "major_parent=$major_label" >> $GITHUB_OUTPUT
+        echo "minor_parent=$minor_label" >> $GITHUB_OUTPUT
diff --git a/.github/workflows/node-build.yml b/.github/workflows/node-build.yml
@@ -206,11 +206,25 @@ jobs:
           pnpm --filter performance run-tests:testenv -k -q --vus 4 --duration 1m | tee performance.log
 
       - name: Post/Update Performance Test Results as PR Comment
-        if: always()
+        if: ${{ github.event_name == 'pull_request' }}
         uses: actions/github-script@v7
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
+            const pr = context.payload.pull_request;
+            if (!pr) {
+              console.log("No PR detected, skipping comment.");
+              return;
+            }
+
+            const sourceOwner = pr.head.repo.owner.login;
+            const targetOwner = pr.base.repo.owner.login;
+
+            if (sourceOwner !== targetOwner) {
+              console.log("PR is from a fork, skipping automatic comment for security reasons.");
+              return;
+            }
+
             const fs = require('fs');
             const summaryPath = './test/performance/k6-test-summary.txt';
             const logPath = './performance.log';
@@ -236,7 +250,6 @@ jobs:
             const maxLogSize = 60000;
             const truncatedLogs = logContent.length > maxLogSize ? `...(truncated)...\n${logContent.slice(-maxLogSize)}` : logContent;
 
-
             const commentBody = `
             ### 🚀 Performance Test Results  
 
@@ -466,10 +479,10 @@ jobs:
         run: |
           docker images
           /tmp/trivy image --db-repository ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db --java-db-repository ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db --ignore-unfixed --format table --vuln-type os,library --exit-code 1 --severity HIGH --input /tmp/${{ github.sha }}-${{ matrix.package }}-${{ matrix.platform.name }}-${{ needs.version-generator.outputs.version }}.tar
-  
+
   push:
     name: Push to registry
-    needs: [version-generator, docker-grype, docker-trivy, version-generator, node-build]
+    needs: [version-generator, docker-grype, docker-trivy, node-build]
     runs-on: ubuntu-latest
     if: needs.version-generator.outputs.dockerPush == 'true'
     strategy:
@@ -484,34 +497,18 @@ jobs:
           - backend
           - frontend
     steps:
-      - name: Fetch docker image from cache
-        uses: actions/cache/restore@v4
-        with:
-          path: /tmp/${{ github.sha }}-${{ matrix.package }}-${{ matrix.platform.name }}-${{ needs.version-generator.outputs.version }}.tar
-          key: ${{ github.sha }}-${{ matrix.package }}-${{ matrix.platform.name }}-${{ needs.version-generator.outputs.version }}
-          fail-on-cache-miss: true
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-      - name: Login to GHCR
-        uses: docker/login-action@v3
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/image-push
         with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Load image into Docker
-        run: |
-          docker load --input /tmp/${{ github.sha }}-${{ matrix.package }}-${{ matrix.platform.name }}-${{ needs.version-generator.outputs.version }}.tar
-      - name: List docker images
-        run: docker images
-      - name: Push to registry
-        run: |
-          docker push ghcr.io/${{ github.repository_owner }}/rafiki-${{ matrix.package }}-${{ matrix.platform.name }}:${{ needs.version-generator.outputs.version }}
+          app_name: rafiki
+          package: ${{ matrix.package }}
+          platform_name: ${{ matrix.platform.name }}
+          version: ${{ needs.version-generator.outputs.version }}
+          gh_token: ${{ secrets.GITHUB_TOKEN }}
   
   push-manifest:
     name: Push multi-arch manifest list
-    needs: [version-generator, push]
+    needs: [version-generator,push]
     runs-on: ubuntu-latest
     if: needs.version-generator.outputs.dockerPush == 'true'
     strategy:
@@ -521,20 +518,14 @@ jobs:
           - backend
           - frontend
     steps:
-      - name: Login to GHCR
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Create manifest list  
-        run: |
-          docker manifest create ghcr.io/${{ github.repository_owner }}/rafiki-${{ matrix.package }}:${{ needs.version-generator.outputs.version }} \
-          --amend ghcr.io/${{ github.repository_owner }}/rafiki-${{ matrix.package }}-amd64:${{ needs.version-generator.outputs.version }} \
-          --amend ghcr.io/${{ github.repository_owner }}/rafiki-${{ matrix.package }}-arm64:${{ needs.version-generator.outputs.version }}
+      - uses: actions/checkout@v4
       - name: Push manifest list
-        run: |
-          docker manifest push ghcr.io/${{ github.repository_owner }}/rafiki-${{ matrix.package }}:${{ needs.version-generator.outputs.version }}
+        uses: ./.github/actions/manifest-push
+        with:
+          app_name: rafiki
+          package: ${{ matrix.package }}
+          gh_token: ${{ secrets.GITHUB_TOKEN }}
+          version: ${{ needs.version-generator.outputs.version }}
   
   generate-release:
     runs-on: ubuntu-latest
@@ -551,7 +542,7 @@ jobs:
           tag: ${{ needs.version-generator.outputs.version }}
           includeRefIssues: false
       - name: Create Release
-        uses: ncipollo/release-action@v1.15.0
+        uses: ncipollo/release-action@v1.16.0
         with:
           allowUpdates: true
           draft: false
