
Commit 753ee45

authored
Merge pull request #1161 from bahe-msft/copilot/1160-issue-fix
feat: adding ghcr image publish support
2 parents 7780dac + 3584c06 commit 753ee45

10 files changed

Lines changed: 120 additions & 15 deletions


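--- a/.github/workflows/kubernetes-nightly-build.yml
+++ b/.github/workflows/kubernetes-nightly-build.yml
@@ -2,6 +2,7 @@ name: Kubernetes nightly build (Monorepo)
 
 permissions:
 contents: read
+packages: write
 
 on:
 workflow_dispatch:
@@ -155,10 +156,18 @@ jobs:
 username: ${{ secrets.ACR_USERNAME }}
 password: ${{ secrets.ACR_PASSWORD }}
 
+- name: Login to GHCR
+uses: docker/login-action@v3
+with:
+registry: ghcr.io
+username: ${{ github.actor }}
+password: ${{ secrets.GITHUB_TOKEN }}
+
 - name: Build and push (TAG=latest)
 working-directory: ${{ matrix.workdir }}
 run: |
 export TAG=latest
+export GHCR_REPO="ghcr.io/${GITHUB_REPOSITORY_OWNER,,}/opensandbox"
 if [ -n "${{ matrix.k8s_component }}" ]; then
 export COMPONENT="${{ matrix.k8s_component }}"
 fi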
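Review bot: `packages: write` is added to the workflow-level `permissions:` block, so every job in this workflow receives a GITHUB_TOKEN that can publish packages, not only the job that runs the new `Login to GHCR` step. Declaring it on that job instead keeps the scope where the push happens: a job-level `permissions:` holding `contents: read` and `packages: write`. A job-level block replaces the workflow-level set for that job, so it has to list every scope the job still needs. The same top-level addition appears in publish-components.yml and publish-server.yml; in the latter the `publish-pypi` and `bump-server-chart` jobs are visible and would inherit the scope unless they declare their own permissions. The job definitions lie outside these hunks, so confirm which jobs actually push to ghcr.io before moving the line.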

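--- a/.github/workflows/publish-components.yml
+++ b/.github/workflows/publish-components.yml
@@ -7,6 +7,7 @@ permissions:
 id-token: write
 attestations: write
 artifact-metadata: write
+packages: write
 
 on:
 workflow_dispatch:
@@ -68,6 +69,13 @@ jobs:
 username: ${{ secrets.ACR_USERNAME }}
 password: ${{ secrets.ACR_PASSWORD }}
 
+- name: Login to GHCR
+uses: docker/login-action@v3
+with:
+registry: ghcr.io
+username: ${{ github.actor }}
+password: ${{ secrets.GITHUB_TOKEN }}
+
 - name: Parse tag and set variables
 id: parse_tag
 run: |
@@ -127,6 +135,7 @@ jobs:
 
 export TAG=$IMAGE_TAG
 export COMPONENT=$COMPONENT
+export GHCR_REPO="ghcr.io/${GITHUB_REPOSITORY_OWNER,,}/opensandbox"
 chmod +x build.sh
 ./build.sh
 
@@ -140,16 +149,18 @@ jobs:
 echo "digest=$DIGEST" >> "$GITHUB_OUTPUT"
 echo "dockerhub_image=docker.io/opensandbox/$COMPONENT" >> "$GITHUB_OUTPUT"
 echo "acr_image=sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/$COMPONENT" >> "$GITHUB_OUTPUT"
+echo "ghcr_image=$GHCR_REPO/$COMPONENT" >> "$GITHUB_OUTPUT"
 
 - name: Sign release images
 if: github.ref_type == 'tag' && steps.parse_tag.outputs.image_tag != 'latest' && steps.parse_tag.outputs.image_tag != ''
 env:
 DIGEST: ${{ steps.build.outputs.digest }}
 DOCKERHUB_IMAGE: ${{ steps.build.outputs.dockerhub_image }}
 ACR_IMAGE: ${{ steps.build.outputs.acr_image }}
+GHCR_IMAGE: ${{ steps.build.outputs.ghcr_image }}
 run: |
 set -euo pipefail
-cosign sign --yes "${DOCKERHUB_IMAGE}@${DIGEST}" "${ACR_IMAGE}@${DIGEST}"
+cosign sign --yes "${DOCKERHUB_IMAGE}@${DIGEST}" "${ACR_IMAGE}@${DIGEST}" "${GHCR_IMAGE}@${DIGEST}"
 
 - name: Attest Docker Hub image
 if: github.ref_type == 'tag' && steps.parse_tag.outputs.image_tag != 'latest' && steps.parse_tag.outputs.image_tag != ''
@@ -169,6 +180,15 @@ jobs:
 push-to-registry: true
 create-storage-record: false
 
+- name: Attest GHCR image
+if: github.ref_type == 'tag' && steps.parse_tag.outputs.image_tag != 'latest' && steps.parse_tag.outputs.image_tag != ''
+uses: actions/attest@v4
+with:
+subject-name: ${{ steps.build.outputs.ghcr_image }}
+subject-digest: ${{ steps.build.outputs.digest }}
+push-to-registry: true
+create-storage-record: false
+
 - name: Bump component version in repo
 if: steps.parse_tag.outputs.image_tag != 'latest' && steps.parse_tag.outputs.image_tag != ''
 env: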
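Review bot: The added `Login to GHCR` and `Attest GHCR image` steps reference `docker/login-action@v3` and `actions/attest@v4` by mutable tag, in a workflow whose top-level permissions grant `id-token: write`, `attestations: write` and now `packages: write`, so whatever commit the tag resolves to at run time executes with signing and publishing rights. Pinning each action to a full commit SHA with the version kept as a trailing comment, `uses: docker/login-action@<full-commit-sha> # v3`, makes the release path reproducible and lets dependency updates be reviewed as diffs. The same login step is added in kubernetes-nightly-build.yml and publish-server.yml, and the same attest step in publish-server.yml. The workflow's existing steps are only partly visible here; if they follow the tag convention as well, the pinning is better done for the whole file in one change.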

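--- a/.github/workflows/publish-server.yml
+++ b/.github/workflows/publish-server.yml
@@ -10,6 +10,7 @@ permissions:
 id-token: write
 attestations: write
 artifact-metadata: write
+packages: write
 
 jobs:
 publish-pypi:
@@ -76,6 +77,13 @@ jobs:
 username: ${{ secrets.ACR_USERNAME }}
 password: ${{ secrets.ACR_PASSWORD }}
 
+- name: Login to GHCR
+uses: docker/login-action@v3
+with:
+registry: ghcr.io
+username: ${{ github.actor }}
+password: ${{ secrets.GITHUB_TOKEN }}
+
 - name: Parse tag and set variables
 id: parse_tag
 run: |
@@ -103,6 +111,7 @@ jobs:
 TAG: ${{ steps.parse_tag.outputs.image_tag }}
 BUILD_METADATA_FILE: ${{ runner.temp }}/opensandbox-server-image-metadata.json
 run: |
+export GHCR_REPO="ghcr.io/${GITHUB_REPOSITORY_OWNER,,}/opensandbox"
 chmod +x build.sh
 ./build.sh
 
@@ -116,16 +125,18 @@ jobs:
 echo "digest=$DIGEST" >> "$GITHUB_OUTPUT"
 echo "dockerhub_image=docker.io/opensandbox/server" >> "$GITHUB_OUTPUT"
 echo "acr_image=sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/server" >> "$GITHUB_OUTPUT"
+echo "ghcr_image=$GHCR_REPO/server" >> "$GITHUB_OUTPUT"
 
 - name: Sign release images
 if: github.ref_type == 'tag' && startsWith(github.ref, 'refs/tags/server/v') && steps.parse_tag.outputs.image_tag != 'latest' && steps.parse_tag.outputs.image_tag != ''
 env:
 DIGEST: ${{ steps.build.outputs.digest }}
 DOCKERHUB_IMAGE: ${{ steps.build.outputs.dockerhub_image }}
 ACR_IMAGE: ${{ steps.build.outputs.acr_image }}
+GHCR_IMAGE: ${{ steps.build.outputs.ghcr_image }}
 run: |
 set -euo pipefail
-cosign sign --yes "${DOCKERHUB_IMAGE}@${DIGEST}" "${ACR_IMAGE}@${DIGEST}"
+cosign sign --yes "${DOCKERHUB_IMAGE}@${DIGEST}" "${ACR_IMAGE}@${DIGEST}" "${GHCR_IMAGE}@${DIGEST}"
 
 - name: Attest Docker Hub image
 if: github.ref_type == 'tag' && startsWith(github.ref, 'refs/tags/server/v') && steps.parse_tag.outputs.image_tag != 'latest' && steps.parse_tag.outputs.image_tag != ''
@@ -145,6 +156,15 @@ jobs:
 push-to-registry: true
 create-storage-record: false
 
+- name: Attest GHCR image
+if: github.ref_type == 'tag' && startsWith(github.ref, 'refs/tags/server/v') && steps.parse_tag.outputs.image_tag != 'latest' && steps.parse_tag.outputs.image_tag != ''
+uses: actions/attest@v4
+with:
+subject-name: ${{ steps.build.outputs.ghcr_image }}
+subject-digest: ${{ steps.build.outputs.digest }}
+push-to-registry: true
+create-storage-record: false
+
 bump-server-chart:
 if: startsWith(github.ref, 'refs/tags/server/v')
 needs: publish-image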

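--- a/components/egress/build.sh
+++ b/components/egress/build.sh
@@ -32,6 +32,7 @@ build_arg_if_set() {
 }
 
 TAG=${TAG:-latest}
+GHCR_REPO=${GHCR_REPO:-}
 VERSION=${VERSION:-$(git describe --tags --always --dirty 2>/dev/null || echo "dev")}
 GIT_COMMIT=${GIT_COMMIT:-$(git rev-parse HEAD 2>/dev/null || echo "unknown")}
 BUILD_TIME=${BUILD_TIME:-$(default_build_time)}
@@ -49,14 +50,20 @@ docker buildx create --use --name egress-builder
 docker buildx inspect --bootstrap
 docker buildx ls
 
+IMAGE_TAGS=(-t opensandbox/egress:${TAG} -t sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/egress:${TAG})
 LATEST_TAGS=()
+if [[ -n "${GHCR_REPO}" ]]; then
+IMAGE_TAGS+=(-t "${GHCR_REPO}/egress:${TAG}")
+fi
 if [[ "${TAG}" == v* ]]; then
 LATEST_TAGS+=(-t opensandbox/egress:latest -t sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/egress:latest)
+if [[ -n "${GHCR_REPO}" ]]; then
+LATEST_TAGS+=(-t "${GHCR_REPO}/egress:latest")
+fi
 fi
 
 docker buildx build \
--t opensandbox/egress:${TAG} \
--t sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/egress:${TAG} \
+"${IMAGE_TAGS[@]}" \
 "${LATEST_TAGS[@]}" \
 -f components/egress/Dockerfile \
 "${BUILD_ARGS[@]}" \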

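--- a/components/execd/build.sh
+++ b/components/execd/build.sh
@@ -32,6 +32,7 @@ build_arg_if_set() {
 }
 
 TAG=${TAG:-latest}
+GHCR_REPO=${GHCR_REPO:-}
 VERSION=${VERSION:-$(git describe --tags --always --dirty 2>/dev/null || echo "dev")}
 GIT_COMMIT=${GIT_COMMIT:-$(git rev-parse HEAD 2>/dev/null || echo "unknown")}
 BUILD_TIME=${BUILD_TIME:-$(default_build_time)}
@@ -53,14 +54,20 @@ docker buildx inspect --bootstrap
 
 docker buildx ls
 
+IMAGE_TAGS=(-t opensandbox/execd:${TAG} -t sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/execd:${TAG})
 LATEST_TAGS=()
+if [[ -n "${GHCR_REPO}" ]]; then
+IMAGE_TAGS+=(-t "${GHCR_REPO}/execd:${TAG}")
+fi
 if [[ "${TAG}" == v* ]]; then
 LATEST_TAGS+=(-t opensandbox/execd:latest -t sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/execd:latest)
+if [[ -n "${GHCR_REPO}" ]]; then
+LATEST_TAGS+=(-t "${GHCR_REPO}/execd:latest")
+fi
 fi
 
 docker buildx build \
--t opensandbox/execd:${TAG} \
--t sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/execd:${TAG} \
+"${IMAGE_TAGS[@]}" \
 "${LATEST_TAGS[@]}" \
 -f components/execd/Dockerfile \
 "${BUILD_ARGS[@]}" \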

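--- a/components/ingress/build.sh
+++ b/components/ingress/build.sh
@@ -32,6 +32,7 @@ build_arg_if_set() {
 }
 
 TAG=${TAG:-latest}
+GHCR_REPO=${GHCR_REPO:-}
 VERSION=${VERSION:-$(git describe --tags --always --dirty 2>/dev/null || echo "dev")}
 GIT_COMMIT=${GIT_COMMIT:-$(git rev-parse HEAD 2>/dev/null || echo "unknown")}
 BUILD_TIME=${BUILD_TIME:-$(default_build_time)}
@@ -53,14 +54,20 @@ docker buildx inspect --bootstrap
 
 docker buildx ls
 
+IMAGE_TAGS=(-t opensandbox/ingress:${TAG} -t sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/ingress:${TAG})
 LATEST_TAGS=()
+if [[ -n "${GHCR_REPO}" ]]; then
+IMAGE_TAGS+=(-t "${GHCR_REPO}/ingress:${TAG}")
+fi
 if [[ "${TAG}" == v* ]]; then
 LATEST_TAGS+=(-t opensandbox/ingress:latest -t sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/ingress:latest)
+if [[ -n "${GHCR_REPO}" ]]; then
+LATEST_TAGS+=(-t "${GHCR_REPO}/ingress:latest")
+fi
 fi
 
 docker buildx build \
--t opensandbox/ingress:${TAG} \
--t sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/ingress:${TAG} \
+"${IMAGE_TAGS[@]}" \
 "${LATEST_TAGS[@]}" \
 -f components/ingress/Dockerfile \
 "${BUILD_ARGS[@]}" \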

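--- a/kubernetes/build.sh
+++ b/kubernetes/build.sh
@@ -26,6 +26,7 @@ build_arg_if_set() {
 TAG=${TAG:-latest}
 COMPONENT=${COMPONENT:-controller}
 PUSH=${PUSH:-true}
+GHCR_REPO=${GHCR_REPO:-}
 BUILD_METADATA_FILE=${BUILD_METADATA_FILE:-build/${COMPONENT}-image-metadata.json}
 BUILD_ARGS=()
 for name in GOFLAGS LDFLAGS CGO_ENABLED CC CXX CFLAGS CXXFLAGS CGO_CFLAGS CGO_CXXFLAGS CGO_LDFLAGS; do
@@ -67,13 +68,17 @@ echo "========================================="
 PLATFORMS="linux/amd64,linux/arm64"
 
 if [ "$PUSH" == "true" ]; then
+IMAGE_TAGS=(-t "${DOCKERHUB_REPO}/${IMAGE_NAME}:${TAG}" -t "${ACR_REPO}/${IMAGE_NAME}:${TAG}")
+if [[ -n "${GHCR_REPO}" ]]; then
+IMAGE_TAGS+=(-t "${GHCR_REPO}/${IMAGE_NAME}:${TAG}")
+fi
+
 # Build and push to registry
 docker buildx build \
 --platform $PLATFORMS \
 $BUILD_ARG \
 "${BUILD_ARGS[@]}" \
--t "${DOCKERHUB_REPO}/${IMAGE_NAME}:${TAG}" \
--t "${ACR_REPO}/${IMAGE_NAME}:${TAG}" \
+"${IMAGE_TAGS[@]}" \
 --metadata-file "${BUILD_METADATA_FILE}" \
 --push \
 -f "$DOCKERFILE" \
@@ -83,6 +88,9 @@ if [ "$PUSH" == "true" ]; then
 echo "Successfully built and pushed:"
 echo " ${DOCKERHUB_REPO}/${IMAGE_NAME}:${TAG}"
 echo " ${ACR_REPO}/${IMAGE_NAME}:${TAG}"
+if [[ -n "${GHCR_REPO}" ]]; then
+echo " ${GHCR_REPO}/${IMAGE_NAME}:${TAG}"
+fi
 echo "========================================="
 else
 # Build only (for local testing)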

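--- a/kubernetes/docs/BUILD-IMAGES.md
+++ b/kubernetes/docs/BUILD-IMAGES.md
@@ -22,6 +22,9 @@ COMPONENT=task-executor TAG=v0.1.0 PUSH=false ./build.sh
 # Ensure you are logged in to Alibaba Cloud ACR
 docker login sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com
 
+# Optional: also push to GitHub Container Registry
+docker login ghcr.io
+
 # Build and push controller image
 COMPONENT=controller TAG=v0.1.0 ./build.sh
 
@@ -34,6 +37,7 @@ COMPONENT=task-executor TAG=v0.1.0 ./build.sh
 - `COMPONENT`: The component to build. Options: `controller`, `task-executor`
 - `TAG`: Image tag, defaults to `latest`
 - `PUSH`: Whether to push to remote registry, defaults to `true`
+- `GHCR_REPO`: Optional GHCR repository prefix, for example `ghcr.io/opensandbox-group/opensandbox`
 
 ## Option 2: Using GitHub Actions
 
@@ -85,11 +89,22 @@ make docker-push-task-executor TASK_EXECUTOR_IMG=myregistry/opensandbox-task-exe
 
 ## Image Registry
 
-Built images are pushed to the following registry:
+Built images are pushed to Docker Hub and Alibaba Cloud Container Registry (ACR). When `GHCR_REPO` is set, the same images are also pushed to GitHub Container Registry (GHCR).
+
+### Docker Hub
+- Controller: `opensandbox/controller:<tag>`
+- Task Executor: `opensandbox/task-executor:<tag>`
+- Image Committer: `opensandbox/image-committer:<tag>`
 
 ### Alibaba Cloud Container Registry (ACR)
 - Controller: `sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/controller:<tag>`
 - Task Executor: `sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/task-executor:<tag>`
+- Image Committer: `sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/image-committer:<tag>`
+
+### GitHub Container Registry (GHCR)
+- Controller: `ghcr.io/<owner>/opensandbox/controller:<tag>`
+- Task Executor: `ghcr.io/<owner>/opensandbox/task-executor:<tag>`
+- Image Committer: `ghcr.io/<owner>/opensandbox/image-committer:<tag>`
 
 ## Multi-Architecture Support
 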

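--- a/sandboxes/code-interpreter/build.sh
+++ b/sandboxes/code-interpreter/build.sh
@@ -16,6 +16,7 @@
 set -ex
 
 TAG=${TAG:-latest}
+GHCR_REPO=${GHCR_REPO:-}
 BUILD_METADATA_FILE=${BUILD_METADATA_FILE:-build/code-interpreter-image-metadata.json}
 mkdir -p "$(dirname "${BUILD_METADATA_FILE}")"
 
@@ -33,9 +34,13 @@ docker buildx ls
 # --push \
 # .
 
+IMAGE_TAGS=(-t opensandbox/code-interpreter:${TAG} -t sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/code-interpreter:${TAG})
+if [[ -n "${GHCR_REPO}" ]]; then
+IMAGE_TAGS+=(-t "${GHCR_REPO}/code-interpreter:${TAG}")
+fi
+
 docker buildx build \
-t opensandbox/code-interpreter:${TAG} \
-t sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/code-interpreter:${TAG} \
+"${IMAGE_TAGS[@]}" \
 --platform linux/amd64,linux/arm64 \
 --metadata-file "${BUILD_METADATA_FILE}" \
 --push \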
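Review bot: The new `IMAGE_TAGS=(…)` assignment leaves `${TAG}` unquoted in its Docker Hub and ACR elements while the GHCR element appended right below it is quoted, so the first two references still go through word splitting and globbing before they reach `docker buildx build`. Quoting every element keeps exactly one image reference per array slot: `IMAGE_TAGS=(-t "opensandbox/code-interpreter:${TAG}" -t "sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/code-interpreter:${TAG}")`. The same unquoted form is in the `IMAGE_TAGS` lines added to components/egress, components/execd, components/ingress and server build.sh, whereas kubernetes/build.sh already quotes its elements. The `docker buildx build` command continues past the end of this hunk.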

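--- a/server/build.sh
+++ b/server/build.sh
@@ -16,6 +16,7 @@
 set -ex
 
 TAG=${TAG:-latest}
+GHCR_REPO=${GHCR_REPO:-}
 BUILD_METADATA_FILE=${BUILD_METADATA_FILE:-build/server-image-metadata.json}
 mkdir -p "$(dirname "${BUILD_METADATA_FILE}")"
 
@@ -27,14 +28,20 @@ docker buildx inspect --bootstrap
 
 docker buildx ls
 
+IMAGE_TAGS=(-t opensandbox/server:${TAG} -t sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/server:${TAG})
 LATEST_TAGS=()
+if [[ -n "${GHCR_REPO}" ]]; then
+IMAGE_TAGS+=(-t "${GHCR_REPO}/server:${TAG}")
+fi
 if [[ "${TAG}" == v* ]]; then
 LATEST_TAGS+=(-t opensandbox/server:latest -t sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/server:latest)
+if [[ -n "${GHCR_REPO}" ]]; then
+LATEST_TAGS+=(-t "${GHCR_REPO}/server:latest")
+fi
 fi
 
 docker buildx build \
-t opensandbox/server:${TAG} \
-t sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/server:${TAG} \
+"${IMAGE_TAGS[@]}" \
 "${LATEST_TAGS[@]}" \
 --platform linux/amd64,linux/arm64 \
 --metadata-file "${BUILD_METADATA_FILE}" \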
