lifecycle: build binary dependencies which link against SSL directly (#12724)

* lifecycle: install binary dependencies in dockerfile directly Signed-off-by: Jens Langhammer <jens@goauthentik.io> * install ua-parser-builtins manually as its only distributed as binary Signed-off-by: Jens Langhammer <jens@goauthentik.io> * build duo_client from scratch, sigh Signed-off-by: Jens Langhammer <jens@goauthentik.io> * deps for kadmin Signed-off-by: Jens Langhammer <jens@goauthentik.io> * ok fine Signed-off-by: Jens Langhammer <jens@goauthentik.io> * run on arm runner? Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix yaml format Signed-off-by: Jens Langhammer <jens@goauthentik.io> * rewrite release pipeline to use re-usable workflows Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix typo Signed-off-by: Jens Langhammer <jens@goauthentik.io> * re-usable multi-arch build? Signed-off-by: Jens Langhammer <jens@goauthentik.io> * also add suffix for amd64 Signed-off-by: Jens Langhammer <jens@goauthentik.io> * parameterise image name Signed-off-by: Jens Langhammer <jens@goauthentik.io> * re-use workflow for CI images...? Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix missing checkout Signed-off-by: Jens Langhammer <jens@goauthentik.io> * inherit secrets Signed-off-by: Jens Langhammer <jens@goauthentik.io> * temp build directly Signed-off-by: Jens Langhammer <jens@goauthentik.io> * get cache-to from python script Signed-off-by: Jens Langhammer <jens@goauthentik.io> * better name? Signed-off-by: Jens Langhammer <jens@goauthentik.io> * matrix for merging images? Signed-off-by: Jens Langhammer <jens@goauthentik.io> * re-add build dep Signed-off-by: Jens Langhammer <jens@goauthentik.io> * use multi-image tag Signed-off-by: Jens Langhammer <jens@goauthentik.io> * include arch in buildcache Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2025-01-21 15:36:25 +01:00
parent 90a85abf9d
commit faab182404
11 changed files with 261 additions and 146 deletions
--- a/.github/workflows/_reusable-docker-build-single.yaml
+++ b/.github/workflows/_reusable-docker-build-single.yaml
@ -0,0 +1,94 @@
+# Re-usable workflow for a single-architecture build
+name: Single-arch Container build
+
+on:
+  workflow_call:
+    inputs:
+      image_name:
+        required: true
+        type: string
+      image_arch:
+        required: true
+        type: string
+      runs-on:
+        required: true
+        type: string
+      registry_dockerhub:
+        default: false
+        type: boolean
+      registry_ghcr:
+        default: false
+        type: boolean
+      release:
+        default: false
+        type: boolean
+    outputs:
+      image-digest:
+        value: ${{ jobs.build.outputs.image-digest }}
+
+jobs:
+  build:
+    name: Build ${{ inputs.image_arch }}
+    runs-on: ${{ inputs.runs-on }}
+    outputs:
+      image-digest: ${{ steps.push.outputs.digest }}
+    permissions:
+      # Needed to upload container images to ghcr.io
+      packages: write
+      # Needed for attestation
+      id-token: write
+      attestations: write
+    steps:
+      - uses: actions/checkout@v4
+      - uses: docker/setup-qemu-action@v3.3.0
+      - uses: docker/setup-buildx-action@v3
+      - name: prepare variables
+        uses: ./.github/actions/docker-push-variables
+        id: ev
+        env:
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+        with:
+          image-name: ${{ inputs.image_name }}
+          image-arch: ${{ inputs.image_arch }}
+      - name: Login to Docker Hub
+        if: ${{ inputs.registry_dockerhub }}
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+      - name: Login to GitHub Container Registry
+        if: ${{ inputs.registry_ghcr }}
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: make empty clients
+        if: ${{ inputs.release }}
+        run: |
+          mkdir -p ./gen-ts-api
+          mkdir -p ./gen-go-api
+      - name: generate ts client
+        if: ${{ !inputs.release }}
+        run: make gen-client-ts
+      - name: Build Docker Image
+        uses: docker/build-push-action@v6
+        id: push
+        with:
+          context: .
+          push: true
+          secrets: |
+            GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
+            GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
+          build-args: |
+            VERSION=${{ github.ref }}
+          tags: ${{ steps.ev.outputs.imageTags }}
+          platforms: linux/${{ inputs.image_arch }}
+          cache-from: type=registry,ref=${{ steps.ev.outputs.attestImageNames }}:buildcache-${{ inputs.image_arch }}
+          cache-to: ${{ steps.ev.outputs.cacheTo }}
+      - uses: actions/attest-build-provenance@v2
+        id: attest
+        with:
+          subject-name: ${{ steps.ev.outputs.attestImageNames }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true