forked from whoan/docker-build-with-cache-action
-
Notifications
You must be signed in to change notification settings - Fork 0
/
docker-build.sh
executable file
·482 lines (410 loc) · 11.5 KB
/
docker-build.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
#!/usr/bin/env bash
set -e
export DOCKER_BUILDKIT=${DOCKER_BUILDKIT:-1}
# helper functions
_has_value() {
local var_name=${1}
local var_value=${2}
if [ -z "$var_value" ]; then
echo "INFO: Missing value $var_name" >&2
return 1
fi
}
_is_docker_hub() {
[ -z "$INPUT_REGISTRY" ] || [[ "$INPUT_REGISTRY" =~ \.docker\.(com|io)(/|$) ]]
}
_is_old_github_registry() {
[ "$INPUT_REGISTRY" = docker.pkg.github.com ]
}
_is_new_github_registry() {
[ "$INPUT_REGISTRY" = ghcr.io ]
}
_is_gcloud_registry() {
[[ "$INPUT_REGISTRY" =~ ^(.+\.)?gcr\.io$ ]]
}
_is_aws_ecr() {
_is_aws_ecr_private || _is_aws_ecr_public
}
_is_aws_ecr_private() {
[[ "$INPUT_REGISTRY" =~ ^.+\.dkr\.ecr\.([a-z0-9-]+)\.amazonaws\.com$ ]]
}
_is_aws_ecr_public() {
[[ "$INPUT_REGISTRY" =~ ^public.ecr.aws$ ]]
}
_buildkit_is_enabled() {
[[ "$DOCKER_BUILDKIT" != 0 ]]
}
_get_aws_region() {
_is_aws_ecr_public && echo "us-east-1" && return
# tied to _is_aws_ecr_private implementation
_is_aws_ecr_private && echo "${BASH_REMATCH[1]}" && return
echo "Could not get AWS region" >&2
}
_image_name_contains_namespace() {
[[ "$INPUT_IMAGE_NAME" =~ / ]]
}
_set_namespace() {
if ! _image_name_contains_namespace; then
if _is_docker_hub || _is_new_github_registry; then
NAMESPACE=${INPUT_USERNAME:?A username is needed if no namespace is provided}
elif _is_old_github_registry; then
NAMESPACE=$GITHUB_REPOSITORY
elif _is_gcloud_registry; then
# take project_id from Json Key
NAMESPACE=$(echo "${INPUT_PASSWORD}" | sed -rn 's@.+project_id" *: *"([^"]+).+@\1@p' 2> /dev/null)
[ "$NAMESPACE" ] || return 1
elif _is_aws_ecr_public; then
NAMESPACE=$(_aws_get_public_ecr_registry_name)
fi
# aws-ecr (private) does not need a namespace
fi
# set namespace to all lower, capital letters are not supported
NAMESPACE=${NAMESPACE,,}
}
_get_max_stage_number() {
(( ${#tags[@]} == 0 )) || echo "${tags[-1]}"
}
_get_stages() {
grep -EB1 '^Step [0-9]+/[0-9]+ : FROM' "$BUILD_LOG" |
sed -rn 's/ *-*> (.+)/\1/p'
}
_get_image_namespace() {
echo ${INPUT_REGISTRY:+$INPUT_REGISTRY/}${NAMESPACE:+$NAMESPACE/}
}
_get_full_image_name() {
echo "$(_get_image_namespace)${INPUT_IMAGE_NAME}"
}
_get_stages_image_name() {
echo "${INPUT_STAGES_IMAGE_NAME:-${INPUT_IMAGE_NAME}-stages}"
}
_get_full_stages_image_name() {
echo "$(_get_image_namespace)$(_get_stages_image_name)"
}
_tag() {
local tag
tag="${1:?You must provide a tag}"
echo "Tag: $(_get_full_image_name):$tag"
docker tag "$DUMMY_IMAGE_NAME" "$(_get_full_image_name):$tag"
}
_push() {
local tag
tag="${1:?You must provide a tag}"
docker push "$(_get_full_image_name):$tag"
}
_is_logged_in() {
[ "$not_logged_in" != true ]
}
_must_pull() {
[ "$INPUT_PULL_IMAGE_AND_STAGES" == true ]
}
_can_pull() {
_must_pull && _is_logged_in
}
_must_push() {
if [ "$INPUT_PUSH_IMAGE_AND_STAGES" = on:push ]; then
[ "$GITHUB_EVENT_NAME" = push ]
return
fi
if [ "$INPUT_PUSH_IMAGE_AND_STAGES" = on:pull_request ]; then
[ "$GITHUB_EVENT_NAME" = pull_request ]
return
fi
$INPUT_PUSH_IMAGE_AND_STAGES
}
_can_push() {
_must_push && _is_logged_in
}
_push_git_tag() {
[[ "$GITHUB_REF" =~ /tags/ ]] || return 0
local git_tag=${GITHUB_REF##*/tags/}
echo -e "\nPushing git tag: $git_tag"
_tag "$git_tag"
_push "$git_tag"
}
_push_image_tags() {
local tag
for tag in "${INPUT_IMAGE_TAG[@]}"; do
echo "Pushing: $tag"
_push "$tag"
done
if [ "$INPUT_PUSH_GIT_TAG" = true ]; then
_push_git_tag
fi
}
_push_image_stages() {
local stage_number=1
local stage_image
for stage in $(_get_stages); do
echo -e "\nPushing stage: $stage_number"
stage_image=$(_get_full_stages_image_name):$stage_number
docker tag "$stage" "$stage_image"
docker push "$stage_image"
stage_number=$(( stage_number+1 ))
done
# push the image itself as a stage (the last one)
echo -e "\nPushing stage: $stage_number"
stage_image=$(_get_full_stages_image_name):$stage_number
docker tag "$DUMMY_IMAGE_NAME" "$stage_image"
docker push "$stage_image"
}
_aws() (
export AWS_ACCESS_KEY_ID
export AWS_SECRET_ACCESS_KEY
export AWS_SESSION_TOKEN
aws --region "$(_get_aws_region)" "$@"
)
_aws_get_public_ecr_registry_name() {
_aws ecr-public describe-registries --output=text --query 'registries[0].aliases[0].name'
}
_aws_get_image_tags() {
mapfile -t tags < <(_aws ecr-public describe-image-tags --repository-name "$(_get_stages_image_name)" | jq ".imageTagDetails[].imageTag")
tags=( "${tags[@]#\"}" )
tags=( "${tags[@]%\"}" )
}
_login_to_aws_ecr() {
local array="[]"
if _is_aws_ecr_public; then
array=""
fi
_aws "$(_aws_ecr)" get-authorization-token --output text --query "authorizationData${array}.authorizationToken" |
base64 -d | cut -d: -f2 | docker login --username AWS --password-stdin "$INPUT_REGISTRY"
}
_aws_ecr() {
if _is_aws_ecr_public; then
echo ecr-public
else
echo ecr
fi
}
_aws_repo_exists() {
local repo=$1
: "${repo:?}"
local subcommand # use already-needed permissions to avoid new ones
if _is_aws_ecr_public; then
subcommand=describe-image-tags
else
subcommand=list-images
fi
local error_log
error_log=$(command -p mktemp)
_aws "$(_aws_ecr)" "$subcommand" --repository-name "$repo" > /dev/null 2> "$error_log"
if [ -s "$error_log" ]; then
if ! grep -q RepositoryNotFoundException "$error_log"; then
# unknown error. exit
cat "$error_log"
exit 1
fi
return 1
fi
}
_create_aws_ecr_repos() {
echo -e "\n[Action Step - AWS] Creating repositories (if needed)..."
local main_repo stages_repo
main_repo=$INPUT_IMAGE_NAME stages_repo=$(_get_stages_image_name)
for repo in "$main_repo" "$stages_repo"; do
_aws_repo_exists "$repo" || _aws "$(_aws_ecr)" create-repository --repository-name "$repo" || return 1
done
}
_docker_login() {
if _is_aws_ecr; then
_login_to_aws_ecr || return 1
else
echo "${INPUT_PASSWORD}" | docker login -u "${INPUT_USERNAME}" --password-stdin "${INPUT_REGISTRY}" || return 1
fi
trap logout_from_registry EXIT
}
_parse_extra_args() {
# non-json
if ! [[ $INPUT_BUILD_EXTRA_ARGS =~ ^\{ ]]; then
return
fi
# json
declare -ga extra_args=()
local key
local value
while read -r key; do
while read -r value; do
extra_args+=("$key")
extra_args+=("${value//\\n/
}")
done < <(jq --raw-output "[.\"$key\"] | flatten[]" <<<"${INPUT_BUILD_EXTRA_ARGS}")
done < <(jq --raw-output "keys[]" <<<"${INPUT_BUILD_EXTRA_ARGS}")
INPUT_BUILD_EXTRA_ARGS=""
}
# action steps
init_variables() {
DUMMY_IMAGE_NAME="$INPUT_IMAGE_NAME":tmp_tag_ignore
BUILD_LOG=build-output.log
: "${INPUT_CONTEXT:=.}"
: "${INPUT_DOCKERFILE:=Dockerfile}"
: "${GITHUB_OUTPUT:=/dev/stdout}"
# ! ignore any tag in the custom cache image name
INPUT_STAGES_IMAGE_NAME=${INPUT_STAGES_IMAGE_NAME%:*}
if _is_aws_ecr; then
if [ -z "$INPUT_USERNAME" ]; then
INPUT_USERNAME=$AWS_ACCESS_KEY_ID
INPUT_PASSWORD=$AWS_SECRET_ACCESS_KEY
fi
if [ -z "$INPUT_SESSION" ]; then
INPUT_SESSION=$AWS_SESSION_TOKEN
fi
AWS_ACCESS_KEY_ID=$INPUT_USERNAME
AWS_SECRET_ACCESS_KEY=$INPUT_PASSWORD
AWS_SESSION_TOKEN=$INPUT_SESSION
fi
# split tags (to allow multiple comma-separated tags)
IFS=, read -ra INPUT_IMAGE_TAG <<< "$INPUT_IMAGE_TAG"
if ! _set_namespace; then
echo "Could not set namespace" >&2
exit 1
fi
}
check_aws_cli() {
if _is_aws_ecr; then
_aws --version
fi
}
check_required_input() {
echo -e "\n[Action Step] Checking required input..."
#shellcheck disable=SC2128
_has_value IMAGE_NAME "${INPUT_IMAGE_NAME}" \
&& _has_value IMAGE_TAG "${INPUT_IMAGE_TAG}" \
&& return
exit 1
}
login_to_registry() {
echo -e "\n[Action Step] Log in to registry..."
if _has_value USERNAME "${INPUT_USERNAME}" && _has_value PASSWORD "${INPUT_PASSWORD}"; then
_docker_login && return 0
echo "Could not log in (please check credentials)" >&2
else
echo "No credentials provided" >&2
fi
not_logged_in=true
echo "INFO: Won't be able to pull from private repos, nor to push to public/private repos" >&2
}
create_repos() {
if ! _can_push; then
return
fi
if _is_aws_ecr; then
_create_aws_ecr_repos || return 1
fi
}
pull_cached_stages() {
if ! _can_pull; then
return
fi
# cache importing/exporting is done in build statement when BuildKit is enabled
if _buildkit_is_enabled; then
return
fi
echo -e "\n[Action Step] Pulling image..."
if _is_aws_ecr_public; then
_aws_get_image_tags
local tag
for tag in "${tags[@]}"; do
docker pull "$(_get_full_stages_image_name)":"$tag" || true
done
else
local PULL_STAGES_LOG=pull-stages-output.log
docker pull --all-tags "$(_get_full_stages_image_name)" | tee "$PULL_STAGES_LOG" || true
mapfile -t tags < <(sed -nr 's/^([0-9]+): Pulling from.+/\1/p' "$PULL_STAGES_LOG" | sort -n)
if (( ${#tags[@]} == 0 )); then
echo "Expected error ^ if this is the first time you build the image" >&2
fi
fi
}
_build_image_legacy() {
echo -e "\n[Action Step] Building image..."
max_stage=$(_get_max_stage_number)
# create param to use (multiple) --cache-from options
if [ "$max_stage" ]; then
cache_from=$(eval "echo --cache-from=$(_get_full_stages_image_name):{1..$max_stage}")
fi
_parse_extra_args
set -o pipefail
set -x
# shellcheck disable=SC2086
docker build \
$cache_from \
--tag "$DUMMY_IMAGE_NAME" \
--file "${INPUT_CONTEXT}"/"${INPUT_DOCKERFILE}" \
${INPUT_BUILD_EXTRA_ARGS} \
"${extra_args[@]}" \
"${INPUT_CONTEXT}" | tee "$BUILD_LOG"
set +x
}
_build_image_buildkit() {
echo -e "\n[Action Step] Building image with BuildKit..."
local cache_image
cache_image="$(_get_full_stages_image_name)":latest
local cache_from
if _can_pull; then
cache_from="--cache-from type=registry,ref=$cache_image"
fi
local cache_to
if _can_push; then
cache_to="--cache-to mode=max,image-manifest=true,type=registry,ref=$cache_image"
fi
_parse_extra_args
set -x
docker buildx create --use --name action-builder-instance |& grep -v "existing instance" || true
# shellcheck disable=SC2086
docker buildx build \
--load \
$cache_from \
$cache_to \
--tag "$DUMMY_IMAGE_NAME" \
--file "${INPUT_CONTEXT}"/"${INPUT_DOCKERFILE}" \
${INPUT_BUILD_EXTRA_ARGS} \
"${extra_args[@]}" \
"${INPUT_CONTEXT}"
}
build_image() {
if _buildkit_is_enabled; then
_build_image_buildkit
else
_build_image_legacy
fi
}
tag_image() {
echo -e "\n[Action Step] Tagging image..."
local tag
for tag in "${INPUT_IMAGE_TAG[@]}"; do
_tag "$tag"
done
}
push_image_and_stages() {
echo -e "\n[Action Step] Pushing image..."
if ! _must_push; then
echo "Not pushing" >&2
# only stop the action on errors of custom commands set in the input variable
[ "$INPUT_PUSH_IMAGE_AND_STAGES" = false ] || [[ "$INPUT_PUSH_IMAGE_AND_STAGES" =~ ^on: ]]
return
fi
if ! _is_logged_in; then
echo "ERROR: Can't push when not logged in to registry. Set \"push_image_and_stages: false\" if you don't want to push" >&2
return 1
fi
_push_image_tags
if ! _buildkit_is_enabled; then
_push_image_stages
fi
}
logout_from_registry() {
echo -e "\n[Action Step] Log out from registry..."
docker logout "${INPUT_REGISTRY}"
}
# run the action
check_aws_cli
init_variables
check_required_input
login_to_registry
create_repos
pull_cached_stages
build_image
tag_image
push_image_and_stages
echo "FULL_IMAGE_NAME=$(_get_full_image_name)" >> "$GITHUB_OUTPUT"
echo "End of script"