verifying checksum for resources/_toolbar.html.erb hasn't changed sin… #32
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build / Test / Push | |
| on: | |
| push: | |
| branches: | |
| - '**' | |
| workflow_dispatch: | |
| env: | |
| BUILD_SUFFIX: -build-${{ github.run_id }}_${{ github.run_attempt }} | |
| DOCKER_METADATA_SET_OUTPUT_ENV: 'true' | |
| ARCHIVESSPACE_RESOURCE_TOOLBAR_SHA256: 2feb4bf50a103574dc541d36dd237b5d49f6e663439dfe23314b89ccf964b83d | |
| jobs: | |
| verify-upstream: | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Verify upstream resource toolbar checksum | |
| run: | | |
| set -euo pipefail | |
| version="$(sed -n 's/^ARG ARCHIVESSPACE_VERSION="\([^"]*\)"/\1/p' Dockerfile)" | |
| repo_dir="$(mktemp -d)" | |
| trap 'rm -rf "$repo_dir"' EXIT | |
| if [[ -z "$version" ]]; then | |
| echo "Could not determine ARCHIVESSPACE_VERSION from .env.example" | |
| exit 1 | |
| fi | |
| git init -q "$repo_dir" | |
| git -C "$repo_dir" remote add origin https://github.com/archivesspace/archivesspace.git | |
| git -C "$repo_dir" fetch --depth 1 origin "refs/tags/${version}:refs/tags/${version}" | |
| actual="$(git -C "$repo_dir" show "${version}:frontend/app/views/resources/_toolbar.html.erb" | shasum -a 256 | awk '{print $1}')" | |
| if [[ "$actual" != "$ARCHIVESSPACE_RESOURCE_TOOLBAR_SHA256" ]]; then | |
| echo "Expected checksum: $ARCHIVESSPACE_RESOURCE_TOOLBAR_SHA256" | |
| echo "Actual checksum: $actual" | |
| echo "Upstream file changed for ArchivesSpace ${version}" | |
| exit 1 | |
| fi | |
| build: | |
| needs: verify-upstream | |
| runs-on: ${{ matrix.runner }} | |
| outputs: | |
| image-arm64: ${{ steps.gen-output.outputs.image-arm64 }} | |
| image-x64: ${{ steps.gen-output.outputs.image-x64 }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| runner: | |
| - ubuntu-24.04 | |
| - ubuntu-24.04-arm | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - id: build-meta | |
| name: Docker meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: ghcr.io/${{ github.repository }} | |
| tags: type=sha,suffix=${{ env.BUILD_SUFFIX }} | |
| # Build cache is shared among all builds of the same architecture | |
| - id: cache-meta | |
| name: Docker meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: ghcr.io/${{ github.repository }} | |
| tags: type=raw,value=buildcache-${{ runner.arch }} | |
| - id: get-registry | |
| name: Get the sanitized registry name | |
| run: | | |
| echo "registry=$(echo '${{ steps.build-meta.outputs.tags }}' | cut -f1 -d:)" | tee -a "$GITHUB_OUTPUT" | |
| - id: build | |
| name: Build/push the arch-specific image | |
| uses: docker/build-push-action@v6 | |
| with: | |
| cache-from: type=registry,ref=${{ steps.cache-meta.outputs.tags }} | |
| cache-to: type=registry,ref=${{ steps.cache-meta.outputs.tags }},mode=max | |
| labels: ${{ steps.build-meta.outputs.labels }} | |
| provenance: mode=max | |
| sbom: true | |
| tags: ${{ steps.get-registry.outputs.registry }} | |
| outputs: type=image,push-by-digest=true,push=true | |
| - id: gen-output | |
| name: Write arch-specific image digest to outputs | |
| run: | | |
| echo "image-${RUNNER_ARCH,,}=${{ steps.get-registry.outputs.registry }}@${{ steps.build.outputs.digest }}" | tee -a "$GITHUB_OUTPUT" | |
| merge: | |
| runs-on: ubuntu-24.04 | |
| needs: build | |
| env: | |
| DOCKER_APP_IMAGE_ARM64: ${{ needs.build.outputs.image-arm64 }} | |
| DOCKER_APP_IMAGE_X64: ${{ needs.build.outputs.image-x64 }} | |
| outputs: | |
| image: ${{ steps.meta.outputs.tags }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - id: meta | |
| name: Generate tag for the app image | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: ghcr.io/${{ github.repository }} | |
| tags: type=sha,suffix=${{ env.BUILD_SUFFIX }} | |
| - name: Push the multi-platform app image | |
| run: | | |
| docker buildx imagetools create \ | |
| --tag "$DOCKER_METADATA_OUTPUT_TAGS" \ | |
| "$DOCKER_APP_IMAGE_ARM64" "$DOCKER_APP_IMAGE_X64" | |
| test: | |
| runs-on: ubuntu-24.04 | |
| needs: merge | |
| env: | |
| COMPOSE_FILE: compose.yml:compose.ci.yml | |
| DOCKER_APP_IMAGE: ${{ needs.merge.outputs.image }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up Docker Compose | |
| uses: docker/setup-compose-action@v1 | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Setup the stack | |
| run: | | |
| cp .env.example .env | |
| docker compose config | |
| docker compose build | |
| docker compose pull | |
| docker compose up --wait | |
| docker compose exec -u root app chown archivesspace:archivesspace artifacts | |
| - name: Query the ASpace home page | |
| run: | | |
| curl --location --fail --retry 30 --retry-all-errors http://localhost:8080/ | |
| - name: Copy out artifacts | |
| if: ${{ always() }} | |
| run: | | |
| docker compose cp app:/opt/app/artifacts ./ || mkdir artifacts | |
| docker compose logs > artifacts/compose-services.log | |
| docker compose config > artifacts/compose.merged.yml | |
| - name: Upload the build report | |
| if: ${{ always() }} | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ASpace Build Report (${{ github.run_id }}_${{ github.run_attempt }}) | |
| path: artifacts/* | |
| if-no-files-found: error | |
| push: | |
| runs-on: ubuntu-24.04 | |
| needs: | |
| - build | |
| - test | |
| env: | |
| DOCKER_APP_IMAGE_ARM64: ${{ needs.build.outputs.image-arm64 }} | |
| DOCKER_APP_IMAGE_X64: ${{ needs.build.outputs.image-x64 }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Produce permanent image tags | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: ghcr.io/${{ github.repository }} | |
| tags: | | |
| type=sha | |
| type=ref,event=branch | |
| type=raw,value=latest,enable={{is_default_branch}} | |
| - name: Retag and push the image | |
| run: | | |
| docker buildx imagetools create \ | |
| $(jq -cr '.tags | map("--tag " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") $DOCKER_APP_IMAGE_ARM64 $DOCKER_APP_IMAGE_X64 |