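# Builds the DocumentDB .deb packages for every os/arch/PostgreSQL combination
# in the matrix and uploads them as workflow artifacts. Only for runs whose ref
# is a tag, it additionally publishes a prebuilt image to GHCR and signs it with
# cosign (keyless, OIDC).
name: Build deb packages and prebuild images

# One in-flight run per PR (or per ref for push/dispatch); a newer run cancels
# an older one for the same key.
concurrency:
  group: build-packages-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

on:
  workflow_dispatch:
  push:
    branches:
      - 'main'
    paths-ignore:
      - 'docs/**'
      - '.devcontainer/**'
      - '*.md'
  pull_request:
    types: [opened, reopened, synchronize]
    paths-ignore:
      - 'docs/**'
      - '.devcontainer/**'
      - '*.md'

# NOTE(review): every publish/sign step below is gated on
# startsWith(github.ref, 'refs/tags/'), yet no trigger above fires on a tag
# push (`push` is restricted to 'main'). Only a workflow_dispatch started from
# a tag ref reaches those steps - presumably a deliberate manual release flow;
# add a `tags:` filter under `push` if tag pushes are meant to publish.

# Scopes are workflow-wide, so every trigger gets them - including
# pull_request runs, which never reach the steps that need write access:
#   contents: read   - actions/checkout
#   packages: write  - docker push to ghcr.io
#   id-token: write  - OIDC token for keyless cosign signing
permissions:
  packages: write
  contents: read
  id-token: write

jobs:
  build-deb-packages:
    runs-on: ${{ matrix.runner }}
    name: ${{ matrix.os }}-${{ matrix.arch }}-pg${{ matrix.pg_version }}
    strategy:
      # Keep building the other matrix entries when one fails.
      fail-fast: false
      matrix:
        os: [ubuntu22.04]
        arch: [amd64, arm64]
        # Native runner per architecture (no emulation for the .deb build).
        include:
          - arch: amd64
            runner: ubuntu-24.04
          - arch: arm64
            runner: ubuntu-24.04-arm
        # Quoted so the values stay strings regardless of the YAML loader.
        pg_version:
          - '16'
          - '17'

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          # The later steps in this file run the build script directly and
          # never use git with the token, so don't leave GITHUB_TOKEN in
          # .git/config. NOTE(review): revert if packaging/build_packages.sh
          # fetches private refs - not visible from this file.
          persist-credentials: false

      - name: Extract and Format Default Version
        id: extract_version
        run: |
          # default_version = 'X.Y-Z' in the control file is exported as X.Y.Z.
          DOCUMENTDB_VERSION=$(grep -E "^default_version" pg_documentdb_core/documentdb_core.control | sed -E "s/.*'([0-9]+\.[0-9]+-[0-9]+)'.*/\1/")
          DOCUMENTDB_VERSION=$(echo "$DOCUMENTDB_VERSION" | sed "s/-/./g")
          # The sed above passes the whole line through unchanged when it does
          # not match, and this value ends up in a shell command line, an
          # artifact name and an image tag - fail here rather than propagate it.
          if ! [[ "$DOCUMENTDB_VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            echo "::error::Could not parse default_version from pg_documentdb_core/documentdb_core.control (got '$DOCUMENTDB_VERSION')"
            exit 1
          fi
          echo "Extracted Version: $DOCUMENTDB_VERSION"
          echo "DOCUMENTDB_VERSION=$DOCUMENTDB_VERSION" >> "$GITHUB_ENV"

      - name: Build Debian Package
        # The version is read from the shell environment (set via GITHUB_ENV
        # above) instead of ${{ env.* }} interpolation, so file-derived content
        # is never spliced into the script text itself.
        run: |
          ./packaging/build_packages.sh --os "${{ matrix.os }}" --pg "${{ matrix.pg_version }}" --version "$DOCUMENTDB_VERSION"

      - name: Upload Debian Package as Artifact
        uses: actions/upload-artifact@v4
        with:
          name: archive-${{ matrix.os }}-${{ matrix.arch }}-pg${{ matrix.pg_version }}-documentdb-${{ env.DOCUMENTDB_VERSION }}
          path: |
            packaging/*.deb
          retention-days: 7
          # The build must have produced at least one .deb.
          if-no-files-found: error
          # .deb files are already compressed.
          compression-level: 0

      # ---- Everything below runs only when the workflow ref is a tag. ----

      - name: Login to GHCR
        if: startsWith(github.ref, 'refs/tags/')
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          # Needs the packages: write scope granted at the top of the file.
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Set up QEMU
        if: startsWith(github.ref, 'refs/tags/')
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        if: startsWith(github.ref, 'refs/tags/')
        uses: docker/setup-buildx-action@v3

      - name: Extract image build metadata
        if: startsWith(github.ref, 'refs/tags/')
        id: image_metadata
        run: |
          # First non-dbgsym .deb from the build step. NOTE(review): if
          # build_packages.sh can leave more than one, head -n1 silently picks
          # whichever sorts first.
          PACKAGE_NAME=$(ls packaging/*.deb | grep -v dbgsym | head -n1)
          if [ -z "$PACKAGE_NAME" ]; then
            echo "::error::No non-dbgsym .deb found under packaging/"
            exit 1
          fi
          echo "PACKAGE NAME: $PACKAGE_NAME"
          echo "PACKAGE_NAME=$PACKAGE_NAME" >> "$GITHUB_ENV"

          # Map the matrix os id to the runtime base image. Only ubuntu22.04 is
          # in the matrix today; the other entries presumably anticipate more
          # targets.
          case "${{ matrix.os }}" in
            deb11)       BASE_IMAGE="debian:bullseye" ;;
            deb12)       BASE_IMAGE="debian:bookworm" ;;
            ubuntu22.04) BASE_IMAGE="ubuntu:22.04" ;;
            ubuntu24.04) BASE_IMAGE="ubuntu:24.04" ;;
            *)
              # Previously an unmapped os left BASE_IMAGE empty and the image
              # build failed later with a less obvious error.
              echo "::error::No base image mapped for os '${{ matrix.os }}'"
              exit 1
              ;;
          esac
          echo "BASE_IMAGE NAME: $BASE_IMAGE"
          echo "BASE_IMAGE=$BASE_IMAGE" >> "$GITHUB_ENV"

      - name: Build and Push Docker Image
        if: startsWith(github.ref, 'refs/tags/')
        # The id exposes outputs.digest to the signing steps below.
        id: build_image
        uses: docker/build-push-action@v6.18.0
        env:
          DOCKER_BUILD_SUMMARY: false
        with:
          # Both attestations are disabled so the registry does not list the
          # extra "unknown/unknown" attestation manifest next to each tag.
          # NOTE(review): this also means no SLSA provenance or SBOM is
          # published; the cosign step below signs the image manifest only.
          provenance: false
          sbom: false
          context: .
          push: true
          platforms: linux/${{ matrix.arch }}
          file: .github/containers/Build-Ubuntu/Dockerfile_prebuild
          tags: ghcr.io/${{ github.repository }}/documentdb-oss:PG${{ matrix.pg_version }}-${{ matrix.arch }}-${{ env.DOCUMENTDB_VERSION }}
          build-args: |
            BASE_IMAGE=${{ env.BASE_IMAGE }}
            POSTGRES_VERSION=${{ matrix.pg_version }}
            DEB_PACKAGE_REL_PATH=${{ env.PACKAGE_NAME }}
          labels: |
            # Derived from the repository that runs the workflow so the label
            # matches the ghcr.io/<repository> the image is pushed to (the
            # previous hard-coded microsoft/documentdb broke on forks).
            org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}
            org.opencontainers.image.description=Documentdb prebuild image
            org.opencontainers.image.licenses=MIT

      - name: Install cosign
        if: startsWith(github.ref, 'refs/tags/')
        # Pinned to a release line like the other actions in this file;
        # `@main` tracked a moving branch for the very tool that produces the
        # release signature. A full commit SHA pin is stronger still.
        uses: sigstore/cosign-installer@v3

      - name: Sign manifest (keyless)
        if: startsWith(github.ref, 'refs/tags/')
        env:
          # Sign by digest so the signature is bound to the exact image that
          # was just pushed, not to a tag that can be re-pointed later.
          IMAGE: ghcr.io/${{ github.repository }}/documentdb-oss@${{ steps.build_image.outputs.digest }}
        run: |
          cosign sign -y "$IMAGE"

      - name: Verify manifest signature (keyless)
        if: startsWith(github.ref, 'refs/tags/')
        env:
          IMAGE: ghcr.io/${{ github.repository }}/documentdb-oss@${{ steps.build_image.outputs.digest }}
          # Exact identity of this workflow file on the current ref
          # (github.ref already carries the refs/tags/... prefix). Replaces the
          # former regexp, whose unescaped '.' and interpolated ref name
          # matched more than intended.
          EXPECTED_IDENTITY: https://github.com/${{ github.repository }}/.github/workflows/build_packages.yml@${{ github.ref }}
        run: |
          # Smoke check of the signature produced in the previous step (same
          # job, same digest); consumers should run the same verify against
          # the tag they pull.
          cosign verify \
            --certificate-identity "$EXPECTED_IDENTITY" \
            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
            "$IMAGE"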