From e667eea2d4de4df45ee373869d0ac7e177f4e172 Mon Sep 17 00:00:00 2001 From: Yuri Shkuro Date: Sun, 8 Sep 2024 23:58:16 -0300 Subject: [PATCH] Stop using v1 and v1.x tags for Docker images (#5956) ## Which problem is this PR solving? - We used to publish Docker tags like "1" and "1.60", which were aliases to the most recent fully-qualified version. This is a bad practice, nobody should be depending on those aliases since they can introduce unexpected changes to production ## Description of the changes - Only apply fully qualified vX.Y.Z tag - Do not generate any tags for runs not on main branch and not on numbered release - Rename poorly named internal action `actions/block-pr-not-on-main` to `actions/block-pr-from-main-branch` - Remove `name` from many workflow steps as it's redundant - Add "::group::" boundaries to log output to make it easier to navigate on github ## How was this change tested? - CI --------- Signed-off-by: Yuri Shkuro --- .../action.yml | 0 .github/workflows/ci-crossdock.yml | 9 ++--- .github/workflows/ci-docker-all-in-one.yml | 15 +++----- .github/workflows/ci-docker-build.yml | 15 +++----- .github/workflows/ci-docker-hotrod.yml | 6 +-- .github/workflows/ci-lint-checks.yaml | 38 +++++++------------ .github/workflows/ci-release.yml | 37 ++++++++++++------ Makefile.Docker.mk | 8 ++++ scripts/build-all-in-one-image.sh | 2 +- scripts/build-hotrod-image.sh | 4 +- scripts/build-upload-a-docker-image.sh | 21 ++++++---- scripts/compute-tags.sh | 13 +++---- scripts/compute-tags.test.sh | 22 +++++------ 13 files changed, 92 insertions(+), 98 deletions(-) rename .github/actions/{block-pr-not-on-main => block-pr-from-main-branch}/action.yml (100%) diff --git a/.github/actions/block-pr-not-on-main/action.yml b/.github/actions/block-pr-from-main-branch/action.yml similarity index 100% rename from .github/actions/block-pr-not-on-main/action.yml rename to .github/actions/block-pr-from-main-branch/action.yml diff --git a/.github/workflows/ci-crossdock.yml b/.github/workflows/ci-crossdock.yml index 97fe88f3089..02e84b5a36f 100644 --- a/.github/workflows/ci-crossdock.yml +++ b/.github/workflows/ci-crossdock.yml @@ -20,8 +20,7 @@ jobs: runs-on: ubuntu-latest steps: - - name: Harden Runner - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 + - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs @@ -37,11 +36,9 @@ jobs: with: go-version: 1.23.x - - name: Export BRANCH variable - uses: ./.github/actions/setup-branch + - uses: ./.github/actions/setup-branch - - name: Install tools - run: make install-ci + - run: make install-ci - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 diff --git a/.github/workflows/ci-docker-all-in-one.yml b/.github/workflows/ci-docker-all-in-one.yml index 57fd058c661..8d7f68b56ec 100644 --- a/.github/workflows/ci-docker-all-in-one.yml +++ b/.github/workflows/ci-docker-all-in-one.yml @@ -27,8 +27,7 @@ jobs: binary: jaeger steps: - - name: Harden Runner - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 + - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs @@ -37,21 +36,17 @@ jobs: submodules: true - name: Fetch git tags - run: | - git fetch --prune --unshallow --tags + run: git fetch --prune --unshallow --tags - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version: 1.23.x - - name: Setup Node.js version - uses: ./.github/actions/setup-node.js + - uses: ./.github/actions/setup-node.js - - name: Export BRANCH variable - uses: ./.github/actions/setup-branch + - uses: ./.github/actions/setup-branch - - name: Install tools - run: make install-ci + - run: make install-ci - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 diff --git a/.github/workflows/ci-docker-build.yml b/.github/workflows/ci-docker-build.yml index 8b78e8777d1..51f31303aa4 100644 --- a/.github/workflows/ci-docker-build.yml +++ b/.github/workflows/ci-docker-build.yml @@ -20,8 +20,7 @@ jobs: runs-on: ubuntu-latest steps: - - name: Harden Runner - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 + - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs @@ -30,21 +29,17 @@ jobs: submodules: true - name: Fetch git tags - run: | - git fetch --prune --unshallow --tags + run: git fetch --prune --unshallow --tags - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version: 1.23.x - - name: Setup Node.js version - uses: ./.github/actions/setup-node.js + - uses: ./.github/actions/setup-node.js - - name: Export BRANCH variable - uses: ./.github/actions/setup-branch + - uses: ./.github/actions/setup-branch - - name: Install tools - run: make install-ci + - run: make install-ci - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 diff --git a/.github/workflows/ci-docker-hotrod.yml b/.github/workflows/ci-docker-hotrod.yml index 04f89930281..4433812ccb5 100644 --- a/.github/workflows/ci-docker-hotrod.yml +++ b/.github/workflows/ci-docker-hotrod.yml @@ -19,8 +19,7 @@ jobs: hotrod: runs-on: ubuntu-latest steps: - - name: Harden Runner - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 + - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs @@ -36,8 +35,7 @@ jobs: with: go-version: 1.23.x - - name: Export BRANCH variable - uses: ./.github/actions/setup-branch + - uses: ./.github/actions/setup-branch - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 diff --git a/.github/workflows/ci-lint-checks.yaml b/.github/workflows/ci-lint-checks.yaml index 4951d4b77cf..55ca56a3e72 100644 --- a/.github/workflows/ci-lint-checks.yaml +++ b/.github/workflows/ci-lint-checks.yaml @@ -19,8 +19,7 @@ jobs: lint: runs-on: ubuntu-latest steps: - - name: Harden Runner - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 + - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 with: egress-policy: audit # TODO: change to 'egress-policy: block' after a couple of runs @@ -33,33 +32,27 @@ jobs: - name: Print Jaeger version for no reason run: make echo-v1 echo-v2 - - name: Install tools - run: make install-test-tools + - run: make install-test-tools - - name: Lint - run: make lint + - run: make lint pull-request-preconditions: runs-on: ubuntu-latest steps: - - name: Harden Runner - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 + - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 with: egress-policy: audit # TODO: change to 'egress-policy: block' after a couple of runs - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - name: Ensure PR is not on main branch - uses: ./.github/actions/block-pr-not-on-main + - uses: ./.github/actions/block-pr-from-main-branch - - name: lint-nocommit - run: make lint-nocommit + - run: make lint-nocommit dco-check: runs-on: ubuntu-latest steps: - - name: Harden Runner - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 + - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 with: egress-policy: audit # TODO: change to 'egress-policy: block' after a couple of runs @@ -78,8 +71,7 @@ jobs: generated-files-check: runs-on: ubuntu-latest steps: - - name: Harden Runner - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 + - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs @@ -104,21 +96,17 @@ jobs: runs-on: ubuntu-latest steps: - - name: Harden Runner - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 + - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 with: egress-policy: audit - - name: Check out code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - name: Install shellcheck - run: sudo apt-get install shellcheck + - run: sudo apt-get install shellcheck - - name: Run shellcheck - run: shellcheck scripts/*.sh + - run: shellcheck scripts/*.sh - - name: Install shunit2 + - name: Install shunit2 for shell unit tests uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: repository: kward/shunit2 diff --git a/.github/workflows/ci-release.yml b/.github/workflows/ci-release.yml index 414da6ea3c6..168793856b5 100644 --- a/.github/workflows/ci-release.yml +++ b/.github/workflows/ci-release.yml @@ -21,7 +21,12 @@ on: dry_run: required: true type: boolean - description: Pass `true` for a test run. It will only build one platform (for speed) and will not push artifacts. + description: Do a test run. It will only build one platform (for speed) and will not push artifacts. + + overwrite: + required: true + type: boolean + description: Allow overwriting artifacts. # See https://github.com/jaegertracing/jaeger/issues/4017 permissions: @@ -45,8 +50,7 @@ jobs: sudo rm -rf /usr/local/lib/android || true df -h / - - name: Harden Runner - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 + - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs @@ -62,17 +66,18 @@ jobs: with: go-version: 1.23.x - - name: Setup Node.js version - uses: ./.github/actions/setup-node.js + - uses: ./.github/actions/setup-node.js - name: Determine parameters id: params run: | if [[ "${{ inputs.dry_run }}" == "true" ]]; then + echo "local_build=-l" >> $GITHUB_OUTPUT echo "platforms=linux/amd64" >> $GITHUB_OUTPUT echo "linux_platforms=linux/amd64" >> $GITHUB_OUTPUT echo "gpg_key_override=-k skip" >> $GITHUB_OUTPUT else + echo "local_build=" >> $GITHUB_OUTPUT echo "platforms=$(make echo-platforms)" >> $GITHUB_OUTPUT echo "linux_platforms=$(make echo-linux-platforms)" >> $GITHUB_OUTPUT fi @@ -89,8 +94,7 @@ jobs: echo Validate that the latest tag ${BRANCH} is in semver format echo ${BRANCH} | grep -E '^v[0-9]+.[0-9]+.[0-9]+$' - - name: Install tools - run: make install-ci + - run: make install-ci - name: Configure GPG Key if: ${{ inputs.dry_run != true }} @@ -112,7 +116,7 @@ jobs: with: file: '{deploy/*.tar.gz,deploy/*.zip,deploy/*.sha256sum.txt,deploy/*.asc}' file_glob: true - overwrite: true + overwrite: ${{ inputs.overwrite }} tag: ${{ env.BRANCH }} repo_token: ${{ secrets.GITHUB_TOKEN }} @@ -125,19 +129,28 @@ jobs: - name: Build and upload all container images # -B skips building the binaries since we already did that above - run: bash scripts/build-upload-docker-images.sh -B -p ${{ steps.params.outputs.linux_platforms }} + run: | + bash scripts/build-upload-docker-images.sh -B \ + -p ${{ steps.params.outputs.linux_platforms }} \ + ${{ steps.params.outputs.local_build }} env: DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} QUAY_TOKEN: ${{ secrets.QUAY_TOKEN }} - name: Build, test, and publish all-in-one image - run: bash scripts/build-all-in-one-image.sh -p ${{ steps.params.outputs.linux_platforms }} + run: | + bash scripts/build-all-in-one-image.sh \ + -p ${{ steps.params.outputs.linux_platforms }} \ + ${{ steps.params.outputs.local_build }} env: DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} QUAY_TOKEN: ${{ secrets.QUAY_TOKEN }} - name: Build, test, and publish hotrod image - run: bash scripts/build-hotrod-image.sh -p ${{ steps.params.outputs.linux_platforms }} + run: | + bash scripts/build-hotrod-image.sh \ + -p ${{ steps.params.outputs.linux_platforms }} \ + ${{ steps.params.outputs.local_build }} env: DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} QUAY_TOKEN: ${{ secrets.QUAY_TOKEN }} @@ -157,6 +170,6 @@ jobs: if: ${{ inputs.dry_run != true }} with: file: jaeger-SBOM.spdx.json - overwrite: true + overwrite: ${{ inputs.overwrite }} tag: ${{ env.BRANCH }} repo_token: ${{ secrets.GITHUB_TOKEN }} diff --git a/Makefile.Docker.mk b/Makefile.Docker.mk index 3c067f03f37..b1d4daa2b11 100644 --- a/Makefile.Docker.mk +++ b/Makefile.Docker.mk @@ -10,24 +10,32 @@ DEBUG_IMAGE ?= $(DOCKER_REGISTRY)/debugimg_alpine:latest create-baseimg-debugimg: create-baseimg create-debugimg create-baseimg: prepare-docker-buildx + @echo "::group:: create-baseimg" docker buildx build -t $(BASE_IMAGE) --push \ --platform=$(LINUX_PLATFORMS) \ docker/base + @echo "::endgroup::" create-debugimg: prepare-docker-buildx + @echo "::group:: create-debugimg" docker buildx build -t $(DEBUG_IMAGE) --push \ --platform=$(LINUX_PLATFORMS) \ docker/debug + @echo "::endgroup::" create-fake-debugimg: prepare-docker-buildx + @echo "::group:: create-fake-debugimg" docker buildx build -t $(DEBUG_IMAGE) --push \ --platform=$(LINUX_PLATFORMS) \ docker/base + @echo "::endgroup::" .PHONY: prepare-docker-buildx prepare-docker-buildx: + @echo "::group:: prepare-docker-buildx" docker buildx inspect jaeger-build > /dev/null || docker buildx create --use --name=jaeger-build --buildkitd-flags="--allow-insecure-entitlement security.insecure --allow-insecure-entitlement network.host" --driver-opt="network=host" docker inspect registry > /dev/null || docker run --rm -d -p 5000:5000 --name registry registry:2 + @echo "::endgroup::" .PHONY: clean-docker-buildx clean-docker-buildx: diff --git a/scripts/build-all-in-one-image.sh b/scripts/build-all-in-one-image.sh index 5bec81869bb..a8f2cd32df3 100755 --- a/scripts/build-all-in-one-image.sh +++ b/scripts/build-all-in-one-image.sh @@ -6,7 +6,7 @@ set -euf -o pipefail print_help() { - echo "Usage: $0 [-b binary] [-D] [-l] [-p platforms]" + echo "Usage: $0 [-b binary] [-D] [-h] [-l] [-p platforms]" echo "-b: Which binary to build: 'all-in-one' (default) or 'jaeger' (v2)" echo "-D: Disable building of images with debugger" echo "-h: Print help" diff --git a/scripts/build-hotrod-image.sh b/scripts/build-hotrod-image.sh index 0cff5a405fc..7af99798e8d 100755 --- a/scripts/build-hotrod-image.sh +++ b/scripts/build-hotrod-image.sh @@ -6,7 +6,7 @@ set -euxf -o pipefail print_help() { - echo "Usage: $0 [-l] [-D] [-p platforms] [-h]" + echo "Usage: $0 [-h] [-l] [-p platforms]" echo "-h: Print help" echo "-l: Enable local-only mode that only pushes images to local registry" echo "-p: Comma-separated list of platforms to build for (default: all supported)" @@ -19,7 +19,7 @@ current_platform="$(go env GOOS)/$(go env GOARCH)" LOCAL_FLAG='' success="false" -while getopts "lp:h" opt; do +while getopts "hlp:" opt; do case "${opt}" in l) # in the local-only mode the images will only be pushed to local registry diff --git a/scripts/build-upload-a-docker-image.sh b/scripts/build-upload-a-docker-image.sh index 63a0a3f5d4f..fdfbb061384 100755 --- a/scripts/build-upload-a-docker-image.sh +++ b/scripts/build-upload-a-docker-image.sh @@ -17,6 +17,7 @@ print_help() { exit 1 } +BRANCH=${BRANCH:?'expecting BRANCH env var'} base_debug_img_arg="" docker_file_arg="Dockerfile" target_arg="" @@ -62,26 +63,30 @@ fi docker_file_arg="${dir_arg}/${docker_file_arg}" -# shellcheck disable=SC2086 -IFS=" " read -r -a IMAGE_TAGS <<< "$(bash scripts/compute-tags.sh ${namespace}/${component_name})" -upload_flag="" +upload_comment="" if [[ "${local_test_only}" = "Y" ]]; then IMAGE_TAGS=("--tag" "localhost:5000/${namespace}/${component_name}:${GITHUB_SHA}") PUSHTAG="type=image, push=true" else + echo "::group:: compute tags ${component_name}" + # shellcheck disable=SC2086 + IFS=" " read -r -a IMAGE_TAGS <<< "$(bash scripts/compute-tags.sh ${namespace}/${component_name})" + echo "::endgroup::" + # Only push multi-arch images to dockerhub/quay.io for main branch or for release tags vM.N.P if [[ "$BRANCH" == "main" || $BRANCH =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then - echo "build docker images and upload to dockerhub/quay.io, BRANCH=$BRANCH" + echo "will build docker images and upload to dockerhub/quay.io, BRANCH=$BRANCH" bash scripts/docker-login.sh PUSHTAG="type=image, push=true" - upload_flag=" and uploading" + upload_comment=" and uploading" else echo 'skipping docker images upload, because not on tagged release or main branch' PUSHTAG="type=image, push=false" fi fi +echo "::group:: docker build ${component_name}" # Some of the variables can be blank and should not produce extra arguments, # so we need to disable the linter checks for quoting. # TODO: collect arguments into an array and add optional once conditionally @@ -92,10 +97,12 @@ docker buildx build --output "${PUSHTAG}" ${target_arg} ${base_debug_img_arg} \ --file "${docker_file_arg}" \ "${IMAGE_TAGS[@]}" \ "${dir_arg}" +echo "::endgroup::" +echo "Finished building${upload_comment} ${component_name} ==============" -echo "Finished building${upload_flag} ${component_name} ==============" - +echo "::group:: docker prune" df -h / docker buildx prune --all --force docker system prune --force df -h / +echo "::endgroup::" diff --git a/scripts/compute-tags.sh b/scripts/compute-tags.sh index 7f0a4fb5a0e..abc812724de 100755 --- a/scripts/compute-tags.sh +++ b/scripts/compute-tags.sh @@ -15,8 +15,8 @@ set -u BASE_BUILD_IMAGE=${1:?'expecting Docker image name as argument, such as jaegertracing/jaeger'} BRANCH=${BRANCH:?'expecting BRANCH env var'} -GITHUB_SHA=${GITHUB_SHA:?'expecting GITHUB_SHA env var'} -# allow substituting for ggrep on Mac, since its default grep doesn't grok -P flag. +GITHUB_SHA=${GITHUB_SHA:-$(git rev-parse HEAD)} +# allow substituting for ggrep, since default grep on MacOS doesn't grok -P flag. GREP=${GREP:-"grep"} # accumulate output in this variable @@ -35,15 +35,12 @@ tags() { ## The other possible values are 'main' or another branch name. if [[ $BRANCH =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then MAJOR_MINOR_PATCH=$(echo "${BRANCH}" | ${GREP} -Po "([\d\.]+)") - MAJOR_MINOR=$(echo "${MAJOR_MINOR_PATCH}" | awk -F. '{print $1"."$2}') - MAJOR=$(echo "${MAJOR_MINOR_PATCH}" | awk -F. '{print $1}') - tags "${BASE_BUILD_IMAGE}:${MAJOR_MINOR_PATCH}" - tags "${BASE_BUILD_IMAGE}:${MAJOR_MINOR}" - tags "${BASE_BUILD_IMAGE}:${MAJOR}" tags "${BASE_BUILD_IMAGE}:latest" elif [[ $BRANCH != "main" ]]; then - tags "${BASE_BUILD_IMAGE}:latest" + # not on release tag nor on main - no tags are needed since we won't publish + echo "" + exit fi tags "${BASE_BUILD_IMAGE}-snapshot:${GITHUB_SHA}" diff --git a/scripts/compute-tags.test.sh b/scripts/compute-tags.test.sh index 01f61ae8b49..64012681b3d 100755 --- a/scripts/compute-tags.test.sh +++ b/scripts/compute-tags.test.sh @@ -31,9 +31,13 @@ testRequireBranch() { assertContains "$err" "$err" 'expecting BRANCH env var' } -testRequireGithubSha() { - err=$(BRANCH=abcd bash "$computeTags" foo/bar 2>&1) - assertContains "$err" "$err" 'expecting GITHUB_SHA env var' +testGithubShaIsDefaulted() { + out=$(BRANCH=main bash "$computeTags" foo/bar) + expected=( + "foo/bar-snapshot:$(git rev-parse HEAD)" + "foo/bar-snapshot:latest" + ) + expect "${expected[@]}" } # out is global var which is populated for every output under test @@ -79,14 +83,8 @@ expect_not() { } testRandomBranch() { - out=$(BRANCH=branch GITHUB_SHA=sha bash "$computeTags" foo/bar) - expected=( - "foo/bar:latest" - "foo/bar-snapshot:sha" - "foo/bar-snapshot:latest" - ) - expect "${expected[@]}" - expect_not "foo/bar" + out=$(BRANCH=random GITHUB_SHA=sha bash "$computeTags" foo/bar) + expect } testMainBranch() { @@ -103,8 +101,6 @@ testSemVerBranch() { out=$(BRANCH=v1.2.3 GITHUB_SHA=sha bash "$computeTags" foo/bar) expected=( "foo/bar:latest" - "foo/bar:1" - "foo/bar:1.2" "foo/bar:1.2.3" "foo/bar-snapshot:sha" "foo/bar-snapshot:latest"