[#4] Create CI environment for building OCI images
Some checks are pending
/ build-dotnet-8.0 (pull_request) Successful in 5m45s
/ build-oci-image-builder-bookworm (pull_request) Successful in 3m20s
/ build-openjdk-11-maven-3.8.6 (pull_request) Successful in 5m40s
/ build-python-3.11 (pull_request) Successful in 1m24s
/ build-python-3.13 (pull_request) Successful in 5m58s
/ build-dotnet-8.0 (push) Successful in 5m30s
/ build-oci-image-builder-bookworm (push) Successful in 4m6s
/ build-openjdk-11-maven-3.8.6 (push) Successful in 1m25s
/ build-python-3.11 (push) Successful in 5m39s
/ build-python-3.13 (push) Has started running

This saves some workflow time previously spent on installing Debian
packages and also allows for easier reuse of Buildah in other repos'
actions.

Signed-off-by: Vitaliy Potyarkin <v.potyarkin@yadro.com>
This commit is contained in:
Vitaliy Potyarkin 2024-12-18 13:07:13 +03:00
parent f36d1e57de
commit f37c89b1fd
7 changed files with 98 additions and 13 deletions

View file

@ -7,16 +7,15 @@ jobs:
build:
name: build-${{matrix.tag}}
runs-on: docker
container: node:22-bullseye
container: git.frostfs.info/truecloudlab/env:oci-image-builder-bookworm
strategy:
matrix:
tag:
- dotnet-8.0
- oci-image-builder-bookworm
- openjdk-11-maven-3.8.6
- python-3.11
- python-3.13
env:
STORAGE_DRIVER: vfs
steps:
- name: Clone git repo
uses: actions/checkout@v3
@ -28,16 +27,6 @@ jobs:
${{matrix.tag}}/**
id: changed
- name: Install Buildah
run: |-
apt update; apt install -y buildah
# STORAGE_DRIVER variable is ignored if this file does not exist
touch /etc/containers/storage.conf
if: >-
github.event_name == 'workflow_dispatch'
|| steps.changed.outputs.any_changed == 'true'
- name: Build OCI image
run: make ${{matrix.tag}}
if: >-
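Review bot: the `STORAGE_DRIVER: vfs` env entry near the top of the hunk is now redundant: the new container image ships `/etc/containers/storage.conf` with `driver = "vfs"`, which is exactly why the `touch /etc/containers/storage.conf` workaround in the removed `Install Buildah` step is no longer needed. Dropping the env entry, or a comment saying which setting wins, keeps a single source of truth. Separately, `container:` now references the env image by a mutable tag, and this same matrix rebuilds that image: a bad push of `env:oci-image-builder-bookworm` breaks every job here, so pinning the workflow to a digest or keeping a known-good fallback tag is worth considering.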

View file

@ -0,0 +1,15 @@
FROM docker.io/node:20-bookworm-slim as node
FROM docker.io/golang:1.23-bookworm
COPY --from=node /usr/local /usr/local
COPY --from=node /opt /opt
RUN apt-get update && \
apt-get install -y buildah && \
apt-get clean && \
rm -rf /var/lib/apt/lists/*
COPY docker-wrapper.sh /usr/local/bin/docker
# Configuration for buildah inside rootless podman
COPY containers.conf /etc/containers/containers.conf
COPY registries.conf /etc/containers/registries.conf
COPY storage.conf /etc/containers/storage.conf
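Review bot: `COPY docker-wrapper.sh /usr/local/bin/docker` preserves the file mode from the build context, so the `docker` wrapper is only executable if `docker-wrapper.sh` was committed with the executable bit set; a `RUN chmod 0755 /usr/local/bin/docker` after the COPY removes that dependence on git file modes. Minor: `as node` in the first `FROM` should be `AS node` to match the uppercase instruction style of the rest of the file, and `apt-get install -y --no-install-recommends buildah` would keep the image smaller.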

View file

@ -0,0 +1,39 @@
# Forgejo Actions environment for building OCI container images
Building OCI container images inside Forgejo Actions is somewhat non-trivial.
We need to execute Buildah inside of a rootless Podman container, which
eventually leads to a podman-in-podman scenario. Thankfully, this is not as
complex as docker-in-docker.
This image contains everything we need for executing `make image` in our
Golang repos:
- Go toolchain (for helper scripts called by Makefile)
- Docker wrapper (for abstracting Buildah away from human Makefile users)
- Podman configuration files
## Usage
Referencing this container from `.forgejo/workflows/workflow.yml`:
```yaml
jobs:
oci-image:
runs-on: docker
container: git.frostfs.info/truecloudlab/env:oci-image-builder-bookworm
```
See full [live
example](https://git.frostfs.info/TrueCloudLab/action-env/src/branch/master/.forgejo/workflows/build.yml)
in action in this repo.
## Initial Forgejo setup
We use this image to build all images in this repo. To avoid chicken-and-egg
situation in case of disaster recovery, the first version of this image must
be pushed from outside of Forgejo Actions, e.g. from sysadmin laptop:
```console
$ make oci-image-builder-bookworm
$ make push-oci-image-builder-bookworm
```
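Review bot: the "Podman configuration files" bullet should say what those files actually do, because that is the security-relevant part of this image: `containers.conf` runs every nested container in the host namespaces (`userns`, `pidns`, `netns`, ...) of the runner container, so build steps are isolated only by the outer rootless Podman, and `registries.conf` adds `quay.io` as a mirror for `docker.io` pulls. A sentence on each lets a reader of the README judge whether the image is appropriate for a given workflow. Also "To avoid chicken-and-egg situation" reads better as "To avoid a chicken-and-egg situation".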

View file

@ -0,0 +1,8 @@
# https://github.com/containers/podman/issues/20453#issuecomment-1912725982
[containers]
cgroupns="host"
ipcns="host"
netns="host"
pidns="host"
userns="host"
utsns="host"
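Review bot: setting `cgroupns`, `ipcns`, `netns`, `pidns`, `userns` and `utsns` all to `"host"` removes every namespace boundary between the containers buildah starts and the runner container, so whatever a `RUN` step in a built Dockerfile executes shares the runner's network, process table and user mapping. That is presumably what the linked issue requires for podman-in-podman without extra privileges, but the file should say so in its own comment rather than only by URL, and state that the isolation guarantee rests entirely on the outer rootless Podman. If only some of these keys are actually needed, trimming the list to the minimum narrows what a build step can reach.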

View file

@ -0,0 +1,18 @@
#!/bin/bash
#
# A wrapper that translates `docker build` commands for use with buildah
#
set -euo pipefail
while [[ $# -ne 0 ]]
do
case "$1" in
--rm|--force-rm)
# 'rm' and 'force-rm' can only be set with either 'layers' or 'no-cache'
;;
*)
args+=("$1")
;;
esac
shift
done
buildah "${args[@]}"
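Review bot: `args` is never initialised, so under `set -u` an invocation with no arguments, or one where every argument is `--rm`/`--force-rm`, expands `"${args[@]}"` as an unbound variable on bash versions before 4.4 and aborts instead of running `buildah`. Add `args=()` before the `while` loop. Also prefer `exec buildah "${args[@]}"` on the last line so buildah replaces the wrapper process and receives signals from the runner directly. The comment in the `--rm|--force-rm)` branch quotes buildah's error text; saying plainly that buildah rejects these flags unless `--layers` or `--no-cache` is given, so the wrapper drops them, is clearer.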

View file

@ -0,0 +1,11 @@
unqualified-search-registries = ["docker.io"]
[[registry]]
prefix = "docker.io"
location = "docker.io"
[[registry.mirror]]
location = "quay.io"
[[registry.mirror]]
location = "docker.io"
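Review bot: the `[[registry.mirror]]` entry with `location = "quay.io"` under `prefix = "docker.io"` means every Docker Hub pull is first attempted against quay.io at the same repository path. quay.io is a separate registry with its own namespace, not a Docker Hub mirror, so for most images this adds a failing request before the fallback, and for any path that does exist on quay.io the build silently gets quay.io's content instead of the Docker Hub publisher's. If the goal is to reduce Docker Hub rate-limit pressure, a real pull-through cache does that without changing which publisher's image is used; otherwise drop the entry. The final `[[registry.mirror]]` pointing at `docker.io` itself is also redundant with the registry's own `location`.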

View file

@ -0,0 +1,5 @@
# STORAGE_DRIVER variable is ignored if /etc/containers/storage.conf does not exist
[storage]
driver = "vfs"
runroot = "/run/containers/storage"
graphroot = "/var/lib/containers/storage"
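Review bot: `runroot` and `graphroot` are set to the paths containers-storage uses when running as root, and the Dockerfile in this commit does not create them, so this only works if the runner executes the job as root inside the container (buildah then creates them on first use) or if the paths are pre-created and writable for the job user. A comment stating that assumption, or an explicit `mkdir` with ownership in the Dockerfile, makes the failure mode obvious. The header comment explains why the file must exist; it would also help to state why `vfs` was chosen, since vfs stores every layer as a full copy and makes builds slower and more disk-hungry than overlay.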