CI(Docker): Docker workflow improvements (#5128)

echoix · web-flow · commit 33f29c1d0e17 · 2025-02-17T17:19:29.000-05:00
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -16,9 +16,16 @@ on:
     branches:
       - main
       - releasebranch_*
-      - '!releasebranch_7_*'
+      - "!releasebranch_7_*"
     # tags: ['*.*.*']
     paths-ignore: [doc/**]
+  pull_request:
+    paths:
+      - .github/workflows/docker.yml
+      - Dockerfile
+      - docker/**
+      - "!docker/**.md"
+  workflow_dispatch:
   release:
     types: [published]
 
@@ -35,10 +42,17 @@ jobs:
   # For a release, e.g. 8.3.0, created tags are:
   #     8.3.0-alpine, 8.3.0-debian, 8.3.0-ubuntu and latest (with ubuntu)
   docker-os-matrix:
-    name: build and push ${{ matrix.os }} for ${{ github.ref }}
-    if: github.repository_owner == 'OSGeo'
+    name: ${{ matrix.os }} for ${{ github.ref }}
     runs-on: ubuntu-latest
-
+    concurrency:
+      group: >-
+        ${{ github.workflow }}-${{ matrix.os }}-${{ github.event_name }}-
+        ${{ github.event_name == 'pull_request' && github.head_ref || github.ref }}
+      # Cancel in progress in pull requests.
+      # Otherwise, limit to one in progress and one queued for each type.
+      # Only the latest queued job per event type will be kept, older will be cancelled.
+      # The already running job will be completed.
+      cancel-in-progress: ${{ github.event_name == 'pull_request' }}
     strategy:
       matrix:
         os:
@@ -49,32 +63,78 @@ jobs:
       fail-fast: false
 
     permissions:
+      attestations: write
       contents: read
+      id-token: write
       packages: write
 
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
+      - name: Get the latest tag and release branches
+        id: tag-branch
+        run: |
+          # Make sure tags are fetched
+          git fetch --tags
+          # Get sorted list of tags, keep the first that has a semver pattern (not RCs)
+          latest_tag="$(git tag --sort=-v:refname \
+            | grep -E '^[0-9]+\.[0-9]+\.[0-9]+$' \
+            | head -n 1)"
+          latest_rel_branch="$(git branch --all --list 'origin/*' \
+            --contains "${latest_tag}" --format "%(refname:lstrip=3)")"
+          echo "latest_tag=${latest_tag}" >> "${GITHUB_OUTPUT}"
+          echo "latest_tag is: ${latest_tag}"
+          echo "latest_rel_branch=${latest_rel_branch}" >> "${GITHUB_OUTPUT}"
+          echo "latest_rel_branch is: ${latest_rel_branch}"
+      - name: Get enable values for meta step
+        id: enable
+        run: |
+          latest="${{
+            (github.ref || format('{0}{1}', 'refs/tags/', github.event.release.tag_name))
+              == format('refs/tags/{0}', steps.tag-branch.outputs.latest_tag)
+            && matrix.os == 'ubuntu' }}"
+          current="${{
+            ( contains(fromJSON('["tag", "release"]'), github.event_name)
+              && (github.ref || format('{0}{1}', 'refs/tags/', github.event.release.tag_name))
+                  == format('refs/tags/{0}', steps.tag-branch.outputs.latest_tag)
+            )
+            || github.ref == format('refs/heads/{0}', steps.tag-branch.outputs.latest_rel_branch)
+          }}"
+          echo "latest=${latest}" >> "${GITHUB_OUTPUT}"
+          echo "latest is $latest"
+          echo "current=${current}" >> "${GITHUB_OUTPUT}"
+          echo "current is $current"
       - name: Docker meta
         id: meta
         uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
         with:
-          images: osgeo/grass-gis
+          images: |
+            name=docker.io/osgeo/grass-gis,enable=${{ github.repository_owner == 'OSGeo'
+              && github.event_name != 'pull_request' }}
+            name=ghcr.io/${{ github.repository }}
           tags: |
             type=ref,event=tag
             type=ref,event=branch
-            type=raw,value=current,enable=${{ github.ref == format('refs/heads/{0}', 'releasebranch_8_3') }}
-            type=raw,value=latest,enable=${{ startsWith(github.ref, 'refs/tags/8.3') && matrix.os == 'ubuntu' }},suffix=
+            type=ref,event=pr
+            type=raw,value=current,enable=${{ steps.enable.outputs.current }}
+            type=raw,value=latest,enable=${{ steps.enable.outputs.latest }},suffix=
           flavor: |
             latest=false
             suffix=-${{ matrix.os }}
       - name: Set up QEMU
         uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3.4.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
-      - name: Login to DockerHub
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Login to Docker Hub
+        if: ${{ github.repository_owner == 'OSGeo' && github.event_name != 'pull_request' }}
         uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
@@ -83,12 +143,39 @@ jobs:
         id: docker_build
         uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
         with:
-          push: true
-          pull: true
+          push: ${{ github.event_name != 'pull_request' }}
           context: .
           tags: ${{ steps.meta.outputs.tags }}
           file: docker/${{ matrix.os }}/Dockerfile
-          cache-from: type=gha,scope=${{ matrix.os }}
+          annotations: ${{ steps.meta.outputs.annotations }}
+          provenance: mode=max
+          sbom: true
+          # Don't use cache for releases.
+          no-cache: ${{ contains(fromJSON('["tag", "release"]'), github.event_name) && true }}
+          # Don't use gha cache for releases. Cache is not used if `cache-from:` is empty
+          cache-from: >-
+            ${{ !contains(fromJSON('["tag", "release"]'), github.event_name)
+                && format('type=gha,scope={0}', matrix.os) || '' }}
           cache-to: type=gha,mode=max,scope=${{ matrix.os }}
       - name: Image digest
         run: echo ${{ steps.docker_build.outputs.digest }}
+      - name: Attest docker.io image
+        uses: actions/attest-build-provenance@520d128f165991a6c774bcb264f323e3d70747f4 # v2.2.0
+        # If there isn't a digest, an annotation cannot be added
+        if: >-
+          ${{ github.repository_owner == 'OSGeo' && github.event_name != 'pull_request'
+            && steps.docker_build.outputs.digest }}
+        id: attest
+        with:
+          subject-name: docker.io/osgeo/grass-gis
+          subject-digest: ${{ steps.docker_build.outputs.digest }}
+          push-to-registry: ${{ github.repository_owner == 'OSGeo' && github.event_name != 'pull_request' }}
+      - name: Attest ghcr.io image
+        uses: actions/attest-build-provenance@520d128f165991a6c774bcb264f323e3d70747f4 # v2.2.0
+        # If there isn't a digest, an annotation cannot be added
+        if: ${{ steps.docker_build.outputs.digest }}
+        id: attest-ghcr
+        with:
+          subject-name: ghcr.io/${{ github.repository }}
+          subject-digest: ${{ steps.docker_build.outputs.digest }}
+          push-to-registry: ${{ github.event_name != 'pull_request' }}
