From 9dacea2143249b6b4e0b7c454d2057ca8cbe85de Mon Sep 17 00:00:00 2001
From: davmacario
Date: Mon, 7 Oct 2024 23:37:36 +0200
Subject: [PATCH 01/12] ci: only run linter on pull request (no push)

---
 .github/workflows/linter.yml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml
index bae54c4..d13af3e 100644
--- a/.github/workflows/linter.yml
+++ b/.github/workflows/linter.yml
@@ -18,9 +18,7 @@ permissions: read-all
 # Start the job on all push #
 #############################
 on:
-  push:
-    branches-ignore: [master, main]
-    # Remove the line above to run when pushing to master
+  # Only on pull requests (for approval)
   pull_request:
     branches: [master, main]

From 53a8e895c0062b48a57761d621d981b66f840cb4 Mon Sep 17 00:00:00 2001
From: davmacario
Date: Mon, 7 Oct 2024 23:38:52 +0200
Subject: [PATCH 02/12] ci: job to publish Docker image to registry

---
 .github/workflows/publish_image.yaml | 47 ++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)
 create mode 100644 .github/workflows/publish_image.yaml

diff --git a/.github/workflows/publish_image.yaml b/.github/workflows/publish_image.yaml
new file mode 100644
index 0000000..02da6aa
--- /dev/null
+++ b/.github/workflows/publish_image.yaml
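Review bot: The banner context line `# Start the job on all push #` at the top of the hunk still advertises the push trigger that the hunk deletes, so the header now contradicts the `on:` block below it; reword it to `# Start the job on pull requests #` (adjusting the `#` border to match) or drop the banner. Removing `push:` also means commits pushed straight to master/main are no longer linted, which only holds the line if branch protection forces changes through pull requests; the new comment could state that, e.g. `# Only on pull requests (for approval); direct pushes to master/main are not linted`.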
@@ -0,0 +1,47 @@
+---
+
+name: "Publish Docker Image"
+
+permissions:
+  packages: write
+  contents: read
+  attestations: write
+  id-token: write
+
+env:
+  OAK_MODULE_DIR: "code/oak-d-lite-module"
+  REGISTRY: "ghcr.io"
+  IMAGE_NAME: "${{ github.repository }}:latest"
+
+on:
+  push: # Only run after merge to main, when these files change
+    branches: [master, main]
+    paths:
+      - "${{ env.OAK_MODULE_DIR }}/Dockerfile"
+      - "${{ env.OAK_MODULE_DIR }}/reuqirements.txt"
+      - "${{ env.OAK_MODULE_DIR }}/vision_webserver.py"
+      - ".github/workflows/publish_image.yaml" # This file
+
+jobs:
+  build:
+    name: Publish Docker Image
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Log into GHCR
+        run: docker login ${{ env.REGISTRY }} -u ${{ github.repository_owner }} --password ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build Docker Image
+        run: |
+          pushd $OAK_MODULE_DIR
+          docker build -t "${{ env.IMAGE_NAME }}" .
+          popd
+
+      - name: Push Docker Image
+        run: docker push ${{ env.IMAGE_NAME }}
+
+# EOF

From 1263b8ce9a31c3c28226dc08f5301a5feb600a05 Mon Sep 17 00:00:00 2001
From: davmacario
Date: Mon, 7 Oct 2024 23:39:06 +0200
Subject: [PATCH 03/12] style: remove whitespace

---
 code/oak-d-lite-module/create_image.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/code/oak-d-lite-module/create_image.sh b/code/oak-d-lite-module/create_image.sh
index 51adea7..69d307c 100755
--- a/code/oak-d-lite-module/create_image.sh
+++ b/code/oak-d-lite-module/create_image.sh
@@ -1,2 +1,2 @@
 #!/bin/bash
-docker build -t depthai-freisa:latest .
\ No newline at end of file
+docker build -t depthai-freisa:latest .

From fbde4eb7b759cce182287da3186c1c3a8342adeb Mon Sep 17 00:00:00 2001
From: davmacario
Date: Mon, 7 Oct 2024 23:46:10 +0200
Subject: [PATCH 04/12] fix: file name spelling

---
 .github/workflows/publish_image.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
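Review bot: `docker push ${{ env.IMAGE_NAME }}` in the last step pushes `owner/repo:latest` with no registry prefix, so Docker resolves it to Docker Hub even though the preceding step logged into `ghcr.io`; the `docker build -t` and `docker push` lines should use `"${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}"` (I believe the workflow-level `env` block cannot reference the `env` context itself, so the prefix has to be applied at the step). The login step also hands `${{ secrets.GITHUB_TOKEN }}` to `--password`, which exposes the token on the shell command line and in the process list; `echo "${{ secrets.GITHUB_TOKEN }}" | docker login "${{ env.REGISTRY }}" -u "${{ github.repository_owner }}" --password-stdin` keeps it off argv. PATCH 08 later in this series replaces these steps with docker/login-action and docker/metadata-action, which resolves both points, so they matter only if this commit is taken on its own. `fetch-depth: 0` fetches the full history for a build that needs only the working tree; the default shallow checkout is sufficient here.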
diff --git a/.github/workflows/publish_image.yaml b/.github/workflows/publish_image.yaml
index 02da6aa..8d84cc2 100644
--- a/.github/workflows/publish_image.yaml
+++ b/.github/workflows/publish_image.yaml
@@ -18,7 +18,7 @@ on:
     branches: [master, main]
     paths:
       - "${{ env.OAK_MODULE_DIR }}/Dockerfile"
-      - "${{ env.OAK_MODULE_DIR }}/reuqirements.txt"
+      - "${{ env.OAK_MODULE_DIR }}/requirements.txt"
       - "${{ env.OAK_MODULE_DIR }}/vision_webserver.py"
       - ".github/workflows/publish_image.yaml" # This file
 

From 5d17c22f00b5453697d5552ae15c9f5ee2405398 Mon Sep 17 00:00:00 2001
From: davmacario
Date: Mon, 14 Oct 2024 19:40:50 +0200
Subject: [PATCH 05/12] ci: allow job to be ran manually

---
 .github/workflows/publish_image.yaml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/publish_image.yaml b/.github/workflows/publish_image.yaml
index 8d84cc2..a41c41d 100644
--- a/.github/workflows/publish_image.yaml
+++ b/.github/workflows/publish_image.yaml
@@ -1,5 +1,4 @@
 ---
-
 name: "Publish Docker Image"
 
 permissions:
@@ -14,13 +13,14 @@ env:
   IMAGE_NAME: "${{ github.repository }}:latest"
 
 on:
-  push: # Only run after merge to main, when these files change
+  push: # Only run after merge to main, when these files change
     branches: [master, main]
     paths:
       - "${{ env.OAK_MODULE_DIR }}/Dockerfile"
       - "${{ env.OAK_MODULE_DIR }}/requirements.txt"
       - "${{ env.OAK_MODULE_DIR }}/vision_webserver.py"
-      - ".github/workflows/publish_image.yaml" # This file
+      - ".github/workflows/publish_image.yaml" # This file
+  workflow_dispatch: true
 
 jobs:
   build:
@@ -43,5 +43,4 @@ jobs:
 
       - name: Push Docker Image
         run: docker push ${{ env.IMAGE_NAME }}
-
 # EOF

From 84d8d539c4463f26886d8a60044034021f8f2ae6 Mon Sep 17 00:00:00 2001
From: davmacario
Date: Mon, 14 Oct 2024 19:46:21 +0200
Subject: [PATCH 06/12] fix: linter issues

---
 .github/workflows/publish_image.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/publish_image.yaml b/.github/workflows/publish_image.yaml
index a41c41d..4f506c7 100644
--- a/.github/workflows/publish_image.yaml
+++ b/.github/workflows/publish_image.yaml
@@ -20,7 +20,7 @@ on:
       - "${{ env.OAK_MODULE_DIR }}/requirements.txt"
       - "${{ env.OAK_MODULE_DIR }}/vision_webserver.py"
       - ".github/workflows/publish_image.yaml" # This file
-  workflow_dispatch: true
+  workflow_dispatch:
 
 jobs:
   build:
@@ -33,14 +33,14 @@ jobs:
           fetch-depth: 0
 
       - name: Log into GHCR
-        run: docker login ${{ env.REGISTRY }} -u ${{ github.repository_owner }} --password ${{ secrets.GITHUB_TOKEN }}
+        run: docker login "${{ env.REGISTRY }}" -u "${{ github.repository_owner }}" --password "${{ secrets.GITHUB_TOKEN }}"
 
       - name: Build Docker Image
         run: |
-          pushd $OAK_MODULE_DIR
+          pushd "$OAK_MODULE_DIR"
           docker build -t "${{ env.IMAGE_NAME }}" .
           popd
 
       - name: Push Docker Image
-        run: docker push ${{ env.IMAGE_NAME }}
+        run: docker push "${{ env.IMAGE_NAME }}"
 # EOF

From 75ae5b7fb7e952f038329abe331a10d5a3f182c2 Mon Sep 17 00:00:00 2001
From: davmacario
Date: Mon, 14 Oct 2024 20:05:15 +0200
Subject: [PATCH 07/12] fix: remove variables from on.push.paths

---
 .github/workflows/publish_image.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/publish_image.yaml b/.github/workflows/publish_image.yaml
index 4f506c7..cabdec1 100644
--- a/.github/workflows/publish_image.yaml
+++ b/.github/workflows/publish_image.yaml
@@ -16,9 +16,9 @@ on:
   push: # Only run after merge to main, when these files change
     branches: [master, main]
     paths:
-      - "${{ env.OAK_MODULE_DIR }}/Dockerfile"
-      - "${{ env.OAK_MODULE_DIR }}/requirements.txt"
-      - "${{ env.OAK_MODULE_DIR }}/vision_webserver.py"
+      - "code/oak-d-lite-module/Dockerfile"
+      - "code/oak-d-lite-module/requirements.txt"
+      - "code/oak-d-lite-module/vision_webserver.py"
       - ".github/workflows/publish_image.yaml" # This file
   workflow_dispatch:
From ad2a2ec4b1b7f7217b931a12728df6da6cf37a3c Mon Sep 17 00:00:00 2001
From: davmacario
Date: Mon, 14 Oct 2024 20:20:43 +0200
Subject: [PATCH 08/12] ci: improve docker action

---
 .github/workflows/publish_image.yaml | 71 +++++++++++++++++++++-------
 1 file changed, 54 insertions(+), 17 deletions(-)

diff --git a/.github/workflows/publish_image.yaml b/.github/workflows/publish_image.yaml
index cabdec1..8b091b3 100644
--- a/.github/workflows/publish_image.yaml
+++ b/.github/workflows/publish_image.yaml
@@ -1,46 +1,83 @@
 ---
 name: "Publish Docker Image"
 
-permissions:
-  packages: write
-  contents: read
-  attestations: write
-  id-token: write
-
 env:
-  OAK_MODULE_DIR: "code/oak-d-lite-module"
   REGISTRY: "ghcr.io"
   IMAGE_NAME: "${{ github.repository }}:latest"
 
 on:
   push: # Only run after merge to main, when these files change
-    branches: [master, main]
+    branches: [$default-branch]
     paths:
       - "code/oak-d-lite-module/Dockerfile"
       - "code/oak-d-lite-module/requirements.txt"
       - "code/oak-d-lite-module/vision_webserver.py"
       - ".github/workflows/publish_image.yaml" # This file
+    # Publish semver tags as releases.
+    tags: ["v*.*.*"]
+  pull_request:
+    branches: [$default-branch]
   workflow_dispatch:
 
 jobs:
   build:
     name: Publish Docker Image
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+      attestations: write
+
     steps:
       - name: Checkout Code
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
-      - name: Log into GHCR
-        run: docker login "${{ env.REGISTRY }}" -u "${{ github.repository_owner }}" --password "${{ secrets.GITHUB_TOKEN }}"
+      - name: Install cosign
+        if: github.event_name != 'pull_request'
+        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 #v3.5.0
+        with:
+          cosign-release: "v2.2.4"
 
-      - name: Build Docker Image
-        run: |
-          pushd "$OAK_MODULE_DIR"
-          docker build -t "${{ env.IMAGE_NAME }}" .
-          popd
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3.0.0
+
+      # Login against a Docker registry except on PR
+      # https://github.com/docker/login-action
+      - name: Log into registry ${{ env.REGISTRY }}
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3.0.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@v5.0.0
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      - name: Build and push Docker image
+        id: build-and-push
+        uses: docker/build-push-action@v5.0.0
+        with:
+          context: .
+          push: ${{ github.event_name != 'pull_request' }} # Don't push on PR
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
 
-      - name: Push Docker Image
-        run: docker push "${{ env.IMAGE_NAME }}"
+      - name: Sign the published Docker image
+        if: ${{ github.event_name != 'pull_request' }}
+        env:
+          # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
+          TAGS: ${{ steps.meta.outputs.tags }}
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+        # This step uses the identity token to provision an ephemeral certificate
+        # against the sigstore community Fulcio instance.
+        run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
 # EOF

From 8c49c135780154fca266f39b55846a7fe7ff7bb4 Mon Sep 17 00:00:00 2001
From: davmacario
Date: Mon, 14 Oct 2024 20:25:28 +0200
Subject: [PATCH 09/12] fix: shellcheck

---
 .github/workflows/publish_image.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/publish_image.yaml b/.github/workflows/publish_image.yaml
index 8b091b3..2595cc7 100644
--- a/.github/workflows/publish_image.yaml
+++ b/.github/workflows/publish_image.yaml
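Review bot: The job-level `permissions` block grants `attestations: write`, but no step in the hunk produces an attestation (cosign signs through `id-token: write`; there is no actions/attest-build-provenance step), so that grant should be dropped to keep the job token at least privilege. Action pinning is also inconsistent: `sigstore/cosign-installer` is pinned to a full commit SHA with a version comment, while `docker/setup-buildx-action@v3.0.0`, `docker/login-action@v3.0.0`, `docker/metadata-action@v5.0.0` and `docker/build-push-action@v5.0.0` are mutable tags; pin those to commit SHAs the same way so a retagged release cannot change what runs with `packages: write`. The new `pull_request` trigger has no `paths` filter, unlike `push`, so every PR to the default branch builds the image even when nothing under `code/oak-d-lite-module/` changed; mirroring the `paths:` list there would keep the two triggers consistent. Note that the write permissions also apply to the `pull_request` runs, where only a build happens; moving the PR build into its own job with `contents: read` alone would tighten that further.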
@@ -79,5 +79,5 @@ jobs:
           DIGEST: ${{ steps.build-and-push.outputs.digest }}
         # This step uses the identity token to provision an ephemeral certificate
         # against the sigstore community Fulcio instance.
-        run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
+        run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@"${DIGEST}"
 # EOF

From 8dd5ea5a8fc71d52c3eb71f5002b651f5aa5b6c2 Mon Sep 17 00:00:00 2001
From: davmacario
Date: Mon, 14 Oct 2024 20:29:00 +0200
Subject: [PATCH 10/12] fix: specify correct context for docker build

---
 .github/workflows/publish_image.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/publish_image.yaml b/.github/workflows/publish_image.yaml
index 2595cc7..50a6f82 100644
--- a/.github/workflows/publish_image.yaml
+++ b/.github/workflows/publish_image.yaml
@@ -64,7 +64,7 @@ jobs:
         id: build-and-push
         uses: docker/build-push-action@v5.0.0
         with:
-          context: .
+          context: code/oak-d-lite-module/
           push: ${{ github.event_name != 'pull_request' }} # Don't push on PR
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}

From a772a52bac7a8520799b71b83e480e768bb298be Mon Sep 17 00:00:00 2001
From: davmacario
Date: Mon, 14 Oct 2024 20:30:18 +0200
Subject: [PATCH 11/12] fix: branches name

---
 .github/workflows/publish_image.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/publish_image.yaml b/.github/workflows/publish_image.yaml
index 50a6f82..e8c23d7 100644
--- a/.github/workflows/publish_image.yaml
+++ b/.github/workflows/publish_image.yaml
@@ -7,7 +7,7 @@ env:
 
 on:
   push: # Only run after merge to main, when these files change
-    branches: [$default-branch]
+    branches: [master, main]
     paths:
       - "code/oak-d-lite-module/Dockerfile"
       - "code/oak-d-lite-module/requirements.txt"
@@ -16,7 +16,7 @@ on:
     # Publish semver tags as releases.
     tags: ["v*.*.*"]
   pull_request:
-    branches: [$default-branch]
+    branches: [master, main]
   workflow_dispatch:
 
 jobs:
From 3b3ea42cac459916a8efa73f209f3f2465bd79aa Mon Sep 17 00:00:00 2001
From: davmacario
Date: Mon, 14 Oct 2024 20:35:43 +0200
Subject: [PATCH 12/12] fix: image name and tag

---
 .github/workflows/publish_image.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/publish_image.yaml b/.github/workflows/publish_image.yaml
index e8c23d7..e3d08b9 100644
--- a/.github/workflows/publish_image.yaml
+++ b/.github/workflows/publish_image.yaml
@@ -3,7 +3,7 @@ name: "Publish Docker Image"
 
 env:
   REGISTRY: "ghcr.io"
-  IMAGE_NAME: "${{ github.repository }}:latest"
+  IMAGE_NAME: "${{ github.repository }}"
 
 on:
   push: # Only run after merge to main, when these files change
@@ -62,7 +62,7 @@ jobs:
 
       - name: Build and push Docker image
         id: build-and-push
-        uses: docker/build-push-action@v5.0.0
+        uses: docker/build-push-action@v6
         with:
           context: code/oak-d-lite-module/
           push: ${{ github.event_name != 'pull_request' }} # Don't push on PR
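Review bot: `uses: docker/build-push-action@v6` in the second hunk replaces an exact release tag with a floating major tag, so the step now runs whatever the `v6` tag points to at execution time, while the `sigstore/cosign-installer` step elsewhere in the job is pinned to a commit SHA. For a step that runs with `packages: write` and whose output digest is what gets signed, pin it to the full commit SHA of the intended v6 release and record the version in a trailing comment, `uses: docker/build-push-action@<commit-sha-of-chosen-v6-release> # v6.x.y`. The `Build and push Docker image` step continues past the end of the hunk.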