Skip to content

Build neurodesktop #1258

Build neurodesktop

Build neurodesktop #1258

name: Build neurodesktop
# Scheduled production builds at 17:00 UTC every day.
# Build manually from here: https://github.com/NeuroDesk/neurodesktop/actions/workflows/build-neurodesktop.yml
# DockerHub: https://hub.docker.com/r/vnmd/neurodesktop
# Github Packages: https://github.com/NeuroDesk/neurodesktop/pkgs/container/neurodesktop%2Fneurodesktop
on:
workflow_dispatch:
inputs:
force_push:
description: 'Force push?'
type: boolean
required: true
default: false
schedule:
- cron: '0 17 * * *'
env:
DOCKERHUB_ORG: ${{ vars.DOCKERHUB_ORG }}
jobs:
build-image:
runs-on: ubuntu-22.04
steps:
- name: Fetch github api rate limit
run: |
GITHUB_RATE_REMAINING=$(curl -H "Accept: application/vnd.github.v3+json" https://api.github.com/rate_limit | jq '.rate.remaining')
echo "GITHUB_RATE_REMAINING=${GITHUB_RATE_REMAINING}"
echo "GITHUB_RATE_REMAINING=$GITHUB_RATE_REMAINING" >> $GITHUB_ENV
# - name: Maximize build space
# uses: easimon/maximize-build-space@master
# with:
# root-reserve-mb: 40000
# swap-size-mb: 1024
# overprovision-lvm: 'true'
# remove-dotnet: 'true'
# remove-android: 'true'
# remove-haskell: 'true'
# remove-codeql: 'true'
# remove-docker-images: 'true'
- name: Checkout repository
if: ${{ env.GITHUB_RATE_REMAINING > 0 }}
uses: actions/checkout@v4
with:
ref: ${{ github.ref }}
- name: Set environment variables
if: ${{ env.GITHUB_RATE_REMAINING > 0 }}
run: |
IMAGENAME="neurodesktop"
BUILDDATE=`date +%Y-%m-%d`
IMAGEID=ghcr.io/$GITHUB_REPOSITORY/$IMAGENAME
IMAGEID=$(echo $IMAGEID | tr '[A-Z]' '[a-z]')
echo "BUILDDATE=$BUILDDATE"
echo "IMAGEID=$IMAGEID"
echo "IMAGENAME=$IMAGENAME"
echo "BUILDDATE=$BUILDDATE" >> $GITHUB_ENV
echo "IMAGEID=$IMAGEID" >> $GITHUB_ENV
echo "IMAGENAME=$IMAGENAME" >> $GITHUB_ENV
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to GHCR
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Get rootfs of cached image
run: |
docker pull $IMAGEID:latest && ROOTFS_CACHE=$(docker inspect --format='{{.RootFS}}' $IMAGEID:latest) && docker rmi $IMAGEID:latest || true
echo "ROOTFS_CACHE=$ROOTFS_CACHE" >> $GITHUB_ENV
- name: Build new image
uses: docker/build-push-action@v5
with:
context: .
load: true
tags: ${{ env.IMAGEID }}:${{ env.BUILDDATE }}
cache-from: type=registry,ref=${{ env.IMAGEID }}:latest
cache-to: type=inline
- name: Get rootfs of new image
run: |
ROOTFS_NEW=$(docker inspect --format='{{.RootFS}}' $IMAGEID:$BUILDDATE)
PUSH_IMAGES="${IMAGEID}"
if [ ! -z "${DOCKERHUB_ORG}" ]; then
PUSH_IMAGES="${PUSH_IMAGES}, ${DOCKERHUB_ORG}/${IMAGENAME}"
fi
echo "PUSH_IMAGES=$PUSH_IMAGES"
echo "ROOTFS_NEW=$ROOTFS_NEW" >> $GITHUB_ENV
echo "PUSH_IMAGES=$PUSH_IMAGES" >> $GITHUB_ENV
- name: Login to DockerHub (if changes found)
if: ${{ env.DOCKERHUB_ORG != '' && (env.ROOTFS_NEW != env.ROOTFS_CACHE || github.event.inputs.force_push == 'true') }}
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_PASSWORD }}
- name: Get new image metadata (if changes found)
if: ${{ env.ROOTFS_NEW != env.ROOTFS_CACHE || github.event.inputs.force_push == 'true' }}
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.PUSH_IMAGES }}
tags: |
${{ env.BUILDDATE }}
latest
labels: |
org.opencontainers.image.description=Neurodesktop
- name: Push new image (if changes found)
if: ${{ env.ROOTFS_NEW != env.ROOTFS_CACHE || github.event.inputs.force_push == 'true' }}
uses: docker/build-push-action@v5
with:
context: .
# platforms: linux/amd64
platforms: linux/amd64,linux/arm64
provenance: false # fixes unknown/unknown arch builds
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=registry,ref=${{ env.IMAGEID }}:latest
cache-to: type=inline
- name: Create github tag (if changes found)
if: ${{ env.ROOTFS_NEW != env.ROOTFS_CACHE || github.event.inputs.force_push == 'true' }}
run: |
git tag ${BUILDDATE}
git push origin -f --tags
# echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u $GITHUB_ACTOR --password-stdin
- name: Generate issue on job failure
if: always() && failure()
uses: JasonEtco/[email protected]
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_WORKFLOW: ${{ env.GITHUB_WORKFLOW }}
GITHUB_SERVER_URL: ${{ env.GITHUB_SERVER_URL }}
GITHUB_REPOSITORY: ${{ env.GITHUB_REPOSITORY }}
GITHUB_RUN_ID: ${{ env.GITHUB_RUN_ID }}
with:
filename: .github/job_failure_issue_template.md
update_existing: true
search_existing: open
scan-image:
needs: build-image
runs-on: ubuntu-22.04
steps:
- name: Set environment variables
run: |
IMAGENAME="neurodesktop"
BUILDDATE=`date +%Y-%m-%d`
IMAGEID=ghcr.io/$GITHUB_REPOSITORY/$IMAGENAME
IMAGEID=$(echo $IMAGEID | tr '[A-Z]' '[a-z]')
echo "BUILDDATE=$BUILDDATE"
echo "IMAGEID=$IMAGEID"
echo "IMAGENAME=$IMAGENAME"
echo "BUILDDATE=$BUILDDATE" >> $GITHUB_ENV
echo "IMAGEID=$IMAGEID" >> $GITHUB_ENV
echo "IMAGENAME=$IMAGENAME" >> $GITHUB_ENV
- name: Login to GHCR
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Pull container image
run: docker pull $IMAGEID:latest
- name: Container image scan
uses: aquasecurity/[email protected]
with:
image-ref: ${{ env.IMAGEID }}:latest
format: table
exit-code: '1'
severity: CRITICAL
timeout: 25m0s
skip-files: /opt/rclone-v1.60.1-linux-amd64/README.txt, /opt/rclone-v1.60.1-linux-amd64/README.html, /opt/rclone-v1.60.1-linux-amd64/rclone.1