open-notebook/.github/workflows/build-and-release.yml
Luis Novo f2e153b230
Add GitHub Container Registry (GHCR) support (#163)
* Add GHCR support with conditional Docker Hub publishing

This commit enhances the CI/CD pipeline to support both GitHub Container
Registry (GHCR) and Docker Hub, with Docker Hub being optional based on
the presence of credentials.

Changes:
- Add GHCR as the primary container registry
- Make Docker Hub publishing conditional on DOCKER_USERNAME and DOCKER_PASSWORD secrets
- Dynamically determine image names from repository owner/name (e.g., aperim/open-notebook)
- Images are pushed to:
  * GHCR: ghcr.io/{owner}/{repo}:{version|latest}
  * Docker Hub (if credentials available): {owner}/{repo}:{version|latest}
- Update build summary to show which registries were used

Benefits:
- Forks can build and publish to GHCR without Docker Hub credentials
- Original repo can continue publishing to both registries
- Image names automatically match the repository structure
- More flexible deployment options for contributors

Technical Details:
- Added extract-version job outputs: ghcr_image, dockerhub_image, has_dockerhub_secrets
- Added GHCR login step using GITHUB_TOKEN (always runs)
- Made Docker Hub login conditional on has_dockerhub_secrets flag
- Updated image tags to use dynamic repository-based names
- Enhanced build summary to show registry usage

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* Add GITHUB_TOKEN permissions for GHCR publishing

The workflow needs 'packages: write' permission to push images to GitHub
Container Registry (GHCR).

Permissions added:
- contents: read (required for checkout)
- packages: write (required for GHCR push)

Without these permissions, the docker login and push to ghcr.io would fail
with a 403 Forbidden error.

---------

Co-authored-by: Troy Kelly <troy@aperim.com>
Co-authored-by: Claude <noreply@anthropic.com>
2025-10-18 13:07:15 -03:00

244 lines
No EOL
11 KiB
YAML

name: Build and Release
on:
workflow_dispatch:
inputs:
build_type:
description: 'Build type to create'
required: true
default: 'both'
type: choice
options:
- both
- regular
- single
push_latest:
description: 'Also push latest tags'
required: false
default: true
type: boolean
release:
types: [published]
permissions:
contents: read
packages: write
env:
# Dynamic registry and image configuration based on repository
GHCR_REGISTRY: ghcr.io
DOCKER_HUB_REGISTRY: docker.io
jobs:
extract-version:
runs-on: ubuntu-latest
outputs:
version: ${{ steps.version.outputs.version }}
ghcr_image: ${{ steps.image.outputs.ghcr_image }}
dockerhub_image: ${{ steps.image.outputs.dockerhub_image }}
has_dockerhub_secrets: ${{ steps.check.outputs.has_dockerhub_secrets }}
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Extract version from pyproject.toml
id: version
run: |
VERSION=$(grep -m1 '^version = ' pyproject.toml | cut -d'"' -f2)
echo "version=$VERSION" >> $GITHUB_OUTPUT
echo "Extracted version: $VERSION"
- name: Determine image names
id: image
run: |
# Extract owner and repo name from GITHUB_REPOSITORY (format: owner/repo)
REPO_OWNER=$(echo "${{ github.repository }}" | cut -d'/' -f1)
REPO_NAME=$(echo "${{ github.repository }}" | cut -d'/' -f2)
# GHCR image: ghcr.io/owner/repo
GHCR_IMAGE="${{ env.GHCR_REGISTRY }}/${REPO_OWNER}/${REPO_NAME}"
echo "ghcr_image=${GHCR_IMAGE}" >> $GITHUB_OUTPUT
echo "GHCR Image: ${GHCR_IMAGE}"
# Docker Hub image: owner/repo (use lowercase for Docker Hub compatibility)
DOCKERHUB_IMAGE="${REPO_OWNER}/${REPO_NAME}"
echo "dockerhub_image=${DOCKERHUB_IMAGE}" >> $GITHUB_OUTPUT
echo "Docker Hub Image: ${DOCKERHUB_IMAGE}"
- name: Check for Docker Hub credentials
id: check
run: |
if [[ -n "${{ secrets.DOCKER_USERNAME }}" && -n "${{ secrets.DOCKER_PASSWORD }}" ]]; then
echo "has_dockerhub_secrets=true" >> $GITHUB_OUTPUT
echo "Docker Hub credentials available"
else
echo "has_dockerhub_secrets=false" >> $GITHUB_OUTPUT
echo "Docker Hub credentials not available - will only push to GHCR"
fi
build-regular:
needs: extract-version
runs-on: ubuntu-latest
if: github.event.inputs.build_type == 'regular' || github.event.inputs.build_type == 'both' || github.event_name == 'release'
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ${{ env.GHCR_REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Login to Docker Hub
if: needs.extract-version.outputs.has_dockerhub_secrets == 'true'
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Cache Docker layers
uses: actions/cache@v3
with:
path: /tmp/.buildx-cache
key: ${{ runner.os }}-buildx-regular-${{ github.sha }}
restore-keys: |
${{ runner.os }}-buildx-regular-
- name: Build and push regular image
uses: docker/build-push-action@v5
with:
context: .
file: ./Dockerfile
platforms: linux/amd64,linux/arm64
push: true
tags: |
${{ needs.extract-version.outputs.ghcr_image }}:${{ needs.extract-version.outputs.version }}
${{ (github.event.inputs.push_latest == 'true' || (github.event_name == 'release' && !github.event.release.prerelease)) && format('{0}:v1-latest', needs.extract-version.outputs.ghcr_image) || '' }}
${{ needs.extract-version.outputs.has_dockerhub_secrets == 'true' && format('{0}:{1}', needs.extract-version.outputs.dockerhub_image, needs.extract-version.outputs.version) || '' }}
${{ (needs.extract-version.outputs.has_dockerhub_secrets == 'true' && (github.event.inputs.push_latest == 'true' || (github.event_name == 'release' && !github.event.release.prerelease))) && format('{0}:v1-latest', needs.extract-version.outputs.dockerhub_image) || '' }}
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
- name: Move cache
run: |
rm -rf /tmp/.buildx-cache
mv /tmp/.buildx-cache-new /tmp/.buildx-cache
build-single:
needs: extract-version
runs-on: ubuntu-latest
if: github.event.inputs.build_type == 'single' || github.event.inputs.build_type == 'both' || github.event_name == 'release'
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ${{ env.GHCR_REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Login to Docker Hub
if: needs.extract-version.outputs.has_dockerhub_secrets == 'true'
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Cache Docker layers
uses: actions/cache@v3
with:
path: /tmp/.buildx-cache-single
key: ${{ runner.os }}-buildx-single-${{ github.sha }}
restore-keys: |
${{ runner.os }}-buildx-single-
- name: Build and push single-container image
uses: docker/build-push-action@v5
with:
context: .
file: ./Dockerfile.single
platforms: linux/amd64,linux/arm64
push: true
tags: |
${{ needs.extract-version.outputs.ghcr_image }}:${{ needs.extract-version.outputs.version }}-single
${{ (github.event.inputs.push_latest == 'true' || (github.event_name == 'release' && !github.event.release.prerelease)) && format('{0}:v1-latest-single', needs.extract-version.outputs.ghcr_image) || '' }}
${{ needs.extract-version.outputs.has_dockerhub_secrets == 'true' && format('{0}:{1}-single', needs.extract-version.outputs.dockerhub_image, needs.extract-version.outputs.version) || '' }}
${{ (needs.extract-version.outputs.has_dockerhub_secrets == 'true' && (github.event.inputs.push_latest == 'true' || (github.event_name == 'release' && !github.event.release.prerelease))) && format('{0}:v1-latest-single', needs.extract-version.outputs.dockerhub_image) || '' }}
cache-from: type=local,src=/tmp/.buildx-cache-single
cache-to: type=local,dest=/tmp/.buildx-cache-single-new,mode=max
- name: Move cache
run: |
rm -rf /tmp/.buildx-cache-single
mv /tmp/.buildx-cache-single-new /tmp/.buildx-cache-single
summary:
needs: [extract-version, build-regular, build-single]
runs-on: ubuntu-latest
if: always()
steps:
- name: Build Summary
run: |
echo "## Build Summary" >> $GITHUB_STEP_SUMMARY
echo "**Version:** ${{ needs.extract-version.outputs.version }}" >> $GITHUB_STEP_SUMMARY
echo "**Build Type:** ${{ github.event.inputs.build_type || 'both' }}" >> $GITHUB_STEP_SUMMARY
echo "**Push Latest:** ${{ github.event.inputs.push_latest || 'true' }}" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "### Registries:" >> $GITHUB_STEP_SUMMARY
echo "✅ **GHCR:** \`${{ needs.extract-version.outputs.ghcr_image }}\`" >> $GITHUB_STEP_SUMMARY
if [[ "${{ needs.extract-version.outputs.has_dockerhub_secrets }}" == "true" ]]; then
echo "✅ **Docker Hub:** \`${{ needs.extract-version.outputs.dockerhub_image }}\`" >> $GITHUB_STEP_SUMMARY
else
echo "⏭️ **Docker Hub:** Skipped (credentials not configured)" >> $GITHUB_STEP_SUMMARY
fi
echo "" >> $GITHUB_STEP_SUMMARY
echo "### Images Built:" >> $GITHUB_STEP_SUMMARY
if [[ "${{ needs.build-regular.result }}" == "success" ]]; then
echo "✅ **Regular (GHCR):** \`${{ needs.extract-version.outputs.ghcr_image }}:${{ needs.extract-version.outputs.version }}\`" >> $GITHUB_STEP_SUMMARY
if [[ "${{ github.event.inputs.push_latest }}" == "true" ]]; then
echo "✅ **Regular v1-Latest (GHCR):** \`${{ needs.extract-version.outputs.ghcr_image }}:v1-latest\`" >> $GITHUB_STEP_SUMMARY
fi
if [[ "${{ needs.extract-version.outputs.has_dockerhub_secrets }}" == "true" ]]; then
echo "✅ **Regular (Docker Hub):** \`${{ needs.extract-version.outputs.dockerhub_image }}:${{ needs.extract-version.outputs.version }}\`" >> $GITHUB_STEP_SUMMARY
if [[ "${{ github.event.inputs.push_latest }}" == "true" ]]; then
echo "✅ **Regular v1-Latest (Docker Hub):** \`${{ needs.extract-version.outputs.dockerhub_image }}:v1-latest\`" >> $GITHUB_STEP_SUMMARY
fi
fi
elif [[ "${{ needs.build-regular.result }}" == "skipped" ]]; then
echo "⏭️ **Regular:** Skipped" >> $GITHUB_STEP_SUMMARY
else
echo "❌ **Regular:** Failed" >> $GITHUB_STEP_SUMMARY
fi
if [[ "${{ needs.build-single.result }}" == "success" ]]; then
echo "✅ **Single (GHCR):** \`${{ needs.extract-version.outputs.ghcr_image }}:${{ needs.extract-version.outputs.version }}-single\`" >> $GITHUB_STEP_SUMMARY
if [[ "${{ github.event.inputs.push_latest }}" == "true" ]]; then
echo "✅ **Single v1-Latest (GHCR):** \`${{ needs.extract-version.outputs.ghcr_image }}:v1-latest-single\`" >> $GITHUB_STEP_SUMMARY
fi
if [[ "${{ needs.extract-version.outputs.has_dockerhub_secrets }}" == "true" ]]; then
echo "✅ **Single (Docker Hub):** \`${{ needs.extract-version.outputs.dockerhub_image }}:${{ needs.extract-version.outputs.version }}-single\`" >> $GITHUB_STEP_SUMMARY
if [[ "${{ github.event.inputs.push_latest }}" == "true" ]]; then
echo "✅ **Single v1-Latest (Docker Hub):** \`${{ needs.extract-version.outputs.dockerhub_image }}:v1-latest-single\`" >> $GITHUB_STEP_SUMMARY
fi
fi
elif [[ "${{ needs.build-single.result }}" == "skipped" ]]; then
echo "⏭️ **Single:** Skipped" >> $GITHUB_STEP_SUMMARY
else
echo "❌ **Single:** Failed" >> $GITHUB_STEP_SUMMARY
fi
echo "" >> $GITHUB_STEP_SUMMARY
echo "### Platforms:" >> $GITHUB_STEP_SUMMARY
echo "- linux/amd64" >> $GITHUB_STEP_SUMMARY
echo "- linux/arm64" >> $GITHUB_STEP_SUMMARY