ci: Release on multiple distributions & fix Docker multiple-step build

Signed-off-by: Thomas Citharel <tcit@tcit.fr>
2023-11-20 18:37:35 +01:00
parent 797eb2334b
commit 262d1fcd4d
4 changed files with 85 additions and 20 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -6,8 +6,7 @@ stages:
  - build-js
  - sentry
  - test
-  - docker
-  - package
+  - build
  - upload
  - deploy

@@ -125,7 +124,7 @@ deps:
 exunit:
  stage: test
  services:
-    - name: postgis/postgis:14-3.2
+    - name: postgis/postgis:16-3.4
      alias: postgres
  variables:
    MIX_ENV: test
@@ -164,7 +163,7 @@ vitest:
 e2e:
  stage: test
  services:
-    - name: postgis/postgis:14-3.2
+    - name: postgis/postgis:16-3.4
      alias: postgres
  variables:
    MIX_ENV: "e2e"
@@ -206,7 +205,7 @@ pages:
      - public

 .docker: &docker
-  stage: docker
+  stage: build
  image: docker:24
  variables:
    DOCKER_TLS_CERTDIR: "/certs"
@@ -214,6 +213,7 @@ pages:
    DOCKER_TLS_VERIFY: 1
    DOCKER_CERT_PATH: "$DOCKER_TLS_CERTDIR/client"
    DOCKER_DRIVER: overlay2
+    DOCKER_CLI_EXPERIMENTAL: enabled
  services:
    - docker:24-dind
  cache: {}
@@ -229,6 +229,8 @@ pages:
    # Install qemu/binfmt
    - docker pull tonistiigi/binfmt:latest
    - docker run --rm --privileged tonistiigi/binfmt:latest --install all
+    # Install jq
+    - apk --no-cache add jq
    # Login to DockerHub
    - mkdir -p ~/.docker
    - echo "{\"auths\":{\"$CI_REGISTRY\":{\"auth\":\"$CI_REGISTRY_AUTH\",\"email\":\"$CI_REGISTRY_EMAIL\"}}}" > ~/.docker/config.json
@@ -242,9 +244,9 @@ build-docker-main:
      when: never
    - if: '$CI_PIPELINE_SOURCE == "schedule" || $CI_PIPELINE_TRIGGERED == "true"'
  script:
-    - docker buildx build --push --platform linux/amd64 -t framasoft/mobilizon:main -f docker/production/Dockerfile .
+    - docker buildx build --platform linux/amd64 -t framasoft/mobilizon:main -f docker/production/Dockerfile .

-build-and-push-to-latest-docker-tag:
+build-docker-tag:
  <<: *docker
  rules: &release-tag-rules
    - if: '$CI_PROJECT_NAMESPACE != "framasoft"'
@@ -257,9 +259,9 @@ build-and-push-to-latest-docker-tag:
      docker buildx build
      --push
      --platform linux/${ARCH}
+      --provenance=false
      --build-arg="${ERL_FLAGS}"
-      -t framasoft/mobilizon:$CI_COMMIT_TAG
-      -t framasoft/mobilizon:latest
+      -t framasoft/mobilizon:${CI_COMMIT_TAG}-${ARCH}
      -f docker/production/Dockerfile .
  parallel:
    matrix:
@@ -280,15 +282,49 @@ build-and-push-docker-tag:
  script:
    - >
      docker buildx build
-      --push
      --platform linux/amd64
-      -t framasoft/mobilizon:$CI_COMMIT_TAG
+      --provenance=false
+      -t framasoft/mobilizon:$CI_COMMIT_TAG-amd64
      -f docker/production/Dockerfile .

+# Create manifest and push
+docker-manifest-push:
+  <<: *docker
+  needs: ["build-docker-tag"]
+  rules: &release-tag-rules
+    - if: '$CI_PROJECT_NAMESPACE != "framasoft"'
+      when: never
+    - if: $CI_COMMIT_TAG != null
+      when: on_success
+  script:
+    - >
+      docker manifest create framasoft/mobilizon:${CI_COMMIT_TAG}
+      --amend framasoft/mobilizon:${CI_COMMIT_TAG}-amd64
+      --amend framasoft/mobilizon:${CI_COMMIT_TAG}-arm64
+    - docker manifest push --purge framasoft/mobilizon:${CI_COMMIT_TAG}
+
+###
+# Simply creating an alias to the tag doesn't work:
+# « xxx is a manifest list »
+# https://joonas.fi/2021/02/docker-multi-arch-image-tooling-buildx/
+###
+docker-latest:
+  <<: *docker
+  needs: ["docker-manifest-push"]
+  rules: &release-tag-rules
+    - if: '$CI_PROJECT_NAMESPACE != "framasoft"'
+      when: never
+    - if: $CI_COMMIT_TAG != null && $CI_COMMIT_TAG !~ /alpha|beta|rc/
+      when: on_success
+  script:
+    - echo docker manifest create framasoft/mobilizon:latest $(docker manifest inspect framasoft/mobilizon:$CI_COMMIT_TAG | jq '.manifests[] | .digest' | xargs -I {} echo framasoft/mobilizon@{})
+    - docker manifest create framasoft/mobilizon:latest $(docker manifest inspect framasoft/mobilizon:$CI_COMMIT_TAG | jq -r '.manifests[] | .digest' | xargs -I {} echo framasoft/mobilizon@{})
+    - docker manifest push --purge framasoft/mobilizon:latest
+
 # Packaging app for amd64
 package-app:
-  image: mobilizon/buildpack:1.15.5-erlang-26.0.2-debian-buster
-  stage: package
+  image: mobilizon/buildpack:1.15.7-erlang-26.1.2-${SYSTEM}
+  stage: build
  variables: &release-variables
    MIX_ENV: "prod"
    DEBIAN_FRONTEND: noninteractive
@@ -312,9 +348,23 @@ package-app:
    expire_in: 2 days
    paths:
      - ${APP_ASSET}
+  parallel:
+    matrix:
+      - SYSTEM:
+          [
+            "debian-bookworm",
+            "debian-bullseye",
+            "ubuntu-jammy",
+            "ubuntu-focal",
+            "ubuntu-bionic",
+            "alpine-3.17.5",
+            "alpine-3.18.4",
+            "fedora-38",
+            "fedora-39",
+          ]

 package-app-dev:
-  stage: package
+  stage: build
  variables: *release-variables
  script: *release-script
  except:
@@ -326,7 +376,7 @@ package-app-dev:

 # Packaging app for multi-arch
 multi-arch-release:
-  stage: package
+  stage: build
  image: docker:24
  variables:
    DOCKER_TLS_CERTDIR: "/certs"
@@ -366,6 +416,19 @@ multi-arch-release:
  parallel:
    matrix:
      - ARCH: ["arm64"]
+        ## Currently not used as the hexpm base images do not have support for other architectures than amd64
+        # SYSTEM:
+        #   [
+        #     "debian-bookworm",
+        #     "debian-bullseye",
+        #     "ubuntu-jammy",
+        #     "ubuntu-focal",
+        #     "ubuntu-bionic",
+        #     "alpine-3.17.5",
+        #     "alpine-3.18.4",
+        #     "fedora-38",
+        #     "fedora-39",
+        #   ]
  rules:
    - if: '$CI_COMMIT_TAG != null || $CI_PIPELINE_SOURCE == "schedule" || $CI_PIPELINE_TRIGGERED == "true"'
  timeout: 3h
--- a/docker/multiarch/Dockerfile
+++ b/docker/multiarch/Dockerfile
@@ -1,4 +1,6 @@
-FROM elixir:1.15 as build
+ARG IMAGE="elixir:1.15"
+
+FROM ${IMAGE} as build
 SHELL ["/bin/bash", "-c"]
 ENV MIX_ENV prod
 # ENV LANG en_US.UTF-8
@@ -12,7 +14,7 @@ ENV ERL_FLAGS=$ERL_FLAGS
 # Set the right versions
 ENV ELIXIR_VERSION latest
 ENV ERLANG_VERSION latest
-ENV NODE_VERSION 18
+ENV NODE_VERSION 20

 # Install system dependencies
 RUN apt-get update -yq && apt-get install -yq build-essential cmake postgresql-client git curl gnupg unzip exiftool webp imagemagick gifsicle
--- a/docker/production/Dockerfile
+++ b/docker/production/Dockerfile
@@ -1,5 +1,5 @@
 # First build the application assets
-FROM node:18-alpine as assets
+FROM node:20-alpine as assets

 RUN apk add --no-cache python3 build-base libwebp-tools bash imagemagick ncurses
 WORKDIR /build
--- a/docker/tests/Dockerfile
+++ b/docker/tests/Dockerfile
@@ -1,7 +1,7 @@
 FROM elixir:latest
-LABEL maintainer="Thomas Citharel <tcit@tcit.fr>"
+LABEL maintainer="Thomas Citharel <thomas.citharel@framasoft.org>"

-ENV REFRESHED_AT=2023-08-17
+ENV REFRESHED_AT=2023-11-20
 RUN apt-get update -yq && apt-get install -yq build-essential inotify-tools postgresql-client git curl gnupg xvfb libgtk-3-dev libnotify-dev libgconf-2-4 libnss3 libxss1 libasound2 cmake exiftool python3-pip python3-setuptools
 RUN curl -sL https://deb.nodesource.com/setup_20.x | bash && apt-get install nodejs -yq
 RUN npm install -g wait-on