From cd5cea8c02e2eec46c514e6904e196e142d98592 Mon Sep 17 00:00:00 2001
From: Avi Deitcher
Date: Mon, 23 May 2022 20:24:07 -1000
Subject: [PATCH] remove need for maintainers to build packages
Signed-off-by: Avi Deitcher
---
 .github/workflows/publish.yaml | 42 ++++++++++++++++++++++++++++++++++
 docs/packages.md | 21 +++++++++++++++--
 2 files changed, 61 insertions(+), 2 deletions(-)
 create mode 100644 .github/workflows/publish.yaml
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
new file mode 100644
index 000000000..91cb9d617
--- /dev/null
+++ b/.github/workflows/publish.yaml
@@ -0,0 +1,42 @@
+# publish changes that are merged to master
+name: Packages Push
+on:
+ workflow_run:
+ workflows: [LinuxKit CI]
+ types: [completed]
+ branches: [master, main]
+
+jobs:
+ packages:
+ name: Publish Changed Packages
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check out code
+ uses: actions/checkout@v1
+ with:
+ path: ./src/github.com/linuxkit/linuxkit
+ - name: Download linuxkit
+ uses: actions/download-artifact@v2
+ with:
+ name: linuxkit-amd64-linux
+ path: bin
+ - name: Symlink Linuxkit
+ run: |
+ chmod ugo+x bin/linuxkit-amd64-linux
+ sudo ln -s $(pwd)/bin/linuxkit-amd64-linux /usr/local/bin/linuxkit
+ /usr/local/bin/linuxkit version
+ - name: Restore Package Cache
+ uses: actions/cache@v2
+ with:
+ path: ~/.linuxkit/cache/
+ key: ${{ runner.os }}-linuxkit-${{ github.sha }}
+ restore-keys: |
+ ${{ runner.os }}-linuxkit-
+ - name: Publish Packages
+ # this should only push changed ones:
+ # - unchanged: already in the registry
+ # - changed: already built and cached, so only will push
+ # Skip s390x as emulation is unreliable
+ run: |
+ make OPTIONS="--skip-platforms linux/s390x" -C pkg push PUSHOPTIONS="--nobuild"
+
diff --git a/docs/packages.md b/docs/packages.md
index 64b331015..a79fd2ff8 100644
--- a/docs/packages.md
+++ b/docs/packages.md
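Review bot: The `packages` job never checks how the triggering run ended — `types: [completed]` also fires for failed and cancelled LinuxKit CI runs, so packages could be pushed for a commit whose CI did not pass; gate the job with `if: ${{ github.event.workflow_run.conclusion == 'success' }}`. The `Download linuxkit` step also looks wrong: `actions/download-artifact@v2` only sees artifacts uploaded by the same workflow run, and here the `linuxkit-amd64-linux` artifact belongs to the run that triggered this one, so a cross-run download (using `github.event.workflow_run.id`) is needed. Because `actions/checkout@v1` with no `ref` and `${{ github.sha }}` in the cache key both resolve to the current tip of the default branch rather than the commit that was validated, consider passing `ref: ${{ github.event.workflow_run.head_sha }}` and keying the cache on that same value. No registry login step is visible before `make -C pkg push`, although the docs hunk below lists `docker login` as a prerequisite; if the push depends on repository credentials, that step belongs here together with a least-privilege `permissions:` block, and the mutable `@v1`/`@v2` action tags would be safer pinned to commit SHAs.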
@@ -17,13 +17,27 @@ All official LinuxKit packages are: When building and merging packages, it is important to note that our CI process builds packages. The targets `make ci` and `make ci-pr` execute `make -C pkg build`. These in turn execute `linuxkit pkg build` for each package under `pkg/`. This in turn will try to pull the image whose tag matches the tree hash or, failing that, to build it. -We do not want the builds to happen with each CI run for two reasons: +Any released image, i.e. any package under `pkg/` that has _not_ changed as +part of a pull request, +already will be released to Docker Hub. This will cause it to download that image, rather +than try to build it. + +Any non-releaed image, i.e. any package under `pkg/` that _has_ changed as part of +a pull request, will not be in Docker Hub until the PR has merged. +This will cause the download to fail, leading `linuxkit pkg build` to try and build the +image and save it in the cache. + +This does have two downsides: 1. It is slower to do a package build than to just pull the latest image. 2. If any of the steps of the build fails, e.g. a `curl` download that depends on an intermittent target, it can cause all of CI to fail. -Thus, if, as a maintainer, you merge any commits into a `pkg/`, even if the change is documentation alone, please do a `linuxkit pkg push`. +In the past, each PR required a maintainer to build, and push to Docker Hub, every +changed package in `pkg/`. This placed the maintainer in the PR cycle, with the +following downsides: +1. A maintainer had to be involved in every PR, not just reviewing but actually building and pushing. This reduces the ability for others to contribute. +1. The actual package is pushed out by a person, violating good supply-chain practice. ## Package source 
@@ -280,6 +294,9 @@ This will do the following: 1. Create a multi-arch manifest called `«image-name»:«hash»` (note no `-«arch»`) 1. Push the manifest and all of the images to the hub +Note that for actual release images, these steps normally are performed as part +of CI, by the merge-to-master process. + #### Prerequisites * For all of the steps, you *must* be logged into hub (`docker login`).