ci: refactor rootfs build automation

This change refactors the rootfs build automation to split the workflow into smaller logical jobs. This enables the build job to run on changes to Dockerfile changes. Signed-off-by: Austin Vazquez <[email protected]>
runfinch · Dec 28, 2024 · befb95e · befb95e
1 parent fb8861c
commit befb95e
Show file tree

Hide file tree

Showing 2 changed files with 86 additions and 30 deletions.
diff --git a/.github/workflows/rootfs.yaml b/.github/workflows/rootfs.yaml
@@ -5,66 +5,122 @@ on:
     branches:
       - main
     paths:
-      - 'Dockerfile'
+      - 'rootfs/Dockerfile'
+  pull_request:
+    branches:
+      - main
+    paths:
+      - 'rootfs/Dockerfile'
   workflow_dispatch:
 
 permissions:
-  # This is required for configure-aws-credentials to request an OIDC JWT ID token to access AWS resources later on.
-  # More info: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
-  id-token: write
-  contents: write
-  pull-requests: write
+  contents: read
 
 jobs:
   build-rootfs-image:
     runs-on: ubuntu-latest
+
     strategy:
       matrix:
         # finch only supports amd64 for windows
         arch: ['amd64']
-        platform: ['common']
+
+    outputs:
+      timestamp: ${{ steps.vars.outputs.timestamp }}
+
     steps:
-      - name: Generate Timestamp
-        id: timestamp
-        run: echo "value=$(date +%s)" >> $GITHUB_OUTPUT
-      - name: configure aws credentials
-        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
-        with:
-          aws-region: ${{ secrets.REGION }}
-          role-to-assume: ${{ secrets.ROLE }}
-          role-session-name: rootfs-ecr-image-upload-session
-      - name: Login to Amazon ECR
-        uses: aws-actions/amazon-ecr-login@v2
-      - name: checkout repo
+      - name: Checkout repo
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
+          sparse-checkout: |
+            rootfs/
           fetch-depth: 0
           persist-credentials: false
+
+      - name: Set build variables
+        id: vars
+        run: |
+          echo "timestamp=$(date +%s)" >> $GITHUB_OUTPUT
+
       - name: Set up QEMU
         uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
+
       - name: Build Image
         uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
         with:
+          context: rootfs/
+          file: rootfs/Dockerfile
           platforms: linux/${{ matrix.arch }}
           push: false
-          load: true # load the image into Docker so we can create a container from it
           tags: finch-rootfs-image-production:intermediate
-      - name: Tag and Push Container Image
+          outputs: type=docker,dest=finch-rootfs-${{ matrix.arch }}-${{ steps.vars.outputs.timestamp }}.tar
+
+      - name: Upload container image artifact
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
+        with:
+          name: finch-rootfs-${{ matrix.arch }}-image
+          path: finch-rootfs-${{ matrix.arch }}-${{ steps.vars.outputs.timestamp }}.tar
+          if-no-files-found: error
+
+  push-rootfs-image:
+    if: github.repository == 'runfinch/finch-core' && github.event_name != 'pull_request'
+    runs-on: ubuntu-latest
+    needs: build-rootfs-image
+
+    permissions:
+      # This is required for configure-aws-credentials to request an OIDC JWT ID token to access AWS resources later on.
+      # More info: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
+      id-token: write
+      contents: write
+      pull-requests: write
+
+    strategy:
+      matrix:
+        # finch only supports amd64 for windows
+        arch: ['amd64']
+
+    env:
+      TIMESTAMP: ${{ needs.build-rootfs-image.outputs.timestamp }}
+
+    steps:
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        with:
+          aws-region: ${{ secrets.REGION }}
+          role-to-assume: ${{ secrets.ROLE }}
+          role-session-name: rootfs-ecr-image-upload-session
+
+      - name: Login to Amazon ECR
+        uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
+
+      - name: Download container image artifact
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: finch-rootfs-${{ matrix.arch }}-image
+
+      - name: Load container image
+        run: docker load -i finch-rootfs-${{ matrix.arch }}-${{ env.TIMESTAMP }}.tar
+
+      - name: Tag and push container image to Amazon ECR
         run: |
-          TIMESTAMP=${{ steps.timestamp.outputs.value }}
+          docker tag finch-rootfs-image-production:intermediate ${{ secrets.ROOTFS_IMAGE_ECR_REPOSITORY_NAME }}:${{ matrix.arch }}-${{ env.TIMESTAMP }}
+          docker push ${{ secrets.ROOTFS_IMAGE_ECR_REPOSITORY_NAME }}:${{ matrix.arch }}-${{ env.TIMESTAMP }}
+
+      - name: Checkout repo
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+          persist-credentials: false
 
-          docker tag finch-rootfs-image-production:intermediate ${{ secrets.ROOTFS_IMAGE_ECR_REPOSITORY_NAME }}:${{ matrix.arch }}-"$TIMESTAMP"
-          docker push ${{ secrets.ROOTFS_IMAGE_ECR_REPOSITORY_NAME }}:${{ matrix.arch }}-"$TIMESTAMP"
       - name: Create, Compress, and Upload Rootfs
         run: |
-          TIMESTAMP=${{ steps.timestamp.outputs.value }}
-
           docker container create --platform linux/${{ matrix.arch }} --name ${{ matrix.arch }}-rootfs finch-rootfs-image-production:intermediate
           docker container export -o finch-rootfs-production-${{ matrix.arch }}.tar ${{ matrix.arch }}-rootfs
 
-          compressed_archive=finch-rootfs-production-${{ matrix.arch }}-"$TIMESTAMP".tar.gz
+          compressed_archive=finch-rootfs-production-${{ matrix.arch }}-${{ env.TIMESTAMP }}.tar.gz
           gzip -9 -c finch-rootfs-production-${{ matrix.arch }}.tar > $compressed_archive
           sha512_digest=$(sha512sum $compressed_archive | cut -d " " -f 1)
           echo $sha512_digest > $compressed_archive.sha512sum
@@ -77,7 +133,7 @@ jobs:
           fi
 
           # Upload tarball and shasum to S3
-          aws s3 cp . s3://${{ secrets.DEPENDENCY_BUCKET_NAME }}/${{ matrix.platform }}/$ARCHPATH/ --recursive --exclude "*" --include "finch-rootfs-production-${{ matrix.arch }}-"$TIMESTAMP".tar.gz*"
+          aws s3 cp . s3://${{ secrets.DEPENDENCY_BUCKET_NAME }}/common/$ARCHPATH/ --recursive --exclude "*" --include "finch-rootfs-production-${{ matrix.arch }}-${{ env.TIMESTAMP }}.tar.gz*"
 
           cat <<EOL > deps/rootfs.conf
           ARTIFACT_BASE_URL=https://deps.runfinch.com
@@ -87,12 +143,12 @@ jobs:
           ${ARTIFACT_KEY}_512_DIGEST=$sha512_digest
           EOL
 
-      - name: create pr
+      - name: Create PR
         uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           signoff: true
-          branch: create-rootfs-${{ matrix.arch }}-${{ steps.timestamp.outputs.value }}
+          branch: create-rootfs-${{ matrix.arch }}-${{ env.TIMESTAMP }} 
           delete-branch: true
           title: 'build(deps): Update windows rootfs'
           add-paths: deps/rootfs.conf

diff --git a/Dockerfile → rootfs/Dockerfile b/Dockerfile → rootfs/Dockerfile