Added GitHub actions to build container images

This commit is contained in:
chgl
2021-03-13 17:04:13 +01:00
parent b5c34033c0
commit db3ee29242
3 changed files with 105 additions and 18 deletions

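--- /dev/null
+++ b/.github/workflows/build-images.yaml
@@ -0,0 +1,81 @@
+name: Build Container Images
+on:
+push:
+tags:
+- "image/v*"
+pull_request:
+branches: [master]
+jobs:
+build:
+name: Build
+runs-on: ubuntu-20.04
+steps:
+- name: Docker meta
+id: docker_meta
+uses: crazy-max/ghaction-docker-meta@v1
+with:
+images: |
+ghcr.io/hapifhir/hapi
+docker.io/hapiproject/hapi
+tag-sha: false
+tag-match: "v(.*)"
+# waiting for https://github.com/crazy-max/ghaction-docker-meta/issues/13 for a cleaner solution
+- name: Docker distroless meta
+id: docker_distroless_meta
+uses: crazy-max/ghaction-docker-meta@v1
+with:
+images: |
+ghcr.io/hapifhir/hapi
+docker.io/hapiproject/hapi
+tag-sha: false
+tag-match: "v(.*)"
+sep-tags: -distroless,
+- name: Set up QEMU
+uses: docker/setup-qemu-action@v1
+- name: Set up Docker Buildx
+uses: docker/setup-buildx-action@v1
+- name: Login to DockerHub
+uses: docker/login-action@v1
+if: github.event_name != 'pull_request'
+with:
+username: ${{ secrets.DOCKERHUB_USERNAME }}
+password: ${{ secrets.DOCKERHUB_TOKEN }}
+- name: Login to GitHub Container Registry
+uses: docker/login-action@v1
+if: github.event_name != 'pull_request'
+with:
+registry: ghcr.io
+username: ${{ github.repository_owner }}
+password: ${{ secrets.GHCR_TOKEN }}
+- name: Cache Docker layers
+uses: actions/cache@v2
+with:
+path: /tmp/.buildx-cache
+key: ${{ runner.os }}-buildx-${{ github.sha }}
+restore-keys: |
+${{ runner.os }}-buildx-
+- name: Build and push
+id: docker_build
+uses: docker/build-push-action@v2
+with:
+cache-from: type=local,src=/tmp/.buildx-cache
+cache-to: type=local,dest=/tmp/.buildx-cache
+push: ${{ github.event_name != 'pull_request' }}
+tags: ${{ steps.docker_meta.outputs.tags }}
+labels: ${{ steps.docker_meta.outputs.labels }}
+- name: Build and push distroless
+id: docker_build_distroless
+uses: docker/build-push-action@v2
+with:
+cache-from: type=local,src=/tmp/.buildx-cache
+cache-to: type=local,dest=/tmp/.buildx-cache
+push: ${{ github.event_name != 'pull_request' }}
+tags: ${{ steps.docker_distroless_meta.outputs.tags }}-distroless
+labels: ${{ steps.docker_distroless_meta.outputs.labels }}
+target: release-distroless
+- name: Print image digests
+run: |
+echo ${{ steps.docker_build.outputs.digest }}
+echo ${{ steps.docker_build_distroless.outputs.digest }}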
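Review bot: Every third-party action in this workflow is referenced by a mutable tag (`crazy-max/ghaction-docker-meta@v1`, `docker/login-action@v1`, `actions/cache@v2`, `docker/build-push-action@v2`), and the two login steps hand those actions the `DOCKERHUB_TOKEN` and `GHCR_TOKEN` secrets, so a re-pointed tag would run different code with push rights to both registries. Pin each `uses:` to a full commit SHA and keep the version as a trailing comment, e.g. `uses: docker/login-action@<commit-sha-placeholder> # v1`, and bump the pins deliberately. Two smaller points in the same file: `sep-tags: -distroless,` is a plain scalar that starts with `-` and only reads as a string because the next character is not a space, so `sep-tags: "-distroless,"` is the safer spelling; and both `cache-to: type=local,dest=/tmp/.buildx-cache` lines write back into the directory they restore from, which with the local cache exporter means the saved cache only ever grows — either note that this is accepted or add a step that swaps in a fresh cache directory before `actions/cache` saves it.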


@@ -7,6 +7,21 @@ RUN mvn -ntp dependency:go-offline
COPY src/ /tmp/hapi-fhir-jpaserver-starter/src/ COPY src/ /tmp/hapi-fhir-jpaserver-starter/src/
RUN mvn clean install -DskipTests RUN mvn clean install -DskipTests
FROM build-hapi AS build-distroless
RUN mvn package spring-boot:repackage -Pboot
RUN mkdir /app && \
cp /tmp/hapi-fhir-jpaserver-starter/target/ROOT.war /app/main.war
FROM gcr.io/distroless/java-debian10:11 AS release-distroless
COPY --chown=nonroot:nonroot --from=build-distroless /app /app
EXPOSE 8080
# 65532 is the nonroot user's uid
# used here instead of the name to allow Kubernetes to easily detect that the container
# is running as a non-root (uid != 0) user.
USER 65532:65532
WORKDIR /app
CMD ["/app/main.war"]
FROM tomcat:9.0.38-jdk11-openjdk-slim-buster FROM tomcat:9.0.38-jdk11-openjdk-slim-buster
RUN mkdir -p /data/hapi/lucenefiles && chmod 775 /data/hapi/lucenefiles RUN mkdir -p /data/hapi/lucenefiles && chmod 775 /data/hapi/lucenefiles
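Review bot: `FROM gcr.io/distroless/java-debian10:11 AS release-distroless` pins the release base image only by a floating tag, so the image produced from this Dockerfile changes whenever that tag is re-pushed upstream and cannot be reproduced from the source alone; pin it by digest, `FROM gcr.io/distroless/java-debian10:11@sha256:<digest-placeholder> AS release-distroless`, and refresh the pin on purpose. The `COPY --chown=nonroot:nonroot --from=build-distroless /app /app` that follows makes `/app/main.war` owned by the same uid the stage later switches to with `USER 65532:65532`, so the running process can overwrite its own code; dropping `--chown` leaves the file root-owned and still readable, which keeps it read-only for the runtime user, assuming nothing needs to write under `/app`. The stages before this hunk and the tomcat stage after it are outside the hunk.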


@@ -344,23 +344,14 @@ elasticsearch.schema_management_strategy=CREATE
Set `hapi.fhir.lastn_enabled=true` in the [application.yaml](https://github.com/hapifhir/hapi-fhir-jpaserver-starter/blob/master/src/main/resources/application.yaml) file to enable the $lastn operation on this server. Note that the $lastn operation relies on Elasticsearch, so for $lastn to work, indexing must be enabled using Elasticsearch. Set `hapi.fhir.lastn_enabled=true` in the [application.yaml](https://github.com/hapifhir/hapi-fhir-jpaserver-starter/blob/master/src/main/resources/application.yaml) file to enable the $lastn operation on this server. Note that the $lastn operation relies on Elasticsearch, so for $lastn to work, indexing must be enabled using Elasticsearch.
## Example of a Dockerfile based on distroless images (for lower footprint and improved security) ## Build the distroless variant of the image (for lower footprint and improved security)
```code The default Dockerfile contains a `release-distroless` stage to build a variant of the image
FROM maven:3.6.3-jdk-11-slim as build-hapi using the `gcr.io/distroless/java-debian10:11` base image:
WORKDIR /tmp/hapi-fhir-jpaserver-starter
COPY pom.xml . ```sh
RUN mvn -ntp dependency:go-offline docker build --target=release-distroless -t hapi-fhir:distroless .
COPY src/ /tmp/hapi-fhir-jpaserver-starter/src/
RUN mvn clean package spring-boot:repackage -Pboot
FROM gcr.io/distroless/java:11
COPY --from=build-hapi /tmp/hapi-fhir-jpaserver-starter/target/ROOT.war /app/main.war
EXPOSE 8080
WORKDIR /app
CMD ["main.war"]
``` ```
Note that distroless images are also automatically build and pushed to the container registry,
see the `-distroless` suffix in the image tags.