feat: build and deploy docker images (#5)

kratsg · web-flow · commit a5ed34793d27 · 2025-11-18T01:04:59.000+01:00
* add workflow for building/deploying docker image * typo * precommit * added tons more details in the readme * build args * fix up the dockerfile so args pass through * fix attestation * don't do attestations, it will work * tweak reddme more * more updates/tweak * add hep_oslibs * add -y * use @matthewfeickert's comments on docker meta action * typo * clean it up, consolidate back into a single build (and maybe push)
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -0,0 +1,116 @@
+# Some of this (well most) is copied from https://github.com/scikit-hep/pyhf/blob/4ecbf49/.github/workflows/docker.yml
+name: Docker Images
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  docker:
+    name: Build, test, and publish Docker images to Docker Hub
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+      attestations: write
+    env:
+      REGISTRY: ghcr.io
+      IMAGE_NAME: ${{ github.repository_owner }}/actions-runner
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+
+      - name: Load current versions
+        id: versions
+        uses: falti/dotenv-action@v1.1.4
+        with:
+          log-variables: true
+          export-variables: true
+          keys-case: "upper"
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          # generate Docker tags based on the following events/attributes
+          tags: |
+            type=edge,branch=main
+            type=sha,format=short
+            type=ref,event=pr
+            type=raw,value=latest
+            type=raw,value=${{ env.RUNNER_VERSION }}-latest
+            type=raw,value=${{ env.RUNNER_VERSION }}-${{ env.RUNNER_CONTAINER_HOOKS_VERSION }}
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to CERN GitLab
+        if:
+          github.event_name != 'pull_request' && github.repository ==
+          'usatlas/runner'
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.GITLAB_REGISTRY_USERNAME }}
+          password: ${{ secrets.GITLAB_REGISTRY_TOKEN }}
+
+      - name: Login to GitHub Container Registry
+        if:
+          github.event_name != 'pull_request' && github.repository ==
+          'usatlas/runner'
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push
+        id: build-only
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: images/Dockerfile
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            RUNNER_VERSION=${{ env.RUNNER_VERSION }}
+            RUNNER_CONTAINER_HOOKS_VERSION=${{ env.RUNNER_CONTAINER_HOOKS_VERSION }}
+          load: true
+          push:
+            ${{ github.event_name == 'pull_request' && github.ref ==
+            'refs/heads/main' && github.repository == 'usatlas/runner' }}
+
+      - name: Generate attestation
+        # every PR will trigger a push event on main, so check the push event is actually coming from main
+        if:
+          github.event_name == 'push' && github.ref == 'refs/heads/main' &&
+          github.repository == 'usatlas/runner'
+        uses: actions/attest-build-provenance@v3
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          subject-digest: ${{ steps.build-and-push.outputs.digest }}
+          push-to-registry: true
+
+      - name: Image digest
+        run: echo ${{ steps.build-only.outputs.digest }}
+
+      - name: List built images
+        run: docker images
diff --git a/README.md b/README.md
@@ -1,46 +1,102 @@
 # 🛠️ Alma9 GitHub Actions Runner
 
-This repository manages the list of GitHub Actions **self-hosted runner versions** used by the USATLAS organization.
-It includes an automated workflow that periodically checks for new runner releases and opens a pull request to update the pinned versions.
+This repository manages the list of GitHub Actions **self-hosted runner
+versions** used by the USATLAS organization. It includes an automated workflow
+that periodically checks for new runner releases and opens a pull request to
+update the pinned versions.
 
-Any changes to the versions will build a new docker image deployed to ghcr.io.
+## 🔧 Configuration
 
-## 🚀 How It Works
+The `.env` file stores the pinned versions used in the docker image, for
+example:
 
-A scheduled GitHub Actions workflow runs the following process:
+```
+RUNNER_VERSION=2.329.0
+RUNNER_CONTAINER_HOOKS_VERSION=0.7.0
+```
 
-1. **Fetch latest runner releases** from the official GitHub runners repository.
-2. **Compare versions** against what is currently stored in `.env`.
-3. If any versions have changed:
+These values are automatically updated by the automated version update workflow.
 
-   * A new branch named `update-runner-versions` is created.
-   * `.env` is updated with the new versions.
-   * A commit is created with a message summarizing exactly what changed.
-   * A pull request is automatically opened.
+## 🐳 Docker Image Publishing
 
-## 📝 Example Commit Message
+Docker images for **Alma9-based GitHub Actions self-hosted runners** are
+automatically built and published when changes are pushed to the `main` branch.
+These provide an alternative to the standard Ubuntu/Debian-based runners. Pull
+requests trigger test builds to validate the Dockerfile, but images are only
+published from `main`.
 
-When versions change, the commit message looks like:
+### Published Registries
 
-```
-Update GitHub Actions runner versions
+Images are published to two container registries:
 
-- Container Hooks: [0.7.0](https://github.com/actions/runner-container-hooks/releases/tag/v0.7.0) → [0.8.0](https://github.com/actions/runner-container-hooks/releases/tag/v0.8.0)
-```
+- **CERN GitLab Container Registry**: `gitlab-registry.cern.ch/usatlas/runner`
+- **GitHub Container Registry**: `ghcr.io/usatlas/actions-runner`
 
-Commit messages only include entries for components that actually changed.
+### Available Tags
 
-## 🔧 Configuration
+Multiple tags are created for each build to support different use cases:
+
+- **`latest`** - Always points to the most recent build from `main`
+- **`sha-{hash}`** - Immutable reference to a specific commit (e.g.,
+  `sha-592ad7bd`)
+- **`{RUNNER_VERSION}-latest`** - Latest build for a specific runner version
+  (e.g., `2.329.0-latest`)
+- **`{RUNNER_VERSION}-{HOOKS_VERSION}`** - Fully pinned, reproducible version
+  (e.g., `2.329.0-0.8.0`)
+
+### Versioning Concepts
+
+The Docker images use two independent version numbers:
+
+- **Runner Version** (`RUNNER_VERSION`): The version of the GitHub Actions
+  runner software itself, from
+  [actions/runner](https://github.com/actions/runner/releases)
+- **Runner Container Hooks Version** (`RUNNER_CONTAINER_HOOKS_VERSION`): The
+  version of container hooks for Kubernetes integration, from
+  [actions/runner-container-hooks](https://github.com/actions/runner-container-hooks/releases)
+
+Both versions are stored in the `.env` file and automatically updated by the
+version update workflow.
+
+### Usage Examples
 
-The `.env` file stores the pinned versions, for example:
+Pull the latest image:
 
+```bash
+docker pull ghcr.io/usatlas/actions-runner:latest
 ```
-RUNNER_VERSION=2.329.0
-RUNNER_CONTAINER_HOOKS_VERSION=0.7.0
+
+Pull a specific pinned version:
+
+```bash
+docker pull ghcr.io/usatlas/actions-runner:2.329.0-0.8.0
 ```
 
-These values are automatically updated by the workflow.
+### Multi-Platform Support
+
+Images are built for both `linux/amd64` and `linux/arm64` architectures.
+
+## 🚀 Automated Version Updates
+
+The regularly-scheduled GitHub Actions workflow, powered by `gh` CLI for
+interacting with GitHub's API, runs the following steps:
+
+1. **Fetch latest runner releases** from the official GitHub runners repository.
+2. **Compare versions** against what is currently stored in `.env`.
+3. If any versions have changed:
+   - A new branch named `update-runner-versions` is created.
+   - `.env` is updated with the new versions.
+   - A commit is created with a message summarizing exactly what changed.
+   - A pull request is automatically opened.
+
+### 📝 Example Commit Message
+
+When versions change, the commit message looks like:
+
+```
+Update GitHub Actions runner versions
 
-## 🤖 Automation Workflow
+- Container Hooks: [0.7.0](https://github.com/actions/runner-container-hooks/releases/tag/v0.7.0) → [0.8.0](https://github.com/actions/runner-container-hooks/releases/tag/v0.8.0)
+```
 
-The regularly-scheduled update job is powered by `gh` CLI (preinstalled on runners) for interacting with GitHub.
+Commit messages only include entries for components that actually changed.
diff --git a/images/Dockerfile b/images/Dockerfile
@@ -1,22 +1,25 @@
 # Replace value with the latest runner release version
 # source: https://github.com/actions/runner/releases
-ARG RUNNER_VERSION=2.329.0
+ARG RUNNER_VERSION="2.329.0"
 # Replace value with the latest runner-container-hooks release version
 # source: https://github.com/actions/runner-container-hooks/releases
-ARG RUNNER_CONTAINER_HOOKS_VERSION=0.8.0
+ARG RUNNER_CONTAINER_HOOKS_VERSION="0.8.0"
 ARG RUNNER_ARCH="x64"
 
-FROM ghcr.io/actions/runner:${RUNNER_VERSION} AS runner
-FROM ghcr.io/actions/runner-container-hooks:${RUNNER_CONTAINER_HOOKS_VERSION} AS hooks
-
-FROM gitlab-registry.cern.ch/linuxsupport/alma9-base AS build
+FROM gitlab-registry.cern.ch/linuxsupport/alma9-base AS runner
+ARG RUNNER_VERSION
+ARG RUNNER_CONTAINER_HOOKS_VERSION
+ARG RUNNER_ARCH
 
 # Runner environment
 ENV RUNNER_MANUALLY_TRAP_SIG=1
 ENV ACTIONS_RUNNER_PRINT_LOG_TO_STDOUT=1
 
 # Install dependencies
+# For HEP_OSLibs: https://gitlab.cern.ch/linuxsupport/rpms/HEP_OSlibs
 RUN dnf install -y curl unzip sudo tar gzip \
+    && dnf install -y https://linuxsoft.cern.ch/wlcg/el9/x86_64/wlcg-repo-1.0.0-1.el9.noarch.rpm \
+    && dnf install -y HEP_OSlibs \
     && dnf clean all
 
 # Create runner user
