synapse/.github/workflows/docker.yml

# GitHub actions workflow which builds and publishes the docker images.

name: Build docker images

on:
  push:
    tags: ["v*"]
    branches: [ master, main, develop ]
  workflow_dispatch:

permissions:
  contents: read
  packages: write
  id-token: write # needed for signing the images with GitHub OIDC Token
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Set up QEMU
        id: qemu
        uses: docker/setup-qemu-action@v3
        with:
          platforms: arm64

      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@v3

      - name: Inspect builder
        run: docker buildx inspect

      - name: Install Cosign
        uses: sigstore/cosign-installer@v3.5.0

      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Extract version from pyproject.toml
        # Note: explicitly requesting bash will mean bash is invoked with `-eo pipefail`, see
        # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsshell
        shell: bash
        run: |
          echo "SYNAPSE_VERSION=$(grep "^version" pyproject.toml | sed -E 's/version\s*=\s*["]([^"]*)["]/\1/')" >> $GITHUB_ENV

      - name: Log in to DockerHub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Log in to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Calculate docker image tag
        id: set-tag
        uses: docker/metadata-action@master
        with:
          images: |
            docker.io/matrixdotorg/synapse
            ghcr.io/element-hq/synapse
          flavor: |
            latest=false
          tags: |
            type=raw,value=develop,enable=${{ github.ref == 'refs/heads/develop' }}
            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/master' }}
            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
            type=pep440,pattern={{raw}}

      - name: Build and push all platforms
        id: build-and-push
        uses: docker/build-push-action@v5
        with:
          push: true
          labels: |
            gitsha1=${{ github.sha }}
            org.opencontainers.image.version=${{ env.SYNAPSE_VERSION }}
          tags: "${{ steps.set-tag.outputs.tags }}"
          file: "docker/Dockerfile"
          platforms: linux/amd64,linux/arm64

          # arm64 builds OOM without the git fetch setting. c.f.
          # https://github.com/rust-lang/cargo/issues/10583
          build-args: |
            CARGO_NET_GIT_FETCH_WITH_CLI=true

      - name: Sign the images with GitHub OIDC Token
        env:
          DIGEST: ${{ steps.build-and-push.outputs.digest }}
          TAGS: ${{ steps.set-tag.outputs.tags }}
        run: |
          images=""
          for tag in ${TAGS}; do
            images+="${tag}@${DIGEST} "
          done
          cosign sign --yes ${images}
Move the docker image build to Github Actions (#10416) it's flaky on circleCI, and having to manage multiple CI providers is painful. 2021-07-21 13:33:35 +02:00			`# GitHub actions workflow which builds and publishes the docker images.`

			`name: Build docker images`

			`on:`
			`push:`
			`tags: ["v*"]`
Publish a `develop` docker image (#11380) I'd find it helpful to have a docker image corresponding to current develop, without having to build my own. 2021-11-19 11:56:59 +01:00			`branches: [ master, main, develop ]`
Move the docker image build to Github Actions (#10416) it's flaky on circleCI, and having to manage multiple CI providers is painful. 2021-07-21 13:33:35 +02:00			`workflow_dispatch:`

			`permissions:`
			`contents: read`
Mirror images to the GitHub Container Registry (`ghcr.io/matrix-org/synapse`). (#15281) 2023-03-20 17:28:29 +01:00			`packages: write`
Implement cosign on docker image (#16774) Signed-off-by: Gaël Goinvic <gaelg@element.io> 2024-01-04 12:49:33 +01:00			`id-token: write # needed for signing the images with GitHub OIDC Token`
Move the docker image build to Github Actions (#10416) it's flaky on circleCI, and having to manage multiple CI providers is painful. 2021-07-21 13:33:35 +02:00			`jobs:`
			`build:`
			`runs-on: ubuntu-latest`
			`steps:`
			`- name: Set up QEMU`
			`id: qemu`
Bump docker/setup-qemu-action from 2 to 3 (#16338) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 2023-09-18 11:19:05 +02:00			`uses: docker/setup-qemu-action@v3`
Move the docker image build to Github Actions (#10416) it's flaky on circleCI, and having to manage multiple CI providers is painful. 2021-07-21 13:33:35 +02:00			`with:`
			`platforms: arm64`

			`- name: Set up Docker Buildx`
			`id: buildx`
Bump docker/setup-buildx-action from 2 to 3 (#16375) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 2023-09-25 12:34:16 +02:00			`uses: docker/setup-buildx-action@v3`
Move the docker image build to Github Actions (#10416) it's flaky on circleCI, and having to manage multiple CI providers is painful. 2021-07-21 13:33:35 +02:00
			`- name: Inspect builder`
			`run: docker buildx inspect`
Attempt to fix labelling in docker workflow (#16009) 2023-07-27 14:47:48 +02:00
Implement cosign on docker image (#16774) Signed-off-by: Gaël Goinvic <gaelg@element.io> 2024-01-04 12:49:33 +01:00			`- name: Install Cosign`
Bump sigstore/cosign-installer from 3.4.0 to 3.5.0 (#17088) Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.4.0 to 3.5.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/sigstore/cosign-installer/releases">sigstore/cosign-installer's releases</a>.</em></p> <blockquote> <h2>v3.5.0</h2> <h2>What's Changed</h2> <ul> <li>Bump actions/checkout from 4.1.1 to 4.1.2 by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/sigstore/cosign-installer/pull/157">sigstore/cosign-installer#157</a></li> <li>use go 1.22 now by <a href="https://github.com/bobcallaway"><code>@bobcallaway</code></a> in <a href="https://redirect.github.com/sigstore/cosign-installer/pull/160">sigstore/cosign-installer#160</a></li> <li>bump default version to v2.2.4, prep for v3.5.0 release by <a href="https://github.com/bobcallaway"><code>@bobcallaway</code></a> in <a href="https://redirect.github.com/sigstore/cosign-installer/pull/159">sigstore/cosign-installer#159</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/sigstore/cosign-installer/compare/v3.4.0...v3.5.0">https://github.com/sigstore/cosign-installer/compare/v3.4.0...v3.5.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/sigstore/cosign-installer/commit/59acb6260d9c0ba8f4a2f9d9b48431a222b68e20"><code>59acb62</code></a> bump default version to v2.2.4, prep for v3.5.0 release (<a href="https://redirect.github.com/sigstore/cosign-installer/issues/159">#159</a>)</li> <li><a href="https://github.com/sigstore/cosign-installer/commit/22be4ce325f454c874ccf89af51803efd4e85129"><code>22be4ce</code></a> use go 1.22 now (<a href="https://redirect.github.com/sigstore/cosign-installer/issues/160">#160</a>)</li> <li><a href="https://github.com/sigstore/cosign-installer/commit/162dfdf7b9ab8be88c95b4fc982792c4c273e27a"><code>162dfdf</code></a> Bump actions/checkout from 4.1.1 to 4.1.2 (<a href="https://redirect.github.com/sigstore/cosign-installer/issues/157">#157</a>)</li> <li>See full diff in <a href="https://github.com/sigstore/cosign-installer/compare/v3.4.0...v3.5.0">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=sigstore/cosign-installer&package-manager=github_actions&previous-version=3.4.0&new-version=3.5.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 2024-04-19 10:42:35 +02:00			`uses: sigstore/cosign-installer@v3.5.0`
Implement cosign on docker image (#16774) Signed-off-by: Gaël Goinvic <gaelg@element.io> 2024-01-04 12:49:33 +01:00
Attempt to fix labelling in docker workflow (#16009) 2023-07-27 14:47:48 +02:00			`- name: Checkout repository`
Bump actions/checkout from 3 to 4 (#16250) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 2023-09-25 17:39:54 +02:00			`uses: actions/checkout@v4`
Attempt to fix labelling in docker workflow (#16009) 2023-07-27 14:47:48 +02:00
Add synapse version as Docker container label (#15972) Co-authored-by: Mo Balaa <balaa@fractalnetworks.co> 2023-07-26 18:16:12 +02:00			`- name: Extract version from pyproject.toml`
Attempt to fix labelling in docker workflow (#16009) 2023-07-27 14:47:48 +02:00			# Note: explicitly requesting bash will mean bash is invoked with `-eo pipefail`, see
			`# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsshell`
			`shell: bash`
Add synapse version as Docker container label (#15972) Co-authored-by: Mo Balaa <balaa@fractalnetworks.co> 2023-07-26 18:16:12 +02:00			`run: \|`
			`echo "SYNAPSE_VERSION=$(grep "^version" pyproject.toml \| sed -E 's/version\s=\s["]([^"]*)["]/\1/')" >> $GITHUB_ENV`
Fix docker build OOMing in CI for arm64 builds (#14173) Co-authored-by: David Robertson <davidr@element.io> 2022-10-13 20:16:21 +02:00
Move the docker image build to Github Actions (#10416) it's flaky on circleCI, and having to manage multiple CI providers is painful. 2021-07-21 13:33:35 +02:00			`- name: Log in to DockerHub`
Bump docker/login-action from 2 to 3 (#16339) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 2023-09-18 11:21:14 +02:00			`uses: docker/login-action@v3`
Move the docker image build to Github Actions (#10416) it's flaky on circleCI, and having to manage multiple CI providers is painful. 2021-07-21 13:33:35 +02:00			`with:`
			`username: ${{ secrets.DOCKERHUB_USERNAME }}`
			`password: ${{ secrets.DOCKERHUB_TOKEN }}`

Mirror images to the GitHub Container Registry (`ghcr.io/matrix-org/synapse`). (#15281) 2023-03-20 17:28:29 +01:00			`- name: Log in to GHCR`
Bump docker/login-action from 2 to 3 (#16339) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 2023-09-18 11:21:14 +02:00			`uses: docker/login-action@v3`
Mirror images to the GitHub Container Registry (`ghcr.io/matrix-org/synapse`). (#15281) 2023-03-20 17:28:29 +01:00			`with:`
			`registry: ghcr.io`
			`username: ${{ github.repository_owner }}`
			`password: ${{ secrets.GITHUB_TOKEN }}`

Move the docker image build to Github Actions (#10416) it's flaky on circleCI, and having to manage multiple CI providers is painful. 2021-07-21 13:33:35 +02:00			`- name: Calculate docker image tag`
			`id: set-tag`
Use `docker/metadata-action` to generate docker image tags (#12573) Update the "Build docker images" GitHub Actions workflow to use `docker/metadata-action` to generate docker image tags, instead of a custom shell script. Signed-off-by: Henry <97804910+henryclw@users.noreply.github.com> 2022-05-05 14:36:42 +02:00			`uses: docker/metadata-action@master`
			`with:`
Mirror images to the GitHub Container Registry (`ghcr.io/matrix-org/synapse`). (#15281) 2023-03-20 17:28:29 +01:00			`images: \|`
			`docker.io/matrixdotorg/synapse`
More renaming 2023-12-13 16:41:11 +01:00			`ghcr.io/element-hq/synapse`
Use `docker/metadata-action` to generate docker image tags (#12573) Update the "Build docker images" GitHub Actions workflow to use `docker/metadata-action` to generate docker image tags, instead of a custom shell script. Signed-off-by: Henry <97804910+henryclw@users.noreply.github.com> 2022-05-05 14:36:42 +02:00			`flavor: \|`
			`latest=false`
			`tags: \|`
			`type=raw,value=develop,enable=${{ github.ref == 'refs/heads/develop' }}`
			`type=raw,value=latest,enable=${{ github.ref == 'refs/heads/master' }}`
			`type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}`
			`type=pep440,pattern={{raw}}`
Move the docker image build to Github Actions (#10416) it's flaky on circleCI, and having to manage multiple CI providers is painful. 2021-07-21 13:33:35 +02:00
			`- name: Build and push all platforms`
Implement cosign on docker image (#16774) Signed-off-by: Gaël Goinvic <gaelg@element.io> 2024-01-04 12:49:33 +01:00			`id: build-and-push`
Bump docker/build-push-action from 4 to 5 (#16336) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 2023-09-18 11:17:48 +02:00			`uses: docker/build-push-action@v5`
Move the docker image build to Github Actions (#10416) it's flaky on circleCI, and having to manage multiple CI providers is painful. 2021-07-21 13:33:35 +02:00			`with:`
Revert "Disable push of docker images" This reverts commit f3f303aa22b9681c21468fb0bdce1b21d1bdbd92. 2022-10-14 11:50:24 +02:00			`push: true`
Add synapse version as Docker container label (#15972) Co-authored-by: Mo Balaa <balaa@fractalnetworks.co> 2023-07-26 18:16:12 +02:00			`labels: \|`
			`gitsha1=${{ github.sha }}`
			`org.opencontainers.image.version=${{ env.SYNAPSE_VERSION }}`
Use `docker/metadata-action` to generate docker image tags (#12573) Update the "Build docker images" GitHub Actions workflow to use `docker/metadata-action` to generate docker image tags, instead of a custom shell script. Signed-off-by: Henry <97804910+henryclw@users.noreply.github.com> 2022-05-05 14:36:42 +02:00			`tags: "${{ steps.set-tag.outputs.tags }}"`
Move the docker image build to Github Actions (#10416) it's flaky on circleCI, and having to manage multiple CI providers is painful. 2021-07-21 13:33:35 +02:00			`file: "docker/Dockerfile"`
			`platforms: linux/amd64,linux/arm64`
Fix docker workflow 2022-10-14 10:57:31 +02:00
			`# arm64 builds OOM without the git fetch setting. c.f.`
			`# https://github.com/rust-lang/cargo/issues/10583`
			`build-args: \|`
			`CARGO_NET_GIT_FETCH_WITH_CLI=true`
Implement cosign on docker image (#16774) Signed-off-by: Gaël Goinvic <gaelg@element.io> 2024-01-04 12:49:33 +01:00
			`- name: Sign the images with GitHub OIDC Token`
			`env:`
			`DIGEST: ${{ steps.build-and-push.outputs.digest }}`
			`TAGS: ${{ steps.set-tag.outputs.tags }}`
			`run: \|`
			`images=""`
			`for tag in ${TAGS}; do`
			`images+="${tag}@${DIGEST} "`
			`done`
			`cosign sign --yes ${images}`