Coder-Workspaces/.github/workflows/build-cpp-dev.yaml at main · nyc-design/Coder-Workspaces · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
name: Build & Push cpp-dev (multi-arch, native runners) - GHCR

on:
  push:
    branches:
      - main
    paths:
      - "workspace-images/cpp-dev/**"
      - ".github/workflows/build-cpp-dev.yaml"
  workflow_dispatch:
  workflow_run:
    workflows: ["Build & Push base-dev (multi-arch, native runners) - GHCR"]
    types:
      - completed
    branches:
      - main

permissions:
  contents: read
  packages: write

env:
  REGISTRY: ghcr.io
  IMAGE_NAMESPACE: workspace-images
  IMAGE_NAME: cpp-dev

jobs:
  build:
    strategy:
      fail-fast: false
      matrix:
        include:
          - platform: linux/amd64
            runs_on: ubuntu-latest
          - platform: linux/arm64
            runs_on: ubuntu-24.04-arm   # native ARM64 runner
    runs-on: ${{ matrix.runs_on }}

    steps:
      - uses: actions/checkout@v4

      # ── Auth to GitHub Container Registry ─────────────────────────────
      - name: Log in to Container Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Compute image coords
        run: |
          echo "IMG=${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ env.IMAGE_NAMESPACE }}/${{ env.IMAGE_NAME }}" >> $GITHUB_ENV
          echo "SHA_SHORT=${GITHUB_SHA::7}" >> $GITHUB_ENV

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      # Build single-arch on native runner, push by digest (optimized)
      - name: Build & push by digest (${{ matrix.platform }})
        id: build
        uses: docker/build-push-action@v6
        with:
          context: .
          file: workspace-images/cpp-dev/Dockerfile
          platforms: ${{ matrix.platform }}
          tags: ${{ env.IMG }}
          outputs: type=image,push-by-digest=true,name-canonical=true,push=true
          cache-from: type=gha,ref=${{ env.IMG }}:buildcache
          cache-to: type=gha,ref=${{ env.IMG }}:buildcache,mode=max
          provenance: false
          sbom: false

      - name: Export digest file
        run: |
          mkdir -p ${{ runner.temp }}/digests
          digest="${{ steps.build.outputs.digest }}"
          touch "${{ runner.temp }}/digests/${digest#sha256:}"

      - name: Upload digest artifact
        uses: actions/upload-artifact@v4
        with:
          name: digests-${{ matrix.platform == 'linux/amd64' && 'linux-amd64' || 'linux-arm64' }}
          path: ${{ runner.temp }}/digests/*
          retention-days: 1

  merge:
    runs-on: ubuntu-latest
    needs: build

    steps:
      - uses: actions/checkout@v4

      # ── Auth to GitHub Container Registry ─────────────────────────────
      - name: Log in to Container Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Compute image coords
        run: |
          echo "IMG=${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ env.IMAGE_NAMESPACE }}/${{ env.IMAGE_NAME }}" >> $GITHUB_ENV
          echo "SHA_SHORT=${GITHUB_SHA::7}" >> $GITHUB_ENV

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Download digests
        uses: actions/download-artifact@v4
        with:
          path: ${{ runner.temp }}/digests
          pattern: digests-*
          merge-multiple: true

      - name: Create and push multi-arch manifest
        working-directory: ${{ runner.temp }}/digests
        run: |
          set -eux
          refs=""
          for d in *; do
            refs="$refs ${IMG}@sha256:${d}"
          done
          docker buildx imagetools create \
            -t "${IMG}:latest" \
            -t "${IMG}:sha-${SHA_SHORT}" \
            $refs

      - name: Inspect final image
        run: docker buildx imagetools inspect "${IMG}:latest"

      - name: Build list of digests to keep
        id: skipshas
        working-directory: ${{ runner.temp }}/digests
        run: |
          set -euo pipefail
          if ls | grep -q .; then
            # Files are named like: <digest-without-prefix>
            SHAS=$(printf "sha256:%s," *)
            SHAS=${SHAS%,}  # strip trailing comma
            echo "skip_shas=$SHAS" >> "$GITHUB_OUTPUT"
          else
            echo "skip_shas=" >> "$GITHUB_OUTPUT"
          fi

      - name: Clean up old GHCR versions (manifests + per-arch digests)
        uses: snok/container-retention-policy@v3.0.1
        with:
          # Personal account; if this is an org, use the org name instead
          account: user
          # Ephemeral GITHUB_TOKEN with packages:write perms is enough
          token: ${{ secrets.GITHUB_TOKEN }}
          # This is the GHCR package name, e.g. "workspace-images/base-dev"
          image-names: "${{ env.IMAGE_NAMESPACE }}/${{ env.IMAGE_NAME }}"
          # Look at both tagged and untagged versions
          tag-selection: both
          # Keep only the newest tagged multi-arch manifest
          keep-n-most-recent: 1
          # Consider everything, regardless of age
          cut-off: 0s
          # Never delete the per-arch digests from this run
          skip-shas: ${{ steps.skipshas.outputs.skip_shas }}