Automate publishing multiarch images to GHCR (migrate away from Docker Hub) #395
Conversation
klardotsh
force-pushed
the
multiarch-ghcr
branch
from
59ae626 to
786fb3e
Compare
|
Hm, someone with admin rights needs to OK the new (forked) actions I believe, for those to get tested here. |
| # Changelog: | ||
| # | ||
| # 6.1-1: Add ARM64 support, publish to GHCR | ||
| # <--> This file created here <--> | ||
| # 6.1-0: final version published exclusively to Docker Hub | ||
|
|
||
| 6.1-1 |
There was a problem hiding this comment.
I don’t think it’s worthwhile to maintain an extra changelog when we already have Git.
Can we have things trigger based on the names of Git tags pushed to the repository, rather than maintaining this file?
There was a problem hiding this comment.
Yep, we can definitely do that easily in GHA. The only tradeoff is "how automatic will this be?" - as authored, as soon as this file changes in main, a new GHCR tag is cut, meaning 0 human interaction required post-merge to get Docker image changes published. The tag method is 1 (small) interaction that - so long as the same naming scheme is followed - comes with no other tradeoffs I can think of.
There was a problem hiding this comment.
Editing a file is an interaction too. We want the Git tags to be there anyway; they’re self-documenting, more flexible (e.g. we could push a tag that isn’t on main for an emergency patch release), more standard, and simpler. So I think we should go with that.
There was a problem hiding this comment.
Mmm yeah the non-main case seems especially useful of an addition here. I'll patch this up.
klardotsh
force-pushed
the
multiarch-ghcr
branch
2 times, most recently
from
fe8eeca to
88fbdcc
Compare
There doesn’t seem to be a way to do that. |
|
Ah right the workflows still belong to my fork (as seen by the syntax errors in https://github.com/klardotsh/docker-zulip/actions before I fixed and rebased those out) until merged into (there's a corner case probably not worth solving here that while we might want this forked run to have access to secrets, we don't want most forked runs to have access to secrets, and I forget if there's one-off toggles to allow one PR to have access to secrets...) |
|
If you were to reopen this PR from a branch in zulip/docker-zulip rather than a branch in klardotsh/docker-zulip, would that suffice? |
|
That's an excellent question. Let me try that with a new PR number and find out :) |
klardotsh
force-pushed
the
multiarch-ghcr
branch
from
88fbdcc to
5319f93
Compare
|
Two step process: #396 helped me isolate where a syntax error was in the original PR (which didn't report on my fork, from what I can tell), but wasn't ultimately necessary (pushing that same commit series here triggered a build). |
klardotsh
force-pushed
the
multiarch-ghcr
branch
from
5319f93 to
d50c312
Compare
In light of recent changes to Docker Hub, move our Docker images into GHCR which integrates more tightly with GitHub flows we already use throughout the Zulip org. Since it's near-trivial to do so at the same time, add officiallly-supported ARM64 builds. Resolves zulip#357.
klardotsh
force-pushed
the
multiarch-ghcr
branch
from
d50c312 to
5328986
Compare
|
Closing in favor of #397, because this branch indeed needs to be within the org to push to the repo (push permissions aren't granted to forks and the CI runs in the context of the fork in this case). |
Supercedes #390 by building multiarch images in GHCR rather than depending on local workstation builds.
Blockers: https://github.com/orgs/zulip/packages/container/package/zulip needs to be made public, and I need to verify that this repo actually has permissions to push to that registry (while I'm an admin of the registry, I'm not an admin of this repo, so can't double-check the secrets plumbing behind the scenes that I vaguely recall being a thing to do here).
Right now it'll push a SHA-tagged image for the tip of any PRs to
main, and then push whateverIMAGE_TAGis +:latestfor merges tomain, which in general should provide both debuggability of images and of GHA workflows, as well as The Expected Behavior for automatic public-facing image publishes. Open to tinkering with these conditions if necessary.