docker: Split building SHA and pushing to :latest
authorMark Hansen <markhansen@google.com>
Sat, 20 Feb 2021 05:29:12 +0000 (16:29 +1100)
committerMark Hansen <markhansen@google.com>
Sat, 20 Feb 2021 05:29:12 +0000 (16:29 +1100)
Previously, we guarded the :latest tag by limiting it to master only,
not merge requests.

Now we need to split this:
- it's safe for merge requests to push to their own SHA, nobody else is
  using that SHA
- the merge request tests assume that a docker image is tagged with a
  SHA, so the merge request tests require the docker_build step to run.

I'm a bit disappointed I couldn't get this to work in a single step
(hence the undesirable duplication) -- perhaps there's a way to lock
down :latest within a single CI job that I'm missing?

This commit is loosely based off
https://blog.callr.tech/building-docker-images-with-gitlab-ci-best-practices/

.gitlab-ci.yml

index 65c67469948f8bb05f4deade54fe179be6167510..9c5dc8509503ba2771828fdcbbf60519daa71f07 100644 (file)
@@ -1,5 +1,6 @@
 stages:
     - build_docker_images
+    - push_docker_images
     - source
     - build
     - test
@@ -598,7 +599,7 @@ deployment:
     only:
         - master@graphviz/graphviz
 
-.docker_build_template: &docker_build_definition
+.docker_template: &docker_definition
   image: docker:stable
   services:
     - docker:dind
@@ -608,10 +609,13 @@ deployment:
     # $CI_JOB_TOKEN is documented at
     # https://docs.gitlab.com/ee/user/project/new_ci_build_permissions_model.html#job-token
     - echo -n $CI_JOB_TOKEN | docker login -u gitlab-ci-token --password-stdin $CI_REGISTRY
-  stage: build_docker_images
   # do not re-run this job for new Git tags of previously seen commits
   except:
     - tags
+
+.docker_build_template: &docker_build_definition
+  <<: *docker_definition
+  stage: build_docker_images
   script:
     - cd ci/$IMAGE
     # fetches the :latest image (not failing if image is not found) for caching
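Review bot: The new `.docker_build_template` has no comment recording the boundary this commit relies on. As far as the visible hunks show, it now runs for every ref except tags, merge requests included, and must only ever push the `$CI_COMMIT_SHA` tag, but that is stated only in the commit message. I would add above `stage: build_docker_images` a line such as `# Runs for all branches and merge requests; must only push the $CI_COMMIT_SHA tag, never :latest.` so that a later edit to the script does not quietly reintroduce a `:latest` push here. The template's script continues outside this hunk.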
@@ -619,12 +623,18 @@ deployment:
     # Build and push with git commit SHA tag, reusing layers from the :latest image if possible
     - docker build -t $CI_REGISTRY_IMAGE/$IMAGE:$CI_COMMIT_SHA --cache-from $CI_REGISTRY_IMAGE/$IMAGE:latest .
     - docker push     $CI_REGISTRY_IMAGE/$IMAGE:$CI_COMMIT_SHA
+
+.docker_push_template: &docker_push_definition
+  stage: push_docker_images
+  only:
+    refs:
+      # Only master should be pushed to :latest, not unmerged merge-requests.
+      - master@graphviz/graphviz
+  script:
+    - docker pull $CI_REGISTRY_IMAGE/$IMAGE:$CI_COMMIT_SHA
     # Re-tag, push to :latest tag
     - docker tag $CI_REGISTRY_IMAGE/$IMAGE:$CI_COMMIT_SHA $CI_REGISTRY_IMAGE/$IMAGE:latest
     - docker push     $CI_REGISTRY_IMAGE/$IMAGE:latest
-  only:
-    refs:
-        - master@graphviz/graphviz
 
 docker_build_centos7:
   <<: *docker_build_definition
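Review bot: `.docker_push_template` does not merge the shared `.docker_template`, so the `docker_push_*` jobs added at the end of the file appear to get neither `image: docker:stable`, the `docker:dind` service, the `docker login` step, nor `except: tags`, unless defaults outside these hunks supply them. Adding `<<: *docker_definition` as the first key of the template, as `.docker_build_template` does, would give the push jobs an authenticated Docker client. Separately, `docker pull $CI_REGISTRY_IMAGE/$IMAGE:$CI_COMMIT_SHA` resolves a tag, not a digest recorded by the build job, so `:latest` becomes whatever sits under that tag when the push job runs. Since the build jobs now also run for merge requests, it is worth confirming who can write to that tag in this registry.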
@@ -660,3 +670,38 @@ docker_build_ubuntu-20.10:
   <<: *docker_build_definition
   variables:
     IMAGE: ubuntu-20.10
+
+docker_push_centos7:
+  <<: *docker_push_definition
+  variables:
+    IMAGE: centos7
+
+docker_push_centos8:
+  <<: *docker_push_definition
+  variables:
+    IMAGE: centos8
+
+docker_push_fedora32:
+  <<: *docker_push_definition
+  variables:
+    IMAGE: fedora32
+
+docker_push_fedora33:
+  <<: *docker_push_definition
+  variables:
+    IMAGE: fedora33
+
+docker_push_ubuntu-18.04:
+  <<: *docker_push_definition
+  variables:
+    IMAGE: ubuntu-18.04
+
+docker_push_ubuntu-20.04:
+  <<: *docker_push_definition
+  variables:
+    IMAGE: ubuntu-20.04
+
+docker_push_ubuntu-20.10:
+  <<: *docker_push_definition
+  variables:
+    IMAGE: ubuntu-20.10