From aedfa531fac97ec7555d47f0cc1bb853e40792a8 Mon Sep 17 00:00:00 2001
From: Mark Hansen
Date: Sat, 20 Feb 2021 16:29:12 +1100
Subject: [PATCH] docker: Split building SHA and pushing to :latest

Previously, we guarded the :latest tag by limiting it to master only, not merge requests. Now we need to split this: - it's safe for merge requests to push to their own SHA, nobody else is using that SHA - the merge request tests assume that a docker image is tagged with a SHA, so the merge request tests require the docker_build step to run. I'm a bit disappointed I couldn't get this to work in a single step (hence the undesirable duplication) -- perhaps there's a way to lock down :latest within a single CI job that I'm missing? This commit is loosely based off https://blog.callr.tech/building-docker-images-with-gitlab-ci-best-practices/
---
 .gitlab-ci.yml | 55 +++++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 50 insertions(+), 5 deletions(-)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 65c674699..9c5dc8509 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,5 +1,6 @@
 stages:
 - build_docker_images
+ - push_docker_images
 - source
 - build
 - test
@@ -598,7 +599,7 @@ deployment:
 only:
 - master@graphviz/graphviz

-.docker_build_template: &docker_build_definition
+.docker_template: &docker_definition
 image: docker:stable
 services:
 - docker:dind
@@ -608,10 +609,13 @@ deployment:
 # $CI_JOB_TOKEN is documented at
 # https://docs.gitlab.com/ee/user/project/new_ci_build_permissions_model.html#job-token
 - echo -n $CI_JOB_TOKEN | docker login -u gitlab-ci-token --password-stdin $CI_REGISTRY
- stage: build_docker_images
 # do not re-run this job for new Git tags of previously seen commits
 except:
 - tags
+
+.docker_build_template: &docker_build_definition
+ <<: *docker_definition
+ stage: build_docker_images
 script:
 - cd ci/$IMAGE
 # fetches the :latest image (not failing if image is not found) for caching
@@ -619,12 +623,18 @@ deployment:
 # Build and push with git commit SHA tag, reusing layers from the :latest image if possible
 - docker build -t $CI_REGISTRY_IMAGE/$IMAGE:$CI_COMMIT_SHA --cache-from $CI_REGISTRY_IMAGE/$IMAGE:latest .
 - docker push $CI_REGISTRY_IMAGE/$IMAGE:$CI_COMMIT_SHA
+
+.docker_push_template: &docker_push_definition
+ stage: push_docker_images
+ only:
+ refs:
+ # Only master should be pushed to :latest, not unmerged merge-requests.
+ - master@graphviz/graphviz
+ script:
+ - docker pull $CI_REGISTRY_IMAGE/$IMAGE:$CI_COMMIT_SHA
 # Re-tag, push to :latest tag
 - docker tag $CI_REGISTRY_IMAGE/$IMAGE:$CI_COMMIT_SHA $CI_REGISTRY_IMAGE/$IMAGE:latest
 - docker push $CI_REGISTRY_IMAGE/$IMAGE:latest
- only:
- refs:
- - master@graphviz/graphviz

 docker_build_centos7:
 <<: *docker_build_definition
@@ -660,3 +670,38 @@ docker_build_ubuntu-20.10:
 <<: *docker_build_definition
 variables:
 IMAGE: ubuntu-20.10
+
+docker_push_centos7:
+ <<: *docker_push_definition
+ variables:
+ IMAGE: centos7
+
+docker_push_centos8:
+ <<: *docker_push_definition
+ variables:
+ IMAGE: centos8
+
+docker_push_fedora32:
+ <<: *docker_push_definition
+ variables:
+ IMAGE: fedora32
+
+docker_push_fedora33:
+ <<: *docker_push_definition
+ variables:
+ IMAGE: fedora33
+
+docker_push_ubuntu-18.04:
+ <<: *docker_push_definition
+ variables:
+ IMAGE: ubuntu-18.04
+
+docker_push_ubuntu-20.04:
+ <<: *docker_push_definition
+ variables:
+ IMAGE: ubuntu-20.04
+
+docker_push_ubuntu-20.10:
+ <<: *docker_push_definition
+ variables:
+ IMAGE: ubuntu-20.10
--
2.40.0
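Review bot: The added `.docker_push_template` never merges the shared base, so as written the `docker_push_*` jobs inherit no `image: docker:stable`, no `docker:dind` service, no `docker login` from `before_script` and no `except: tags`. Unless the file sets these globally outside the visible hunks, the `docker pull` and `docker push` steps in the push stage would run without a Docker daemon or registry credentials. Add `<<: *docker_definition` as the first key under `.docker_push_template:`, mirroring what `.docker_build_template` does. Separately, the `only: refs: master@graphviz/graphviz` guard lives in the same `.gitlab-ci.yml` that every branch pipeline evaluates from its own commit, so it prevents accidental pushes to `:latest` rather than enforcing who may move the tag; a protected-branch or registry-side restriction would be needed for that.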
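Review bot: The seven `docker_push_*` jobs are coupled to their `docker_build_*` counterparts only through the `IMAGE` value and stage order, and nothing in the file documents that. A build job added later without a matching push job would leave that image's `:latest` cache tag stale without any job failing. A comment above `docker_push_centos7:` such as `# One docker_push_* job per docker_build_* job above; keep the two lists in sync.` would record the dependency.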