Skip to content
Rust MUSL

Rust MUSL #1360

Sign in to view logs

Rust MUSL

Rust MUSL #1360

Workflow file for this run

.github/workflows/rust-musl.yml at 937397d
name: Rust MUSL
permissions: {}
on:
push:
paths:
- ".github/workflows/rust-musl.yml"
- "Dockerfile.musl-base"
- "test/multicrate/**"
branches:
- main
workflow_dispatch:
inputs:
nightly_date:
description: "Nightly date to build"
required: false
default: ""
fresh_stable:
description: "Trigger new stable build"
required: false
default: ""
schedule:
- cron: '30 9 * * *' # everyday at 09:30 UTC
## ##
## To trigger this workflow using `act` (https://github.com/nektos/act) you can do the following.
## Full run no/different rustc_hash: (This triggers a fresh stable, since the rustc_hash is not available)
## act push -j musl_base
##
## Run per architecutre
## # amd64
## act push -j musl_base --matrix image_tag:x86_64-musl
## # armv7
## act push -j musl_base --matrix image_tag:armv7-musleabihf
## # arm64
## act push -j musl_base --matrix image_tag:aarch64-musl
## # armv6
## act push -j musl_base --matrix image_tag:arm-musleabi
##
## Use a local build toolchain container
## act push --env TOOLCHAIN_REG=localhost:5000 -j musl_base
##
## Full run with same rustc_hash: (Get the current rustc_hash either from the output of the rust_stable step, or running rustc -vV your self)
## act push --env RUSTC_STABLE_HASH_ACT=f1edd0429 -j musl_base
##
## Nightly dispatch:
## act workflow_dispatch -j musl_base
##
## Nightly dispatch specific date:
## act workflow_dispatch -e <(echo '{"act": true, "inputs":{"nightly_date":"2012-12-03","fresh_stable":""}}') -j musl_base
##
## Stable and Nightly dispatch:
## act workflow_dispatch -e <(echo '{"act": true, "inputs":{"nightly_date":"","fresh_stable":"true"}}') -j musl_base
##
## To only see the outputs from the mbuild_vars to see what is getting triggered, use the same commands as above but replace `musl_base` with `mbuild_vars`
##
## To build arm64 images too, use `qemu` instead of `push`. But this is very slow on a local system!
## ##
jobs:
mbuild_vars:
if: ${{ github.repository == 'BlackDex/rust-musl' }}
name: Generate Build Variables
runs-on: ubuntu-24.04
env:
HAVE_DOCKERHUB_LOGIN: ${{ vars.DOCKERHUB_ENABLED == 'true' && secrets.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '' }}
HAVE_GHCR_LOGIN: ${{ vars.GHCR_ENABLED == 'true' && github.repository_owner != '' && secrets.GITHUB_TOKEN != '' }}
HAVE_QUAY_LOGIN: ${{ vars.QUAY_ENABLED == 'true' && secrets.QUAY_USERNAME != '' && secrets.QUAY_TOKEN != '' }}
outputs:
have_dockerhub_login: ${{ env.HAVE_DOCKERHUB_LOGIN }}
have_ghcr_login: ${{ env.HAVE_GHCR_LOGIN }}
have_quay_login: ${{ env.HAVE_QUAY_LOGIN }}
current_date: ${{ steps.build_vars.outputs.current_date }}
nightly_date: ${{ steps.build_vars.outputs.nightly_date }}
nightly_tag_postfix: ${{ steps.build_vars.outputs.nightly_tag_postfix }}
nightly_trigger: ${{ steps.build_vars.outputs.nightly_trigger }}
stable_trigger: ${{ steps.build_vars.outputs.stable_trigger }}
#
# Set versions extacted during the rust_versions step
stable_version: ${{ steps.rust_versions.outputs.stable_version }}
stable_semver: ${{ steps.rust_versions.outputs.stable_semver }}
# We also append the value of workflow input fresh_stable here.
# This will ensure we do trigger a fresh rustup.
stable_hash: "${{ steps.rust_versions.outputs.stable_hash }}${{ github.event.inputs.fresh_stable }}"
#
# Nightly version
nightly_version: ${{ steps.rust_versions.outputs.nightly_version }}
nightly_semver: ${{ steps.rust_versions.outputs.nightly_semver }}
#
# Special version to match the vaultwarden stable version currently used in master
vaultwarden_version: ${{ steps.rust_versions.outputs.vaultwarden_version }}
vaultwarden_semver: ${{ steps.rust_versions.outputs.vaultwarden_semver }}
#
# An array of container registries
registry_list: ${{ steps.registry.outputs.list }}
# Which container repo to use for the toolchain container
toolchain_reg: ${{ steps.registry.outputs.toolchain }}
steps:
- name: Determine Container Registries
id: registry
env:
HAVE_DOCKERHUB_LOGIN: ${{ env.HAVE_DOCKERHUB_LOGIN }}
HAVE_GHCR_LOGIN: ${{ env.HAVE_GHCR_LOGIN }}
HAVE_QUAY_LOGIN: ${{ env.HAVE_QUAY_LOGIN }}
HAVE_LOCALHOST: ${{ github.event.act }}
shell: bash
run: |
# Generate a list of registries to where to push too
registries=""
if [[ "${HAVE_DOCKERHUB_LOGIN}" = true ]]; then
registries="${registries:+${registries} }docker.io"
fi
if [[ "${HAVE_GHCR_LOGIN}" = true ]]; then
registries="${registries:+${registries} }ghcr.io"
fi
if [[ "${HAVE_QUAY_LOGIN}" = true ]]; then
registries="${registries:+${registries} }quay.io"
fi
if [[ "${HAVE_LOCALHOST}" = true ]]; then
registries="${registries:+${registries} }localhost:5000"
fi
echo "list=${registries}" | tee -a "${GITHUB_OUTPUT}"
# Determine which registry to use for the toolchain container
# When testing via `act` and `$TOOLCHAIN_REG` is set use that else ghcr.io
if [[ "${HAVE_LOCALHOST}" = true ]] && [[ -n "${TOOLCHAIN_REG}" ]]; then
echo "toolchain=${TOOLCHAIN_REG}" | tee -a "${GITHUB_OUTPUT}"
else
echo "toolchain=ghcr.io" | tee -a "${GITHUB_OUTPUT}"
fi
- name: Get Rust version info
id: rust_versions
shell: bash
run: |
#
function github_output () {
echo "${1}=${2}" | tee -a "${GITHUB_OUTPUT}"
}
# Fetch the rustup channel files for stable and nightly
curl -sSL --retry 5 --retry-all-errors -o "${{ runner.temp }}/channel-rust-stable.toml" "https://static.rust-lang.org/dist/channel-rust-stable.toml"
curl -sSL --retry 5 --retry-all-errors -o "${{ runner.temp }}/channel-rust-nightly.toml" "https://static.rust-lang.org/dist/channel-rust-nightly.toml"
# Get the Rust stable version info from the toml file
# Prefix the fetched version with `rustc` to mimic `rustc -V` output
STABLE_VERSION_STRING="rustc $(awk '/^\[pkg.rust\]/{flag=1; next} flag && /version = /{gsub(/version = |"/, "", $0); print; exit}' "${{ runner.temp }}/channel-rust-stable.toml")"
STABLE_VERSION=$(echo "${STABLE_VERSION_STRING}" | grep -oP '\S+\s(\K\S+)(?=\s)')
github_output "stable_version" "${STABLE_VERSION}"
STABLE_HASH=$(echo "${STABLE_VERSION_STRING}" | grep -oP '\s\((\K\S+)(?=\s)')
github_output "stable_hash" "${STABLE_HASH}"
STABLE_SEMVER=${STABLE_VERSION//.}
github_output "stable_semver" "${STABLE_SEMVER}"
# Get the Rust nightly version info from the toml file
# Prefix the fetched version with `rustc` to mimic `rustc -V` output
NIGHTLY_VERSION_STRING="rustc $(awk '/^\[pkg.rust\]/{flag=1; next} flag && /version = /{gsub(/version = |"/, "", $0); print; exit}' "${{ runner.temp }}/channel-rust-nightly.toml")"
NIGHTLY_VERSION=$(echo "${NIGHTLY_VERSION_STRING}" | grep -oP '\S+\s(\K\S+)(?=\s)')
github_output "nightly_version" "${NIGHTLY_VERSION}"
NIGHTLY_HASH=$(echo "${NIGHTLY_VERSION_STRING}" | grep -oP '\s\((\K\S+)(?=\s)')
github_output "nightly_hash" "${NIGHTLY_HASH}"
NIGHTLY_SEMVER=$(echo "${NIGHTLY_VERSION//.}" | grep -oP '(\K\d{4})')
github_output "nightly_semver" "${NIGHTLY_SEMVER}"
# Get the Vaultwarden Rust version from the `rust-toolchain` or `rust-toolchain.toml` file.
VW_RUST_VER="UNKNOWN"
CODE="$(curl -sSL --retry 5 --retry-all-errors -w '%{http_code}' -o /tmp/rust-toolchain.toml https://raw.githubusercontent.com/dani-garcia/vaultwarden/main/rust-toolchain.toml)"
if [[ "$CODE" =~ ^2 ]]; then
VW_RUST_VER="$(grep -oP 'channel.*"(\K.*?)(?=")' /tmp/rust-toolchain.toml)"
fi
# Check if the version matches X.YY.Z, if not use the STABLE_VERSION instead
if [[ "${VW_RUST_VER}" =~ ^[0-9]{1}\.[0-9]{2}\.[0-9]{1}$ ]]; then
github_output "vaultwarden_version" "${VW_RUST_VER}"
VAULTWARDEN_SEMVER=${VW_RUST_VER//.}
github_output "vaultwarden_semver" "${VAULTWARDEN_SEMVER}"
else
github_output "vaultwarden_version" "${STABLE_VERSION}"
github_output "vaultwarden_semver" "${STABLE_SEMVER}"
fi
- name: Cache previous rustc stable hash
uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
if: ${{ !github.event.act }}
with:
path: ~/rustc-stable.hash
key: build-vars-rustc-stable-${{ steps.rust_versions.outputs.stable_hash }}
restore-keys: |
build-vars-rustc-stable-
# Check if this is a scheduled job, if so, set to nightly
- name: Get build variables
id: build_vars
shell: bash
env:
FRESH_STABLE: ${{ github.event.inputs.fresh_stable }}
STABLE_HASH: ${{ steps.rust_versions.outputs.stable_hash }}
NIGHTLY_DATE: ${{ github.event.inputs.nightly_date }}
GITHUB_EVENT_NAME: ${{ github.event_name }}
GITHUB_SCHEDULE: ${{ github.event.schedule }}
run: |
#
function github_output () {
echo "${1}=${2}" | tee -a "${GITHUB_OUTPUT}"
}
#
# Date
export DATE=$(date +'%Y-%m-%d')
github_output "current_date" "${DATE}"
#
# Since `act` doesn't support actions/cache (yet) we check some env vars here.
# With this we can fake the cache if we want to so we can test the flow.
if [[ -n "${RUSTC_STABLE_HASH_ACT}" ]]; then
echo "Found RUSTC_STABLE_HASH_ACT"
echo "${RUSTC_STABLE_HASH_ACT}" | tee ~/rustc-stable.hash
fi
#
# Determine if we need to update the stable version
export RUSTC_STABLE_HASH_CACHED="$( cat ~/rustc-stable.hash 2>/dev/null )"
if [[ -n "${FRESH_STABLE}" ]]; then
github_output "stable_trigger" "true"
elif [[ "${RUSTC_STABLE_HASH_CACHED}" != ${STABLE_HASH} ]]; then
echo "Cached: '${RUSTC_STABLE_HASH_CACHED}' - Current: '${STABLE_HASH}'"
github_output "stable_trigger" "true"
else
github_output "stable_trigger" ""
fi
# Store the current stable hash in GHA Cache
echo "${STABLE_HASH}" | tee ~/rustc-stable.hash
#
# Determine nightly date
# If this is triggered by a workflow dispatch and a date is filled use that, else use the current date
if [[ -z "${NIGHTLY_DATE}" ]]; then
github_output "nightly_date" "${DATE}"
# Set an empty nightly_tag_postfix because we are building the current nightly
github_output "nightly_tag_postfix" ""
# When there is a custom nightly_date set, lets first validate it.
elif [[ "${NIGHTLY_DATE}" =~ ^[0-9]{4}-[0-9]{2}-[0-9]{2}$ ]] \
&& date +'%Y-%m-%d' -d'${NIGHTLY_DATE}' >/dev/null 2>&1 \
&& [[ $(date +%s -d "00:00:00") -ge $(date +%s -d'${NIGHTLY_DATE}') ]] ; then
github_output "nightly_date" "${NIGHTLY_DATE}"
# To prevent tagging an older nightly version, we set a postfix here which is used by the nightly build/push action
github_output "nightly_tag_postfix" "-${NIGHTLY_DATE}"
# If there was a workflow run, and it had an invalid date, stop the whole workflow
else
echo "error::Invalid nightly_date"
echo "::error::Invalid nightly_date"
exit 1
fi
#
# Check if we want to build a nightly only.
# We want this either when the cron is triggered
# Or if we trigger a manual workflow
if [[ "${GITHUB_EVENT_NAME}" == 'workflow_dispatch' ]] || [[ "${GITHUB_SCHEDULE}" == '30 9 * * *' ]]; then
github_output "nightly_trigger" "true"
else
github_output "nightly_trigger" ""
fi
# ###
# Building the final MUSL Based images including the rust toolchain.
musl_base:
if: ${{ github.repository == 'BlackDex/rust-musl' }}
name: Build MUSL Base Image - ${{ matrix.image_tag }} - ${{ matrix.os }}
needs:
- mbuild_vars
runs-on: ${{ matrix.os }}
permissions:
packages: write
contents: read
attestations: write
id-token: write
strategy:
# When using `act` only run 1 matrix, since this could use a lot of memory or cause other issues
max-parallel: ${{ github.event.act && 1 || 8 }}
fail-fast: false
matrix:
act:
- ${{ github.event.act }}
os:
- ubuntu-24.04
- ${{ (github.event.act && github.event_name == 'qemu') && 'ubuntu-24.04-qemu-arm' || 'ubuntu-24.04-arm' }}
image_tag:
- x86_64-musl
- aarch64-musl
- armv7-musleabihf
- arm-musleabi
include:
- image_tag: x86_64-musl
target: x86_64-unknown-linux-musl
openssl_arch: "linux-x86_64 enable-ec_nistp_64_gcc_128"
- image_tag: armv7-musleabihf
target: armv7-unknown-linux-musleabihf
openssl_arch: linux-armv4
- image_tag: aarch64-musl
target: aarch64-unknown-linux-musl
openssl_arch: linux-aarch64
# The aarch64 musl does not support outline-atomics and needs to be disabled
# We need to provide some extra CPPFLAGS to prevent errors during the compilation of the Rust project
arch_cppflags: "-mno-outline-atomics"
- image_tag: arm-musleabi
target: arm-unknown-linux-musleabi
openssl_arch: linux-armv4
exclude:
- os: ubuntu-24.04-arm
act: true
steps:
- name: "[act] Debug Matrix"
if: ${{ github.event.act }}
shell: bash
env:
EVENT_NAME: ${{ github.event_name }}
MATRIX_JSON: ${{ toJson(matrix) }}
NEEDS_JSON: ${{ toJson(needs)}}
# GITHUB_JSON: ${{ toJson(github) }}
run: |
echo "event_name = ${EVENT_NAME}"
echo ; echo "matrix = ${MATRIX_JSON}"
echo ; echo "needs = ${NEEDS_JSON}"
# echo ; echo "github = ${GITHUB_JSON}"
- name: Arch Tag
id: arch
shell: bash
env:
MATRIX_OS: ${{ matrix.os }}
run: |
if [[ "${MATRIX_OS}" == *-arm ]]; then
echo "type=arm64" | tee -a "${GITHUB_OUTPUT}"
else
echo "type=amd64" | tee -a "${GITHUB_OUTPUT}"
fi
# If we buid using act and use qemu-aarch64-static
if [[ "${MATRIX_OS}" = "ubuntu-24.04-qemu-arm" ]]; then
echo "qemu_cpu=max,pauth-impdef=on" | tee -a "${GITHUB_OUTPUT}"
else
echo "qemu_cpu=" | tee -a "${GITHUB_OUTPUT}"
fi
- name: Setup Docker Buildx (setup-buildx-action)
uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
with:
# When using `act`, use the `docker` driver to use local 'docker build' cache
driver: ${{ github.event.act && 'docker' || 'docker-container' }}
cache-binary: false
driver-opts: |
network=host
- name: "[act] Start local registry"
if: ${{ github.event.act }}
shell: bash
run: |
# Start a local docker registry
docker run -d --name act-registry --network host registry:2 || true
- name: Login to DockerHub
if: ${{ needs.mbuild_vars.outputs.have_dockerhub_login == 'true' }}
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Login to ghcr.io
if: ${{ needs.mbuild_vars.outputs.have_ghcr_login == 'true' }}
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Login to quay.io
if: ${{ needs.mbuild_vars.outputs.have_quay_login == 'true' }}
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: quay.io
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_TOKEN }}
- name: Determine Docker Build Cache
id: docker_cache
shell: bash
env:
HAVE_GHCR_LOGIN: ${{ needs.mbuild_vars.outputs.have_ghcr_login }}
ARCH_TYPE: "${{ steps.arch.outputs.type }}-"
run: |
#
function github_output () {
echo "${1}=${2}" | tee -a "${GITHUB_OUTPUT}"
}
#
# Check if we are running this via act or not and determine the caching method
if [[ "${HAVE_GHCR_LOGIN}" = true ]]; then
github_output "cache_from" "type=registry,ref=ghcr.io/blackdex/rust-musl-buildcache:${ARCH_TYPE}${{ matrix.image_tag }}"
github_output "cache_to" "type=registry,ref=ghcr.io/blackdex/rust-musl-buildcache:${ARCH_TYPE}${{ matrix.image_tag }},compression=zstd,mode=max"
else
github_output "cache_from" ""
github_output "cache_to" ""
fi
#
- name: Generate arch container tags
id: arch_tags
env:
ARCH_TYPE: "${{ steps.arch.outputs.type }}-"
REGISTRIES: ${{ needs.mbuild_vars.outputs.registry_list }}
STABLE_VERSION: ${{ needs.mbuild_vars.outputs.stable_version }}
VW_VERSION: ${{ needs.mbuild_vars.outputs.vaultwarden_version }}
NIGHTLY_DATE: ${{ needs.mbuild_vars.outputs.nightly_date }}
shell: bash
run: |
arch_tags_stable=""
arch_tags_stable_vw=""
arch_tags_nightly=""
for registry in ${REGISTRIES}; do
#
# Stable
arch_tags_stable+="${registry}/blackdex/rust-musl:${ARCH_TYPE}${{ matrix.image_tag }}-stable-${STABLE_VERSION},"
#
# Vaultwarden Stable
arch_tags_stable_vw+="${registry}/blackdex/rust-musl:${ARCH_TYPE}${{ matrix.image_tag }}-stable-${VW_VERSION},"
#
# Nightly
arch_tags_nightly+="${registry}/blackdex/rust-musl:${ARCH_TYPE}${{ matrix.image_tag }}-nightly-${NIGHTLY_DATE},"
done
echo ""
echo "Arch Tags"
echo "stable=${arch_tags_stable%,}" | tee -a "${GITHUB_OUTPUT}"
echo "stable_vw=${arch_tags_stable_vw%,}" | tee -a "${GITHUB_OUTPUT}"
echo "nightly=${arch_tags_nightly%,}" | tee -a "${GITHUB_OUTPUT}"
- name: Checkout Repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
# ###
# Rust Current Stable
- name: Docker Build - Rust Current Stable
# Skip during nightly builds
if: ${{ needs.mbuild_vars.outputs.stable_trigger || !needs.mbuild_vars.outputs.nightly_trigger }}
uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
env:
BUILDKIT_PROGRESS: plain
with:
platforms: ${{ (matrix.os == 'ubuntu-24.04-arm' || matrix.os == 'ubuntu-24.04-qemu-arm') && 'linux/arm64' || 'linux/amd64'}}
context: .
# Set load to true so that we can test the builded image in the next step (default with docker driver)
load: true
# Do not push the image just yet, we first want to test it
push: false
file: ./Dockerfile.musl-base
build-args: |
QEMU_CPU=${{ steps.arch.outputs.qemu_cpu }}
TOOLCHAIN_REGISTRY=${{ needs.mbuild_vars.outputs.toolchain_reg }}
TARGET=${{ matrix.target }}
IMAGE_TAG=${{ matrix.image_tag }}
OPENSSL_ARCH=${{ matrix.openssl_arch }}
ARCH_CPPFLAGS=${{ matrix.arch_cppflags }}
RUST_CHANNEL=stable
RUSTC_HASH=${{ needs.mbuild_vars.outputs.stable_hash }}
tags: blackdex/rust-musl:${{ steps.arch.outputs.type }}-${{ matrix.image_tag }}-test
cache-from: ${{ steps.docker_cache.outputs.cache_from }}
cache-to: ${{ steps.docker_cache.outputs.cache_to }}
- name: Test Docker Image (PQ16) - Rust Current Stable
# Skip during nightly builds
if: ${{ needs.mbuild_vars.outputs.stable_trigger || !needs.mbuild_vars.outputs.nightly_trigger }}
shell: bash
env:
ARCH_TYPE: "${{ steps.arch.outputs.type }}-"
QEMU_CPU: ${{ steps.arch.outputs.qemu_cpu }}
run: |
# Run the test
docker run --rm \
-v cargo-cache-${{ matrix.image_tag }}:/root/.cargo/registry \
-v "$(pwd)/test/multicrate":/home/rust/src \
--tmpfs /home/rust/src/target:rw,exec,mode=1777 \
-e QEMU_CPU=${QEMU_CPU} \
-e RUST_BACKTRACE=FULL \
-e RUSTFLAGS="${{ matrix.xtra_rustflags }}-Clink-arg=-s" \
blackdex/rust-musl:${ARCH_TYPE}${{ matrix.image_tag }}-test bash -c 'rm -vf Cargo.lock ; cargo -Vv ; rustc -Vv ; cargo update ; cargo build --release'
- name: Test Docker Image (PQ15) - Rust Current Stable
# Skip during nightly builds
if: ${{ needs.mbuild_vars.outputs.stable_trigger || !needs.mbuild_vars.outputs.nightly_trigger }}
shell: bash
# continue-on-error: true
env:
ARCH_TYPE: "${{ steps.arch.outputs.type }}-"
QEMU_CPU: ${{ steps.arch.outputs.qemu_cpu }}
run: |
# Run the test
docker run --rm \
-v cargo-cache-${{ matrix.image_tag }}:/root/.cargo/registry \
-v "$(pwd)/test/multicrate":/home/rust/src \
--tmpfs /home/rust/src/target:rw,exec,mode=1777 \
-e QEMU_CPU=${QEMU_CPU} \
-e RUST_BACKTRACE=FULL \
-e PQ_LIB_DIR="/usr/local/musl/pq15/lib" \
-e RUSTFLAGS="${{ matrix.xtra_rustflags }}-Clink-arg=-s" \
blackdex/rust-musl:${ARCH_TYPE}${{ matrix.image_tag }}-test bash -c 'rm -vf Cargo.lock ; cargo -Vv ; rustc -Vv ; cargo update ; cargo build --release'
- name: Test Docker Image (PQ17) - Rust Current Stable
# Skip during nightly builds
if: ${{ needs.mbuild_vars.outputs.stable_trigger || !needs.mbuild_vars.outputs.nightly_trigger }}
shell: bash
# continue-on-error: true
env:
ARCH_TYPE: "${{ steps.arch.outputs.type }}-"
QEMU_CPU: ${{ steps.arch.outputs.qemu_cpu }}
run: |
# Run the test
docker run --rm \
-v cargo-cache-${{ matrix.image_tag }}:/root/.cargo/registry \
-v "$(pwd)/test/multicrate":/home/rust/src \
--tmpfs /home/rust/src/target:rw,exec,mode=1777 \
-e QEMU_CPU=${QEMU_CPU} \
-e RUST_BACKTRACE=FULL \
-e PQ_LIB_DIR="/usr/local/musl/pq17/lib" \
-e RUSTFLAGS="${{ matrix.xtra_rustflags }}-Clink-arg=-s" \
blackdex/rust-musl:${ARCH_TYPE}${{ matrix.image_tag }}-test bash -c 'rm -vf Cargo.lock ; cargo -Vv ; rustc -Vv ; cargo update ; cargo build --release'
- name: Docker Push - Rust Current Stable
id: push_stable
# Skip during nightly builds
if: ${{ needs.mbuild_vars.outputs.stable_trigger || !needs.mbuild_vars.outputs.nightly_trigger }}
uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
env:
BUILDKIT_PROGRESS: plain
with:
platforms: ${{ (matrix.os == 'ubuntu-24.04-arm' || matrix.os == 'ubuntu-24.04-qemu-arm') && 'linux/arm64' || 'linux/amd64'}}
context: .
push: true
file: ./Dockerfile.musl-base
build-args: |
QEMU_CPU=${{ steps.arch.outputs.qemu_cpu }}
TOOLCHAIN_REGISTRY=${{ needs.mbuild_vars.outputs.toolchain_reg }}
TARGET=${{ matrix.target }}
IMAGE_TAG=${{ matrix.image_tag }}
OPENSSL_ARCH=${{ matrix.openssl_arch }}
ARCH_CPPFLAGS=${{ matrix.arch_cppflags }}
RUST_CHANNEL=stable
RUSTC_HASH=${{ needs.mbuild_vars.outputs.stable_hash }}
tags: ${{ steps.arch_tags.outputs.stable }}
cache-from: ${{ steps.docker_cache.outputs.cache_from }}
cache-to: ${{ steps.docker_cache.outputs.cache_to }}
- name: Export Digest - Rust Current Stable
if : ${{ steps.push_stable.outputs.digest != '' }}
env:
DIGEST: ${{ steps.push_stable.outputs.digest }}
shell: bash
run: |
mkdir -pv "${{ runner.temp }}/digests-stable-${{ matrix.image_tag }}"
touch "${{ runner.temp }}/digests-stable-${{ matrix.image_tag }}/${DIGEST#sha256:}"
- name: Upload digest - Rust Current Stable
if : ${{ steps.push_stable.outputs.digest != '' }}
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
name: digests-stable-${{ matrix.image_tag }}-${{ steps.arch.outputs.type }}
path: ${{ runner.temp }}/digests-stable-${{ matrix.image_tag }}/*
if-no-files-found: error
retention-days: 1
- name: Attest - Stable - docker.io
if : ${{ !github.event.act && steps.push_stable.outputs.digest != '' && needs.mbuild_vars.outputs.have_dockerhub_login == 'true' }}
uses: actions/attest-build-provenance@520d128f165991a6c774bcb264f323e3d70747f4 # v2.2.0
with:
subject-name: docker.io/blackdex/rust-musl
subject-digest: ${{ steps.push_stable.outputs.digest }}
push-to-registry: true
- name: Attest - Stable - ghcr.io
if : ${{ !github.event.act && steps.push_stable.outputs.digest != '' && needs.mbuild_vars.outputs.have_ghcr_login == 'true' }}
uses: actions/attest-build-provenance@520d128f165991a6c774bcb264f323e3d70747f4 # v2.2.0
with:
subject-name: ghcr.io/blackdex/rust-musl
subject-digest: ${{ steps.push_stable.outputs.digest }}
push-to-registry: true
- name: Attest - Stable - quay.io
if : ${{ !github.event.act && steps.push_stable.outputs.digest != '' && needs.mbuild_vars.outputs.have_quay_login == 'true' }}
uses: actions/attest-build-provenance@520d128f165991a6c774bcb264f323e3d70747f4 # v2.2.0
with:
subject-name: quay.io/blackdex/rust-musl
subject-digest: ${{ steps.push_stable.outputs.digest }}
push-to-registry: true
# ###
# Rust Vaultwarden Stable
- name: Docker Build - Rust Vaultwarden Stable
# Skip during nightly builds
if: ${{ needs.mbuild_vars.outputs.stable_version != needs.mbuild_vars.outputs.vaultwarden_version && (needs.mbuild_vars.outputs.stable_trigger || !needs.mbuild_vars.outputs.nightly_trigger) }}
uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
env:
BUILDKIT_PROGRESS: plain
with:
platforms: ${{ (matrix.os == 'ubuntu-24.04-arm' || matrix.os == 'ubuntu-24.04-qemu-arm') && 'linux/arm64' || 'linux/amd64'}}
context: .
# Set load to true so that we can test the builded image in the next step (default with docker driver)
load: true
# Do not push the image just yet, we first want to test it
push: false
file: ./Dockerfile.musl-base
build-args: |
QEMU_CPU=${{ steps.arch.outputs.qemu_cpu }}
TOOLCHAIN_REGISTRY=${{ needs.mbuild_vars.outputs.toolchain_reg }}
TARGET=${{ matrix.target }}
IMAGE_TAG=${{ matrix.image_tag }}
OPENSSL_ARCH=${{ matrix.openssl_arch }}
ARCH_CPPFLAGS=${{ matrix.arch_cppflags }}
RUST_CHANNEL=${{ needs.mbuild_vars.outputs.vaultwarden_version }}
tags: blackdex/rust-musl:${{ steps.arch.outputs.type }}-${{ matrix.image_tag }}-vw-test
cache-from: ${{ steps.docker_cache.outputs.cache_from }}
cache-to: ${{ steps.docker_cache.outputs.cache_to }}
- name: Test Docker Image (PQ16) - Rust Vaultwarden Stable
# Skip during nightly builds
if: ${{ needs.mbuild_vars.outputs.stable_version != needs.mbuild_vars.outputs.vaultwarden_version && (needs.mbuild_vars.outputs.stable_trigger || !needs.mbuild_vars.outputs.nightly_trigger) }}
shell: bash
env:
ARCH_TYPE: "${{ steps.arch.outputs.type }}-"
QEMU_CPU: ${{ steps.arch.outputs.qemu_cpu }}
run: |
# Run the test
docker run --rm \
-v cargo-cache:/root/.cargo/registry \
-v "$(pwd)/test/multicrate":/home/rust/src \
--tmpfs /home/rust/src/target:rw,exec,mode=1777 \
-e QEMU_CPU=${QEMU_CPU} \
-e RUST_BACKTRACE=FULL \
-e RUSTFLAGS="${{ matrix.xtra_rustflags }}-Clink-arg=-s" \
blackdex/rust-musl:${ARCH_TYPE}${{ matrix.image_tag }}-vw-test bash -c 'rm -vf Cargo.lock ; cargo -Vv ; rustc -Vv ; cargo update ; cargo build --release'
- name: Test Docker Image (PQ15) - Rust Vaultwarden Stable
# Skip during nightly builds
if: ${{ needs.mbuild_vars.outputs.stable_version != needs.mbuild_vars.outputs.vaultwarden_version && (needs.mbuild_vars.outputs.stable_trigger || !needs.mbuild_vars.outputs.nightly_trigger) }}
# continue-on-error: true
shell: bash
env:
ARCH_TYPE: "${{ steps.arch.outputs.type }}-"
QEMU_CPU: ${{ steps.arch.outputs.qemu_cpu }}
run: |
# Run the test
docker run --rm \
-v cargo-cache:/root/.cargo/registry \
-v "$(pwd)/test/multicrate":/home/rust/src \
--tmpfs /home/rust/src/target:rw,exec,mode=1777 \
-e QEMU_CPU=${QEMU_CPU} \
-e RUST_BACKTRACE=FULL \
-e PQ_LIB_DIR="/usr/local/musl/pq15/lib" \
-e RUSTFLAGS="${{ matrix.xtra_rustflags }}-Clink-arg=-s" \
blackdex/rust-musl:${ARCH_TYPE}${{ matrix.image_tag }}-vw-test bash -c 'rm -vf Cargo.lock ; cargo -Vv ; rustc -Vv ; cargo update ; cargo build --release'
- name: Test Docker Image (PQ17) - Rust Vaultwarden Stable
# Skip during nightly builds
if: ${{ needs.mbuild_vars.outputs.stable_version != needs.mbuild_vars.outputs.vaultwarden_version && (needs.mbuild_vars.outputs.stable_trigger || !needs.mbuild_vars.outputs.nightly_trigger) }}
# continue-on-error: true
shell: bash
env:
ARCH_TYPE: "${{ steps.arch.outputs.type }}-"
QEMU_CPU: ${{ steps.arch.outputs.qemu_cpu }}
run: |
# Run the test
docker run --rm \
-v cargo-cache:/root/.cargo/registry \
-v "$(pwd)/test/multicrate":/home/rust/src \
--tmpfs /home/rust/src/target:rw,exec,mode=1777 \
-e QEMU_CPU=${QEMU_CPU} \
-e RUST_BACKTRACE=FULL \
-e PQ_LIB_DIR="/usr/local/musl/pq17/lib" \
-e RUSTFLAGS="${{ matrix.xtra_rustflags }}-Clink-arg=-s" \
blackdex/rust-musl:${ARCH_TYPE}${{ matrix.image_tag }}-vw-test bash -c 'rm -vf Cargo.lock ; cargo -Vv ; rustc -Vv ; cargo update ; cargo build --release'
- name: Docker Push - Rust Vaultwarden Stable
id: push_vw_stable
# Skip during nightly builds
if: ${{ needs.mbuild_vars.outputs.stable_version != needs.mbuild_vars.outputs.vaultwarden_version && (needs.mbuild_vars.outputs.stable_trigger || !needs.mbuild_vars.outputs.nightly_trigger) }}
uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
env:
BUILDKIT_PROGRESS: plain
with:
platforms: ${{ (matrix.os == 'ubuntu-24.04-arm' || matrix.os == 'ubuntu-24.04-qemu-arm') && 'linux/arm64' || 'linux/amd64'}}
context: .
push: true
file: ./Dockerfile.musl-base
build-args: |
QEMU_CPU=${{ steps.arch.outputs.qemu_cpu }}
TOOLCHAIN_REGISTRY=${{ needs.mbuild_vars.outputs.toolchain_reg }}
TARGET=${{ matrix.target }}
IMAGE_TAG=${{ matrix.image_tag }}
OPENSSL_ARCH=${{ matrix.openssl_arch }}
ARCH_CPPFLAGS=${{ matrix.arch_cppflags }}
RUST_CHANNEL=${{ needs.mbuild_vars.outputs.vaultwarden_version }}
tags: ${{ steps.arch_tags.outputs.stable_vw }}
cache-from: ${{ steps.docker_cache.outputs.cache_from }}
cache-to: ${{ steps.docker_cache.outputs.cache_to }}
- name: Export Digest - Rust Vaultwarden Stable
if : ${{ steps.push_vw_stable.outputs.digest != '' }}
env:
DIGEST: ${{ steps.push_vw_stable.outputs.digest }}
shell: bash
run: |
mkdir -pv "${{ runner.temp }}/digests-vw-${{ matrix.image_tag }}"
touch "${{ runner.temp }}/digests-vw-${{ matrix.image_tag }}/${DIGEST#sha256:}"
- name: Upload digest - Rust Vaultwarden Stable
if : ${{ steps.push_vw_stable.outputs.digest != '' }}
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
name: digests-vw-${{ matrix.image_tag }}-${{ steps.arch.outputs.type }}
path: ${{ runner.temp }}/digests-vw-${{ matrix.image_tag }}/*
if-no-files-found: error
retention-days: 1
- name: Attest - VW Stable - docker.io
if : ${{ !github.event.act && steps.push_vw_stable.outputs.digest != '' && needs.mbuild_vars.outputs.have_dockerhub_login == 'true' }}
uses: actions/attest-build-provenance@520d128f165991a6c774bcb264f323e3d70747f4 # v2.2.0
with:
subject-name: docker.io/blackdex/rust-musl
subject-digest: ${{ steps.push_vw_stable.outputs.digest }}
push-to-registry: true
- name: Attest - VW Stable - ghcr.io
if : ${{ !github.event.act && steps.push_vw_stable.outputs.digest != '' && needs.mbuild_vars.outputs.have_ghcr_login == 'true' }}
uses: actions/attest-build-provenance@520d128f165991a6c774bcb264f323e3d70747f4 # v2.2.0
with:
subject-name: ghcr.io/blackdex/rust-musl
subject-digest: ${{ steps.push_vw_stable.outputs.digest }}
push-to-registry: true
- name: Attest - VW Stable - quay.io
if : ${{ !github.event.act && steps.push_vw_stable.outputs.digest != '' && needs.mbuild_vars.outputs.have_quay_login == 'true' }}
uses: actions/attest-build-provenance@520d128f165991a6c774bcb264f323e3d70747f4 # v2.2.0
with:
subject-name: quay.io/blackdex/rust-musl
subject-digest: ${{ steps.push_vw_stable.outputs.digest }}
push-to-registry: true
# ###
# Rust Nightly
- name: Docker Build - Rust Nightly
uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
env:
BUILDKIT_PROGRESS: plain
with:
platforms: ${{ (matrix.os == 'ubuntu-24.04-arm' || matrix.os == 'ubuntu-24.04-qemu-arm') && 'linux/arm64' || 'linux/amd64'}}
context: .
# Set load to true so that we can test the builded image in the next step (default with docker driver)
load: true
# Do not push the image just yet, we first want to test it
push: false
file: ./Dockerfile.musl-base
build-args: |
QEMU_CPU=${{ steps.arch.outputs.qemu_cpu }}
TOOLCHAIN_REGISTRY=${{ needs.mbuild_vars.outputs.toolchain_reg }}
TARGET=${{ matrix.target }}
IMAGE_TAG=${{ matrix.image_tag }}
OPENSSL_ARCH=${{ matrix.openssl_arch }}
ARCH_CPPFLAGS=${{ matrix.arch_cppflags }}
RUST_CHANNEL=nightly-${{ needs.mbuild_vars.outputs.nightly_date }}
tags: blackdex/rust-musl:${{ steps.arch.outputs.type }}-${{ matrix.image_tag }}-nightly-test
cache-from: ${{ steps.docker_cache.outputs.cache_from }}
cache-to: ${{ steps.docker_cache.outputs.cache_to }}
- name: Test Docker Image (PQ16) - Rust Nightly
shell: bash
env:
ARCH_TYPE: "${{ steps.arch.outputs.type }}-"
QEMU_CPU: ${{ steps.arch.outputs.qemu_cpu }}
run: |
# Run the test
docker run --rm \
-v cargo-cache:/root/.cargo/registry \
-v "$(pwd)/test/multicrate":/home/rust/src \
--tmpfs /home/rust/src/target:rw,exec,mode=1777 \
-e QEMU_CPU=${QEMU_CPU} \
-e RUST_BACKTRACE=FULL \
-e RUSTFLAGS="${{ matrix.xtra_rustflags }}-Clink-arg=-s" \
blackdex/rust-musl:${ARCH_TYPE}${{ matrix.image_tag }}-nightly-test bash -c 'rm -vf Cargo.lock ; cargo -Vv ; rustc -Vv ; cargo update ; cargo build --release'
- name: Test Docker Image (PQ15) - Rust Nightly
shell: bash
# continue-on-error: true
env:
ARCH_TYPE: "${{ steps.arch.outputs.type }}-"
QEMU_CPU: ${{ steps.arch.outputs.qemu_cpu }}
run: |
# Run the test
docker run --rm \
-v cargo-cache:/root/.cargo/registry \
-v "$(pwd)/test/multicrate":/home/rust/src \
--tmpfs /home/rust/src/target:rw,exec,mode=1777 \
-e QEMU_CPU=${QEMU_CPU} \
-e RUST_BACKTRACE=FULL \
-e PQ_LIB_DIR="/usr/local/musl/pq15/lib" \
-e RUSTFLAGS="${{ matrix.xtra_rustflags }}-Clink-arg=-s" \
blackdex/rust-musl:${ARCH_TYPE}${{ matrix.image_tag }}-nightly-test bash -c 'rm -vf Cargo.lock ; cargo -Vv ; rustc -Vv ; cargo update ; cargo build --release'
- name: Test Docker Image (PQ17) - Rust Nightly
shell: bash
# continue-on-error: true
env:
ARCH_TYPE: "${{ steps.arch.outputs.type }}-"
QEMU_CPU: ${{ steps.arch.outputs.qemu_cpu }}
run: |
# Run the test
docker run --rm \
-v cargo-cache:/root/.cargo/registry \
-v "$(pwd)/test/multicrate":/home/rust/src \
--tmpfs /home/rust/src/target:rw,exec,mode=1777 \
-e QEMU_CPU=${QEMU_CPU} \
-e RUST_BACKTRACE=FULL \
-e PQ_LIB_DIR="/usr/local/musl/pq17/lib" \
-e RUSTFLAGS="${{ matrix.xtra_rustflags }}-Clink-arg=-s" \
blackdex/rust-musl:${ARCH_TYPE}${{ matrix.image_tag }}-nightly-test bash -c 'rm -vf Cargo.lock ; cargo -Vv ; rustc -Vv ; cargo update ; cargo build --release'
- name: Docker Push - Rust Nightly
id: push_nightly
uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
env:
BUILDKIT_PROGRESS: plain
with:
platforms: ${{ (matrix.os == 'ubuntu-24.04-arm' || matrix.os == 'ubuntu-24.04-qemu-arm') && 'linux/arm64' || 'linux/amd64'}}
context: .
push: true
file: ./Dockerfile.musl-base
build-args: |
QEMU_CPU=${{ steps.arch.outputs.qemu_cpu }}
TOOLCHAIN_REGISTRY=${{ needs.mbuild_vars.outputs.toolchain_reg }}
TARGET=${{ matrix.target }}
IMAGE_TAG=${{ matrix.image_tag }}
OPENSSL_ARCH=${{ matrix.openssl_arch }}
ARCH_CPPFLAGS=${{ matrix.arch_cppflags }}
RUST_CHANNEL=nightly-${{ needs.mbuild_vars.outputs.nightly_date }}
tags: ${{ steps.arch_tags.outputs.nightly }}
cache-from: ${{ steps.docker_cache.outputs.cache_from }}
cache-to: ${{ steps.docker_cache.outputs.cache_to }}
- name: Export Digest - Rust Nightly
if : ${{ steps.push_nightly.outputs.digest != '' }}
env:
DIGEST: ${{ steps.push_nightly.outputs.digest }}
shell: bash
run: |
mkdir -p ${{ runner.temp }}/digests-nightly-${{ matrix.image_tag }}
touch "${{ runner.temp }}/digests-nightly-${{ matrix.image_tag }}/${DIGEST#sha256:}"
- name: Upload digest - Rust Nightly
if : ${{ steps.push_nightly.outputs.digest != '' }}
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
name: digests-nightly-${{ matrix.image_tag }}-${{ steps.arch.outputs.type }}
path: ${{ runner.temp }}/digests-nightly-${{ matrix.image_tag }}/*
if-no-files-found: error
retention-days: 1
- name: Attest - Nightly - docker.io
if : ${{ !github.event.act && steps.push_nightly.outputs.digest != '' && needs.mbuild_vars.outputs.have_dockerhub_login == 'true' }}
uses: actions/attest-build-provenance@520d128f165991a6c774bcb264f323e3d70747f4 # v2.2.0
with:
subject-name: docker.io/blackdex/rust-musl
subject-digest: ${{ steps.push_nightly.outputs.digest }}
push-to-registry: true
- name: Attest - Nightly - ghcr.io
if : ${{ !github.event.act && steps.push_nightly.outputs.digest != '' && needs.mbuild_vars.outputs.have_ghcr_login == 'true' }}
uses: actions/attest-build-provenance@520d128f165991a6c774bcb264f323e3d70747f4 # v2.2.0
with:
subject-name: ghcr.io/blackdex/rust-musl
subject-digest: ${{ steps.push_nightly.outputs.digest }}
push-to-registry: true
- name: Attest - Nightly - quay.io
if : ${{ !github.event.act && steps.push_nightly.outputs.digest != '' && needs.mbuild_vars.outputs.have_quay_login == 'true' }}
uses: actions/attest-build-provenance@520d128f165991a6c774bcb264f323e3d70747f4 # v2.2.0
with:
subject-name: quay.io/blackdex/rust-musl
subject-digest: ${{ steps.push_nightly.outputs.digest }}
push-to-registry: true
# Merge the separate build amd64 and arm64 builds into one
# https://docs.docker.com/build/ci/github-actions/multi-platform/#distribute-build-across-multiple-runners
musl_base_merge:
if: ${{ github.repository == 'BlackDex/rust-musl' }}
name: Merge Toolchain Container - ${{ matrix.image_tag }}
runs-on: ubuntu-24.04
permissions:
packages: write
contents: read
attestations: write
id-token: write
needs:
- mbuild_vars
- musl_base
strategy:
max-parallel: ${{ github.event.act && 1 || 8 }}
matrix:
image_tag:
- x86_64-musl
- aarch64-musl
- armv7-musleabihf
- arm-musleabi
steps:
- name: "[act] Debug Matrix"
if: ${{ github.event.act }}
shell: bash
env:
BUILD_JSON: ${{ toJson(needs.mbuild_vars) }}
NEEDS_JSON: ${{ toJson(needs.musl_base) }}
EVENT_NAME: ${{ github.event_name }}
MATRIX_JSON: ${{ toJson(matrix) }}
# GITHUB_JSON: ${{ toJson(github) }}
run: |
echo ""
echo "# ##################### DEBUGGING #######################"
echo ""
echo "event_name = ${EVENT_NAME}"
echo "build_json = ${BUILD_JSON}"
echo "needs_json = ${NEEDS_JSON}"
echo ; echo "matrix = ${MATRIX_JSON}"
# echo ; echo "github = ${GITHUB_JSON}"
echo ""
echo "# #######################################################"
echo ""
- name: Generate merged container tags
id: base_tags
env:
STABLE_VERSION: ${{ needs.mbuild_vars.outputs.stable_version }}
VW_VERSION: ${{ needs.mbuild_vars.outputs.vaultwarden_version }}
NIGHTLY_TAG_POSTFIX: ${{ needs.mbuild_vars.outputs.nightly_tag_postfix }}
NIGHTLY_DATE: ${{ needs.mbuild_vars.outputs.nightly_date }}
shell: bash
run: |
#
# Stable
base_tags_stable=""
base_tags_stable+="@RGSTRY@/blackdex/rust-musl:${{ matrix.image_tag }},"
base_tags_stable+="@RGSTRY@/blackdex/rust-musl:${{ matrix.image_tag }}-${STABLE_VERSION},"
base_tags_stable+="@RGSTRY@/blackdex/rust-musl:${{ matrix.image_tag }}-stable,"
base_tags_stable+="@RGSTRY@/blackdex/rust-musl:${{ matrix.image_tag }}-stable-${STABLE_VERSION},"
#
# Vaultwarden Stable
base_tags_stable_vw=""
base_tags_stable_vw+="@RGSTRY@/blackdex/rust-musl:${{ matrix.image_tag }}-${VW_VERSION},"
base_tags_stable_vw+="@RGSTRY@/blackdex/rust-musl:${{ matrix.image_tag }}-stable-${VW_VERSION},"
#
# Nightly
base_tags_nightly=""
base_tags_nightly+="@RGSTRY@/blackdex/rust-musl:${{ matrix.image_tag }}-nightly${NIGHTLY_TAG_POSTFIX},"
base_tags_nightly+="@RGSTRY@/blackdex/rust-musl:${{ matrix.image_tag }}-nightly-${NIGHTLY_DATE},"
echo ""
echo "stable=${base_tags_stable%,}" | tee -a "${GITHUB_OUTPUT}"
echo "stable_vw=${base_tags_stable_vw%,}" | tee -a "${GITHUB_OUTPUT}"
echo "nightly=${base_tags_nightly%,}" | tee -a "${GITHUB_OUTPUT}"
- name: Setup Docker Buildx (setup-buildx-action)
uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
with:
# When using `act`, use the `docker` driver to use local 'docker build' cache
driver: ${{ github.event.act && 'docker' || 'docker-container' }}
cache-binary: false
driver-opts: |
network=host
- name: "[act] Start local registry"
if: ${{ github.event.act }}
shell: bash
run: |
# Start a local docker registry
docker run -d --name act-registry --network host registry:2 || true
- name: Login to DockerHub
if: ${{ needs.mbuild_vars.outputs.have_dockerhub_login == 'true' }}
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Login to ghcr.io
if: ${{ needs.mbuild_vars.outputs.have_ghcr_login == 'true' }}
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Login to quay.io
if: ${{ needs.mbuild_vars.outputs.have_quay_login == 'true' }}
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: quay.io
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_TOKEN }}
#
# Generate stable combined manifest
- name: Download Digests - Stable
if: ${{ needs.mbuild_vars.outputs.stable_trigger || !needs.mbuild_vars.outputs.nightly_trigger }}
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
path: ${{ runner.temp }}/digests-stable-${{ matrix.image_tag }}
pattern: digests-stable-${{ matrix.image_tag }}*
merge-multiple: true
- name: Create combined manifests - Stable
if: ${{ needs.mbuild_vars.outputs.stable_trigger || !needs.mbuild_vars.outputs.nightly_trigger }}
env:
REGISTRIES: ${{ needs.mbuild_vars.outputs.registry_list }}
STABLE_TAGS: ${{ steps.base_tags.outputs.stable }}
working-directory: ${{ runner.temp }}/digests-stable-${{ matrix.image_tag }}
shell: bash
run: |
for registry in ${REGISTRIES}; do
echo "Generating manifest for ${registry}:"
# Modify the base tag to convert `,` to a space and replace `@RGSTRY@` with the actual registry needed here
# The first `printf` converts the `REG_TAGS` to the `--tag` parameter for each tag
# The second `printf` is expanded to the sha256 digests uploaded from the previous job for the specific image_tag
REG_TAGS=$(echo "${STABLE_TAGS//,/ }" | sed "s#@RGSTRY@#${registry}#g")
docker buildx imagetools create \
$(printf -- " --tag %s" ${REG_TAGS}) \
$(printf "${registry}/blackdex/rust-musl@sha256:%s " *)
done
- name: Inspect combined manifests - Stable
id: comb_stable
shell: bash
env:
REGISTRIES: ${{ needs.mbuild_vars.outputs.registry_list }}
STABLE_VERSION: ${{ needs.mbuild_vars.outputs.stable_version }}
run: |
for registry in ${REGISTRIES}; do
echo "Inspecting manifest for ${registry}:"
docker buildx imagetools inspect ${registry}/blackdex/rust-musl:${{ matrix.image_tag }}-stable-${STABLE_VERSION}
# Extract the combined digest to run attest on this too
if [[ "${registry}" = "ghcr.io" ]]; then
combined_digest=$(docker buildx imagetools inspect --format "{{json .Manifest.Digest}}" ghcr.io/blackdex/rust-musl:${{ matrix.image_tag }}-stable-${STABLE_VERSION})
echo "digest=${combined_digest//\"/}" | tee -a "${GITHUB_OUTPUT}"
fi
done
- name: Attest - Combined Stable - docker.io
if : ${{ !github.event.act && steps.comb_stable.outputs.digest != '' && needs.mbuild_vars.outputs.have_dockerhub_login == 'true' }}
uses: actions/attest-build-provenance@520d128f165991a6c774bcb264f323e3d70747f4 # v2.2.0
with:
subject-name: docker.io/blackdex/rust-musl
subject-digest: ${{ steps.comb_stable.outputs.digest }}
push-to-registry: true
- name: Attest - Combined Stable - ghcr.io
if : ${{ !github.event.act && steps.comb_stable.outputs.digest != '' && needs.mbuild_vars.outputs.have_ghcr_login == 'true' }}
uses: actions/attest-build-provenance@520d128f165991a6c774bcb264f323e3d70747f4 # v2.2.0
with:
subject-name: ghcr.io/blackdex/rust-musl
subject-digest: ${{ steps.comb_stable.outputs.digest }}
push-to-registry: true
- name: Attest - Combined Stable - quay.io
if : ${{ !github.event.act && steps.comb_stable.outputs.digest != '' && needs.mbuild_vars.outputs.have_quay_login == 'true' }}
uses: actions/attest-build-provenance@520d128f165991a6c774bcb264f323e3d70747f4 # v2.2.0
with:
subject-name: quay.io/blackdex/rust-musl
subject-digest: ${{ steps.comb_stable.outputs.digest }}
push-to-registry: true
#
# Generate Vaultwarden stable combined manifest
- name: Download Digests - Vaultwarden Stable
if: ${{ needs.mbuild_vars.outputs.stable_version != needs.mbuild_vars.outputs.vaultwarden_version && (needs.mbuild_vars.outputs.stable_trigger || !needs.mbuild_vars.outputs.nightly_trigger) }}
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
path: ${{ runner.temp }}/digests-vw-${{ matrix.image_tag }}
pattern: digests-vw-${{ matrix.image_tag }}*
merge-multiple: true
- name: Create combined manifests - Vaultwarden Stable
if: ${{ needs.mbuild_vars.outputs.stable_version != needs.mbuild_vars.outputs.vaultwarden_version && (needs.mbuild_vars.outputs.stable_trigger || !needs.mbuild_vars.outputs.nightly_trigger) }}
env:
REGISTRIES: ${{ needs.mbuild_vars.outputs.registry_list }}
STABLE_VW_TAGS: ${{ steps.base_tags.outputs.stable_vw }}
working-directory: ${{ runner.temp }}/digests-vw-${{ matrix.image_tag }}
shell: bash
run: |
for registry in ${REGISTRIES}; do
echo "Generating manifest for ${registry}:"
# Modify the base tag to convert `,` to a space and replace `@RGSTRY@` with the actual registry needed here
# The first `printf` converts the `REG_TAGS` to the `--tag` parameter for each tag
# The second `printf` is expanded to the sha256 digests uploaded from the previous job for the specific image_tag
REG_TAGS=$(echo "${STABLE_VW_TAGS//,/ }" | sed "s#@RGSTRY@#${registry}#g")
docker buildx imagetools create \
$(printf -- " --tag %s" ${REG_TAGS}) \
$(printf "${registry}/blackdex/rust-musl@sha256:%s " *)
done
- name: Inspect combined manifests - Vaultwarden Stable
id: comb_vw
shell: bash
env:
REGISTRIES: ${{ needs.mbuild_vars.outputs.registry_list }}
VW_VERSION: ${{ needs.mbuild_vars.outputs.vaultwarden_version }}
run: |
for registry in ${REGISTRIES}; do
echo "Inspecting manifest for ${registry}:"
docker buildx imagetools inspect ${registry}/blackdex/rust-musl:${{ matrix.image_tag }}-stable-${VW_VERSION}
# Extract the combined digest to run attest on this too
if [[ "${registry}" = "ghcr.io" ]]; then
combined_digest=$(docker buildx imagetools inspect --format "{{json .Manifest.Digest}}" ghcr.io/blackdex/rust-musl:${{ matrix.image_tag }}-stable-${VW_VERSION})
echo "digest=${combined_digest//\"/}" | tee -a "${GITHUB_OUTPUT}"
fi
done
- name: Attest - Combined VW Stable - docker.io
if : ${{ !github.event.act && steps.comb_vw.outputs.digest != '' && needs.mbuild_vars.outputs.have_dockerhub_login == 'true' }}
uses: actions/attest-build-provenance@520d128f165991a6c774bcb264f323e3d70747f4 # v2.2.0
with:
subject-name: docker.io/blackdex/rust-musl
subject-digest: ${{ steps.comb_vw.outputs.digest }}
push-to-registry: true
- name: Attest - Combined VW Stable - ghcr.io
if : ${{ !github.event.act && steps.comb_vw.outputs.digest != '' && needs.mbuild_vars.outputs.have_ghcr_login == 'true' }}
uses: actions/attest-build-provenance@520d128f165991a6c774bcb264f323e3d70747f4 # v2.2.0
with:
subject-name: ghcr.io/blackdex/rust-musl
subject-digest: ${{ steps.comb_vw.outputs.digest }}
push-to-registry: true
- name: Attest - Combined VW Stable - quay.io
if : ${{ !github.event.act && steps.comb_vw.outputs.digest != '' && needs.mbuild_vars.outputs.have_quay_login == 'true' }}
uses: actions/attest-build-provenance@520d128f165991a6c774bcb264f323e3d70747f4 # v2.2.0
with:
subject-name: quay.io/blackdex/rust-musl
subject-digest: ${{ steps.comb_vw.outputs.digest }}
push-to-registry: true
#
# Generate nightly combined manifest
- name: Download Digests - Nightly
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
path: ${{ runner.temp }}/digests-nightly-${{ matrix.image_tag }}
pattern: digests-nightly-${{ matrix.image_tag }}*
merge-multiple: true
- name: Create combined manifests - Nightly
env:
REGISTRIES: ${{ needs.mbuild_vars.outputs.registry_list }}
NIGHTLY_TAGS: ${{ steps.base_tags.outputs.nightly }}
working-directory: ${{ runner.temp }}/digests-nightly-${{ matrix.image_tag }}
shell: bash
run: |
for registry in ${REGISTRIES}; do
echo "Generating manifest for ${registry}:"
REG_TAGS=$(echo "${NIGHTLY_TAGS//,/ }" | sed "s#@RGSTRY@#${registry}#g")
# Modify the base tag to convert `,` to a space and replace `@RGSTRY@` with the actual registry needed here
# The first `printf` converts the `REG_TAGS` to the `--tag` parameter for each tag
# The second `printf` is expanded to the sha256 digests uploaded from the previous job for the specific image_tag
docker buildx imagetools create \
$(printf -- " --tag %s" ${REG_TAGS}) \
$(printf "${registry}/blackdex/rust-musl@sha256:%s " *)
done
- name: Inspect combined manifests - Nightly
id: comb_nightly
shell: bash
env:
REGISTRIES: ${{ needs.mbuild_vars.outputs.registry_list }}
NIGHTLY_DATE: ${{ needs.mbuild_vars.outputs.nightly_date }}
run: |
for registry in ${REGISTRIES}; do
echo "Inspecting manifest for ${registry}:"
docker buildx imagetools inspect ${registry}/blackdex/rust-musl:${{ matrix.image_tag }}-nightly-${NIGHTLY_DATE}
# Extract the combined digest to run attest on this too
if [[ "${registry}" = "ghcr.io" ]]; then
combined_digest=$(docker buildx imagetools inspect --format "{{json .Manifest.Digest}}" ghcr.io/blackdex/rust-musl:${{ matrix.image_tag }}-nightly-${NIGHTLY_DATE})
echo "digest=${combined_digest//\"/}" | tee -a "${GITHUB_OUTPUT}"
fi
done
- name: Attest - Combined Nightly - docker.io
if : ${{ !github.event.act && steps.comb_nightly.outputs.digest != '' && needs.mbuild_vars.outputs.have_dockerhub_login == 'true' }}
uses: actions/attest-build-provenance@520d128f165991a6c774bcb264f323e3d70747f4 # v2.2.0
with:
subject-name: docker.io/blackdex/rust-musl
subject-digest: ${{ steps.comb_nightly.outputs.digest }}
push-to-registry: true
- name: Attest - Combined Nightly - ghcr.io
if : ${{ !github.event.act && steps.comb_nightly.outputs.digest != '' && needs.mbuild_vars.outputs.have_ghcr_login == 'true' }}
uses: actions/attest-build-provenance@520d128f165991a6c774bcb264f323e3d70747f4 # v2.2.0
with:
subject-name: ghcr.io/blackdex/rust-musl
subject-digest: ${{ steps.comb_nightly.outputs.digest }}
push-to-registry: true
- name: Attest - Combined Nightly - quay.io
if : ${{ !github.event.act && steps.comb_nightly.outputs.digest != '' && needs.mbuild_vars.outputs.have_quay_login == 'true' }}
uses: actions/attest-build-provenance@520d128f165991a6c774bcb264f323e3d70747f4 # v2.2.0
with:
subject-name: quay.io/blackdex/rust-musl
subject-digest: ${{ steps.comb_nightly.outputs.digest }}
push-to-registry: true