feat: Add comprehensive Docker build pipeline for multi-architecture images

2026-01-17 01:30:33 +00:00 · 2025-06-16 07:07:28 +08:00
parent 57cda74fbd
commit d29bf4809d
4 changed files with 1066 additions and 0 deletions
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -0,0 +1,300 @@
+name: Build and Push Docker Images
+
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - 'v*'
+  pull_request:
+    branches:
+      - main
+  workflow_dispatch:
+    inputs:
+      push_to_registry:
+        description: 'Push images to registry'
+        required: false
+        default: 'true'
+        type: boolean
+
+env:
+  REGISTRY_IMAGE_DOCKERHUB: rustfs/rustfs
+  REGISTRY_IMAGE_GHCR: ghcr.io/${{ github.repository }}
+
+jobs:
+  # Skip duplicate job runs
+  skip-check:
+    permissions:
+      actions: write
+      contents: read
+    runs-on: ubuntu-latest
+    outputs:
+      should_skip: ${{ steps.skip_check.outputs.should_skip }}
+    steps:
+      - id: skip_check
+        uses: fkirc/skip-duplicate-actions@v5
+        with:
+          concurrent_skipping: 'same_content_newer'
+          cancel_others: true
+          paths_ignore: '["*.md", "docs/**"]'
+
+  # Build RustFS binary for different platforms
+  build-binary:
+    needs: skip-check
+    if: needs.skip-check.outputs.should_skip != 'true'
+    strategy:
+      matrix:
+        include:
+          - target: x86_64-unknown-linux-musl
+            os: ubuntu-latest
+            arch: amd64
+          - target: aarch64-unknown-linux-musl
+            os: ubuntu-latest
+            arch: arm64
+    runs-on: ${{ matrix.os }}
+    timeout-minutes: 60
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Rust toolchain
+        uses: actions-rust-lang/setup-rust-toolchain@v1
+        with:
+          target: ${{ matrix.target }}
+          components: rustfmt, clippy
+
+      - name: Install cross-compilation dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y musl-tools
+          if [ "${{ matrix.target }}" = "aarch64-unknown-linux-musl" ]; then
+            sudo apt-get install -y gcc-aarch64-linux-gnu
+          fi
+
+      - name: Install protoc
+        uses: arduino/setup-protoc@v3
+        with:
+          version: "31.1"
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Install flatc
+        uses: Nugine/setup-flatc@v1
+        with:
+          version: "25.2.10"
+
+      - name: Cache cargo dependencies
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+            target
+          key: ${{ runner.os }}-cargo-${{ matrix.target }}-${{ hashFiles('**/Cargo.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-cargo-${{ matrix.target }}-
+            ${{ runner.os }}-cargo-
+
+      - name: Build RustFS binary
+        run: |
+          export CARGO_TARGET_AARCH64_UNKNOWN_LINUX_MUSL_LINKER=aarch64-linux-gnu-gcc
+          cargo build --release --target ${{ matrix.target }} --bin rustfs
+
+      - name: Upload binary artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: rustfs-${{ matrix.arch }}
+          path: target/${{ matrix.target }}/release/rustfs
+          retention-days: 1
+
+  # Build and push Docker images
+  build-images:
+    needs: [skip-check, build-binary]
+    if: needs.skip-check.outputs.should_skip != 'true'
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    strategy:
+      matrix:
+        image-type: [production, ubuntu, rockylinux, devenv]
+        platform: [linux/amd64, linux/arm64]
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Download binary artifacts
+        uses: actions/download-artifact@v4
+        with:
+          path: ./artifacts
+
+      - name: Setup binary files
+        run: |
+          mkdir -p target/x86_64-unknown-linux-musl/release
+          mkdir -p target/aarch64-unknown-linux-musl/release
+          cp artifacts/rustfs-amd64/rustfs target/x86_64-unknown-linux-musl/release/
+          cp artifacts/rustfs-arm64/rustfs target/aarch64-unknown-linux-musl/release/
+          chmod +x target/*/release/rustfs
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Login to Docker Hub
+        if: github.event_name != 'pull_request' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/'))
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Login to GitHub Container Registry
+        if: github.event_name != 'pull_request' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/'))
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set Dockerfile and context
+        id: dockerfile
+        run: |
+          case "${{ matrix.image-type }}" in
+            production)
+              echo "dockerfile=Dockerfile" >> $GITHUB_OUTPUT
+              echo "context=." >> $GITHUB_OUTPUT
+              echo "suffix=" >> $GITHUB_OUTPUT
+              ;;
+            ubuntu)
+              echo "dockerfile=.docker/Dockerfile.ubuntu22.04" >> $GITHUB_OUTPUT
+              echo "context=." >> $GITHUB_OUTPUT
+              echo "suffix=-ubuntu22.04" >> $GITHUB_OUTPUT
+              ;;
+            rockylinux)
+              echo "dockerfile=.docker/Dockerfile.rockylinux9.3" >> $GITHUB_OUTPUT
+              echo "context=." >> $GITHUB_OUTPUT
+              echo "suffix=-rockylinux9.3" >> $GITHUB_OUTPUT
+              ;;
+            devenv)
+              echo "dockerfile=.docker/Dockerfile.devenv" >> $GITHUB_OUTPUT
+              echo "context=." >> $GITHUB_OUTPUT
+              echo "suffix=-devenv" >> $GITHUB_OUTPUT
+              ;;
+          esac
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ${{ env.REGISTRY_IMAGE_DOCKERHUB }}
+            ${{ env.REGISTRY_IMAGE_GHCR }}
+          tags: |
+            type=ref,event=branch,suffix=${{ steps.dockerfile.outputs.suffix }}
+            type=ref,event=pr,suffix=${{ steps.dockerfile.outputs.suffix }}
+            type=semver,pattern={{version}},suffix=${{ steps.dockerfile.outputs.suffix }}
+            type=semver,pattern={{major}}.{{minor}},suffix=${{ steps.dockerfile.outputs.suffix }}
+            type=semver,pattern={{major}},suffix=${{ steps.dockerfile.outputs.suffix }}
+            type=raw,value=latest,suffix=${{ steps.dockerfile.outputs.suffix }},enable={{is_default_branch}}
+          flavor: |
+            latest=false
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: ${{ steps.dockerfile.outputs.context }}
+          file: ${{ steps.dockerfile.outputs.dockerfile }}
+          platforms: ${{ matrix.platform }}
+          push: ${{ github.event_name != 'pull_request' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/')) }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha,scope=${{ matrix.image-type }}-${{ matrix.platform }}
+          cache-to: type=gha,mode=max,scope=${{ matrix.image-type }}-${{ matrix.platform }}
+          build-args: |
+            BUILDTIME=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
+            VERSION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}
+            REVISION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
+
+  # Create multi-arch manifests
+  create-manifest:
+    needs: [skip-check, build-images]
+    if: needs.skip-check.outputs.should_skip != 'true' && github.event_name != 'pull_request' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/'))
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        image-type: [production, ubuntu, rockylinux, devenv]
+    steps:
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set image suffix
+        id: suffix
+        run: |
+          case "${{ matrix.image-type }}" in
+            production) echo "suffix=" >> $GITHUB_OUTPUT ;;
+            ubuntu) echo "suffix=-ubuntu22.04" >> $GITHUB_OUTPUT ;;
+            rockylinux) echo "suffix=-rockylinux9.3" >> $GITHUB_OUTPUT ;;
+            devenv) echo "suffix=-devenv" >> $GITHUB_OUTPUT ;;
+          esac
+
+      - name: Create and push manifest
+        run: |
+          # Set tag based on ref
+          if [[ $GITHUB_REF == refs/tags/* ]]; then
+            TAG=${GITHUB_REF#refs/tags/}
+          else
+            TAG="main"
+          fi
+
+          SUFFIX="${{ steps.suffix.outputs.suffix }}"
+
+          # Docker Hub manifest
+          docker buildx imagetools create -t ${REGISTRY_IMAGE_DOCKERHUB}:${TAG}${SUFFIX} \
+            ${REGISTRY_IMAGE_DOCKERHUB}:${TAG}${SUFFIX}-linux-amd64 \
+            ${REGISTRY_IMAGE_DOCKERHUB}:${TAG}${SUFFIX}-linux-arm64
+
+          # GitHub Container Registry manifest
+          docker buildx imagetools create -t ${REGISTRY_IMAGE_GHCR}:${TAG}${SUFFIX} \
+            ${REGISTRY_IMAGE_GHCR}:${TAG}${SUFFIX}-linux-amd64 \
+            ${REGISTRY_IMAGE_GHCR}:${TAG}${SUFFIX}-linux-arm64
+
+          # Create latest tag for main branch
+          if [[ $GITHUB_REF == refs/heads/main ]]; then
+            docker buildx imagetools create -t ${REGISTRY_IMAGE_DOCKERHUB}:latest${SUFFIX} \
+              ${REGISTRY_IMAGE_DOCKERHUB}:${TAG}${SUFFIX}-linux-amd64 \
+              ${REGISTRY_IMAGE_DOCKERHUB}:${TAG}${SUFFIX}-linux-arm64
+
+            docker buildx imagetools create -t ${REGISTRY_IMAGE_GHCR}:latest${SUFFIX} \
+              ${REGISTRY_IMAGE_GHCR}:${TAG}${SUFFIX}-linux-amd64 \
+              ${REGISTRY_IMAGE_GHCR}:${TAG}${SUFFIX}-linux-arm64
+          fi
+
+  # Security scanning
+  security-scan:
+    needs: [skip-check, build-images]
+    if: needs.skip-check.outputs.should_skip != 'true'
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        image-type: [production]
+    steps:
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ${{ env.REGISTRY_IMAGE_GHCR }}:main
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'