ci(docker): add build workflow for xen-riscv64-trixie image#27
ci(docker): add build workflow for xen-riscv64-trixie image#27gounthar wants to merge 4 commits into
Conversation
Build the docker/riscv/trixie image: amd64 build (no push) on PRs touching that path, build and push :latest on pushes to main. Split out from baptleduc#1 at baptleduc's request. Signed-off-by: Bruno Verachten <gounthar@gmail.com>
|
Thanks for opening a dedicated PR. I would suggest pushing images only on specific tags (e.g. Moreover, since this repository hosts multiple H&K development tools, not every merge should trigger a Docker image release. As for the registry, GitHub Container Registry (GHCR) could be a better fit, as it would keep both the source code and container images in the same place. What do you think? |
… Hub Per review on xcp-ng#27: publish the image only on tags matching v[0-9]+.[0-9]+.[0-9]+-xen-riscv64 (a routine merge no longer triggers a release), and push to GHCR using the built-in GITHUB_TOKEN instead of Docker Hub secrets. PRs keep an amd64 build-only check. Signed-off-by: Bruno Verachten <gounthar@gmail.com>
|
@baptleduc Good calls, both done. The publish step now triggers only on tags matching |
Maybe for consistency with the image's name, the tag pattern should be instead |
| on: | ||
| push: | ||
| tags: | ||
| - 'v[0-9]+.[0-9]+.[0-9]+-xen-riscv64' |
There was a problem hiding this comment.
| - 'v[0-9]+.[0-9]+.[0-9]+-xen-riscv64' | |
| - 'v[0-9]+.[0-9]+.[0-9]+-xen-riscv64-trixie' |
Per review on xcp-ng#27: tag pattern is now v[0-9]+.[0-9]+.[0-9]+-xen-riscv64-trixie so the release tag lines up with the xen-riscv64-trixie image name. Signed-off-by: Bruno Verachten <gounthar@gmail.com>
|
@baptleduc Done. The publish trigger now matches |
|
Thanks, Igtm |
|
One last thing @gounthar, could you please fix the CI errors? |
Satisfies the repo's zizmor policy: - pin actions/checkout, docker/setup-buildx-action, docker/login-action and docker/build-push-action to full commit SHAs (unpinned-uses). - set persist-credentials: false on checkout (artipacked). Signed-off-by: Bruno Verachten <gounthar@gmail.com>
|
Done, pushed eff343d. The zizmor failures were all the pin-to-SHA policy, so I pinned checkout, setup-buildx, login and build-push to commit SHAs and set |
The CI is green now thanks! One last things that is required, your commits should be sign... |
2 participants
Adds a GitHub Actions workflow to build the
docker/riscv/trixieimage. @baptleduc suggested opening this as a dedicated PR upstream (split out from baptleduc#1, which I closed).docker/riscv/trixie/**: builds amd64, no push (validates the Dockerfile still builds).maintouching the same path: builds and pushes:latest.amd64 only for now. arm64 isn't viable until the AIA + fakedevice-patched QEMU is built for arm64 (it only exists as the amd64 GitLab artifact today), so I left it out rather than ship a broken arm64 image.
Prerequisite: the workflow expects
DOCKERHUB_USERNAME/DOCKERHUB_TOKENrepo secrets for the push step. If you'd prefer a different registry/namespace, or want the push gated to tags /workflow_dispatchonly, happy to adjust.