Rewrite the action in Rust

This rewrites the action from the ground-up to solve most outstanding issues and missing features. The API is consolidated and streamlined (+ largely broken); the performance and logging is improved; there's support for new token types; we can now handle multi-arch images; etc. See the v3 release notes when they're out, for more details.
snok · Jun 24, 2024 · 851b141 · 851b141
1 parent 178bc0b
commit 851b141
Show file tree

Hide file tree

Showing 42 changed files with 5,471 additions and 2,873 deletions.
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
@@ -0,0 +1,8 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+    reviewers:
+      - sondrelg
diff --git a/.github/get_version.py b/.github/get_version.py
diff --git a/.github/workflows/clean_packages.yml b/.github/workflows/clean_packages.yml
diff --git a/.github/workflows/build.yml → .github/workflows/live_test.yaml b/.github/workflows/build.yml → .github/workflows/live_test.yaml
@@ -10,15 +10,15 @@ jobs:
     runs-on: ubuntu-latest
     name: Ubuntu with classic personal access token
     steps:
-      - uses: snok/container-retention-policy@v3-develop
+      - uses: snok/container-retention-policy@main
         name: Delete test-1-* images with a temporal token
         with:
           account: snok
           token: ${{ secrets.GITHUB_TOKEN }}
           cut-off: 2h
           image-names: container-retention-policy
           image-tags: test-* !test-2* !test-3* !test-4* !test-5*
-          tag-selection: tagged
+          tag-selection: both
           timestamp-to-use: created_at
           dry-run: false
           rust-log: container_retention_policy=debug
@@ -30,28 +30,28 @@ jobs:
           app-id: 911530
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
 
-      - uses: snok/container-retention-policy@v3-develop
+      - uses: snok/container-retention-policy@main
         name: Delete test-2-* images with an Github app token
         with:
           account: snok
           token: ${{ steps.generate-token.outputs.token }}
           cut-off: 2h
           image-names: container-retention-policy
           image-tags: test-* !test-3* !test-4* !test-5*
-          tag-selection: tagged
+          tag-selection: both
           timestamp-to-use: created_at
           dry-run: false
           rust-log: container_retention_policy=debug
 
-      - uses: snok/container-retention-policy@v3-develop
+      - uses: snok/container-retention-policy@main
         name: Delete remaining test images with a PAT
         with:
           account: snok
           token: ${{ secrets.PAT }}
           cut-off: 2h
           image-names: container-retention-policy
           image-tags: test-*
-          tag-selection: tagged
+          tag-selection: both
           timestamp-to-use: created_at
           dry-run: false
           rust-log: container_retention_policy=debug
@@ -77,11 +77,14 @@ jobs:
               echo "FROM scratch"
               echo "COPY --from=builder /test.txt ."
             } > Dockerfile
+
             imageName="ghcr.io/snok/container-retention-policy:test-${i}"
+
             docker build -f Dockerfile -t "$imageName" --push .
+
             for ((j=1; j<=3; j++))
             do
               docker tag "$imageName" "ghcr.io/snok/container-retention-policy:test-${i}-${j}"
               docker push "ghcr.io/snok/container-retention-policy:test-${i}-${j}"
             done
-          done
+          done
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -0,0 +1,114 @@
+# See https://docs.docker.com/build/ci/github-actions/multi-platform/ for docs
+
+name: Create multi-platform container image
+
+on:
+  workflow_dispatch:
+    inputs:
+      version-tag:
+        description: The image tag to build for
+        required: true
+        type: string
+
+concurrency:
+  group: ${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  REGISTRY_IMAGE: ghcr.io/snok/container-retention-policy
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        platform:
+          - linux/amd64
+          - linux/arm64
+        include:
+          - platform: linux/amd64
+            arch: amd64
+            target_dir: x86_64-unknown-linux-musl
+          - platform: linux/arm64
+            arch: arm64
+            target_dir: aarch64-unknown-linux-musl
+    steps:
+      - name: Prepare
+        run: |
+          platform="${{ matrix.platform }}"
+          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
+
+      - uses: actions/checkout@v4
+      - uses: docker/setup-qemu-action@v3
+      - uses: docker/setup-buildx-action@v3
+      - uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY_IMAGE }}
+
+      - name: Build and push by digest
+        id: build
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          platforms: ${{ matrix.platform }}
+          labels: ${{ steps.meta.outputs.labels }}
+          outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true,name-canonical=true,push=true
+
+      - name: Export digest
+        run: |
+          mkdir -p /tmp/digests
+          digest="${{ steps.build.outputs.digest }}"
+          touch "/tmp/digests/${digest#sha256:}"
+
+      - name: Upload digest
+        uses: actions/upload-artifact@v4
+        with:
+          name: digests-${{ env.PLATFORM_PAIR }}
+          path: /tmp/digests/*
+          if-no-files-found: error
+          retention-days: 1
+
+  merge:
+    runs-on: ubuntu-latest
+    needs:
+      - build
+    steps:
+      - name: Download digests
+        uses: actions/download-artifact@v4
+        with:
+          path: /tmp/digests
+          pattern: digests-*
+          merge-multiple: true
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY_IMAGE }}
+
+      - name: Create manifest list and push
+        working-directory: /tmp/digests
+        run: |
+          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+            $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *)
+
+      - name: Inspect image
+        run: docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }}
diff --git a/.github/workflows/tag.yml b/.github/workflows/tag.yml
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -0,0 +1,31 @@
+name: Test
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: swatinem/rust-cache@v2
+
+      # This is already installed on GitHub's runners
+      - run: cargo fmt --check
+
+      - run: rustup toolchain install stable --profile minimal && rustup component add clippy
+      - run: rustup toolchain install nightly --profile minimal
+      - uses: cargo-bins/cargo-binstall@main
+      - run: cargo binstall cargo-udeps --locked --no-confirm --force
+      - run: cargo binstall cargo-deny --locked --no-confirm --force
+      - run: cargo binstall cargo-audit --locked --no-confirm
+      - run: pip install pre-commit && pre-commit install
+      - uses: actions/cache@v4
+        with:
+          path: ~/.cache/pre-commit/
+          key: pre-commit-${{ hashFiles('.pre-commit-config.yaml') }}
+      - run: cargo build  # needed for `assert_cmd` tests
+      - run: pre-commit run --all-files