Workflow to build ppc64le binary for ubi (#6005)

oseoin · web-flow · commit 233c8b2a9ced · 2024-07-12T09:58:33.000+01:00
diff --git a/.github/workflows/build-ubi-dependency.yml b/.github/workflows/build-ubi-dependency.yml
@@ -0,0 +1,137 @@
+name: Build UBI ppc64le Dependency
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - build/dependencies/Dockerfile.ubi-ppc64le
+  workflow_dispatch:
+    inputs:
+      nginx_version:
+        type: string
+        description: "NGINX Version to build for"
+        required: false
+      force:
+        type: boolean
+        description: "Force rebuild"
+        required: false
+        default: false
+
+env:
+  IMAGE_NAME: ghcr.io/nginxinc/dependencies/nginx-ubi-ppc64le
+
+concurrency:
+  group: ${{ github.ref_name }}-ubi-ppc64le-build
+  cancel-in-progress: true
+
+jobs:
+  checks:
+    name: Check versions
+    runs-on: ubuntu-22.04
+    permissions:
+      packages: read
+      contents: read
+    strategy:
+      fail-fast: false
+    outputs:
+      nginx_version: ${{ steps.var.outputs.nginx_version }}
+      njs_version: ${{ steps.var.outputs.njs_version }}
+      target_exists: ${{ steps.var.outputs.target_image_exists }}
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Output Variables
+        id: var
+        run: |
+          if [ -n "${{ inputs.nginx_version }}" ]; then
+            nginx_v=${{ inputs.nginx_version }}
+          else
+            nginx_v=$(grep -m1 'FROM nginx:' <build/dependencies/Dockerfile.ubi-ppc64le | cut -d '@' -f1 | awk -F'[: ]' '{print $3}')
+          fi
+          target_image=${{ env.IMAGE_NAME }}:nginx-${nginx_v}
+          if docker manifest inspect ${target_image}; then
+            target_image_exists=true
+          else
+            target_image_exists=false
+          fi
+          docker pull nginx:$nginx_v || exit 1
+          njs=$(docker run nginx:$nginx_v env | grep NJS_VERSION | cut -d= -f2)
+          echo "> Outputs -------------------------------"
+          echo "NJS_VERSION=$njs"
+          echo "nginx_version=${nginx_v}"
+          echo "njs_version=${njs}"
+          echo "target_image_exists=${target_image_exists}"
+          echo "nginx_version=${nginx_v}" >> $GITHUB_OUTPUT
+          echo "njs_version=${njs}" >> $GITHUB_OUTPUT
+          echo "target_image_exists=${target_image_exists}" >> $GITHUB_OUTPUT
+
+  build-binaries:
+    name: Build Binary Container Image
+    if: ${{ needs.checks.outputs.target_exists != 'true' || inputs.force }}
+    needs: checks
+    runs-on: ubuntu-22.04
+    permissions:
+      packages: write
+      contents: read
+    strategy:
+      fail-fast: false
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - name: Setup QEMU
+        uses: docker/setup-qemu-action@5927c834f5b4fdf503fca6f4c7eccda82949e1ee # v3.1.0
+        with:
+          platforms: arm64,ppc64le,s390x
+
+      - name: Docker Buildx
+        uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
+        with:
+          images: |
+            name=${{ env.IMAGE_NAME }},enable=true
+          tags: |
+            type=raw,value=nginx-${{ needs.checks.outputs.nginx_version }},enable=true
+        env:
+          DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
+
+      - name: Build and push
+        uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0
+        with:
+          file: ./build/dependencies/Dockerfile.ubi-ppc64le
+          context: "."
+          pull: true
+          push: true
+          # build multi-arch so that it can be mounted from any image
+          # even though only ppc64le will contain binaries
+          platforms: "linux/amd64,linux/arm64,linux/ppc64le,linux/s390x"
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          annotations: ${{ steps.meta.outputs.annotations }}
+          cache-from: type=gha,scope=nginx-ubi-ppc64le
+          cache-to: type=gha,scope=nginx-ubi-ppc64le,mode=max
+          target: final
+          sbom: false
+          provenance: mode=max
+          build-args: |
+            NGINX=${{ needs.checks.outputs.nginx_version }}
+            NJS=${{ needs.checks.outputs.njs_version }}
diff --git a/build/dependencies/Dockerfile.ubi-ppc64le b/build/dependencies/Dockerfile.ubi-ppc64le
@@ -0,0 +1,33 @@
+# syntax=docker/dockerfile:1.8
+FROM nginx:1.27.0@sha256:67682bda769fae1ccf5183192b8daf37b64cae99c6c3302650f6f8bf5f0f95df AS nginx
+
+FROM redhat/ubi9:9.4@sha256:081c96d1b1c7cd1855722d01f1ca53360510443737b1eb33284c6c4c330e537c AS rpm-build
+ARG NGINX
+ARG NJS
+ENV NGINX_VERSION ${NGINX}
+ENV NJS_VERSION ${NJS}
+
+
+RUN mkdir -p /nginx/; \
+    # only build for ppc64le but make multiarch image for mounting
+    [ $(uname -p) != ppc64le ] && exit 0; \
+    rpm --import https://nginx.org/keys/nginx_signing.key \
+    && printf "%s\n" "[nginx]" "name=nginx src repo" \
+    "baseurl=https://nginx.org/packages/mainline/centos/9/SRPMS" \
+    "gpgcheck=1" "enabled=1" "module_hotfixes=true" >> /etc/yum.repos.d/nginx.repo \
+    && dnf install rpm-build gcc make dnf-plugins-core which -y \
+    && dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm \
+    && nginxPackages=" \
+    nginx-${NGINX_VERSION} \
+    nginx-module-xslt-${NGINX_VERSION} \
+    nginx-module-image-filter-${NGINX_VERSION} \
+    nginx-module-njs-${NGINX_VERSION}+${NJS_VERSION} \
+    " \
+    && dnf config-manager --set-enabled ubi-9-codeready-builder \
+    && dnf download --source ${nginxPackages} \
+    && dnf builddep -y --srpm nginx*.rpm \
+    && rpmbuild --rebuild --nodebuginfo nginx*.rpm \
+    && cp /root/rpmbuild/RPMS/$(arch)/* /nginx/
+
+FROM scratch AS final
+COPY --link --from=rpm-build /nginx /
