Change default data path to /data (#227) #61
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build deb packages and prebuild images | |
concurrency: | |
group: build-packages-${{ github.event.pull_request.number || github.ref }} | |
cancel-in-progress: true | |
on: | |
workflow_dispatch: | |
push: | |
branches: | |
- "main" | |
paths-ignore: | |
- ".devcontainer/**" | |
- "*.md" | |
permissions: | |
packages: write | |
contents: read | |
id-token: write | |
jobs: | |
build-deb-packages: | |
runs-on: ${{ matrix.runner }} | |
name: ${{ matrix.os }}-${{ matrix.arch }}-pg${{ matrix.pg_version }} | |
strategy: | |
fail-fast: false | |
matrix: | |
os: [ubuntu22.04, ubuntu24.04, deb11, deb12] | |
arch: [amd64, arm64] | |
include: | |
- arch: amd64 | |
runner: ubuntu-24.04 | |
- arch: arm64 | |
runner: ubuntu-24.04-arm | |
pg_version: | |
- 16 | |
- 17 | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
- name: Extract and Format Default Version | |
id: extract_version | |
run: | | |
DOCUMENTDB_VERSION=$(grep -E "^default_version" pg_documentdb_core/documentdb_core.control | sed -E "s/.*'([0-9]+\.[0-9]+-[0-9]+)'.*/\1/") | |
DOCUMENTDB_VERSION=$(echo $DOCUMENTDB_VERSION | sed "s/-/./g") | |
echo "Extracted Version: $DOCUMENTDB_VERSION" | |
echo "DOCUMENTDB_VERSION=$DOCUMENTDB_VERSION" >> $GITHUB_ENV | |
- name: Build Debian Package | |
run: | | |
./packaging/build_packages.sh --os ${{ matrix.os }} --pg ${{ matrix.pg_version }} --version ${{ env.DOCUMENTDB_VERSION }} | |
- name: Sign DEB packages | |
if: github.event_name == 'push' && github.ref == 'refs/heads/main' | |
run: | | |
# Install GPG and dpkg-sig for signing DEB packages | |
sudo apt-get update && sudo apt-get install -y gnupg2 dpkg-sig | |
# Generate a temporary signing key for demo purposes | |
# In production, use proper key management with secure key storage | |
cat > /tmp/gpg-batch <<EOF | |
%echo Generating DocumentDB signing key | |
Key-Type: RSA | |
Key-Length: 2048 | |
Subkey-Type: RSA | |
Subkey-Length: 2048 | |
Name-Real: DocumentDB Package Signing | |
Name-Email: documentdb@noreply.github.com | |
Expire-Date: 1y | |
%no-ask-passphrase | |
%no-protection | |
%commit | |
%echo done | |
EOF | |
gpg --batch --generate-key /tmp/gpg-batch | |
# Sign all DEB packages | |
# The key ID for dpkg-sig is usually the email or Name-Real used during key generation | |
KEY_ID="DocumentDB Package Signing" | |
for deb_file in packaging/*.deb; do | |
if [[ -f "$deb_file" ]]; then | |
echo "Signing package: $deb_file with key $KEY_ID" | |
dpkg-sig --sign "$KEY_ID" "$deb_file" | |
fi | |
done | |
# Export public key for verification | |
# Ensure the email/name matches the one used in Name-Email/Name-Real for key generation | |
gpg --armor --export "DocumentDB Package Signing" > packaging/documentdb-signing-key.asc | |
- name: Upload Debian Package as Artifact | |
uses: actions/upload-artifact@v4 | |
with: | |
name: archive-${{ matrix.os }}-${{ matrix.arch }}-pg${{ matrix.pg_version }}-documentdb-${{ env.DOCUMENTDB_VERSION }} | |
path: | | |
packaging/*.deb | |
packaging/documentdb-signing-key.asc | |
retention-days: 7 | |
if-no-files-found: error | |
compression-level: 0 | |
- name: Login to GHCR | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v3 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Extract image build metadata | |
id: image_metadata | |
run: | | |
PACKAGE_NAME=$(ls packaging/*.deb | grep -v dbgsym | head -n1) | |
echo "PACKAGE NAME: $PACKAGE_NAME" | |
echo "PACKAGE_NAME=$PACKAGE_NAME" >> $GITHUB_ENV | |
case ${{ matrix.os }} in | |
deb11) | |
BASE_IMAGE="debian:bullseye" | |
;; | |
deb12) | |
BASE_IMAGE="debian:bookworm" | |
;; | |
ubuntu22.04) | |
BASE_IMAGE="ubuntu:22.04" | |
;; | |
ubuntu24.04) | |
BASE_IMAGE="ubuntu:24.04" | |
;; | |
esac | |
echo "BASE_IMAGE NAME: $BASE_IMAGE" | |
echo "BASE_IMAGE=$BASE_IMAGE" >> $GITHUB_ENV | |
- name: Build and Push Docker Image | |
if: matrix.os == 'ubuntu22.04' | |
uses: docker/build-push-action@v6.18.0 | |
env: | |
DOCKER_BUILD_SUMMARY: false | |
with: | |
provenance: false # Disable provenance to avoid unknown/unknown | |
sbom: false # Disable provenance to avoid unknown/unknown | |
context: . | |
push: true | |
platforms: linux/${{ matrix.arch }} | |
file: .github/containers/Build-Ubuntu/Dockerfile_prebuild | |
tags: ghcr.io/${{ github.repository }}/documentdb-oss:PG${{ matrix.pg_version }}-${{ matrix.arch }}-${{ env.DOCUMENTDB_VERSION }} | |
build-args: | | |
BASE_IMAGE=${{ env.BASE_IMAGE }} | |
POSTGRES_VERSION=${{ matrix.pg_version }} | |
DEB_PACKAGE_REL_PATH=${{ env.PACKAGE_NAME }} | |
labels: | | |
org.opencontainers.image.source=https://github.com/microsoft/documentdb | |
org.opencontainers.image.description=Documentdb prebuild image | |
org.opencontainers.image.licenses=MIT | |
- name: Install cosign | |
if: matrix.os == 'ubuntu22.04' | |
uses: sigstore/cosign-installer@main | |
- name: Sign manifest (keyless) | |
if: matrix.os == 'ubuntu22.04' | |
run: | | |
cosign sign ghcr.io/${{ github.repository }}/documentdb-oss:PG${{ matrix.pg_version }}-${{ matrix.arch }}-${{ env.DOCUMENTDB_VERSION }} -y | |
- name: Verify manifest signature (keyless) | |
if: matrix.os == 'ubuntu22.04' | |
run: | | |
cosign verify \ | |
--certificate-identity-regexp "https://github.com/${{ github.repository }}/.github/workflows/build_packages.yml@refs/heads/${{ github.ref_name }}" \ | |
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ | |
ghcr.io/${{ github.repository }}/documentdb-oss:PG${{ matrix.pg_version }}-${{ matrix.arch }}-${{ env.DOCUMENTDB_VERSION }} |