Skip to content

Change default data path to /data (#227) #61

Change default data path to /data (#227)

Change default data path to /data (#227) #61

name: Build deb packages and prebuild images
concurrency:
group: build-packages-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
on:
workflow_dispatch:
push:
branches:
- "main"
paths-ignore:
- ".devcontainer/**"
- "*.md"
permissions:
packages: write
contents: read
id-token: write
jobs:
build-deb-packages:
runs-on: ${{ matrix.runner }}
name: ${{ matrix.os }}-${{ matrix.arch }}-pg${{ matrix.pg_version }}
strategy:
fail-fast: false
matrix:
os: [ubuntu22.04, ubuntu24.04, deb11, deb12]
arch: [amd64, arm64]
include:
- arch: amd64
runner: ubuntu-24.04
- arch: arm64
runner: ubuntu-24.04-arm
pg_version:
- 16
- 17
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Extract and Format Default Version
id: extract_version
run: |
DOCUMENTDB_VERSION=$(grep -E "^default_version" pg_documentdb_core/documentdb_core.control | sed -E "s/.*'([0-9]+\.[0-9]+-[0-9]+)'.*/\1/")
DOCUMENTDB_VERSION=$(echo $DOCUMENTDB_VERSION | sed "s/-/./g")
echo "Extracted Version: $DOCUMENTDB_VERSION"
echo "DOCUMENTDB_VERSION=$DOCUMENTDB_VERSION" >> $GITHUB_ENV
- name: Build Debian Package
run: |
./packaging/build_packages.sh --os ${{ matrix.os }} --pg ${{ matrix.pg_version }} --version ${{ env.DOCUMENTDB_VERSION }}
- name: Sign DEB packages
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
run: |
# Install GPG and dpkg-sig for signing DEB packages
sudo apt-get update && sudo apt-get install -y gnupg2 dpkg-sig
# Generate a temporary signing key for demo purposes
# In production, use proper key management with secure key storage
cat > /tmp/gpg-batch <<EOF
%echo Generating DocumentDB signing key
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: DocumentDB Package Signing
Name-Email: documentdb@noreply.github.com
Expire-Date: 1y
%no-ask-passphrase
%no-protection
%commit
%echo done
EOF
gpg --batch --generate-key /tmp/gpg-batch
# Sign all DEB packages
# The key ID for dpkg-sig is usually the email or Name-Real used during key generation
KEY_ID="DocumentDB Package Signing"
for deb_file in packaging/*.deb; do
if [[ -f "$deb_file" ]]; then
echo "Signing package: $deb_file with key $KEY_ID"
dpkg-sig --sign "$KEY_ID" "$deb_file"
fi
done
# Export public key for verification
# Ensure the email/name matches the one used in Name-Email/Name-Real for key generation
gpg --armor --export "DocumentDB Package Signing" > packaging/documentdb-signing-key.asc
- name: Upload Debian Package as Artifact
uses: actions/upload-artifact@v4
with:
name: archive-${{ matrix.os }}-${{ matrix.arch }}-pg${{ matrix.pg_version }}-documentdb-${{ env.DOCUMENTDB_VERSION }}
path: |
packaging/*.deb
packaging/documentdb-signing-key.asc
retention-days: 7
if-no-files-found: error
compression-level: 0
- name: Login to GHCR
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Extract image build metadata
id: image_metadata
run: |
PACKAGE_NAME=$(ls packaging/*.deb | grep -v dbgsym | head -n1)
echo "PACKAGE NAME: $PACKAGE_NAME"
echo "PACKAGE_NAME=$PACKAGE_NAME" >> $GITHUB_ENV
case ${{ matrix.os }} in
deb11)
BASE_IMAGE="debian:bullseye"
;;
deb12)
BASE_IMAGE="debian:bookworm"
;;
ubuntu22.04)
BASE_IMAGE="ubuntu:22.04"
;;
ubuntu24.04)
BASE_IMAGE="ubuntu:24.04"
;;
esac
echo "BASE_IMAGE NAME: $BASE_IMAGE"
echo "BASE_IMAGE=$BASE_IMAGE" >> $GITHUB_ENV
- name: Build and Push Docker Image
if: matrix.os == 'ubuntu22.04'
uses: docker/build-push-action@v6.18.0
env:
DOCKER_BUILD_SUMMARY: false
with:
provenance: false # Disable provenance to avoid unknown/unknown
sbom: false # Disable provenance to avoid unknown/unknown
context: .
push: true
platforms: linux/${{ matrix.arch }}
file: .github/containers/Build-Ubuntu/Dockerfile_prebuild
tags: ghcr.io/${{ github.repository }}/documentdb-oss:PG${{ matrix.pg_version }}-${{ matrix.arch }}-${{ env.DOCUMENTDB_VERSION }}
build-args: |
BASE_IMAGE=${{ env.BASE_IMAGE }}
POSTGRES_VERSION=${{ matrix.pg_version }}
DEB_PACKAGE_REL_PATH=${{ env.PACKAGE_NAME }}
labels: |
org.opencontainers.image.source=https://github.com/microsoft/documentdb
org.opencontainers.image.description=Documentdb prebuild image
org.opencontainers.image.licenses=MIT
- name: Install cosign
if: matrix.os == 'ubuntu22.04'
uses: sigstore/cosign-installer@main
- name: Sign manifest (keyless)
if: matrix.os == 'ubuntu22.04'
run: |
cosign sign ghcr.io/${{ github.repository }}/documentdb-oss:PG${{ matrix.pg_version }}-${{ matrix.arch }}-${{ env.DOCUMENTDB_VERSION }} -y
- name: Verify manifest signature (keyless)
if: matrix.os == 'ubuntu22.04'
run: |
cosign verify \
--certificate-identity-regexp "https://github.com/${{ github.repository }}/.github/workflows/build_packages.yml@refs/heads/${{ github.ref_name }}" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
ghcr.io/${{ github.repository }}/documentdb-oss:PG${{ matrix.pg_version }}-${{ matrix.arch }}-${{ env.DOCUMENTDB_VERSION }}