WIP: GHA: Docker workflow refactor

.docker/docker-bake.hcl

@@ -13,7 +13,7 @@ variable "ORGANIZATION" {
 }
 
 variable "REGISTRY" {
-  default = "docker.io/"
+  default = "ghcr.io/"
 }
 
 variable "PLATFORMS" {
@@ -27,7 +27,7 @@ variable "TARGETS" {
 function "tags" {
   params = [image]
   result = [
-    "${REGISTRY}${ORGANIZATION}/${image}:newly-baked"
+    "${REGISTRY}${ORGANIZATION}/${image}"
   ]
 }
 

.docker/requirements.txt

@@ -1,8 +1,6 @@
 docker
-pre-commit
 pytest
 requests
 tabulate
 pytest-docker
 docker-compose
-pyyaml<=5.3.1

.github/workflows/docker-build.yml

@@ -0,0 +1,77 @@
+name: Build Docker images and upload them to ghcr.io
+
+env:
+  BUILDKIT_PROGRESS: plain
+
+on:
+  workflow_call:
+    inputs:
+      runsOn:
+        description: GitHub Actions Runner image
+        required: true
+        type: string
+      platforms:
+        description: Target platforms for the build (linux/amd64 and/or linux/arm64)
+        required: true
+        type: string
+    outputs:
+      images:
+        description: Images identified by digests
+        value: ${{ jobs.build.outputs.images }}
+
+jobs:
+  build:
+    name: ${{ inputs.platforms }}
+    runs-on: ${{ inputs.runsOn }}
+    timeout-minutes: 60
+    defaults:
+      run:
+            # Make sure we fail if any command in a piped command sequence fails
+        shell: bash -e -o pipefail {0}
+        working-directory: .docker
+
+    outputs:
+      images: ${{ steps.bake_metadata.outputs.images }}
+
+    steps:
+
+    - name: Checkout Repo ⚡️
+      uses: actions/checkout@v4
+
+    - name: Set up QEMU
+      if: ${{ inputs.platforms != 'linux/amd64' }}
+      uses: docker/setup-qemu-action@v3
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+
+    - name: Login to GitHub Container Registry 🔑
+      uses: docker/login-action@v3
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Build and upload to ghcr.io 📤
+      id: build
+      uses: docker/bake-action@v4
+      with:
+        push: true
+                  # Using provenance to disable default attestation so it will build only desired images:
+                  # https://github.com/orgs/community/discussions/45969
+        provenance: false
+        set: |
+          *.platform=${{ inputs.platforms }}
+          *.output=type=registry,push-by-digest=true,name-canonical=true
+          *.cache-to=type=gha,scope=${{ github.workflow }},mode=max
+          *.cache-from=type=gha,scope=${{ github.workflow }}
+        files: |
+          docker-bake.hcl
+          build.json
+
+    - name: Set output variables
+      id: bake_metadata
+      run: |
+        .github/workflows/extract-docker-image-names.sh | tee -a "${GITHUB_OUTPUT}"
+      env:
+        BAKE_METADATA: ${{ steps.build.outputs.metadata }}

.github/workflows/docker-publish.yml

@@ -0,0 +1,82 @@
+name: Publish images to Docker container registries
+
+env:
+    # https://github.com/docker/metadata-action?tab=readme-ov-file#environment-variables
+  DOCKER_METADATA_PR_HEAD_SHA: true
+
+on:
+  workflow_call:
+    inputs:
+      runsOn:
+        description: GitHub Actions Runner image
+        required: true
+        type: string
+      images:
+        description: Images built in build step
+        required: true
+        type: string
+      registry:
+        description: Docker container registry
+        required: true
+        type: string
+
+jobs:
+
+  release:
+    runs-on: ${{ inputs.runsOn }}
+    timeout-minutes: 30
+    strategy:
+      fail-fast: true
+      matrix:
+        target: [aiida-core-base, aiida-core-with-services, aiida-core-dev]
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Login to GitHub Container Registry 🔑
+      uses: docker/login-action@v3
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Login to DockerHub 🔑
+      uses: docker/login-action@v3
+      if: inputs.registry == 'docker.io'
+      with:
+        registry: docker.io
+        username: ${{ secrets.DOCKER_USERNAME }}
+        password: ${{ secrets.DOCKER_PASSWORD }}
+
+    - name: Read build variables
+      id: build_vars
+      run: |
+        vars=$(cat build.json | jq -c '[.variable | to_entries[] | {"key": .key, "value": .value.default}] | from_entries')
+        echo "vars=$vars" | tee -a "${GITHUB_OUTPUT}"
+
+    - name: Docker meta
+      id: meta
+      uses: docker/metadata-action@v5
+      env: ${{ fromJSON(steps.build_vars.outputs.vars) }}
+      with:
+                  # e.g. ghcr.io/aiidalab/full-stack
+        images: ${{ inputs.registry }}/${{ github.repository_owner }}/${{ matrix.target }}
+        tags: |
+          type=ref,event=pr
+          type=edge,enable={{is_default_branch}}
+          type=raw,value=aiida-${{ env.AIIDA_VERSION }},enable=${{ github.ref_type == 'tag'  && startsWith(github.ref_name, 'v') }}
+          type=raw,value=python-${{ env.PYTHON_VERSION }},enable=${{ github.ref_type == 'tag' && startsWith(github.ref_name, 'v') }}
+          type=raw,value=postgresql-${{ env.PGSQL_VERSION }},enable=${{ github.ref_type == 'tag' && startsWith(github.ref_name, 'v') }}
+          type=match,pattern=v(\d{4}\.\d{4}(-.+)?),group=1
+
+    - name: Determine source image
+      id: images
+      run: |
+        src=$(echo '${{ inputs.images }}'| jq -cr '.[("${{ matrix.target }}"|ascii_upcase|sub("-"; "_"; "g")) + "_IMAGE"]')
+        echo "src=$src" | tee -a "${GITHUB_OUTPUT}"
+
+    - name: Push image
+      uses: akhilerm/[email protected]
+      with:
+        src: ${{ steps.images.outputs.src }}
+        dst: ${{ steps.meta.outputs.tags }}