Re: [PATCH 5/9] ci: Add github workflow for building and deploying test-container

["'Jan Kiszka' via isar-users" <isar-users@googlegroups.com>]

On 22.05.26 12:19, Zhihang Wei wrote:
> 
> On 3/23/26 09:30, 'Jan Kiszka' via isar-users wrote:
>> From: Jan Kiszka <jan.kiszka@siemens.com>
>>
>> Trigger a container build if the registery does not yet contain the
>> version of the test-container described by testsuite/dockerdata/version.
>>
>> This obsoletes the need for manual build and deployment. Drop the
>> related README.md.
>>
>> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
>> ---
>>   .github/workflows/main.yml     | 72 ++++++++++++++++++++++++++++++++++
>>   testsuite/dockerdata/README.md | 22 -----------
>>   2 files changed, 72 insertions(+), 22 deletions(-)
>>   create mode 100644 .github/workflows/main.yml
>>   delete mode 100644 testsuite/dockerdata/README.md
>>
>> diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
>> new file mode 100644
>> index 00000000..e9dd039e
>> --- /dev/null
>> +++ b/.github/workflows/main.yml
>> @@ -0,0 +1,72 @@
>> +# Copyright (c) Siemens AG, 2026
>> +# SPDX-License-Identifier: MIT
>> +
>> +name: CI
>> +
>> +on: [push]
>> +
>> +env:
>> +  CONTAINER_BASENAME: ${{ vars.CONTAINER_BASENAME || 'ghcr.io/ilbers/
>> isar' }}
>> +
>> +jobs:
>> +  container:
>> +    name: Refresh test-container
>> +    runs-on: ubuntu-latest
>> +    permissions:
>> +      id-token: write
>> +      packages: write
>> +      contents: read
>> +      attestations: write
>> +      artifact-metadata: write
>> +    if: github.ref == 'refs/heads/next'
>> +    steps:
>> +      - name: Check out repo
>> +        uses: actions/
>> checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
>> +
>> +      - name: Check for pre-existing container version
>> +        run: |
>> +          TEST_CONTAINER_VERSION=$(cat testsuite/dockerdata/version)
>> +          echo "TEST_CONTAINER_VERSION=$TEST_CONTAINER_VERSION" >>
>> $GITHUB_ENV
> 
> Hi,
> 
> To trigger a new build of this test-container image, we need to increase
> the
> number in testsuite/dockerdata/version, right?

Yes, this was the idea.

> 
>> +          if ! docker manifest inspect ${CONTAINER_BASENAME}/test-
>> container:$TEST_CONTAINER_VERSION >/dev/null 2>&1; then
>> +              eval $(grep "^KAS_CONTAINER_SCRIPT_VERSION=" kas/kas-
>> container)
>> +              echo "KAS_VERSION=$KAS_CONTAINER_SCRIPT_VERSION" >>
>> $GITHUB_ENV
> 
> How about tagging the test-container image with the same version number as
> $KAS_CONTAINER_SCRIPT_VERSION? The current docker-isar image already
> does this.
> 

As we are not simply forwarding that underlying container, that would
prevent signalling "we have updates on top", e.g. an avocado version bump.

Jan

> Other than this, we have tested p1-p8 and LGTM.
> 
> Zhihang
> 
>> +              echo "BUILD_CONTAINER=true" >> $GITHUB_ENV
>> +          fi
>> +
>> +      - name: Set up QEMU
>> +        uses: docker/setup-qemu-
>> action@ce360397dd3f832beb865e1373c09c0e9f86d70a  # v4.0.0
>> +        with:
>> +          platforms: linux/amd64,linux/arm64
>> +        if: ${{ env.BUILD_CONTAINER }}
>> +      - name: Set up Docker Buildx
>> +        uses: docker/setup-buildx-
>> action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd  # v4.0.0
>> +        if: ${{ env.BUILD_CONTAINER }}
>> +      - name: Login to ghcr.io
>> +        uses: docker/login-
>> action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2  # v4.0.0
>> +        with:
>> +          registry: ghcr.io
>> +          username: ${{ github.actor }}
>> +          password: ${{ secrets.GITHUB_TOKEN }}
>> +        if: ${{ env.BUILD_CONTAINER }}
>> +
>> +      - name: Build and deploy container
>> +        uses: docker/build-push-
>> action@d08e5c354a6adb9ed34480a06d141179aa583294  #v7.0.0
>> +        id: push
>> +        with:
>> +          platforms: linux/amd64,linux/arm64
>> +          file: testsuite/dockerdata/Dockerfile
>> +          build-args: KAS_VERSION=${{ env.KAS_VERSION }}
>> +          provenance: false
>> +          outputs: type=registry
>> +          tags: |
>> +            ${{ env.CONTAINER_BASENAME }}/test-container:latest
>> +            ${{ env.CONTAINER_BASENAME }}/test-container:
>> ${{ env.TEST_CONTAINER_VERSION }}
>> +          annotations: ${{ env.DOCKER_METADATA_OUTPUT_ANNOTATIONS }}
>> +        if: ${{ env.BUILD_CONTAINER }}
>> +      - name: Attest container image
>> +        uses: actions/
>> attest@59d89421af93a897026c735860bf21b6eb4f7b26  # v4.1.0
>> +        with:
>> +          subject-name: ${{ env.CONTAINER_BASENAME }}/test-container
>> +          subject-digest: ${{ steps.push.outputs.digest }}
>> +          push-to-registry: true
>> +        if: ${{ env.BUILD_CONTAINER }}
>> diff --git a/testsuite/dockerdata/README.md b/testsuite/dockerdata/
>> README.md
>> deleted file mode 100644
>> index 54a78187..00000000
>> --- a/testsuite/dockerdata/README.md
>> +++ /dev/null
>> @@ -1,22 +0,0 @@
>> -# Creating image
>> -
>> -- Make sure `testsuite/dockerdata/version` is bumped for new images,
>> also
>> -  after updating `kas/kas-container`.
>> -
>> -- Run:
>> -
>> -```
>> -testsuite/dockerdata/build.sh
>> -```
>> -
>> -# Pushing the image to docker hub
>> -
>> -- Configure github token (classic) with `write:packages` permissions.
>> -
>> -- Use it for uploading docker image:
>> -
>> -```
>> -docker push ghcr.io/ilbers/isar/test-container:$(cat testsuite/
>> dockerdata/version)
>> -```
>> -
>> -- Make the uploaded package public
> 

-- 
Siemens AG, Foundational Technologies
Linux Expert Center

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/66a2f439-6172-42ba-a96f-c0cf2a576830%40siemens.com.