build container images automatically

[NUZAT-TABASSUM]

This pull request adds a GitHub Actions workflow that automatically builds and publishes Tobira’s Docker images.

The workflow does the following:

• Builds Tobira’s Docker image for both linux/amd64 and linux/arm64

• Uses Node and Rust versions from util/scripts/build-container-image.sh

• Builds and pushes images to GitHub Container Registry (GHCR) under ghcr.io/elan-ev/tobira

• Automatically generates appropriate tags based on the Git event:

  • For pull requests, it only builds the image (no pushing).
  • For pushes to main, it builds and pushes development tags:
    edge → represents the latest code from main
    sha-<commit> → a unique tag for each commit,
  • For version tags (e.g., v3.9.0), it creates release images with multiple tags: v3.9.0, v3.9, v3, and latest

• Each architecture (amd64 and arm64) is built separately and then combined into a multi-architecture image, so users can simply pull ghcr.io/elan-ev/tobira:<tag> and Docker automatically selects the correct architecture.

[KatrinIhler]

This is related to opencast/opencast-docker#243 which is supposed to be a first step for opencast/opencast-docker#240.

@NUZAT-TABASSUM In your description, could you elaborate a bit more on what your workflow does?

[NUZAT-TABASSUM]

This is related to opencast/opencast-docker#243 which is supposed to be a first step for opencast/opencast-docker#240.

@NUZAT-TABASSUM In your description, could you elaborate a bit more on what your workflow does?

I’ve updated the PR description and added more details about what the workflow does.

[LukasKalbertodt]

Hi! Sorry for the delay responding to your PR.

I don't know a ton about Docker, certainly not about best practices. This is my first review of it, but which is mostly just questions to you, not necessarily change requests. It would be nice if you could explain the reasoning behind your changes for me to understand.

• Generally the script seems to be quite involved, covering many different cases. I would have expected something simpler first. Maybe all of this makes sense, it's just my intuition to start with something with fewer bells and whistles.
• Did you test all of this on your own fork? I.e. also test the upload part?
• Can you quickly explain why you decided for ghcr.io instead of say, quay.io, which is used in build-container-image.sh?

Also summoning @mtneug who knows a lot more about these things. I know you don't have a lot of time right now, but maybe you want to have a look here anyway.

[LukasKalbertodt]

What is this used for?

[mtneug]

This creates an environment for cross-platform builds.

[LukasKalbertodt]

So it is required for building the ARM build? Because Rust doesn't need QEMU to cross-compile to ARM. Not sure what Docker (or buildx or whatever) requires.

[NUZAT-TABASSUM]

Yes, rust cross-compiling doesn’t need QEMU, but the Docker build still needs it to run package installs/scripts during the arm64 stages.

[LukasKalbertodt]

Why build for ARM? 🤔 Tobira never released for ARM, was never tested for ARM and is very unlikely to be used on an ARM machine.

[mtneug]

Why not? I build Opencast container images for ARM. Tobira is probably even easier to build for this platform.

[LukasKalbertodt]

(a) bc it wastes compute and storage resources if no one uses it. And (b) we would have to at least clearly document somewhere that this is experimental/not officially supported or whatever. People should know that Tobira devs never compile nor test it. So I'd rather leave it out, until someone asks for it. Or am I missing something?

[mtneug]

Users on macOS are on arm. While you can run other architectures, Docker (and probably any other container engine) defaults to downloading arm images. I would always build them if not only for local testing.

[LukasKalbertodt]

I would run this workflow a lot less often, specifically: just for tags (i.e. releases). Is there any particular reason why you also build for PRs and build+upload for main pushes?

[mtneug]

Probably debatable if you want this, but container images for Opencast have {version}-dev images that build from the r/{version}.x release branch (and dev that builds from develop) to ease testing of upcoming versions. There are no images resulting from Opencast PRs.

[LukasKalbertodt]

Is using this action better than using build-container-image.sh? Would be nice to not duplicate the logic I guess? But maybe there are good reasons for not reusing the script?

[NUZAT-TABASSUM]

Yes, I can do that too.

[LukasKalbertodt]

What exactly is cached here? Is it actually worth it using a cache? In particular if we switch to only building releases.

[mtneug]

These are BuildKit caches. This could speed up builds if Docker can verify that a step in the Dockerfile does not need to be performed again. I don't think this will improve much if only releases are built. Also, I'm a bit afraid that some layers with external changes, e.g. OS package installs, are cached indefinitely.

[NUZAT-TABASSUM]

Those lines just turn on Docker BuildKit caching. It saves already-built Docker layers in GitHub Actions so the next build can reuse them and run faster.
This is mainly useful if we build often (PRs/main). If we switch to release-only builds, the cache probably won’t help much. I can remove it then.

[LukasKalbertodt]

I'm not quite sure what all of this does

[mtneug]

This is creating a multi-platform image, e.g. pulling ghcr.io/elan-ev/tobira:latest will automatically pull the arm64 or amd64 image based on the host (if not set otherwise during the pull). I never used the imagetools subcommands. That control is interesting, especially since I had some trouble with ghcr.io in the past when deleting some tags of multi-platform images.

@NUZAT-TABASSUM are you sure this works? Are the ${TAG}-amd64 and ${TAG}-arm64 variants created as tags?

[NUZAT-TABASSUM]

yes, its working

[mtneug]

Use dev instead of edge?

[NUZAT-TABASSUM]

Sure

[mtneug]

Do we want that? Git hashes as container tags?

[NUZAT-TABASSUM]

I added the sha mainly for traceability as it is easy to say use the image from this exact commit when debugging or testing. If you don’t want that, I can disable it.

[mtneug]

Is this working? Tobira tags don't follow semver.

[mtneug]

There is now v6. Please check all versions again for current releases.

[mtneug]

Is this the canonical place to look for the current versions? Maybe add a new file that contains this info for all scripts in the repository? Not sure what is best for Rust projects. The Opencast container build repo simply has VERSION_OPENCAST, VERSION_FFMPEG etc.

[LukasKalbertodt]

Good point. Yes I already noticed that stuff is kind of out of date. There is util/scripts/check-system.sh and build-container-images.sh. There are probably better ways to do it, honestly. Cargo.toml has a field to specify the minimum Rust version required, for example. Will look into it.

[NUZAT-TABASSUM]

Right now it's reading the Node/Rust versions from build-container-image.sh just because they already live there, but I agree that’s not a great way. Could I create versions.env fiile that hold both Node and Rust versions in one shared place for scripts? while Cargo.toml only covers Rust and not Node.

[mtneug]

Why set other tags than selected with docker/metadata-action?

[NUZAT-TABASSUM]

I use docker/metadata-action for the final tags people will pull (latest, edge, release tags, etc.).
The extra tags I set manually (…-amd64 / …-arm64) are just temporary helper tags so the manifest step can combine both architectures into one multi-arch tag.

[mtneug]

These are BuildKit caches. This could speed up builds if Docker can verify that a step in the Dockerfile does not need to be performed again. I don't think this will improve much if only releases are built. Also, I'm a bit afraid that some layers with external changes, e.g. OS package installs, are cached indefinitely.

[mtneug]

This is creating a multi-platform image, e.g. pulling ghcr.io/elan-ev/tobira:latest will automatically pull the arm64 or amd64 image based on the host (if not set otherwise during the pull). I never used the imagetools subcommands. That control is interesting, especially since I had some trouble with ghcr.io in the past when deleting some tags of multi-platform images.

@NUZAT-TABASSUM are you sure this works? Are the ${TAG}-amd64 and ${TAG}-arm64 variants created as tags?

[NUZAT-TABASSUM]

Hi! Sorry for the delay responding to your PR.

I don't know a ton about Docker, certainly not about best practices. This is my first review of it, but which is mostly just questions to you, not necessarily change requests. It would be nice if you could explain the reasoning behind your changes for me to understand.

* Generally the script seems to be quite involved, covering many different cases. I would have expected something simpler first. Maybe all of this makes sense, it's just my intuition to start with something with fewer bells and whistles.

* Did you test all of this on your own fork? I.e. also test the upload part?

* Can you quickly explain why you decided for ghcr.io instead of say, quay.io, which is used in `build-container-image.sh`?

Also summoning @mtneug who knows a lot more about these things. I know you don't have a lot of time right now, but maybe you want to have a look here anyway.

Hi Lukas — thanks a lot for the careful review.
I tried to cover the common “full workflow” in one go ((build, tag, push, and multi-arch).If you’d prefer I can start simpler (e.g. build/push only on release tags first).
Yes — I tested this on my fork on a main push, it pushed the images and created the multi-arch tags.
I used ghcr.io instead of quay.io as it was suggested from tobira group.

[NUZAT-TABASSUM]

Hi! I’ve updated the workflow based on the feedback. Could you please take another look and re-review when you have a time? Thanks!