refactor(deploy): replace Makefile with build-push-action

With the Makefile radically simplified by freelawproject#3260, the work that it does can easily be done by a `docker/build-push-action` step in the deployment workflow. Beyond than simplicity, the use of the action makes build caching available and will trim a decent amount of time from the build job. In this change, the method of referring to the image is changed: instead of a tag (e.g. `c29346b-prod`), the digest of the uploaded image is used. The digest is an unambiguous and immutable reference to an image, whereas a tag can change and cause surprises. For this reason, it's recommended for deployments (see https://cloud.google.com/kubernetes-engine/docs/concepts/about-container-images). Also in this change is the use of `docker/metadata-action`. It is configured to produce the same tags as before (`c29346b-prod`), but it is capable of doing much more. A future direction is to replace the `sha` tag with either a build date or build id (`$RUN_ID-$RUN_ATTEMPT`). For now we only introduce `labels`, which add the creation date and full sha SHA to the built image.
cweider · Oct 22, 2024 · 06538ba · 06538ba
1 parent 81acc7d
commit 06538ba
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 39 deletions.
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
@@ -11,16 +11,39 @@ env:
 jobs:
   build:
     runs-on: ubuntu-latest
+    outputs:
+      digest: ${{ steps.build_push.outputs.digest }}
     steps:
       - uses: actions/checkout@v4
+      - name: Set up docker Buildx
+        uses: docker/setup-buildx-action@v3
       - name: Login to Docker Hub
         uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Collect docker metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            freelawproject/courtlistener
+          flavor: |
+            latest=false
+          tags: |
+            type=sha,prefix=,suffix=-prod,format=short
       - name: Build and Push
-        run: |
-          make push-image --file docker/django/Makefile -e VERSION=$(git rev-parse --short HEAD)
+        id: build_push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: docker/django/Dockerfile
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
 
   deploy:
     needs: build
@@ -50,12 +73,12 @@ jobs:
       - name: Launch Temporary Pod
         id: tempPod
         run: |
-          kubectl run temp-pod-${{ steps.vars.outputs.sha_short }} -n ${{ env.EKS_NAMESPACE }} --image=freelawproject/courtlistener:${{ steps.vars.outputs.sha_short }}-prod --restart Never --pod-running-timeout=120s --overrides='
+          kubectl run temp-pod-${{ steps.vars.outputs.sha_short }} -n ${{ env.EKS_NAMESPACE }} --image=freelawproject/courtlistener@${{ needs.build.outputs.digest }} --restart Never --pod-running-timeout=120s --overrides='
           {
               "spec": {
               "containers": [{
                   "name": "temp-pod",
-                  "image": "freelawproject/courtlistener:${{ steps.vars.outputs.sha_short }}-prod",
+                  "image": "freelawproject/courtlistener@${{ needs.build.outputs.digest }}",
                   "command": ["/bin/sh", "-c", "trap : TERM INT; sleep 259200 & wait"],
                   "envFrom": [{
                   "secretRef": {
@@ -92,37 +115,37 @@ jobs:
 
       # Rollout new versions one by one (watch "deployments" in k9s)
       - name: Rollout cl-python
-        run: kubectl set image -n ${{ env.EKS_NAMESPACE }} deployment/cl-python web=freelawproject/courtlistener:${{ steps.vars.outputs.sha_short }}-prod
+        run: kubectl set image -n ${{ env.EKS_NAMESPACE }} deployment/cl-python web=freelawproject/courtlistener@${{ needs.build.outputs.digest }}
       - name: Watch cl-python rollout status
         run: kubectl rollout status -n ${{ env.EKS_NAMESPACE }} deployment/cl-python
 
       - name: Rollout cl-celery-prefork
-        run: kubectl set image -n ${{ env.EKS_NAMESPACE }} deployment/cl-celery-prefork cl-celery-prefork=freelawproject/courtlistener:${{ steps.vars.outputs.sha_short }}-prod
+        run: kubectl set image -n ${{ env.EKS_NAMESPACE }} deployment/cl-celery-prefork cl-celery-prefork=freelawproject/courtlistener@${{ needs.build.outputs.digest }}
       - name: Watch cl-celery-prefork rollout status
         run: kubectl rollout status -n ${{ env.EKS_NAMESPACE }} deployment/cl-celery-prefork
 
       - name: Rollout cl-celery-prefork-bulk
-        run: kubectl set image -n ${{ env.EKS_NAMESPACE }} deployment/cl-celery-prefork-bulk cl-celery-prefork-bulk=freelawproject/courtlistener:${{ steps.vars.outputs.sha_short }}-prod
+        run: kubectl set image -n ${{ env.EKS_NAMESPACE }} deployment/cl-celery-prefork-bulk cl-celery-prefork-bulk=freelawproject/courtlistener@${{ needs.build.outputs.digest }}
       - name: Watch cl-celery-prefork-bulk rollout status
         run: kubectl rollout status -n ${{ env.EKS_NAMESPACE }} deployment/cl-celery-prefork-bulk
 
       - name: Rollout cl-celery-prefork-es-sweep
-        run: kubectl set image -n ${{ env.EKS_NAMESPACE }} deployment/cl-celery-prefork-es-sweep cl-celery-prefork-es-sweep=freelawproject/courtlistener:${{ steps.vars.outputs.sha_short }}-prod
+        run: kubectl set image -n ${{ env.EKS_NAMESPACE }} deployment/cl-celery-prefork-es-sweep cl-celery-prefork-es-sweep=freelawproject/courtlistener@${{ needs.build.outputs.digest }}
       - name: Watch cl-celery-prefork-es-sweep rollout status
         run: kubectl rollout status -n ${{ env.EKS_NAMESPACE }} deployment/cl-celery-prefork-es-sweep
 
       - name: Rollout cl-scrape-rss
-        run: kubectl set image -n ${{ env.EKS_NAMESPACE }} deployment/cl-scrape-rss scrape-rss=freelawproject/courtlistener:${{ steps.vars.outputs.sha_short }}-prod
+        run: kubectl set image -n ${{ env.EKS_NAMESPACE }} deployment/cl-scrape-rss scrape-rss=freelawproject/courtlistener@${{ needs.build.outputs.digest }}
       - name: Watch cl-scrape-rss rollout status
         run: kubectl rollout status -n ${{ env.EKS_NAMESPACE }} deployment/cl-scrape-rss
 
       - name: Rollout cl-retry-webhooks
-        run: kubectl set image -n ${{ env.EKS_NAMESPACE }} deployment/cl-retry-webhooks retry-webhooks=freelawproject/courtlistener:${{ steps.vars.outputs.sha_short }}-prod
+        run: kubectl set image -n ${{ env.EKS_NAMESPACE }} deployment/cl-retry-webhooks retry-webhooks=freelawproject/courtlistener@${{ needs.build.outputs.digest }}
       - name: Watch cl-retry-webhooks rollout status
         run: kubectl rollout status -n ${{ env.EKS_NAMESPACE }} deployment/cl-retry-webhooks
 
       - name: Rollout cl-es-sweep-indexer
-        run: kubectl set image -n ${{ env.EKS_NAMESPACE }} deployment/cl-es-sweep-indexer sweep-indexer=freelawproject/courtlistener:${{ steps.vars.outputs.sha_short }}-prod
+        run: kubectl set image -n ${{ env.EKS_NAMESPACE }} deployment/cl-es-sweep-indexer sweep-indexer=freelawproject/courtlistener@${{ needs.build.outputs.digest }}
       - name: Watch cl-es-sweep-indexer rollout status
         run: kubectl rollout status -n ${{ env.EKS_NAMESPACE }} deployment/cl-es-sweep-indexer
 
@@ -132,5 +155,5 @@ jobs:
         run: |
           CRONJOB_NAMES=$(kubectl get cronjobs -n court-listener -o jsonpath='{.items.*.metadata.name}' -l image_type=web-prod);
           for name in $CRONJOB_NAMES; do
-             kubectl set image -n ${{ env.EKS_NAMESPACE }} CronJob/$name job=freelawproject/courtlistener:${{ steps.vars.outputs.sha_short }}-prod;
+             kubectl set image -n ${{ env.EKS_NAMESPACE }} CronJob/$name job=freelawproject/courtlistener@${{ needs.build.outputs.digest }};
           done;
diff --git a/docker/django/Makefile b/docker/django/Makefile