feat(docker-build-images): add cache-type input

Signed-off-by: Emilien Escalle <emilien.escalle@escemi.com>

Author: neilime

.github/workflows/__test-workflow-docker-build-images.yml

@@ -24,19 +24,16 @@ jobs:
             exit 1
           fi
 
-  act:
+  act-build-arch:
     needs: arrange
     uses: ./.github/workflows/docker-build-images.yml
     secrets:
       oci-registry-password: ${{ secrets.GITHUB_TOKEN }}
-      build-secrets: |
-        SECRET_REPOSITORY_OWNER=${{ github.repository_owner }}
-        SECRET_REPOSITORY=${{ github.repository }}
       build-secret-github-app-key: ${{ secrets.CI_BOT_APP_PRIVATE_KEY }}
     with:
       # First image is multi arch
       # Second image is mono arch
-      # Third image tests build args, secrets
+      # Default caching
       images: |
         [
           {
@@ -55,31 +52,11 @@ jobs:
             "target": "prod",
             "platforms": ["linux/amd64"],
             "tag": "0.1.0"
-          },
-          {
-            "name": "test-build-args-secrets",
-            "context": ".",
-            "target": "test",
-            "dockerfile": "./tests/application/Dockerfile",
-            "platforms": ["linux/amd64"],
-            "build-args": {
-              "BUILD_RUN_ID": "${{ github.run_id }}",
-              "BUILD_REPOSITORY_OWNER": "${{ github.repository_owner }}",
-              "BUILD_REPOSITORY": "${{ github.repository }}"
-            },
-            "secret-envs": {
-              "SECRET_ENV_REPOSITORY_OWNER": "GITHUB_REPOSITORY_OWNER",
-              "SECRET_ENV_REPOSITORY": "GITHUB_REPOSITORY"
-            }
           }
         ]
-      build-secret-github-app-id: ${{ vars.CI_BOT_APP_ID }}
-      build-secret-github-app-token-env: |
-        SECRET_ENV_GITHUB_APP_TOKEN_1
-        SECRET_ENV_GITHUB_APP_TOKEN_2
 
-  assert:
-    needs: act
+  assert-build-arch:
+    needs: act-build-arch
     runs-on: "ubuntu-latest"
     steps:
       - name: Check built images ouput
@@ -88,7 +65,7 @@ jobs:
           script: |
             const assert = require("assert");
 
-            const builtImagesOutput = `${{ needs.act.outputs.built-images }}`;
+            const builtImagesOutput = `${{ needs.act-build-arch.outputs.built-images }}`;
             assert(builtImagesOutput.length, `"built-images" output is empty`);
 
             // Check if is valid Json
@@ -101,8 +78,7 @@ jobs:
 
             const expectedCreatedImages = [
               "test-multi-arch",
-              "test-mono-arch",
-              "test-build-args-secrets"
+              "test-mono-arch"
             ];
             assert(typeof builtImages === "object" && !Array.isArray(builtImages), `"built-images" output is not an object`);
             assert.equal(Object.keys(builtImages).length, expectedCreatedImages.length, `"built-images" output does not contain ${expectedCreatedImages.length} images`);
@@ -162,7 +138,7 @@ jobs:
           script: |
             const assert = require("assert");
 
-            const image = `${{ fromJson(needs.act.outputs.built-images).test-multi-arch.images[0] }}`;
+            const image = `${{ fromJson(needs.act-build-arch.outputs.built-images).test-multi-arch.images[0] }}`;
 
             await exec.exec('docker', ['pull', image]);
 
@@ -224,7 +200,7 @@ jobs:
           script: |
             const assert = require("assert");
 
-            const image = `${{ fromJson(needs.act.outputs.built-images).test-mono-arch.images[0] }}`;
+            const image = `${{ fromJson(needs.act-build-arch.outputs.built-images).test-mono-arch.images[0] }}`;
 
             await exec.exec('docker', ['pull', image]);
 
@@ -263,4 +239,120 @@ jobs:
               );
             });
 
+  act-build-args-secrets-and-registry-caching:
+    needs: arrange
+    uses: ./.github/workflows/docker-build-images.yml
+    secrets:
+      oci-registry-password: ${{ secrets.GITHUB_TOKEN }}
+      build-secrets: |
+        SECRET_REPOSITORY_OWNER=${{ github.repository_owner }}
+        SECRET_REPOSITORY=${{ github.repository }}
+      build-secret-github-app-key: ${{ secrets.CI_BOT_APP_PRIVATE_KEY }}
+    with:
+      cache-type: registry
+      images: |
+        [
+          {
+            "name": "test-build-args-secrets",
+            "context": ".",
+            "target": "test",
+            "dockerfile": "./tests/application/Dockerfile",
+            "platforms": ["linux/amd64","linux/arm64"],
+            "build-args": {
+              "BUILD_RUN_ID": "${{ github.run_id }}",
+              "BUILD_REPOSITORY_OWNER": "${{ github.repository_owner }}",
+              "BUILD_REPOSITORY": "${{ github.repository }}"
+            },
+            "secret-envs": {
+              "SECRET_ENV_REPOSITORY_OWNER": "GITHUB_REPOSITORY_OWNER",
+              "SECRET_ENV_REPOSITORY": "GITHUB_REPOSITORY"
+            }
+          }
+        ]
+      build-secret-github-app-id: ${{ vars.CI_BOT_APP_ID }}
+      build-secret-github-app-token-env: |
+        SECRET_ENV_GITHUB_APP_TOKEN_1
+        SECRET_ENV_GITHUB_APP_TOKEN_2
+
+  assert-build-args-secrets-and-registry-caching:
+    needs: act-build-args-secrets-and-registry-caching
+    runs-on: "ubuntu-latest"
+    steps:
+      - name: Check built images ouput
+        uses: actions/github-script@v7.0.1
+        with:
+          script: |
+            const assert = require("assert");
+
+            const builtImagesOutput = `${{ needs.act-build-args-secrets-and-registry-caching.outputs.built-images }}`;
+            assert(builtImagesOutput.length, `"built-images" output is empty`);
+
+            // Check if is valid Json
+            let builtImages = null;
+            try {
+              builtImages = JSON.parse(builtImagesOutput);
+            } catch (error) {
+              throw new Error(`"built-images" output is not a valid JSON: ${error}`);
+            }
+
+            const expectedCreatedImages = [
+              "test-build-args-secrets"
+            ];
+
+            assert(typeof builtImages === "object" && !Array.isArray(builtImages), `"built-images" output is not an object`);
+            assert.equal(Object.keys(builtImages).length, expectedCreatedImages.length, `"built-images" output does not contain ${expectedCreatedImages.length} images`);
+
+            for (const image of expectedCreatedImages) {
+              assert(builtImages[image], `"built-images" output does not contain "${image}" image`);
+            }
+      - uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ github.token }}
+
+      - name: Check docker image and cache
+        uses: actions/github-script@v7.0.1
+        with:
+          script: |
+            const assert = require("assert");
+
+            let expectedTag;
+
+            const isPullRequest = `${{ github.event_name }}` === "pull_request";
+            if (isPullRequest) {
+              const shortSha = `${{ github.sha }}`.substring(0, 7);
+              expectedTag = `pr-${{ github.event.pull_request.number }}-${shortSha}`;
+            } else {
+              expectedTag = `${{ github.ref_name }}`;
+            }
+
+            const expectedImage = `ghcr.io/hoverkraft-tech/ci-github-container/test-build-args-secrets`;
+            const expectedImageTag = `${expectedImage}:${expectedTag}`;
+
+            const image = `${{ fromJson(needs.act-build-args-secrets-and-registry-caching.outputs.built-images).test-build-args-secrets.images[0] }}`;
+
+            assert.equal(image, expectedImageTag, `"built-images" output is not valid. Expected "${expectedImage}", got "${image}"`);
+
+            await exec.exec('docker', ['pull', image]);
+
+            let expectedCacheTag;
+
+            if (isPullRequest) {
+              expectedCacheTag = `pr-${{ github.event.pull_request.number }}`;
+            } else {
+              expectedCacheTag = `${{ github.ref_name }}`;
+            }
+
+            const cacheImage = `${expectedImage}/cache:${expectedCacheTag}`;
+
+            const cacheImages = [
+              `${cacheImage}-linux-arm64`,
+              `${cacheImage}-linux-amd64`
+            ];
+
+            for (const cacheImage of cacheImages) {
+              await exec.exec('docker', ['manifest', 'inspect', cacheImage]);
+            }
+
 # jscpd:ignore-end

.github/workflows/docker-build-images.yml

@@ -108,6 +108,13 @@ on: # yamllint disable-line rule:truthy
         required: false
         type: string
         default: ${{ github.repository_owner }}
+      cache-type:
+        description: |
+          Cache type.
+          See <https://docs.docker.com/build/cache/backends>.
+        default: "gha"
+        type: string
+        required: false
     secrets:
       oci-registry-password:
         description: |
@@ -406,6 +413,7 @@ jobs:
           platform: ${{ matrix.image.platform }}
           secret-envs: ${{ steps.prepare-secret-envs.outputs.secret-envs }}
           secrets: ${{ secrets.build-secrets }}
+          cache-type: ${{ inputs.cache-type }}
 
       # FIXME: Set built images infos in file to be uploaded as artifacts, because github action does not handle job outputs for matrix
       # https://github.com/orgs/community/discussions/26639

actions/docker/build-image/action.yml

@@ -103,6 +103,12 @@ inputs:
       List of secret environment variables to expose to the build (e.g., key=envname, MY_SECRET=MY_ENV_VAR).
       See <https://docs.docker.com/build/ci/github-actions/secrets/>.
     required: false
+  cache-type:
+    description: |
+      Cache type.
+      See <https://docs.docker.com/build/cache/backends>.
+    default: "gha"
+    required: false
 
 runs:
   using: "composite"
@@ -141,6 +147,14 @@ runs:
 
         echo "cache-flavor=$CACHE_FLAVOR" >> "$GITHUB_OUTPUT"
 
+        # Define cache image
+        CACHE_TYPE="${{ inputs.cache-type }}"
+        if [ "$CACHE_TYPE" = "registry" ]; then
+          echo "cache-image=${{ steps.metadata.outputs.image }}/cache" >> "$GITHUB_OUTPUT"
+        else
+          echo "cache-image=${{ steps.metadata.outputs.image }}" >> "$GITHUB_OUTPUT"
+        fi
+
         # Check if docker exists
         if command -v docker &> /dev/null; then
           echo "docker-exists=true" >> "$GITHUB_OUTPUT"
@@ -188,10 +202,10 @@ runs:
     - id: cache
       uses: int128/docker-build-cache-config-action@v1.37.0
       with:
-        image: ${{ steps.metadata.outputs.image }}/cache
+        image: ${{ steps.get-docker-config.outputs.cache-image }}
         flavor: ${{ steps.get-docker-config.outputs.cache-flavor }}
         pull-request-cache: true
-        cache-type: gha
+        cache-type: ${{ inputs.cache-type }}
         extra-cache-to: "image-manifest=true,oci-mediatypes=true"
 
     - if: steps.get-docker-config.outputs.docker-exists != 'true'