build: create Docker images automatically

1 files changed, 85 insertions, 18 deletions

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 916e124e..b8c61504 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -13,6 +13,8 @@ on:
 jobs:
   build:
     name: Build
+    permissions:
+      contents: read
     strategy:
       matrix:
         os:
@@ -32,10 +34,6 @@ jobs:
           if [ "${SONAR_TOKEN}" != '' ]; then
             echo 'is_SONAR_TOKEN_set=true' >> $GITHUB_OUTPUT
           fi
-      - name: Checkout code
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: ${{ !steps.check-secret.outputs.is_SONAR_TOKEN_set && 1 || 0 }}  # Shallow clones should be disabled for a better relevancy of SonarCloud analysis
       - name: Set up JDK 21
         uses: actions/setup-java@v4
         with:
@@ -56,6 +54,10 @@ jobs:
             ~/.sonar/cache
           key: ${{ matrix.os }}-sonar
           restore-keys: ${{ matrix.os }}-sonar
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: ${{ !steps.check-secret.outputs.is_SONAR_TOKEN_set && 1 || 0 }}  # Shallow clones should be disabled for a better relevancy of SonarCloud analysis
       - name: Cache node distribution
         uses: actions/cache@v4
         with:
@@ -81,7 +83,7 @@ jobs:
         run: |
           ./gradlew sonar -Pci --info --stacktrace --max-workers 4 --no-daemon
       - name: Build signed Maven repository
-        if: ${{ matrix.os == 'ubuntu-latest' && github.event_name == 'push' && github.repository == 'graphs4value/refinery' }}
+        if: ${{ matrix.os == 'ubuntu-latest' && github.event_name == 'push' && github.repository_owner == 'graphs4value' }}
         env:
           PGP_KEY: ${{ secrets.PGP_KEY }}
           PGP_KEY_ID: ${{ secrets.PGP_KEY_ID }}
@@ -89,7 +91,7 @@ jobs:
         run: |
           ./gradlew mavenRepositoryTar -Pci -PforceSign --info --stacktrace --max-workers 4 --no-daemon
       - name: Build unsigned Maven repository
-        if: ${{ matrix.os == 'ubuntu-latest' && (github.event_name != 'push' || github.repository != 'graphs4value/refinery') }}
+        if: ${{ matrix.os == 'ubuntu-latest' && (github.event_name != 'push' || github.repository_owner != 'graphs4value') }}
         run: |
           ./gradlew mavenRepositoryTar -Pci --info --stacktrace --max-workers 4 --no-daemon
       - name: Upload Maven repository artifact
@@ -99,6 +101,14 @@ jobs:
           name: maven-repository-tar
           path: build/refinery-maven-repository.tar
           compression-level: 0
+      - name: Upload application artifacts
+        if: ${{ matrix.os == 'ubuntu-latest' }}
+        uses: actions/upload-artifact@v4
+        with:
+          name: distributions-tar
+          path: subprojects/**/build/distributions/*.tar
+          compression-level: 0
+          retention-days: 5  # No need to preserve for long, since they are uploaded to GHCR
       - name: Upload site artifact
         if: ${{ matrix.os == 'ubuntu-latest' }}
         uses: actions/upload-artifact@v4
@@ -108,9 +118,12 @@ jobs:
           compression-level: 0
   reuse-check:
     name: REUSE Compliance Check
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout code
+        uses: actions/checkout@v4
       - name: REUSE Compliance Check
         uses: fsfe/reuse-action@a46482ca367aef4454a87620aa37c2be4b2f8106
         with:
@@ -140,25 +153,79 @@ jobs:
           git_config_global: true
           git_user_signingkey: true
           git_commit_gpgsign: true
-      - name: Commit and push to graphs4value.github.io
-        env:
-          GH_PAGES_TOKEN: ${{ secrets.GH_PAGES_TOKEN }}
-          GITHUB_REPOSITORY: ${{ github.sha }}
-          GITHUB_SHA: ${{ github.sha }}
+      - name: Create empty git repository
         run: |
           mkdir graphs4value.github.io
-          pushd graphs4value.github.io
+          cd graphs4value.github.io
           git config --global init.defaultBranch main
           git config --global user.name "Graphs4Value bot"
           git config --global user.email "refinery@refinery.tools"
           git init
-          git remote add origin "https://x-access-token:${GH_PAGES_TOKEN}@github.com/graphs4value/graphs4value.github.io.git"
+      - name: Extract site artifact
+        working-directory: ./graphs4value.github.io
+        run: |
           unzip ../site-zip/refinery-docs.zip
+      - name: Extract Maven repository artifact
+        working-directory: ./graphs4value.github.io
+        run: |
           mkdir -p maven/snapshots
-          pushd maven/snapshots
-          tar xf ../../../maven-repository-tar/refinery-maven-repository.tar
-          popd
+          cd maven/snapshots
+          tar -xvf ../../../maven-repository-tar/refinery-maven-repository.tar
+      - name: Commit and push to graphs4value.github.io
+        working-directory: ./graphs4value.github.io
+        env:
+          GH_PAGES_TOKEN: ${{ secrets.GH_PAGES_TOKEN }}
+          GITHUB_REPOSITORY: ${{ github.repository }}
+          GITHUB_SHA: ${{ github.sha }}
+        run: |
+          git remote add origin "https://x-access-token:${GH_PAGES_TOKEN}@github.com/graphs4value/graphs4value.github.io.git"
           git add .
           git commit -S -m "Update from https://github.com/${GITHUB_REPOSITORY}/commit/${GITHUB_SHA}"
           git push --force origin main
-          popd
+  docker-build:
+    name: Build Docker images
+    needs: build
+    permissions:
+      packages: write
+      contents: read
+    runs-on: ubuntu-latest
+    steps:
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3
+        with:
+          platforms: arm64
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb
+        with:
+          platforms: linux/amd64,linux/arm64
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Download application artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: distributions-tar
+          path: subprojects
+      - name: Extract application artifacts
+        working-directory: ./docker
+        run: |
+          ./prepare_context.sh
+      - name: Bake images
+        working-directory: ./docker
+        run: |
+          ./bake.sh false --set '*.cache-from=gha' --set '*.cache-to=type=gha,mode=max'
+      - name: Log in to GitHub Container registry
+        if: ${{ github.event_name == 'push' && github.ref_name == 'main' && github.repository == 'graphs4value/refinery' }}
+        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Upload images to GitHub Container registry
+        if: ${{ github.event_name == 'push' && github.ref_name == 'main' && github.repository == 'graphs4value/refinery' }}
+        working-directory: ./docker
+        run: |
+          ./bake.sh true --set '*.cache-from=gha' --set '*.cache-to=type=gha,mode=max'
+      - name: Delete application artifacts
+        uses: geekyeggo/delete-artifact@24928e75e6e6590170563b8ddae9fac674508aa1
+        with:
+          name: distributions-tar