diff --git a/.dockerignore b/.dockerignore
index 3aeaa04e7..858192e05 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,5 +1,6 @@
-# Version control
-.git/
+# Version control — exclude credential files that actions/checkout writes
+# but keep the rest of .git so git describe / git rev-parse work correctly.
+.git/config
 .gitignore
 # Sensitive / secret files
diff --git a/.github/workflows/build-aggkit-image.yml b/.github/workflows/build-aggkit-image.yml
index cd09d1c3e..6de00ee46 100644
--- a/.github/workflows/build-aggkit-image.yml
+++ b/.github/workflows/build-aggkit-image.yml
@@ -30,8 +30,19 @@ jobs:
 - name: Build Aggkit Docker Image
 run: make build-docker
+ - name: Verify version in image
+ env:
+ IMAGE_NAME: ${{ inputs.docker-image-name }}
+ run: |
+ out=$(docker run --rm "${IMAGE_NAME}:local" version) || { echo "ERROR: docker run failed"; exit 1; }
+ ver=$(echo "$out" | awk '/^Version:/{print $2}')
+ [ -n "$ver" ] || { echo "ERROR: Docker image has no version embedded"; exit 1; }
+ echo "Version check passed: $ver"
+
 - name: Save Aggkit Image to Archive
- run: docker save --output /tmp/${{ inputs.docker-image-name }}.tar ${{ inputs.docker-image-name }}
+ env:
+ IMAGE_NAME: ${{ inputs.docker-image-name }}
+ run: docker save --output "/tmp/${IMAGE_NAME}.tar" "${IMAGE_NAME}"
 - name: Upload Aggkit Archive
 uses: actions/upload-artifact@v4
diff --git a/.github/workflows/build-push-docker-image.yml b/.github/workflows/build-push-docker-image.yml
index 928785adc..2a38b9bc7 100644
--- a/.github/workflows/build-push-docker-image.yml
+++ b/.github/workflows/build-push-docker-image.yml
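Review bot: Narrowing the exclusion from `.git/` to `.git/config` sends the rest of the repository metadata into the Docker build context (objects, refs, hooks, and any `.git/modules/*/config` written for submodules); only the top-level config file stays out. Whether that content ends up in an image layer depends on the Dockerfile's COPY instructions, which this hunk does not show, so it is worth confirming that only the builder stage sees `.git` and that the final stage copies the binary alone. The comment names actions/checkout as the source of the credential; setting `persist-credentials: false` on the checkout step would keep the token out of the working tree altogether instead of relying on this one path staying excluded. I would also make the comment say what is now included, e.g. `# .git/config may hold the checkout token; everything else under .git is sent to the build context`.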
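Review bot: In the new Verify step of build-aggkit-image.yml, `docker run --rm "${IMAGE_NAME}:local" version` falls back to pulling from a registry when no local image has that name. If the `docker-image-name` input ever differs from the tag `make build-docker` produces (`aggkit:local` in the Makefile), the step would run whatever the registry returns instead of failing. Adding `--pull=never` limits the check to the image just built: `out=$(docker run --rm --pull=never "${IMAGE_NAME}:local" version) || { echo "ERROR: docker run failed"; exit 1; }`. Separately, the Save step archives `"${IMAGE_NAME}"` with no tag while the check runs `:local`; a one-line comment stating that both refer to the same locally built image would help the next reader.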
@@ -92,6 +92,13 @@ jobs:
 INCLUDE_SHELL=${{ matrix.variant.include_shell }}
 outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true
+ - name: Verify version in image
+ run: |
+ out=$(docker run --rm "${{ env.REGISTRY_IMAGE }}@${{ steps.build.outputs.digest }}" version) || { echo "ERROR: docker run failed"; exit 1; }
+ ver=$(echo "$out" | awk '/^Version:/{print $2}')
+ [ -n "$ver" ] || { echo "ERROR: Docker image has no version embedded"; exit 1; }
+ echo "Version check passed: $ver"
+
 - name: Export digest
 run: |
 mkdir -p /tmp/digests
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index f92621134..a7366bc18 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -117,6 +117,15 @@ jobs:
 INCLUDE_SHELL=${{ matrix.variant.include_shell }}
 outputs: type=image,name=${{ (matrix.variant.suffix == '') && steps.image_builder_prod.outputs.IMAGE || steps.image_builder_dev.outputs.IMAGE }},push-by-digest=true,push=true
+ - name: Verify version in image
+ run: |
+ IMAGE_NAME="${{ (matrix.variant.suffix == '') && steps.image_builder_prod.outputs.IMAGE || steps.image_builder_dev.outputs.IMAGE }}"
+ DIGEST="${{ steps.build.outputs.digest }}"
+ out=$(docker run --rm "${IMAGE_NAME}@${DIGEST}" version) || { echo "ERROR: docker run failed"; exit 1; }
+ ver=$(echo "$out" | awk '/^Version:/{print $2}')
+ [ -n "$ver" ] || { echo "ERROR: Docker image has no version embedded"; exit 1; }
+ echo "Version check passed: $ver"
+
 - name: Export digest
 run: |
 mkdir -p /tmp/digests
diff --git a/Dockerfile b/Dockerfile
index a09c7cc03..56e6ae4d7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -8,11 +8,6 @@ RUN apk add --no-cache gcc musl-dev make sqlite-dev git
 WORKDIR /app
-# Version build arguments (injected from host git metadata)
-ARG VERSION
-ARG GITREV
-ARG GITBRANCH
-
 # Download Go dependencies
 COPY go.mod go.sum ./
 RUN go mod download
diff --git a/Makefile b/Makefile
index 4653a7bab..b6e0a796b 100644
--- a/Makefile
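Review bot: The Verify step in build-push-docker-image.yml interpolates `${{ env.REGISTRY_IMAGE }}` and `${{ steps.build.outputs.digest }}` directly into the `run:` script, whereas the same step in build-aggkit-image.yml passes its value through `env:`. The release.yml hunk has the same pattern with `IMAGE_NAME="${{ ... }}"` and `DIGEST="${{ ... }}"`. These values look workflow-controlled rather than user-supplied, so this is a consistency and hardening point: expression expansion happens before the shell parses the script, and an `env:` mapping keeps the expanded value out of the script text. I would add `DIGEST: ${{ steps.build.outputs.digest }}` under `env:` and reference `"${REGISTRY_IMAGE}@${DIGEST}"` in the script, assuming `REGISTRY_IMAGE` is already exported to the step as its `env.` prefix suggests.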
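Review bot: The release.yml check passes for any non-empty `Version:` field, and version.mk derives that value from `git describe --tags --always`, so a checkout without tags would embed a bare commit hash and still pass. For a release job it would be stronger to compare against the ref being released, for example `[ "$ver" = "$EXPECTED_VERSION" ]` with `EXPECTED_VERSION: ${{ github.ref_name }}` supplied through `env:`. That assumes the workflow runs on tag pushes, which the hunk does not show. The build step above it also sets `push=true`, so the image is already in the registry by digest when the check runs; a failure here stops later steps but does not remove what was pushed.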
+++ b/Makefile 
@@ -87,40 +87,15 @@ $(GOBIN)/remove_ger: ## Build remove_ger tool
 .PHONY: build-docker
 build-docker: ## Builds a docker image with the aggkit binary
- docker build \
- --build-arg VERSION="$(VERSION)" \
- --build-arg GITREV="$(GITREV)" \
- --build-arg GITBRANCH="$(GITBRANCH)" \
- -t aggkit:local -f ./Dockerfile .
- @out=$$(docker run --rm aggkit:local version) || { echo "ERROR: docker run failed"; exit 1; }; \
- ver=$$(echo "$$out" | awk '/^Version:/{print $$2}'); \
- [ -n "$$ver" ] || { echo "ERROR: Docker image has no version embedded"; exit 1; }; \
- echo "Version check passed: $$ver"
+ docker build -t aggkit:local -f ./Dockerfile .
 .PHONY: build-docker-ci
 build-docker-ci: ## Builds a docker image with the aggkit binary for CI (includes shell)
- docker build \
- --build-arg INCLUDE_SHELL=true \
- --build-arg VERSION="$(VERSION)" \
- --build-arg GITREV="$(GITREV)" \
- --build-arg GITBRANCH="$(GITBRANCH)" \
- -t aggkit:local -f ./Dockerfile .
- @out=$$(docker run --rm aggkit:local version) || { echo "ERROR: docker run failed"; exit 1; }; \
- ver=$$(echo "$$out" | awk '/^Version:/{print $$2}'); \
- [ -n "$$ver" ] || { echo "ERROR: Docker image has no version embedded"; exit 1; }; \
- echo "Version check passed: $$ver"
+ docker build --build-arg INCLUDE_SHELL=true -t aggkit:local -f ./Dockerfile .
 .PHONY: build-docker-nc
 build-docker-nc: ## Builds a docker image with the aggkit binary - but without build cache
- docker build --no-cache=true \
- --build-arg VERSION="$(VERSION)" \
- --build-arg GITREV="$(GITREV)" \
- --build-arg GITBRANCH="$(GITBRANCH)" \
- -t aggkit:local -f ./Dockerfile .
- @out=$$(docker run --rm aggkit:local version) || { echo "ERROR: docker run failed"; exit 1; }; \
- ver=$$(echo "$$out" | awk '/^Version:/{print $$2}'); \
- [ -n "$$ver" ] || { echo "ERROR: Docker image has no version embedded"; exit 1; }; \
- echo "Version check passed: $$ver"
+ docker build --no-cache=true -t aggkit:local -f ./Dockerfile .
 .PHONY: build-docker-debug
 build-docker-debug: ## Builds a debug docker image (dlv headless on :40000, no optimizations)
diff --git a/version.mk b/version.mk
index 4067da7fe..73db3b019 100644
--- a/version.mk
+++ b/version.mk
@@ -1,4 +1,4 @@
-VERSION ?= $(shell git describe --tags --always)
-GITREV ?= $(shell git rev-parse --short HEAD)
-GITBRANCH ?= $(shell git rev-parse --abbrev-ref HEAD)
+VERSION := $(shell git describe --tags --always)
+GITREV := $(shell git rev-parse --short HEAD)
+GITBRANCH := $(shell git rev-parse --abbrev-ref HEAD)
 DATE := $(shell LANG=US date +"%a, %d %b %Y %X %z")
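Review bot: With the inline check removed from the Makefile, `build-docker`, `build-docker-ci` and `build-docker-nc` no longer fail when the image has no version embedded. That verification now lives only in the workflows, and of these targets only `make build-docker` is visibly followed by it. A local or out-of-CI build from a tree without usable git metadata would therefore produce `aggkit:local` without any error. If that is intended, a comment above the targets such as `# Version is read from .git during the image build; CI workflows verify it after the build` would record the dependency on `.git` being in the build context. The hunk ends at the `build-docker-debug` header, whose recipe is outside it.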
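Review bot: Switching version.mk from `?=` to `:=` changes override behaviour as well as evaluating each `$(shell ...)` once. Values of `VERSION`, `GITREV` or `GITBRANCH` exported in the environment are now replaced by the git output, and only a command-line assignment (`make VERSION=...`) or `make -e` still overrides them. That is a reasonable tightening for build provenance, but anything that previously set these through the environment will silently stop having an effect. A comment such as `# Always derived from git; override only with make VERSION=... on the command line` would make this explicit. Also, a failing `git describe` leaves `VERSION` empty without stopping make at parse time.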