.github/workflows/build-ci-container.yml - llvm-project - Git at Google

 name: Build CI Container

 permissions:
   contents: read

 on:
   push:
     branches:
       - main
     paths:
       - .github/workflows/build-ci-container.yml
       - '.github/workflows/containers/github-action-ci/**'
   pull_request:
     paths:
       - .github/workflows/build-ci-container.yml
       - '.github/workflows/containers/github-action-ci/**'

 jobs:
   build-ci-container:
     if: github.repository_owner == 'llvm'
     runs-on: ${{ matrix.runs-on }}
     strategy:
       matrix:
         include:
           # The arch names should match the names used on dockerhub.
           # See https://github.com/docker-library/official-images#architectures-other-than-amd64
           - arch: amd64
             runs-on: depot-ubuntu-24.04-16
           - arch: arm64v8
             runs-on: depot-ubuntu-24.04-arm-16
     steps:
       - name: Checkout LLVM
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           sparse-checkout: .github/workflows/containers/github-action-ci/
       # podman is not installed by default on the ARM64 images.
       - name: Install Podman
         if: runner.arch == 'ARM64'
         run: |
           sudo apt-get install podman
       - name: Write Variables
         id: vars
         run: |
           tag=$(git rev-parse --short=12 HEAD)
           container_name="ghcr.io/$GITHUB_REPOSITORY_OWNER/${{ matrix.arch }}/ci-ubuntu-24.04"
           echo "container-name=$container_name" >> $GITHUB_OUTPUT
           echo "container-name-agent=$container_name-agent" >> $GITHUB_OUTPUT
           echo "container-name-tag=$container_name:$tag" >> $GITHUB_OUTPUT
           echo "container-name-agent-tag=$container_name-agent:$tag" >> $GITHUB_OUTPUT
           echo "container-filename=$(echo $container_name:$tag  | sed -e 's/\//-/g' -e 's/:/-/g').tar" >> $GITHUB_OUTPUT
           echo "container-agent-filename=$(echo $container_name-agent:$tag  | sed -e 's/\//-/g' -e 's/:/-/g').tar" >> $GITHUB_OUTPUT
       - name: Build container
         working-directory: ./.github/workflows/containers/github-action-ci/
         run: |
           podman build --target ci-container -t ${{ steps.vars.outputs.container-name-tag }} .
           podman build --target ci-container-agent -t ${{ steps.vars.outputs.container-name-agent-tag }} .

       # Save the container so we have it in case the push fails.  This also
       # allows us to separate the push step into a different job so we can
       # maintain minimal permissions while building the container.
       - name: Save container image
         run: |
           podman save ${{ steps.vars.outputs.container-name-tag }}  >  ${{ steps.vars.outputs.container-filename }}
           podman save ${{ steps.vars.outputs.container-name-agent-tag }} > ${{ steps.vars.outputs.container-agent-filename }}

       - name: Upload container image
         uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: container-${{ matrix.arch }}
           path: "*.tar"
           retention-days: 14

       - name: Test Container
         run: |
           for image in ${{ steps.vars.outputs.container-name-tag }}; do
             # Use --pull=never to ensure we are testing the just built image.
             podman run --pull=never --rm -it $image /usr/bin/bash -x -c 'cd $HOME && printf '\''#include <iostream>\nint main(int argc, char **argv) { std::cout << "Hello\\n"; }'\'' | clang++ -x c++ - && ./a.out | grep Hello'
           done

   push-ci-container:
     if: github.event_name == 'push'
     needs:
       - build-ci-container
     permissions:
       packages: write
     runs-on: ubuntu-24.04
     env:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
       - name: Download container
         uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8

       - name: Push Container
         run: |
           function push_container {
             image_name=$1
             latest_name=$(echo $image_name | sed 's/:[a-f0-9]\+$/:latest/g')
             podman tag $image_name $latest_name
             echo "Pushing $image_name ..."
             podman push $image_name
             echo "Pushing $latest_name ..."
             podman push $latest_name
           }

           podman login -u ${{ github.actor }} -p $GITHUB_TOKEN ghcr.io
           for f in $(find . -iname *.tar); do
             image_name=$(podman load -q -i $f | sed 's/Loaded image: //g')
             push_container $image_name

             if echo $image_name | grep '/amd64/'; then
               # For amd64, create an alias with the arch component removed.
               # This matches the convention used on dockerhub.
               default_image_name=$(echo $(dirname $(dirname $image_name))/$(basename $image_name))
               podman tag $image_name $default_image_name
               push_container $default_image_name
             fi
           done
	name: Build CI Container

	permissions:
	contents: read

	on:
	push:
	branches:
	- main
	paths:
	- .github/workflows/build-ci-container.yml
	- '.github/workflows/containers/github-action-ci/**'
	pull_request:
	paths:
	- .github/workflows/build-ci-container.yml
	- '.github/workflows/containers/github-action-ci/**'

	jobs:
	build-ci-container:
	if: github.repository_owner == 'llvm'
	runs-on: ${{ matrix.runs-on }}
	strategy:
	matrix:
	include:
	# The arch names should match the names used on dockerhub.
	# See https://github.com/docker-library/official-images#architectures-other-than-amd64
	- arch: amd64
	runs-on: depot-ubuntu-24.04-16
	- arch: arm64v8
	runs-on: depot-ubuntu-24.04-arm-16
	steps:
	- name: Checkout LLVM
	uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
	with:
	sparse-checkout: .github/workflows/containers/github-action-ci/
	# podman is not installed by default on the ARM64 images.
	- name: Install Podman
	if: runner.arch == 'ARM64'
	run: \|
	sudo apt-get install podman
	- name: Write Variables
	id: vars
	run: \|
	tag=$(git rev-parse --short=12 HEAD)
	container_name="ghcr.io/$GITHUB_REPOSITORY_OWNER/${{ matrix.arch }}/ci-ubuntu-24.04"
	echo "container-name=$container_name" >> $GITHUB_OUTPUT
	echo "container-name-agent=$container_name-agent" >> $GITHUB_OUTPUT
	echo "container-name-tag=$container_name:$tag" >> $GITHUB_OUTPUT
	echo "container-name-agent-tag=$container_name-agent:$tag" >> $GITHUB_OUTPUT
	echo "container-filename=$(echo $container_name:$tag \| sed -e 's/\//-/g' -e 's/:/-/g').tar" >> $GITHUB_OUTPUT
	echo "container-agent-filename=$(echo $container_name-agent:$tag \| sed -e 's/\//-/g' -e 's/:/-/g').tar" >> $GITHUB_OUTPUT
	- name: Build container
	working-directory: ./.github/workflows/containers/github-action-ci/
	run: \|
	podman build --target ci-container -t ${{ steps.vars.outputs.container-name-tag }} .
	podman build --target ci-container-agent -t ${{ steps.vars.outputs.container-name-agent-tag }} .

	# Save the container so we have it in case the push fails. This also
	# allows us to separate the push step into a different job so we can
	# maintain minimal permissions while building the container.
	- name: Save container image
	run: \|
	podman save ${{ steps.vars.outputs.container-name-tag }} > ${{ steps.vars.outputs.container-filename }}
	podman save ${{ steps.vars.outputs.container-name-agent-tag }} > ${{ steps.vars.outputs.container-agent-filename }}

	- name: Upload container image
	uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
	with:
	name: container-${{ matrix.arch }}
	path: "*.tar"
	retention-days: 14

	- name: Test Container
	run: \|
	for image in ${{ steps.vars.outputs.container-name-tag }}; do
	# Use --pull=never to ensure we are testing the just built image.
	podman run --pull=never --rm -it $image /usr/bin/bash -x -c 'cd $HOME && printf '\''#include <iostream>\nint main(int argc, char **argv) { std::cout << "Hello\\n"; }'\'' \| clang++ -x c++ - && ./a.out \| grep Hello'
	done

	push-ci-container:
	if: github.event_name == 'push'
	needs:
	- build-ci-container
	permissions:
	packages: write
	runs-on: ubuntu-24.04
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	steps:
	- name: Download container
	uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8

	- name: Push Container
	run: \|
	function push_container {
	image_name=$1
	latest_name=$(echo $image_name \| sed 's/:[a-f0-9]\+$/:latest/g')
	podman tag $image_name $latest_name
	echo "Pushing $image_name ..."
	podman push $image_name
	echo "Pushing $latest_name ..."
	podman push $latest_name
	}

	podman login -u ${{ github.actor }} -p $GITHUB_TOKEN ghcr.io
	for f in $(find . -iname *.tar); do
	image_name=$(podman load -q -i $f \| sed 's/Loaded image: //g')
	push_container $image_name

	if echo $image_name \| grep '/amd64/'; then
	# For amd64, create an alias with the arch component removed.
	# This matches the convention used on dockerhub.
	default_image_name=$(echo $(dirname $(dirname $image_name))/$(basename $image_name))
	podman tag $image_name $default_image_name
	push_container $default_image_name
	fi
	done