From b3763f1290f8fe2912b9230088f1db662167b704 Mon Sep 17 00:00:00 2001 From: Nathan Flurry Date: Tue, 14 Apr 2026 15:02:46 -0700 Subject: [PATCH] fix(publish): use published engine base tag --- .github/workflows/publish.yaml | 40 +----------- docker/build/darwin-arm64.Dockerfile | 3 +- docker/build/darwin-x64.Dockerfile | 3 +- docker/build/linux-arm64-gnu.Dockerfile | 3 +- docker/build/linux-arm64-musl.Dockerfile | 3 +- docker/build/linux-x64-gnu.Dockerfile | 4 +- docker/build/linux-x64-musl.Dockerfile | 3 +- docker/build/windows-x64.Dockerfile | 3 +- docker/engine/Dockerfile | 8 +-- scripts/docker-builder-base/build-push.sh | 74 ++++++++++++++++++++++- 10 files changed, 82 insertions(+), 62 deletions(-) diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index 121baffcdc..1d215fb42e 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -37,9 +37,6 @@ on: default: true env: - # Base image tag pinned here. Update after rebuilding base images with - # scripts/docker-builder-base/build-push.sh all --push. - BASE_TAG: 0e33ceb98 # Depot project ID (rivet-dev/rivet-engine). DEPOT_PROJECT_ID: 1rcpv5rn8n @@ -216,7 +213,6 @@ jobs: depot build \ --project ${{ env.DEPOT_PROJECT_ID }} \ --secret id=DEPOT_TOKEN,env=DEPOT_TOKEN \ - --build-arg BASE_TAG=${{ env.BASE_TAG }} \ --build-arg BUILD_TARGET=${{ matrix.build_target }} \ --build-arg BUILD_MODE=${{ steps.mode.outputs.build_mode }} \ --build-arg BUILD_FRONTEND=false \ @@ -236,43 +232,11 @@ jobs: path: artifacts/${{ matrix.artifact }} if-no-files-found: error - # --------------------------------------------------------------------------- - # engine-base-images — publish engine-specific GHCR bases for this commit SHA - # --------------------------------------------------------------------------- - engine-base-images: - needs: [context] - name: "Engine Base ${{ matrix.base }}" - if: needs.context.outputs.is_fork != 'true' - strategy: - fail-fast: false - matrix: - include: - - base: engine-builder - - base: engine-runtime-full - - base: engine-runtime-slim - runs-on: ubuntu-24.04 - permissions: - contents: read - packages: write - steps: - - uses: actions/checkout@v4 - - uses: docker/setup-buildx-action@v3 - - name: Log in to ghcr.io - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - name: Build & Push Engine Base - run: | - TAG_OVERRIDE=${{ needs.context.outputs.sha }} \ - ./scripts/docker-builder-base/build-push.sh ${{ matrix.base }} --push - # --------------------------------------------------------------------------- # docker-images — per-arch runtime images pushed to Docker Hub # --------------------------------------------------------------------------- docker-images: - needs: [context, engine-base-images] + needs: [context] name: "Docker ${{ matrix.arch_suffix }}" if: needs.context.outputs.is_fork != 'true' strategy: @@ -315,7 +279,6 @@ jobs: target: engine-full platforms: ${{ matrix.platform }} build-args: | - ENGINE_BASE_TAG=${{ needs.context.outputs.sha }} BUILD_FRONTEND=${{ steps.mode.outputs.build_frontend }} CARGO_BUILD_MODE=${{ steps.mode.outputs.cargo_build_mode }} - name: Build & Push (rivetdev/engine:slim) @@ -328,7 +291,6 @@ jobs: target: engine-slim platforms: ${{ matrix.platform }} build-args: | - ENGINE_BASE_TAG=${{ needs.context.outputs.sha }} BUILD_FRONTEND=${{ steps.mode.outputs.build_frontend }} CARGO_BUILD_MODE=${{ steps.mode.outputs.cargo_build_mode }} diff --git a/docker/build/darwin-arm64.Dockerfile b/docker/build/darwin-arm64.Dockerfile index 25d9c4ebff..60642a3fcc 100644 --- a/docker/build/darwin-arm64.Dockerfile +++ b/docker/build/darwin-arm64.Dockerfile @@ -3,8 +3,7 @@ # See linux-x64-gnu.Dockerfile for build arg documentation. # # Base image: docker/builder-base/osxcross.Dockerfile -ARG BASE_TAG=latest -FROM ghcr.io/rivet-dev/rivet/builder-base-osxcross:${BASE_TAG} +FROM ghcr.io/rivet-dev/rivet/builder-base-osxcross:0e33ceb98 ARG BUILD_TARGET=engine ARG BUILD_MODE=release diff --git a/docker/build/darwin-x64.Dockerfile b/docker/build/darwin-x64.Dockerfile index f2c2482813..30c8e38dbb 100644 --- a/docker/build/darwin-x64.Dockerfile +++ b/docker/build/darwin-x64.Dockerfile @@ -3,8 +3,7 @@ # See linux-x64-gnu.Dockerfile for build arg documentation. # # Base image: docker/builder-base/osxcross.Dockerfile -ARG BASE_TAG=latest -FROM ghcr.io/rivet-dev/rivet/builder-base-osxcross:${BASE_TAG} +FROM ghcr.io/rivet-dev/rivet/builder-base-osxcross:0e33ceb98 ARG BUILD_TARGET=engine ARG BUILD_MODE=release diff --git a/docker/build/linux-arm64-gnu.Dockerfile b/docker/build/linux-arm64-gnu.Dockerfile index b3347853f8..6129f746a3 100644 --- a/docker/build/linux-arm64-gnu.Dockerfile +++ b/docker/build/linux-arm64-gnu.Dockerfile @@ -3,8 +3,7 @@ # See linux-x64-gnu.Dockerfile for build arg documentation. # # Base image: docker/builder-base/linux-gnu.Dockerfile -ARG BASE_TAG=latest -FROM ghcr.io/rivet-dev/rivet/builder-base-linux-gnu:${BASE_TAG} +FROM ghcr.io/rivet-dev/rivet/builder-base-linux-gnu:0e33ceb98 ARG BUILD_TARGET=engine ARG BUILD_MODE=release diff --git a/docker/build/linux-arm64-musl.Dockerfile b/docker/build/linux-arm64-musl.Dockerfile index 6c959d44ee..24161f30c5 100644 --- a/docker/build/linux-arm64-musl.Dockerfile +++ b/docker/build/linux-arm64-musl.Dockerfile @@ -3,8 +3,7 @@ # See linux-x64-gnu.Dockerfile for build arg documentation. # # Base image: docker/builder-base/linux-musl.Dockerfile -ARG BASE_TAG=latest -FROM ghcr.io/rivet-dev/rivet/builder-base-linux-musl:${BASE_TAG} +FROM ghcr.io/rivet-dev/rivet/builder-base-linux-musl:0e33ceb98 ARG BUILD_TARGET=engine ARG BUILD_MODE=release diff --git a/docker/build/linux-x64-gnu.Dockerfile b/docker/build/linux-x64-gnu.Dockerfile index 3d4eb9ffa3..7d9f9a20c9 100644 --- a/docker/build/linux-x64-gnu.Dockerfile +++ b/docker/build/linux-x64-gnu.Dockerfile @@ -3,15 +3,13 @@ # Builds either rivet-engine or rivetkit-native based on BUILD_TARGET. # # Build args: -# BASE_TAG - base image tag (set by build-push script) # BUILD_TARGET - "engine" or "rivetkit-native" # BUILD_MODE - "debug" (fast) or "release" (optimized) # BUILD_FRONTEND - "true" or "false" (engine only) # # Base image: docker/builder-base/linux-gnu.Dockerfile # Rebuild base: scripts/docker-builder-base/build-push.sh linux-gnu --push -ARG BASE_TAG=latest -FROM ghcr.io/rivet-dev/rivet/builder-base-linux-gnu:${BASE_TAG} +FROM ghcr.io/rivet-dev/rivet/builder-base-linux-gnu:0e33ceb98 ARG BUILD_TARGET=engine ARG BUILD_MODE=release diff --git a/docker/build/linux-x64-musl.Dockerfile b/docker/build/linux-x64-musl.Dockerfile index 5a8a7bee99..d6b8532fa2 100644 --- a/docker/build/linux-x64-musl.Dockerfile +++ b/docker/build/linux-x64-musl.Dockerfile @@ -3,8 +3,7 @@ # See linux-x64-gnu.Dockerfile for build arg documentation. # # Base image: docker/builder-base/linux-musl.Dockerfile -ARG BASE_TAG=latest -FROM ghcr.io/rivet-dev/rivet/builder-base-linux-musl:${BASE_TAG} +FROM ghcr.io/rivet-dev/rivet/builder-base-linux-musl:0e33ceb98 ARG BUILD_TARGET=engine ARG BUILD_MODE=release diff --git a/docker/build/windows-x64.Dockerfile b/docker/build/windows-x64.Dockerfile index 98cd20242d..76225c4078 100644 --- a/docker/build/windows-x64.Dockerfile +++ b/docker/build/windows-x64.Dockerfile @@ -9,8 +9,7 @@ # into MSVC Node.js in practice as long as we statically link libgcc/libstdc++. # # Base image: docker/builder-base/windows-mingw.Dockerfile -ARG BASE_TAG=latest -FROM ghcr.io/rivet-dev/rivet/builder-base-windows-mingw:${BASE_TAG} +FROM ghcr.io/rivet-dev/rivet/builder-base-windows-mingw:0e33ceb98 ARG BUILD_TARGET=engine ARG BUILD_MODE=release diff --git a/docker/engine/Dockerfile b/docker/engine/Dockerfile index c2048531d8..b37baa4820 100644 --- a/docker/engine/Dockerfile +++ b/docker/engine/Dockerfile @@ -1,10 +1,8 @@ # syntax=docker/dockerfile:1.10.0 -ARG ENGINE_BASE_TAG=latest - # MARK: Builder # TODO(RVT-4168): Compile libfdb from scratch for ARM -FROM ghcr.io/rivet-dev/rivet/engine-base-builder:${ENGINE_BASE_TAG} AS builder +FROM ghcr.io/rivet-dev/rivet/engine-base-builder:a36b881 AS builder # Docker automatically provides TARGETARCH ARG TARGETARCH @@ -54,7 +52,7 @@ RUN \ cp target/$CARGO_BUILD_MODE/rivet-engine /app/dist/ # MARK: Engine (full, base) -FROM ghcr.io/rivet-dev/rivet/engine-base-runtime-full:${ENGINE_BASE_TAG} AS engine-full-base +FROM ghcr.io/rivet-dev/rivet/engine-base-runtime-full:a36b881 AS engine-full-base # MARK: Engine (Full) FROM engine-full-base AS engine-full @@ -67,7 +65,7 @@ ENTRYPOINT ["/usr/bin/rivet-engine"] CMD ["start"] # MARK: Engine (Slim) -FROM ghcr.io/rivet-dev/rivet/engine-base-runtime-slim:${ENGINE_BASE_TAG} AS engine-slim +FROM ghcr.io/rivet-dev/rivet/engine-base-runtime-slim:a36b881 AS engine-slim LABEL org.opencontainers.image.source=https://github.com/rivet-dev/rivet diff --git a/scripts/docker-builder-base/build-push.sh b/scripts/docker-builder-base/build-push.sh index 20d880b575..70e5753ca6 100755 --- a/scripts/docker-builder-base/build-push.sh +++ b/scripts/docker-builder-base/build-push.sh @@ -17,8 +17,8 @@ set -e # ghcr.io/rivet-dev/rivet/builder-base-osxcross: # ghcr.io/rivet-dev/rivet/engine-base-builder: # -# After pushing shared builder bases, update BASE_TAG in -# .github/workflows/publish.yaml to reference the new tag. +# After pushing all bases, this script updates the pinned GHCR tags in the +# consumer Dockerfiles. SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)" REPO_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)" @@ -68,6 +68,69 @@ ensure_multiarch_builder() { docker buildx inspect "$MULTIARCH_BUILDER" --bootstrap >/dev/null } +update_from_line() { + local file="$1" + local pattern="$2" + local replacement="$3" + + if ! grep -Eq "^FROM ${pattern}\$" "$file"; then + echo "ERROR: Failed to find pinned base image reference in $file" + return 1 + fi + + perl -0pi -e "s#^FROM ${pattern}\$#FROM ${replacement}#m" "$file" + + if ! grep -Fqx "FROM ${replacement}" "$file"; then + echo "ERROR: Failed to update pinned base image reference in $file" + return 1 + fi +} + +pin_consumer_dockerfiles() { + echo "==> Updating pinned base image references to tag: $TAG" + + update_from_line \ + "$REPO_ROOT/docker/build/linux-x64-gnu.Dockerfile" \ + 'ghcr\\.io/rivet-dev/rivet/builder-base-linux-gnu:[^[:space:]]+' \ + "ghcr.io/rivet-dev/rivet/builder-base-linux-gnu:${TAG}" + update_from_line \ + "$REPO_ROOT/docker/build/linux-arm64-gnu.Dockerfile" \ + 'ghcr\\.io/rivet-dev/rivet/builder-base-linux-gnu:[^[:space:]]+' \ + "ghcr.io/rivet-dev/rivet/builder-base-linux-gnu:${TAG}" + update_from_line \ + "$REPO_ROOT/docker/build/linux-x64-musl.Dockerfile" \ + 'ghcr\\.io/rivet-dev/rivet/builder-base-linux-musl:[^[:space:]]+' \ + "ghcr.io/rivet-dev/rivet/builder-base-linux-musl:${TAG}" + update_from_line \ + "$REPO_ROOT/docker/build/linux-arm64-musl.Dockerfile" \ + 'ghcr\\.io/rivet-dev/rivet/builder-base-linux-musl:[^[:space:]]+' \ + "ghcr.io/rivet-dev/rivet/builder-base-linux-musl:${TAG}" + update_from_line \ + "$REPO_ROOT/docker/build/darwin-x64.Dockerfile" \ + 'ghcr\\.io/rivet-dev/rivet/builder-base-osxcross:[^[:space:]]+' \ + "ghcr.io/rivet-dev/rivet/builder-base-osxcross:${TAG}" + update_from_line \ + "$REPO_ROOT/docker/build/darwin-arm64.Dockerfile" \ + 'ghcr\\.io/rivet-dev/rivet/builder-base-osxcross:[^[:space:]]+' \ + "ghcr.io/rivet-dev/rivet/builder-base-osxcross:${TAG}" + update_from_line \ + "$REPO_ROOT/docker/build/windows-x64.Dockerfile" \ + 'ghcr\\.io/rivet-dev/rivet/builder-base-windows-mingw:[^[:space:]]+' \ + "ghcr.io/rivet-dev/rivet/builder-base-windows-mingw:${TAG}" + update_from_line \ + "$REPO_ROOT/docker/engine/Dockerfile" \ + 'ghcr\\.io/rivet-dev/rivet/engine-base-builder:[^[:space:]]+ AS builder' \ + "ghcr.io/rivet-dev/rivet/engine-base-builder:${TAG} AS builder" + update_from_line \ + "$REPO_ROOT/docker/engine/Dockerfile" \ + 'ghcr\\.io/rivet-dev/rivet/engine-base-runtime-full:[^[:space:]]+ AS engine-full-base' \ + "ghcr.io/rivet-dev/rivet/engine-base-runtime-full:${TAG} AS engine-full-base" + update_from_line \ + "$REPO_ROOT/docker/engine/Dockerfile" \ + 'ghcr\\.io/rivet-dev/rivet/engine-base-runtime-slim:[^[:space:]]+' \ + "ghcr.io/rivet-dev/rivet/engine-base-runtime-slim:${TAG}" +} + build_one() { local name="$1" local dockerfile="$DOCKERFILE_DIR/${name}.Dockerfile" @@ -158,6 +221,7 @@ if [ "$BASE_NAME" = "all" ]; then for base in $BASES; do push_one "$base" done + pin_consumer_dockerfiles fi else build_one "$BASE_NAME" @@ -169,4 +233,8 @@ fi echo "" echo "Done. Tag: $TAG" echo "" -echo "Update BASE_TAG to use tag: $TAG if you rebuilt shared builder bases" +if [ "$BASE_NAME" = "all" ] && [ "$PUSH" = "true" ]; then + echo "Pinned consumer Dockerfiles to tag: $TAG" +else + echo "Consumer Dockerfiles were not updated. Run ./scripts/docker-builder-base/build-push.sh all --push to pin them to this tag." +fi