
feat(ci): Consolidate docker build workflow (#1374)

* Consolidate docker build into single workflow

* ci: Only push to altran1502 on release

* ci: Tweaks

* feat(ci): Remove metadata key from permissions

* feat(ci): workaround for buildx regression

* Drop buildkit version to workaround regression

* Revert "Drop buildkit version to workaround regression"

This reverts commit 79adadb2d352c070bed95ea64c313d669bd08623.

* Use repo owner name for ghcr login

* feat(ci): Skip docker push on PRs from fork

* feat(ci): Remove explicit permissions config

* temp: Skip docker hub login

* Revert "temp: Skip docker hub login"

This reverts commit e92864d1a3d911095cc514b5f4cee1b6f9d01581.

* Remove fetch-depth from checkout action
bo0tzz 2 lat temu
rodzic
commit
c90a88fb17

+ 0 - 152
.github/workflows/build_push_docker_latest.yml

@@ -1,152 +0,0 @@
-name: Build and Push Docker Image - Latest
-
-on:
-  workflow_dispatch:
-  push:
-    branches: [main]
-
-jobs:
-  # This image include both the server and microservices - the two containers can be slitted into separated
-  # service with its coressponding entry file.
-  build_and_push_server_monorepo_latest:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2.1.0
-      - name: Set up Docker Buildx
-        id: buildx
-        uses: docker/setup-buildx-action@v2.2.1
-      - name: Login to Docker Hub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Build and push Immich Mono Repo
-        uses: docker/build-push-action@v3.3.0
-        with:
-          context: ./server
-          file: ./server/Dockerfile
-          platforms: linux/arm/v7,linux/amd64,linux/arm64
-          push: true
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-          tags: |
-            altran1502/immich-server:latest
-            ghcr.io/${{ github.repository_owner }}/immich-server:latest
-
-  build_and_push_machine_learning_latest:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2.1.0
-      - name: Set up Docker Buildx
-        id: buildx
-        uses: docker/setup-buildx-action@v2.2.1
-      - name: Login to Docker Hub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Build and Push Machine Learning
-        uses: docker/build-push-action@v3.3.0
-        with:
-          context: ./machine-learning
-          file: ./machine-learning/Dockerfile
-          platforms: linux/arm/v7,linux/amd64,linux/arm64
-          push: true
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-          tags: |
-            altran1502/immich-machine-learning:latest
-            ghcr.io/${{ github.repository_owner }}/immich-machine-learning:latest
-
-  build_and_push_web_latest:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2.1.0
-      - name: Set up Docker Buildx
-        id: buildx
-        uses: docker/setup-buildx-action@v2.2.1
-      - name: Login to Docker Hub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Build and Push Web
-        uses: docker/build-push-action@v3.3.0
-        with:
-          context: ./web
-          file: ./web/Dockerfile
-          platforms: linux/arm/v7,linux/amd64,linux/arm64
-          target: prod
-          push: true
-          tags: |
-            altran1502/immich-web:latest
-            ghcr.io/${{ github.repository_owner }}/immich-web:latest
-
-  build_and_push_nginx_latest:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2.1.0
-      - name: Set up Docker Buildx
-        id: buildx
-        uses: docker/setup-buildx-action@v2.2.1
-      - name: Login to Docker Hub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Build and Push Proxy
-        uses: docker/build-push-action@v3.3.0
-        with:
-          context: ./nginx
-          file: ./nginx/Dockerfile
-          platforms: linux/arm/v7,linux/amd64,linux/arm64
-          push: true
-          tags: |
-            altran1502/immich-proxy:latest
-            ghcr.io/${{ github.repository_owner }}/immich-proxy:latest

+ 0 - 168
.github/workflows/build_push_docker_staging.yml

@@ -1,168 +0,0 @@
-name: Build and Push Docker Image - Staging
-
-on:
-  workflow_dispatch:
-  pull_request:
-    branches: [main]
-
-jobs:
-  # This image include both the server and microservices - the two containers can be slitted into separated
-  # service with its coressponding entry file.
-  build_and_push_server_monorepo_staging:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2.1.0
-      - name: Set up Docker Buildx
-        id: buildx
-        uses: docker/setup-buildx-action@v2.2.1
-      - name: Login to Docker Hub
-        if: ${{ github.repository == 'immich-app/immich' }}
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Login to GitHub Container Registry
-        if: ${{ github.repository == 'immich-app/immich' }}
-        uses: docker/login-action@v2
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Build and push Immich Mono Repo
-        uses: docker/build-push-action@v3.3.0
-        with:
-          context: ./server
-          file: ./server/Dockerfile
-          platforms: linux/arm/v7,linux/amd64,linux/arm64
-          push: ${{ github.event_name == 'pull_request' && github.repository == 'immich-app/immich' }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-          tags: |
-            altran1502/immich-server:staging
-            altran1502/immich-server:${{ github.event.pull_request.number }}
-            ghcr.io/${{ github.repository_owner }}/immich-server:staging
-            ghcr.io/${{ github.repository_owner }}/immich-server:${{ github.event.pull_request.number }}
-
-  build_and_push_machine_learning_staging:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2.1.0
-      - name: Set up Docker Buildx
-        id: buildx
-        uses: docker/setup-buildx-action@v2.2.1
-      - name: Login to Docker Hub
-        if: ${{ github.repository == 'immich-app/immich' }}
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Login to GitHub Container Registry
-        if: ${{ github.repository == 'immich-app/immich' }}
-        uses: docker/login-action@v2
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Build and Push Machine Learning
-        uses: docker/build-push-action@v3.3.0
-        with:
-          context: ./machine-learning
-          file: ./machine-learning/Dockerfile
-          platforms: linux/arm/v7,linux/amd64,linux/arm64
-          push: ${{ github.event_name == 'pull_request' && github.repository == 'immich-app/immich' }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-          tags: |
-            altran1502/immich-machine-learning:staging
-            altran1502/immich-machine-learning:${{ github.event.pull_request.number }}
-            ghcr.io/${{ github.repository_owner }}/immich-machine-learning:staging
-            ghcr.io/${{ github.repository_owner }}/immich-machine-learning:${{ github.event.pull_request.number }}
-
-  build_and_push_web_staging:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2.1.0
-      - name: Set up Docker Buildx
-        id: buildx
-        uses: docker/setup-buildx-action@v2.2.1
-      - name: Login to Docker Hub
-        if: ${{ github.repository == 'immich-app/immich' }}
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Login to GitHub Container Registry
-        if: ${{ github.repository == 'immich-app/immich' }}
-        uses: docker/login-action@v2
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Build and Push Web
-        uses: docker/build-push-action@v3.3.0
-        with:
-          context: ./web
-          file: ./web/Dockerfile
-          platforms: linux/arm/v7,linux/amd64,linux/arm64
-          target: prod
-          push: ${{ github.event_name == 'pull_request' && github.repository == 'immich-app/immich' }}
-          tags: |
-            altran1502/immich-web:staging
-            altran1502/immich-web:${{ github.event.pull_request.number }}
-            ghcr.io/${{ github.repository_owner }}/immich-web:staging
-            ghcr.io/${{ github.repository_owner }}/immich-web:${{ github.event.pull_request.number }}
-
-  build_and_push_nginx_staging:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2.1.0
-      - name: Set up Docker Buildx
-        id: buildx
-        uses: docker/setup-buildx-action@v2.2.1
-      - name: Login to Docker Hub
-        if: ${{ github.repository == 'immich-app/immich' }}
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Login to GitHub Container Registry
-        if: ${{ github.repository == 'immich-app/immich' }}
-        uses: docker/login-action@v2
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Build and Push Proxy
-        uses: docker/build-push-action@v3.3.0
-        with:
-          context: ./nginx
-          file: ./nginx/Dockerfile
-          platforms: linux/arm/v7,linux/amd64,linux/arm64
-          push: ${{ github.event_name == 'pull_request' && github.repository == 'immich-app/immich' }}
-          tags: |
-            altran1502/immich-proxy:staging
-            altran1502/immich-proxy:${{ github.event.pull_request.number }}
-            ghcr.io/${{ github.repository_owner }}/immich-proxy:staging
-            ghcr.io/${{ github.repository_owner }}/immich-proxy:${{ github.event.pull_request.number }}

+ 0 - 197
.github/workflows/build_push_server_release.yml

@@ -1,197 +0,0 @@
-name: Build and push Docker image - Release
-
-on:
-  workflow_dispatch:
-  release:
-    types: [published]
-
-jobs:
-  build_and_push_server_monorepo_release:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          ref: 'main'
-          fetch-depth: 0
-
-      - name: 'Get Previous tag'
-        id: previoustag
-        uses: 'WyriHaximus/github-action-get-previous-tag@v1'
-        with:
-          fallback: latest
-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2.1.0
-
-      - name: Set up Docker Buildx
-        id: buildx
-        uses: docker/setup-buildx-action@v2.2.1
-
-      - name: Login to Docker Hub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Build and push immich-server release
-        uses: docker/build-push-action@v3.3.0
-        with:
-          context: ./server
-          file: ./server/Dockerfile
-          platforms: linux/arm/v7,linux/amd64,linux/arm64
-          push: ${{ github.event_name != 'pull_request' }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-          tags: |
-            altran1502/immich-server:${{ steps.previoustag.outputs.tag }}
-            altran1502/immich-server:release
-            ghcr.io/${{ github.repository_owner }}/immich-server:${{ steps.previoustag.outputs.tag }}
-            ghcr.io/${{ github.repository_owner }}/immich-server:release
-
-  build_and_push_machine_learning_release:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-      - name: 'Get Previous tag'
-        id: previoustag
-        uses: 'WyriHaximus/github-action-get-previous-tag@v1'
-        with:
-          fallback: latest
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2.1.0
-      - name: Set up Docker Buildx
-        id: buildx
-        uses: docker/setup-buildx-action@v2.2.1
-      - name: Login to Docker Hub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Build and Push Machine Learning
-        uses: docker/build-push-action@v3.3.0
-        with:
-          context: ./machine-learning
-          file: ./machine-learning/Dockerfile
-          platforms: linux/arm/v7,linux/amd64,linux/arm64
-          push: true
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-          tags: |
-            altran1502/immich-machine-learning:${{ steps.previoustag.outputs.tag }}
-            altran1502/immich-machine-learning:release
-            ghcr.io/${{ github.repository_owner }}/immich-machine-learning:${{ steps.previoustag.outputs.tag }}
-            ghcr.io/${{ github.repository_owner }}/immich-machine-learning:release
-
-  build_and_push_web_release:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          ref: 'main'
-          fetch-depth: 0
-
-      - name: 'Get Previous tag'
-        id: previoustag
-        uses: 'WyriHaximus/github-action-get-previous-tag@v1'
-        with:
-          fallback: latest
-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2.1.0
-
-      - name: Set up Docker Buildx
-        id: buildx
-        uses: docker/setup-buildx-action@v2.2.1
-
-      - name: Login to Docker Hub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Build and push immich-web release
-        uses: docker/build-push-action@v3.3.0
-        with:
-          context: ./web
-          file: ./web/Dockerfile
-          platforms: linux/arm/v7,linux/amd64,linux/arm64
-          push: ${{ github.event_name != 'pull_request' }}
-          target: prod
-          tags: |
-            altran1502/immich-web:${{ steps.previoustag.outputs.tag }}
-            altran1502/immich-web:release
-            ghcr.io/${{ github.repository_owner }}/immich-web:${{ steps.previoustag.outputs.tag }}
-            ghcr.io/${{ github.repository_owner }}/immich-web:release
-
-  build_and_push_nginx_release:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          ref: 'main'
-          fetch-depth: 0
-
-      - name: 'Get Previous tag'
-        id: previoustag
-        uses: 'WyriHaximus/github-action-get-previous-tag@v1'
-        with:
-          fallback: latest
-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2.1.0
-
-      - name: Set up Docker Buildx
-        id: buildx
-        uses: docker/setup-buildx-action@v2.2.1
-
-      - name: Login to Docker Hub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Build and push immich-proxy release
-        uses: docker/build-push-action@v3.3.0
-        with:
-          context: ./nginx
-          file: ./nginx/Dockerfile
-          platforms: linux/arm/v7,linux/amd64,linux/arm64
-          push: ${{ github.event_name != 'pull_request' }}
-          tags: |
-            altran1502/immich-proxy:release
-            altran1502/immich-proxy:${{ steps.previoustag.outputs.tag }}
-            ghcr.io/${{ github.repository_owner }}/immich-proxy:${{ steps.previoustag.outputs.tag }}
-            ghcr.io/${{ github.repository_owner }}/immich-proxy:release

+ 90 - 0
.github/workflows/docker.yml

@@ -0,0 +1,90 @@
+name: Build and Push Docker Images
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  release:
+    types: [published]
+
+jobs:
+  build_and_push:
+    runs-on: ubuntu-latest
+    strategy:
+      # Prevent a failure in one image from stopping the other builds
+      fail-fast: false
+      matrix:
+        include:
+          - context: "server"
+            image: "immich-server"
+          - context: "web"
+            image: "immich-web"
+          - context: "machine-learning"
+            image: "immich-machine-learning"
+          - context: "nginx"
+            image: "immich-proxy"
+    
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2.1.0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2.2.1
+        # Workaround to fix error:
+        # failed to push: failed to copy: io: read/write on closed pipe
+        # See https://github.com/docker/build-push-action/issues/761
+        with:
+          driver-opts: |
+            image=moby/buildkit:v0.10.6
+
+      - name: Login to Docker Hub
+        # Only push to Docker Hub when making a release
+        if: ${{ github.event_name == 'release' }}
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+        
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v2
+        # Skip when PR from a fork
+        if: ${{ !github.event.pull_request.head.repo.fork }}
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Generate docker image tags
+        id: metadata
+        uses: docker/metadata-action@v4
+        with:
+          flavor: |
+            # Disable latest tag
+            latest=false
+          images: |
+            name=ghcr.io/${{ github.repository_owner }}/${{matrix.image}}
+            name=altran1502/${{matrix.image}},enable=${{ github.event_name == 'release' }}
+          tags: |
+            # Tag with branch name
+            type=ref,event=branch
+            # Tag with pr-number
+            type=ref,event=pr
+            # Tag with git tag on release
+            type=ref,event=tag
+            type=raw,value=release,enable=${{ github.event_name == 'release' }}
+
+      - name: Build and push image
+        uses: docker/build-push-action@v3.3.0
+        with:
+          context: ${{ matrix.context }}
+          platforms: linux/arm/v7,linux/amd64,linux/arm64
+          # Skip pushing when PR from a fork
+          push: ${{ !github.event.pull_request.head.repo.fork }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          tags: ${{ steps.metadata.outputs.tags }}
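Review bot: The new `build_and_push` job declares no `permissions:` block, so the `secrets.GITHUB_TOKEN` passed to the ghcr.io login step carries whatever default scope the repository or organisation grants, which may include write access well beyond packages. Declaring it at job level keeps the token to what the visible steps need: `permissions: {contents: read, packages: write}`. Separately, every `uses:` line references a mutable tag (`actions/checkout@v3`, `docker/login-action@v2`, `docker/metadata-action@v4`, and the rest) in a job that receives `DOCKERHUB_TOKEN` on release; pinning each to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: docker/login-action@<full-commit-sha>  # v2`, prevents a re-pointed tag from running different code with those credentials. The `push:` expression also evaluates to true on `workflow_dispatch`, since `github.event.pull_request` is empty there, so a manual run from any branch would publish a branch-named tag to ghcr.io; it is worth confirming that this is intended.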