mirror of
https://github.com/All-Hands-AI/OpenHands.git
synced 2026-01-10 07:18:10 -05:00
287 lines
11 KiB
YAML
287 lines
11 KiB
YAML
# Workflow that builds, tests and then pushes the OpenHands and runtime docker images to the ghcr.io repository
|
|
name: Docker
|
|
|
|
# Always run on "main"
|
|
# Always run on tags
|
|
# Always run on PRs
|
|
# Can also be triggered manually
|
|
on:
|
|
push:
|
|
branches:
|
|
- main
|
|
tags:
|
|
- "*"
|
|
pull_request:
|
|
workflow_dispatch:
|
|
inputs:
|
|
reason:
|
|
description: "Reason for manual trigger"
|
|
required: true
|
|
default: ""
|
|
|
|
# If triggered by a PR, it will be in the same group. However, each commit on main will be in its own unique group
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ (github.head_ref && github.ref) || github.run_id }}
|
|
cancel-in-progress: true
|
|
|
|
env:
|
|
RELEVANT_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
|
|
|
|
jobs:
|
|
define-matrix:
|
|
runs-on: blacksmith
|
|
outputs:
|
|
base_image: ${{ steps.define-base-images.outputs.base_image }}
|
|
steps:
|
|
- name: Define base images
|
|
shell: bash
|
|
id: define-base-images
|
|
run: |
|
|
if [[ "$GITHUB_EVENT_NAME" == "pull_request" ]]; then
|
|
json=$(jq -n -c '[
|
|
{ image: "nikolaik/python-nodejs:python3.12-nodejs22", tag: "nikolaik" },
|
|
{ image: "ubuntu:24.04", tag: "ubuntu" }
|
|
]')
|
|
else
|
|
json=$(jq -n -c '[
|
|
{ image: "nikolaik/python-nodejs:python3.12-nodejs22", tag: "nikolaik" },
|
|
{ image: "ubuntu:24.04", tag: "ubuntu" }
|
|
]')
|
|
fi
|
|
echo "base_image=$json" >> "$GITHUB_OUTPUT"
|
|
|
|
# Builds the OpenHands Docker images
|
|
ghcr_build_app:
|
|
name: Build App Image
|
|
runs-on: blacksmith-4vcpu-ubuntu-2204
|
|
if: "!(github.event_name == 'push' && startsWith(github.ref, 'refs/tags/ext-v'))"
|
|
permissions:
|
|
contents: read
|
|
packages: write
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
with:
|
|
ref: ${{ github.event.pull_request.head.sha }}
|
|
- name: Set up QEMU
|
|
uses: docker/setup-qemu-action@v3.7.0
|
|
with:
|
|
image: tonistiigi/binfmt:latest
|
|
- name: Login to GHCR
|
|
uses: docker/login-action@v3
|
|
with:
|
|
registry: ghcr.io
|
|
username: ${{ github.repository_owner }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
- name: Set up Docker Buildx
|
|
id: buildx
|
|
uses: docker/setup-buildx-action@v3
|
|
- name: Lowercase Repository Owner
|
|
run: |
|
|
echo REPO_OWNER=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]') >> $GITHUB_ENV
|
|
- name: Build and push app image
|
|
if: "!github.event.pull_request.head.repo.fork"
|
|
run: |
|
|
./containers/build.sh -i openhands -o ${{ env.REPO_OWNER }} --push
|
|
|
|
# Builds the runtime Docker images
|
|
ghcr_build_runtime:
|
|
name: Build Runtime Image
|
|
runs-on: blacksmith-8vcpu-ubuntu-2204
|
|
if: "!(github.event_name == 'push' && startsWith(github.ref, 'refs/tags/ext-v'))"
|
|
permissions:
|
|
contents: read
|
|
packages: write
|
|
needs: define-matrix
|
|
strategy:
|
|
matrix:
|
|
base_image: ${{ fromJson(needs.define-matrix.outputs.base_image) }}
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
with:
|
|
ref: ${{ github.event.pull_request.head.sha }}
|
|
- name: Set up QEMU
|
|
uses: docker/setup-qemu-action@v3.7.0
|
|
with:
|
|
image: tonistiigi/binfmt:latest
|
|
- name: Login to GHCR
|
|
uses: docker/login-action@v3
|
|
with:
|
|
registry: ghcr.io
|
|
username: ${{ github.repository_owner }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
- name: Set up Docker Buildx
|
|
id: buildx
|
|
uses: docker/setup-buildx-action@v3
|
|
- name: Install poetry via pipx
|
|
run: pipx install poetry
|
|
- name: Set up Python
|
|
uses: useblacksmith/setup-python@v6
|
|
with:
|
|
python-version: "3.12"
|
|
cache: poetry
|
|
- name: Install Python dependencies using Poetry
|
|
run: make install-python-dependencies POETRY_GROUP=main INSTALL_PLAYWRIGHT=0
|
|
- name: Create source distribution and Dockerfile
|
|
run: poetry run python3 -m openhands.runtime.utils.runtime_build --base_image ${{ matrix.base_image.image }} --build_folder containers/runtime --force_rebuild
|
|
- name: Lowercase Repository Owner
|
|
run: |
|
|
echo REPO_OWNER=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]') >> $GITHUB_ENV
|
|
- name: Short SHA
|
|
run: |
|
|
echo SHORT_SHA=$(git rev-parse --short "$RELEVANT_SHA") >> $GITHUB_ENV
|
|
- name: Determine docker build params
|
|
if: github.event.pull_request.head.repo.fork != true
|
|
shell: bash
|
|
run: |
|
|
|
|
./containers/build.sh -i runtime -o ${{ env.REPO_OWNER }} -t ${{ matrix.base_image.tag }} --dry
|
|
|
|
DOCKER_BUILD_JSON=$(jq -c . < docker-build-dry.json)
|
|
echo "DOCKER_TAGS=$(echo "$DOCKER_BUILD_JSON" | jq -r '.tags | join(",")')" >> $GITHUB_ENV
|
|
echo "DOCKER_PLATFORM=$(echo "$DOCKER_BUILD_JSON" | jq -r '.platform')" >> $GITHUB_ENV
|
|
echo "DOCKER_BUILD_ARGS=$(echo "$DOCKER_BUILD_JSON" | jq -r '.build_args | join(",")')" >> $GITHUB_ENV
|
|
- name: Build and push runtime image ${{ matrix.base_image.image }}
|
|
if: github.event.pull_request.head.repo.fork != true
|
|
uses: useblacksmith/build-push-action@v1
|
|
with:
|
|
push: true
|
|
tags: ${{ env.DOCKER_TAGS }}
|
|
platforms: ${{ env.DOCKER_PLATFORM }}
|
|
build-args: ${{ env.DOCKER_BUILD_ARGS }}
|
|
context: containers/runtime
|
|
provenance: false
|
|
# Forked repos can't push to GHCR, so we just build in order to populate the cache for rebuilding
|
|
- name: Build runtime image ${{ matrix.base_image.image }} for fork
|
|
if: github.event.pull_request.head.repo.fork
|
|
uses: useblacksmith/build-push-action@v1
|
|
with:
|
|
tags: ghcr.io/${{ env.REPO_OWNER }}/runtime:${{ env.RELEVANT_SHA }}-${{ matrix.base_image.tag }}
|
|
context: containers/runtime
|
|
- name: Upload runtime source for fork
|
|
if: github.event.pull_request.head.repo.fork
|
|
uses: actions/upload-artifact@v6
|
|
with:
|
|
name: runtime-src-${{ matrix.base_image.tag }}
|
|
path: containers/runtime
|
|
|
|
ghcr_build_enterprise:
|
|
name: Push Enterprise Image
|
|
runs-on: blacksmith-8vcpu-ubuntu-2204
|
|
permissions:
|
|
contents: read
|
|
packages: write
|
|
needs: [define-matrix, ghcr_build_app]
|
|
# Do not build enterprise in forks
|
|
if: github.event.pull_request.head.repo.fork != true
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
with:
|
|
ref: ${{ github.event.pull_request.head.sha }}
|
|
|
|
# Set up Docker Buildx for better performance
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v3
|
|
with:
|
|
driver-opts: network=host
|
|
|
|
- name: Login to GHCR
|
|
uses: docker/login-action@v3
|
|
with:
|
|
registry: ghcr.io
|
|
username: ${{ github.repository_owner }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
- name: Extract metadata (tags, labels) for Docker
|
|
id: meta
|
|
uses: docker/metadata-action@v5
|
|
with:
|
|
images: ghcr.io/openhands/enterprise-server
|
|
tags: |
|
|
type=ref,event=branch
|
|
type=ref,event=pr
|
|
type=sha
|
|
type=sha,format=long
|
|
type=semver,pattern={{version}}
|
|
type=semver,pattern={{major}}.{{minor}}
|
|
type=semver,pattern={{major}}
|
|
flavor: |
|
|
latest=auto
|
|
prefix=
|
|
suffix=
|
|
env:
|
|
DOCKER_METADATA_PR_HEAD_SHA: true
|
|
- name: Determine app image tag
|
|
shell: bash
|
|
run: |
|
|
# Duplicated with build.sh
|
|
sanitized_ref_name=$(echo "$GITHUB_REF_NAME" | sed 's/[^a-zA-Z0-9.-]\+/-/g')
|
|
OPENHANDS_BUILD_VERSION=$sanitized_ref_name
|
|
sanitized_ref_name=$(echo "$sanitized_ref_name" | tr '[:upper:]' '[:lower:]') # lower case is required in tagging
|
|
echo "OPENHANDS_DOCKER_TAG=${sanitized_ref_name}" >> $GITHUB_ENV
|
|
- name: Build and push Docker image
|
|
uses: useblacksmith/build-push-action@v1
|
|
with:
|
|
context: .
|
|
file: enterprise/Dockerfile
|
|
push: true
|
|
tags: ${{ steps.meta.outputs.tags }}
|
|
labels: ${{ steps.meta.outputs.labels }}
|
|
build-args: |
|
|
OPENHANDS_VERSION=${{ env.OPENHANDS_DOCKER_TAG }}
|
|
platforms: linux/amd64
|
|
# Add build provenance
|
|
provenance: true
|
|
# Add build attestations for better security
|
|
sbom: true
|
|
|
|
enterprise-preview:
|
|
name: Enterprise preview
|
|
if: github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'deploy')
|
|
runs-on: blacksmith-4vcpu-ubuntu-2204
|
|
needs: [ghcr_build_enterprise]
|
|
steps:
|
|
# This should match the version in enterprise-preview.yml
|
|
- name: Trigger remote job
|
|
run: |
|
|
curl --fail-with-body -sS -X POST \
|
|
-H "Authorization: Bearer ${{ secrets.ALLHANDS_BOT_GITHUB_PAT }}" \
|
|
-H "Accept: application/vnd.github+json" \
|
|
-d "{\"ref\": \"main\", \"inputs\": {\"openhandsPrNumber\": \"${{ github.event.pull_request.number }}\", \"deployEnvironment\": \"feature\", \"enterpriseImageTag\": \"pr-${{ github.event.pull_request.number }}\" }}" \
|
|
https://api.github.com/repos/OpenHands/deploy/actions/workflows/deploy.yaml/dispatches
|
|
|
|
# "All Runtime Tests Passed" is a required job for PRs to merge
|
|
# We can remove this once the config changes
|
|
runtime_tests_check_success:
|
|
name: All Runtime Tests Passed
|
|
runs-on: blacksmith-4vcpu-ubuntu-2204
|
|
steps:
|
|
- name: All tests passed
|
|
run: echo "All runtime tests have passed successfully!"
|
|
|
|
update_pr_description:
|
|
name: Update PR Description
|
|
if: github.event_name == 'pull_request' && !github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]'
|
|
needs: [ghcr_build_runtime]
|
|
runs-on: blacksmith-4vcpu-ubuntu-2204
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Get short SHA
|
|
id: short_sha
|
|
run: echo "SHORT_SHA=$(echo ${{ github.event.pull_request.head.sha }} | cut -c1-7)" >> $GITHUB_OUTPUT
|
|
|
|
- name: Update PR Description
|
|
env:
|
|
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
PR_NUMBER: ${{ github.event.pull_request.number }}
|
|
REPO: ${{ github.repository }}
|
|
SHORT_SHA: ${{ steps.short_sha.outputs.SHORT_SHA }}
|
|
shell: bash
|
|
run: |
|
|
echo "Updating PR description with Docker and uvx commands"
|
|
bash ${GITHUB_WORKSPACE}/.github/scripts/update_pr_description.sh
|