build: publish docker images to artifact registry (#1595)

.github/workflows/image.yml

@@ -105,30 +105,76 @@ jobs:
           docker push "$IMG_VERSIONED"
 
   assemble:
-    needs: build-image
-    if: github.event_name != 'pull_request'
+    needs: [build-setup, build-image]
+    if: "needs.build-setup.outputs.full_ci == 'true'"
 
+    name: Assemble for Github Container Registry
     runs-on: ubuntu-20.04
 
+    env:
+      TARGET_IMAGE: ghcr.io/getsentry/symbolicator
+
     steps:
       - name: Docker Login
         run: docker login --username '${{ github.actor }}' --password '${{ secrets.GITHUB_TOKEN }}' ghcr.io
 
       - name: Assemble Sha Image
         run: |
-          docker manifest create \
-            'ghcr.io/getsentry/symbolicator:${{ github.sha }}' \
-            'ghcr.io/getsentry/symbolicator:arm64-${{ github.sha }}' \
-            'ghcr.io/getsentry/symbolicator:amd64-${{ github.sha }}'
-
-          docker manifest push ghcr.io/getsentry/symbolicator:${{ github.sha }}
+          docker buildx imagetools create -t "${TARGET_IMAGE}:${{ github.sha }}" \
+            "${TARGET_IMAGE}:arm64-${{ github.sha }}" \
+            "${TARGET_IMAGE}:amd64-${{ github.sha }}"
 
       - name: Assemble Latest Image
         if: github.ref_name == 'master'
         run: |
-          docker manifest create \
-            'ghcr.io/getsentry/symbolicator:latest' \
-            'ghcr.io/getsentry/symbolicator:arm64-${{ github.sha }}' \
-            'ghcr.io/getsentry/symbolicator:amd64-${{ github.sha }}'
+          docker buildx imagetools create -t "${TARGET_IMAGE}:latest" \
+            "${TARGET_IMAGE}:arm64-${{ github.sha }}" \
+            "${TARGET_IMAGE}:amd64-${{ github.sha }}"
+
+  assemble-ar:
+    needs: [build-setup, build-image]
+    if: "needs.build-setup.outputs.full_ci == 'true'"
+
+    name: Assemble for Google Artifact Registry
+    runs-on: ubuntu-latest
+
+    # required for google auth
+    permissions:
+      contents: read
+      id-token: write
+
+    env:
+      GHCR_IMAGE: ghcr.io/getsentry/symbolicator
+      TARGET_IMAGE: us-central1-docker.pkg.dev/sentryio/symbolicator/image
+
+    steps:
+      - name: Google Auth
+        id: auth
+        uses: google-github-actions/auth@v2
+        with:
+          workload_identity_provider: projects/868781662168/locations/global/workloadIdentityPools/prod-github/providers/github-oidc-pool
+          service_account: [email protected]
+
+      - name: Set up Cloud SDK
+        uses: google-github-actions/setup-gcloud@v2
+        with:
+          # https://github.com/google-github-actions/auth#authenticating-via-workload-identity-federation
+          # You must use the Cloud SDK version 390.0.0 or later to authenticate the bq and gsutil tools.
+          version: ">= 390.0.0"
+
+      - name: Configure Docker
+        run: |
+          gcloud auth configure-docker us-central1-docker.pkg.dev
 
-          docker manifest push ghcr.io/getsentry/symbolicator:latest
+      - name: Assemble Sha Image
+        run: |
+          docker buildx imagetools create -t "${TARGET_IMAGE}:${{ github.sha }}" \
+            "${GHCR_IMAGE}:arm64-${{ github.sha }}" \
+            "${GHCR_IMAGE}:amd64-${{ github.sha }}"
+
+      - name: Assemble Latest Image
+        if: github.ref_name == 'master'
+        run: |
+          docker buildx imagetools create -t "${TARGET_IMAGE}:latest" \
+            "${GHCR_IMAGE}:arm64-${{ github.sha }}" \
+            "${GHCR_IMAGE}:amd64-${{ github.sha }}"

cloudbuild.yaml

@@ -1,111 +1,6 @@
 steps:
-  # GCB only fetches a source archive, but the build requires an actual git repo. Note that the
-  # clone behavior changed multiple times between 2017 and 2019 and might not be stable.
-  # See: https://github.com/GoogleCloudPlatform/cloud-builders/issues/236#issuecomment-558991730
   - name: "gcr.io/cloud-builders/git"
     entrypoint: "bash"
     args:
       - "-c"
-      - |
-        git init
-        git remote add origin https://github.com/getsentry/$REPO_NAME.git
-        git fetch --depth=1 origin $COMMIT_SHA
-        git reset --hard FETCH_HEAD
-        git config -f .gitmodules submodule.core.url https://github.com/getsentry/$REPO_NAME.git
-        git submodule update --init --recursive
-
-  - name: 'gcr.io/cloud-builders/docker'
-    args:
-      [
-        'build',
-        '--target',
-        'symbolicator-build',
-        '-t',
-        'us-central1-docker.pkg.dev/$PROJECT_ID/symbolicator/builder:latest',
-        '--build-arg',
-        'BUILDKIT_INLINE_CACHE=1',
-        '--cache-from',
-        'us-central1-docker.pkg.dev/$PROJECT_ID/symbolicator/builder:latest',
-        '.',
-      ]
-    env: [DOCKER_BUILDKIT=1]
-
-  - name: "us-central1-docker.pkg.dev/$PROJECT_ID/symbolicator/builder:latest"
-    entrypoint: "bash"
-    args:
-      - "-c"
-      - |-
-        cp /opt/symbolicator-debug.zip /opt/symbolicator.src.zip .
-
-  # Uploads DIFs to the deployment pipeline group's private bucket.
-  # These are used for sentry releases.
-  - name: "gcr.io/cloud-builders/gsutil"
-    entrypoint: "bash"
-    args:
-      - "-c"
-      - |-
-        gsutil -m cp \
-        ./symbolicator-debug.zip ./symbolicator.src.zip \
-        gs://dicd-team-devinfra-cd--symbolicator/difs/$COMMIT_SHA/
-
-  - name: 'gcr.io/cloud-builders/docker'
-    args:
-      [
-        'build',
-        '-t',
-        'us-central1-docker.pkg.dev/$PROJECT_ID/symbolicator/image:nightly',
-        '-t',
-        'us-central1-docker.pkg.dev/$PROJECT_ID/symbolicator/image:$COMMIT_SHA',
-        '--build-arg',
-        'BUILDKIT_INLINE_CACHE=1',
-        '--cache-from',
-        'us-central1-docker.pkg.dev/$PROJECT_ID/symbolicator/builder:latest',
-        '--cache-from',
-        'us-central1-docker.pkg.dev/$PROJECT_ID/symbolicator/image:nightly',
-        '.',
-      ]
-    env: [DOCKER_BUILDKIT=1]
-
-  - name: "us-central1-docker.pkg.dev/$PROJECT_ID/symbolicator/image:nightly"
-    args: ["--version"]
-
-  - name: "us-central1-docker.pkg.dev/$PROJECT_ID/symbolicator/image:nightly"
-    args: ["--help"]
-
-  # Only tag "nightly" when on master
-  - name: "gcr.io/cloud-builders/docker"
-    secretEnv: ["DOCKER_PASSWORD"]
-    entrypoint: "bash"
-    args:
-      - "-e"
-      - "-c"
-      - |
-        # Only push to Docker Hub from master
-        [ "$BRANCH_NAME" != "master" ] && exit 0
-        docker push us-central1-docker.pkg.dev/$PROJECT_ID/symbolicator/image:nightly
-        echo "$$DOCKER_PASSWORD" | docker login --username=sentrybuilder --password-stdin
-        docker tag us-central1-docker.pkg.dev/$PROJECT_ID/symbolicator/image:$COMMIT_SHA getsentry/symbolicator:$SHORT_SHA
-        docker push getsentry/symbolicator:$SHORT_SHA
-        docker tag us-central1-docker.pkg.dev/$PROJECT_ID/symbolicator/image:$COMMIT_SHA getsentry/symbolicator:$COMMIT_SHA
-        docker push getsentry/symbolicator:$COMMIT_SHA
-        docker tag us-central1-docker.pkg.dev/$PROJECT_ID/symbolicator/image:$COMMIT_SHA getsentry/symbolicator:nightly
-        docker push getsentry/symbolicator:nightly
-
-images:
-  [
-    "us-central1-docker.pkg.dev/$PROJECT_ID/symbolicator/builder:latest",
-    "us-central1-docker.pkg.dev/$PROJECT_ID/symbolicator/image:$COMMIT_SHA",
-  ]
-timeout: 3600s
-options:
-  # Run on bigger machines
-  machineType: "E2_HIGHCPU_32"
-secrets:
-  - kmsKeyName: projects/sentryio/locations/global/keyRings/service-credentials/cryptoKeys/cloudbuild
-    secretEnv:
-      # This is a personal access token for the sentrybuilder account, encrypted using the
-      # short guide at http://bit.ly/2Pg6uw9
-      DOCKER_PASSWORD: |
-        CiQAE8gN7y3OMxn+a1kofmK4Bi8jQZtdRFj2lYYwaZHVeIIBUzMSTQA9tvn8XCv2vqj6u8CHoeSP
-        TVW9pLvSCorKoeNtOp0eb+6V1yNJW/+JC07DNO1KLbTbodbuza6jKJHU5xeAJ4kGQI78UY5Vu1Gp
-        QcMK
+      - echo noop

gocd/templates/pipelines/symbolicator.libsonnet

@@ -67,7 +67,6 @@ function(region) {
             elastic_profile_id: 'symbolicator',
             tasks: [
               gocdtasks.script(importstr '../bash/github-checks.sh'),
-              gocdtasks.script(importstr '../bash/cloudbuild-checks.sh'),
             ],
           },
         },