OpenHands/.github/workflows/ghcr_app.yml

# Workflow that builds, tests and then pushes the app docker images to the ghcr.io repository
name: Build and Publish App Image


# Always run on "main"
# Always run on tags
# Always run on PRs
# Can also be triggered manually
on:
  push:
    branches:
      - main
    tags:
      - '*'
  pull_request:
  workflow_dispatch:
    inputs:
      reason:
        description: 'Reason for manual trigger'
        required: true
        default: ''

jobs:
  # Builds the OpenHands Docker images
  ghcr_build:
    name: Build App Image
    runs-on: ubuntu-latest
    outputs:
      tags: ${{ steps.capture-tags.outputs.tags }}
      last_tag: ${{ steps.capture-last-tag.outputs.last_tag }}
    permissions:
      contents: read
      packages: write
    strategy:
      matrix:
        image: ['openhands']
        platform: ['amd64', 'arm64']
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Free Disk Space (Ubuntu)
        uses: jlumbroso/free-disk-space@main
        with:
          # this might remove tools that are actually needed,
          # if set to "true" but frees about 6 GB
          tool-cache: true
          # all of these default to true, but feel free to set to
          # "false" if necessary for your workflow
          android: true
          dotnet: true
          haskell: true
          large-packages: true
          docker-images: false
          swap-storage: true
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@v3
      - name: Build and export image
        id: build
        run: ./containers/build.sh ${{ matrix.image }} ${{ github.repository_owner }} ${{ matrix.platform }}
      - name: Capture tags
        id: capture-tags
        run: |
          tags=$(cat tags.txt)
          echo "tags=$tags"
          echo "tags=$tags" >> $GITHUB_OUTPUT
      - name: Capture last tag
        id: capture-last-tag
        run: |
          last_tag=$(cat tags.txt | awk '{print $NF}')
          echo "last_tag=$last_tag"
          echo "last_tag=$last_tag" >> $GITHUB_OUTPUT
      - name: Upload Docker image as artifact
        uses: actions/upload-artifact@v4
        with:
          name: ${{ matrix.image }}_${{ steps.capture-last-tag.outputs.last_tag }}_${{ matrix.platform }}
          path: /tmp/${{ matrix.image }}_${{ steps.capture-last-tag.outputs.last_tag }}_${{ matrix.platform }}.tar
          retention-days: 14

  # Push the OpenHands and sandbox Docker images to the ghcr.io repository
  ghcr_push:
    name: Push App Image
    runs-on: ubuntu-latest
    needs: [ghcr_build]
    if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') || (github.event_name == 'pull_request' && github.event.pull_request.merged == true && github.event.pull_request.base.ref == 'main')
    env:
      tags: ${{ needs.ghcr_build.outputs.tags }}
    permissions:
      contents: read
      packages: write
    strategy:
      matrix:
        image: ['openhands']
        last_tag: ${{ needs.ghcr_build.outputs.last_tag }}
        platform: ['amd64', 'arm64']
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Login to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Download Docker images
        uses: actions/download-artifact@v4
        with:
          name: ${{ matrix.image }}_${{ matrix.last_tag }}_${{ matrix.platform }}
          path: /tmp
      - name: Load images and push to registry
        run: |
          mv /tmp/${{ matrix.image }}_${{ matrix.last_tag }}_${{ matrix.platform }}.tar .
          loaded_image=$(docker load -i ${{ matrix.image }}_${{ matrix.last_tag }}_${{ matrix.platform }}.tar | grep "Loaded image:" | head -n 1 | awk '{print $3}')
          echo "loaded image = $loaded_image"
          tags=$(echo ${tags} | tr ' ' '\n')
          image_name=$(echo "ghcr.io/${{ github.repository_owner }}/${{ matrix.image }}" | tr '[:upper:]' '[:lower:]')
          echo "image name = $image_name"
          for tag in $tags; do
            echo "tag = $tag"
            docker tag $loaded_image $image_name:${tag}_${{ matrix.platform }}
            docker push $image_name:${tag}_${{ matrix.platform }}
          done
  # Creates and pushes the OpenHands Docker image manifests
  create_manifest:
    name: Create Manifest
    runs-on: ubuntu-latest
    needs: [ghcr_build, ghcr_push]
    if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') || (github.event_name == 'pull_request' && github.event.pull_request.merged == true && github.event.pull_request.base.ref == 'main')
    env:
      tags: ${{ needs.ghcr_build.outputs.tags }}
    strategy:
      matrix:
        image: ['openhands']
    permissions:
      contents: read
      packages: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Login to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Create and push multi-platform manifest
        run: |
          image_name=$(echo "ghcr.io/${{ github.repository_owner }}/${{ matrix.image }}" | tr '[:upper:]' '[:lower:]')
          echo "image name = $image_name"
          tags=$(echo ${tags} | tr ' ' '\n')
          for tag in $tags; do
            echo 'tag = $tag'
            docker buildx imagetools create --tag $image_name:$tag \
              $image_name:${tag}_amd64 \
              $image_name:${tag}_arm64
          done