Add a ruff docker image at ghcr.io/astral-sh/ruff (#8554)

This dockerfile creates a minimal docker container that runs ruff ```console $ docker run -v .:/io --rm ruff check --select G004 . scripts/check_ecosystem.py:51:26: G004 Logging statement uses f-string scripts/check_ecosystem.py:55:22: G004 Logging statement uses f-string scripts/check_ecosystem.py:84:13: G004 Logging statement uses f-string scripts/check_ecosystem.py:177:18: G004 Logging statement uses f-string scripts/check_ecosystem.py:200:18: G004 Logging statement uses f-string scripts/check_ecosystem.py:354:18: G004 Logging statement uses f-string scripts/check_ecosystem.py:477:18: G004 Logging statement uses f-string Found 7 errors. ``` ```console $ docker image ls ruff REPOSITORY TAG IMAGE ID CREATED SIZE ruff latest 505876b0f817 2 minutes ago 16.2MB ``` Test repo: https://github.com/konstin/release-testing2 Successful build: 1865915510 The package: https://github.com/konstin/release-testing2/pkgs/container/release-testing2 After merging this, i have to manually push the first image and connect it the repo in the github UI or the action will fail due to lack of permissions Open questions: * Test arm version: Anyone working on an aarch64 linux machine? I don't see this failing or a high-priority deployment (the vast majority of linux users is on x86), but it would be nice to have it tested one. --------- Co-authored-by: Zanie Blue <contact@zanie.dev>
2025-10-03 07:04:53 +00:00 · 2023-11-17 19:44:28 +01:00 · 2023-11-17 19:44:28 +01:00 · a7fc785cc5
commit a7fc785cc5
parent f460f9c5c0
3 changed files with 99 additions and 0 deletions
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@ -516,6 +516,62 @@ jobs:
          files: binaries/*
          tag_name: v${{ inputs.tag }}

+  docker-publish:
+    # This action doesn't need to wait on any other task, it's easy to re-tag if something failed and we're validating
+    # the tag here also
+    name: Push Docker image ghcr.io/astral-sh/ruff
+    runs-on: ubuntu-latest
+    environment:
+      name: release
+    permissions:
+      # For the docker push
+      packages: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.sha }}
+
+      - uses: docker/setup-buildx-action@v3
+
+      - uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: ghcr.io/astral-sh/ruff
+
+      - name: Check tag consistency
+        # Unlike validate-tag we don't check if the commit is on the main branch, but it seems good enough since we can
+        # change docker tags
+        if: ${{ inputs.tag }}
+        run: |
+          version=$(grep "version = " pyproject.toml | sed -e 's/version = "\(.*\)"/\1/g')
+          if [ "${{ inputs.tag }}" != "${version}" ]; then
+            echo "The input tag does not match the version from pyproject.toml:" >&2
+            echo "${{ inputs.tag }}" >&2
+            echo "${version}" >&2
+            exit 1
+          else
+            echo "Releasing ${version}"
+          fi
+
+      - name: "Build and push Docker image"
+        uses: docker/build-push-action@v3
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          # Reuse the builder
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          push: ${{ inputs.tag != '' }}
+          tags: ghcr.io/astral-sh/ruff:latest,ghcr.io/astral-sh/ruff:${{ inputs.tag || 'dry-run' }}
+          labels: ${{ steps.meta.outputs.labels }}
+
  # After the release has been published, we update downstream repositories
  # This is separate because if this fails the release is still fine, we just need to do some manual workflow triggers
  update-dependents: