#!/bin/bash echo ">>> Pushing images..." export DOCKER_CLI_EXPERIMENTAL=enabled declare -A annotations=( [amd64]="--os linux --arch amd64" [arm32v6]="--os linux --arch arm --variant v6" [arm32v7]="--os linux --arch arm --variant v7" [arm64v8]="--os linux --arch arm64 --variant v8" ) source ./hooks/arches.sh set -ex declare -A images for arch in ${arches[@]}; do images[$arch]="${DOCKER_REPO}:${DOCKER_TAG}-${arch}" done # Push the images that were just built; manifest list creation fails if the # images (manifests) referenced don't already exist in the Docker registry. for image in "${images[@]}"; do docker push "${image}" done manifest_lists=("${DOCKER_REPO}:${DOCKER_TAG}") # If the Docker tag starts with a version number, assume the latest release is # being pushed. Add an extra manifest (`latest` or `alpine`, as appropriate) # to make it easier for users to track the latest release. if [[ "${DOCKER_TAG}" =~ ^[0-9]+\.[0-9]+\.[0-9]+ ]]; then if [[ "${DOCKER_TAG}" == *alpine ]]; then manifest_lists+=(${DOCKER_REPO}:alpine) else manifest_lists+=(${DOCKER_REPO}:latest) fi fi for manifest_list in "${manifest_lists[@]}"; do # Create the (multi-arch) manifest list of arch-specific images. docker manifest create ${manifest_list} ${images[@]} # Make sure each image manifest is annotated with the correct arch info. # Docker does not auto-detect the arch of each cross-compiled image, so # everything would appear as `linux/amd64` otherwise. for arch in "${arches[@]}"; do docker manifest annotate ${annotations[$arch]} ${manifest_list} ${images[$arch]} done # Push the manifest list. docker manifest push --purge ${manifest_list} done # Avoid logging credentials and tokens. set +ex # Delete the arch-specific tags, if credentials for doing so are available. # Note that `DOCKER_PASSWORD` must be the actual user password. Passing a JWT # obtained using a personal access token results in a 403 error with # {"detail": "access to the resource is forbidden with personal access token"} if [[ -z "${DOCKER_USERNAME}" || -z "${DOCKER_PASSWORD}" ]]; then exit 0 fi # Given a JSON input on stdin, extract the string value associated with the # specified key. This avoids an extra dependency on a tool like `jq`. extract() { local key="$1" # Extract "<key>":"<val>" (assumes key/val won't contain double quotes). # The colon may have whitespace on either side. grep -o "\"${key}\"[[:space:]]*:[[:space:]]*\"[^\"]\+\"" | # Extract just <val> by deleting the last '"', and then greedily deleting # everything up to '"'. sed -e 's/"$//' -e 's/.*"//' } echo ">>> Getting API token..." jwt=$(curl -sS -X POST \ -H "Content-Type: application/json" \ -d "{\"username\":\"${DOCKER_USERNAME}\",\"password\": \"${DOCKER_PASSWORD}\"}" \ "https://hub.docker.com/v2/users/login" | extract 'token') # Strip the registry portion from `index.docker.io/user/repo`. repo="${DOCKER_REPO#*/}" for arch in ${arches[@]}; do tag="${DOCKER_TAG}-${arch}" echo ">>> Deleting '${repo}:${tag}'..." curl -sS -X DELETE \ -H "Authorization: Bearer ${jwt}" \ "https://hub.docker.com/v2/repositories/${repo}/tags/${tag}/" done