feat(build): Docker build improvements

.github/docker_build_comment_template.md

@@ -0,0 +1,5 @@
+{{ .message }}
+
+| Image           | Build Status       | Security report             |
+| --------------- | ------------------ | --------------------------- |
+| {{ .imageTag }} | {{ .buildStatus }} | {{ .securityReportStatus }} |

.github/workflows/.reusable-docker-build.yml

@@ -22,6 +22,15 @@ on:
         type: string
         description: Image name
         required: true
+      tags:
+        type: string
+        required: false
+        default: |
+          type=ref,event=branch
+          type=ref,event=tag
+          type=ref,event=pr
+          type=semver,pattern={{version}}
+          type=semver,pattern={{major}}.{{minor}}
       build-args:
         type: string
         description: List of build-time variables
@@ -36,6 +45,11 @@ on:
         description: Whether to skip push and use Depot's ephemeral registry
         required: false
         default: false
+      comment:
+        type: boolean
+        description: Whether to update the build status in a PR comment
+        required: false
+        default: false
     outputs:
       image:
         description: Resulting image specifier
@@ -53,8 +67,9 @@ jobs:
       image: ${{ steps.image-tag.outputs.image-tag }}
 
     permissions:
-      packages: write
       id-token: write
+      packages: write
+      pull-requests: write
       security-events: write
       contents: read
 
@@ -79,12 +94,34 @@ jobs:
         with:
           images: |
             ${{ inputs.registry-url }}/flagsmith/${{ inputs.image-name }}
-          tags: |
-            type=ref,event=branch
-            type=ref,event=tag
-            type=ref,event=pr
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
+          tags: ${{ inputs.tags }}
+
+      - uses: chuhlomin/[email protected]
+        if: inputs.comment
+        id: render-comment-initial
+        with:
+          template: .github/docker_build_comment_template.md
+          vars: |
+            message: "`${{ inputs.image-name }}` is being built... :hourglass_flowing_sand:"
+            imageTag: "Pending :hourglass_flowing_sand:"
+            buildStatus: "Building :hourglass_flowing_sand:"
+            securityReportStatus: "${{ inputs.scan && 'Pending :hourglass_flowing_sand:' || 'Skipped' }}"
+
+      - uses: peter-evans/find-comment@v3
+        if: inputs.comment
+        id: find-comment
+        with:
+          issue-number: ${{ github.event.pull_request.number }}
+          body-includes: '`${{ inputs.image-name }}` '
+
+      - uses: peter-evans/create-or-update-comment@v4
+        if: inputs.comment
+        id: add-comment
+        with:
+          comment-id: ${{ steps.find-comment.outputs.comment-id }}
+          edit-mode: replace
+          issue-number: ${{ github.event.pull_request.number }}
+          body: ${{ steps.render-comment-initial.outputs.result }}
 
       - name: Build and push image
         id: build
@@ -119,6 +156,24 @@ jobs:
           echo ::add-mask::$DEPOT_TOKEN
           echo depot-token=$DEPOT_TOKEN >> $GITHUB_OUTPUT
 
+      - uses: chuhlomin/[email protected]
+        if: inputs.comment
+        id: render-comment-on-finished-build
+        with:
+          template: .github/docker_build_comment_template.md
+          vars: |
+            message: "`${{ inputs.image-name }}` image build finished :sparkles: ${{ inputs.scan && 'Executing security scan...' || '' }}"
+            imageTag: "`${{ steps.image-tag.outputs.image-tag }}`"
+            buildStatus: "Finished :white_check_mark:"
+            securityReportStatus: "${{ inputs.scan && 'Pending :hourglass_flowing_sand:' || 'Skipped' }}"
+
+      - uses: peter-evans/create-or-update-comment@v4
+        if: inputs.comment
+        with:
+          comment-id: ${{ steps.add-comment.outputs.comment-id }}
+          edit-mode: replace
+          body: ${{ steps.render-comment-on-finished-build.outputs.result }}
+
       - name: Run Trivy vulnerability scanner
         id: trivy
         if: inputs.scan
@@ -136,4 +191,28 @@ jobs:
         if: inputs.scan && (success() || failure())
         with:
           sarif_file: trivy-results.sarif
-          category: ${{ inputs.image-name }}
+
+      - name: Render scan results URL
+        id: scan-results-url
+        run: >
+          echo scan-results-url=${{ format('{0}/{1}/security/code-scanning?query=pr%3A{2}+path%3Aflagsmith%2F{3}',
+          github.server_url, github.repository, github.event.pull_request.number, inputs.image-name) }} >>
+          $GITHUB_OUTPUT
+
+      - uses: chuhlomin/[email protected]
+        id: render-comment-on-finished-scan
+        if: inputs.scan && inputs.comment
+        with:
+          template: .github/docker_build_comment_template.md
+          vars: |
+            message: "`${{ inputs.image-name }}` image build and security scan finished :sparkles:"
+            imageTag: "`${{ steps.image-tag.outputs.image-tag }}`"
+            buildStatus: "Finished :white_check_mark:"
+            securityReportStatus: "${{ format('[Results]({0}) :white_check_mark:', steps.scan-results-url.outputs.scan-results-url) }}"
+
+      - uses: peter-evans/create-or-update-comment@v4
+        if: inputs.scan && inputs.comment
+        with:
+          comment-id: ${{ steps.add-comment.outputs.comment-id }}
+          edit-mode: replace
+          body: ${{ steps.render-comment-on-finished-scan.outputs.result }}

.github/workflows/.reusable-docker-e2e-tests.yml

@@ -22,11 +22,16 @@ on:
         description: The concurrent number of browsers to be used on testing
         required: false
         default: 3
+      runs-on:
+        type: string
+        description: The runner label to use. Defaults to `ubuntu-latest`
+        required: false
+        default: ubuntu-latest
 
 jobs:
   run-e2e:
     name: "E2E${{ inputs.tests && format(': {0}', inputs.tests) || '' }}"
-    runs-on: ubuntu-latest
+    runs-on: ${{ inputs.runs-on }}
 
     permissions:
       contents: read

.github/workflows/platform-docker-build-e2e-image.yml

@@ -7,22 +7,9 @@ on:
 
 jobs:
   build-e2e-docker-image:
-    runs-on: ubuntu-latest
-    name: Publish E2E Frontend Image
-
-    steps:
-      - name: Cloning repo
-        uses: actions/checkout@v4
-
-      - name: Login to Github Container Registry
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{github.actor}}
-          password: ${{secrets.GITHUB_TOKEN}}
-
-      - name: Build E2E Frontend Image
-        run: |
-          cd frontend
-          docker build -f Dockerfile-base.e2e --tag ghcr.io/flagsmith/e2e-frontend-base:latest .
-          docker push ghcr.io/flagsmith/e2e-frontend-base:latest
+    name: Build E2E Frontend Base Image
+    uses: ./.github/workflows/.reusable-docker-build.yml
+    with:
+      file: frontend/Dockerfile-base.e2e
+      image-name: e2e-frontend-base
+      tags: latest

.github/workflows/platform-docker-build-test-publish.yml

@@ -62,6 +62,7 @@ jobs:
     needs: [docker-build-api, docker-build-private-cloud-api, docker-build-e2e]
     uses: ./.github/workflows/.reusable-docker-e2e-tests.yml
     with:
+      runs-on: ${{ matrix.runs-on }}
       e2e-image: ${{ needs.docker-build-e2e.outputs.image }}
       api-image: ${{ matrix.api-image }}
       concurrency: ${{ matrix.args.concurrency }}
@@ -70,6 +71,7 @@ jobs:
 
     strategy:
       matrix:
+        runs-on: [ubuntu-latest, ARM64-2c]
         api-image:
           - ${{ needs.docker-build-api.outputs.image }}
           - ${{ needs.docker-build-private-cloud-api.outputs.image }}

.github/workflows/platform-pull-request.yml

@@ -72,49 +72,54 @@ jobs:
     name: Build Unified Image
     uses: ./.github/workflows/.reusable-docker-build.yml
     with:
-      ephemeral: ${{ !needs.check-permissions.outputs.can-write }}
+      ephemeral: ${{ needs.check-permissions.outputs.can-write == 'false' }}
       target: oss-unified
       image-name: flagsmith
+      comment: ${{ needs.check-permissions.outputs.can-write == 'true' }}
 
   docker-build-api:
     if: github.event.pull_request.draft == false
     needs: check-permissions
     name: Build API Image
     uses: ./.github/workflows/.reusable-docker-build.yml
     with:
-      ephemeral: ${{ !needs.check-permissions.outputs.can-write }}
+      ephemeral: ${{ needs.check-permissions.outputs.can-write == 'false' }}
       target: oss-api
       image-name: flagsmith-api
+      comment: ${{ needs.check-permissions.outputs.can-write == 'true' }}
 
   docker-build-frontend:
     if: github.event.pull_request.draft == false
     needs: check-permissions
     name: Build Frontend Image
     uses: ./.github/workflows/.reusable-docker-build.yml
     with:
-      ephemeral: ${{ !needs.check-permissions.outputs.can-write }}
+      ephemeral: ${{ needs.check-permissions.outputs.can-write == 'false' }}
       target: oss-frontend
       image-name: flagsmith-frontend
+      comment: ${{ needs.check-permissions.outputs.can-write == 'true' }}
 
   docker-build-e2e:
     if: github.event.pull_request.draft == false
     needs: check-permissions
     name: Build E2E Image
     uses: ./.github/workflows/.reusable-docker-build.yml
     with:
-      ephemeral: ${{ !needs.check-permissions.outputs.can-write }}
+      ephemeral: ${{ needs.check-permissions.outputs.can-write == 'false' }}
       file: frontend/Dockerfile.e2e
       image-name: flagsmith-e2e
       scan: false
+      comment: ${{ needs.check-permissions.outputs.can-write == 'true' }}
 
   docker-build-private-cloud:
-    if: github.event.pull_request.draft == false && needs.check-permissions.outputs.can-write
+    if: github.event.pull_request.draft == false && needs.check-permissions.outputs.can-write == 'true'
     needs: check-permissions
     name: Build Private Cloud Image
     uses: ./.github/workflows/.reusable-docker-build.yml
     with:
       target: private-cloud-unified
       image-name: flagsmith-private-cloud
+      comment: true
     secrets:
       secrets: |
         github_private_cloud_token=${{ secrets.GH_PRIVATE_ACCESS_TOKEN }}
@@ -123,6 +128,7 @@ jobs:
     needs: [docker-build-api, docker-build-e2e]
     uses: ./.github/workflows/.reusable-docker-e2e-tests.yml
     with:
+      runs-on: ${{ matrix.runs-on }}
       e2e-image: ${{ needs.docker-build-e2e.outputs.image }}
       api-image: ${{ needs.docker-build-api.outputs.image }}
       concurrency: ${{ matrix.args.concurrency }}
@@ -131,6 +137,7 @@ jobs:
 
     strategy:
       matrix:
+        runs-on: [ubuntu-latest, ARM64-2c]
         args:
           - tests: segment-part-1 environment
             concurrency: 1