Feature/177 ghcr container publishing (#251)

DavidEdell · David Linko · BrianSipos · web-flow · commit 5ba1186afaaf · 2025-09-25T14:22:55.000-04:00
* Added workflow to test publishing of built containers to ghcr.io
* Second take (GPT-assisted refinements)
* Fixed GHCR container naming.
* Fixed default .env path
* Updating quickstart to pull prebuilt containers by default
* Pin puppet-lint to compatible version
* Updated README.

---------

Co-authored-by: David Linko &lt;david.linko@jhuapl.edu&gt;
Co-authored-by: Brian Sipos &lt;brian.sipos@jhuapl.edu&gt;
diff --git a/.env b/.env
@@ -15,7 +15,7 @@ COMPOSE_PROFILES=full,dev
 #MQTT_PORT=11883
 
 
-DOCKER_IMAGE_PREFIX=localhost/
+DOCKER_IMAGE_PREFIX=ghcr.io/nasa-ammos/anms/
 DOCKER_IMAGE_TAG=latest
 
 ANMS_VERSION=0
diff --git a/.github/workflows/publish_images.yaml b/.github/workflows/publish_images.yaml
@@ -0,0 +1,48 @@
+# On merge to main publish with the 'latest' label
+# Publish with release label when a releaes is published.
+name: Build and publish containers
+on:
+  push:
+    branches:
+    - main
+  release:
+    types: [published]
+
+env:
+  REGISTRY: ghcr.io
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: recursive
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set prefix
+        run: |
+          echo "DOCKER_IMAGE_PREFIX=${REGISTRY}/${REPO,,}/" >>${GITHUB_ENV}
+        env:
+          REPO: '${{ github.repository }}'
+      - name: Set image tag
+        id: vars
+        run: |
+          if [[ "${{ github.event_name }}" == "release" ]]; then
+            echo "DOCKER_IMAGE_TAG=${{ github.event.release.tag_name }}" >> $GITHUB_ENV
+          else
+            echo "DOCKER_IMAGE_TAG=latest" >> $GITHUB_ENV
+          fi
+
+      - name: Build and push base images via compose
+        run: |
+          docker compose build --push
+      - name: Build and push testenv images via compose
+        run: |
+          docker compose -f testenv-compose.yml build --push
diff --git a/.github/workflows/puppet.yaml b/.github/workflows/puppet.yaml
@@ -47,7 +47,7 @@ jobs:
           bundler-cache: true
 
       - name: Install puppet-lint
-        run: gem install puppet-lint
+        run: gem install puppet-lint -v 4.3.0
 
       - name: Run puppet-lint
         run: puppet-lint puppet --sarif --ignore-paths 'puppet/modules/anms/files/*' > puppet-lint-results.sarif
diff --git a/README.md b/README.md
@@ -79,7 +79,9 @@ docker stop $(docker ps -q); docker rm $(docker ps --all -q); docker system prun
 
 `./quickstart.sh`
 
-The quickstart script will configure, build, and start the ANMS system for the first time.  See comments in the script for additional details, including optional ENV variables to override default behavior.
+The quickstart script will configure, pull, and start the ANMS system for the first time.  See comments in the script for additional details, including optional ENV variables to override default behavior.
+
+NOTICE: By default, quick start will pull pre-built containers from the github registry (ghcr.io). To force a rebuild, run it as `FORCE_REBULD=y ./quickstart.sh`. See the script header for details.
 
 To stop the system use `podman compose -f testenv-compose.yml -f docker-compose.yml down`.
 
@@ -104,6 +106,7 @@ Choose the appropriate docker, podman or podman-compose commands in the directio
 - Clone this repository recursively (`git clone --recursive https://github.com/NASA-AMMOS/anms.git`)
 - Setup Volume containing PKI configuration (certificate chains and private keys):
   - `./create_volume.sh ./puppet/modules/apl_test/files/anms/tls`
+- OPTIONAL: The next 2 steps  will build all ANMS containers. If desired, these steps can be replaced with 'pull'ing prebuilt containers from ghcr.
 - Build Core Images using one of the following:
   - `docker compose -f docker-compose.yml build`
   - `podman compose -f docker-compose.yml build`
@@ -228,6 +231,8 @@ Refer to the `.env` file for port binding overrides, or `docker-compose.yml` for
 
 ### ANMS-UI is not visible at hostname
 
+Ensure that you are running with the 'full' profile. This is the default option when using the `.env` file, however some older versions of podman-compose may not parse the COMPOSE_PROFILES ENV variable correctly. If this is the case, specify the profile explicitly in your compose up commands. For example, `podman compose --profile full up`.
+
 Check the startup logs for any errors. If using podman, some port numbers may need to be remapped using the `.env` file to higher numbered ports, or the system configuration modified to adjust permissions (not recommended).
 
 If you go to your browser and hostname:9030 (replace hostname with the server's hostname) and you see the ANMS UI,
diff --git a/anms-core/anms/routes/ARIs/reports.py b/anms-core/anms/routes/ARIs/reports.py
@@ -102,7 +102,7 @@ async def report_def_by_id(agent_id: int):
                             final_res.append(addition)
             except Exception as e:
                 logger.error(f"Error {e}, while processing nonce:{nonce_cbor} for agent: {agent_id_str}")
-    
+
     return final_res
 
 
@@ -215,4 +215,4 @@ async def report_ac(agent_id: int, nonce_cbor: str):
                             logger.error(err)            
     
     return list(exec_set_dir.values())
-    
+    
diff --git a/quickstart.sh b/quickstart.sh
@@ -25,6 +25,9 @@
 # is not specified the #AUTHNZ_* lines in .env will be uncommented to
 # use ports that do not require root permissions.
 #
+# FORCE_BUILD=y  If 'y', all ANMS-specific containers will be built locally.
+#    Otherwise, prebuilt containers will be pulled from ghcr for quicker startup.
+#
 # Note: This script was created with assistance from openai/gpt-oss-120b
 set -e
 
@@ -81,8 +84,12 @@ cp docker-compose.no-security-override.yml docker-compose.override.yml
 ./create_volume.sh ./puppet/modules/apl_test/files/anms/tls
 
 # Build system
-${DOCKER_CMD} compose build
-
+if [[ ${FORCE_BUILD:-} == y ]]; then
+    ${DOCKER_CMD} compose --profile full --profile dev build
+else
+    ${DOCKER_CMD} compose --profile full --profile dev pull
+fi
+    
 # Start testenv (unless disabled)
 if [[ ${USE_TESTENV:-} != n ]]; then
     ${DOCKER_CMD} compose -f testenv-compose.yml up -d
diff --git a/testenv.Containerfile b/testenv.Containerfile
@@ -128,6 +128,7 @@ RUN dnf -y install container-tools
 # Container service config
 RUN systemctl disable dnf-makecache.timer
 
+COPY --chmod=755 deps/dtnma-tools/systemd/service_is_running.sh /usr/local/bin/service_is_running
 
 # Image for the test environment manager transport with ION node and the
 # ion-app-proxy daemon
