制品管理
概览
实施全面的制品管理策略,用于存储、版本控制和跨环境分发构建的二进制文件、Docker镜像和包。
何时使用
- Docker镜像注册表管理
- 包发布和版本控制
- 构建制品存储和检索
- 容器镜像优化
- 制品保留策略
- 多注册表分发
- 依赖缓存
实施示例
1. Docker注册表配置
# 用于优化的多阶段构建Dockerfile
FROM node:18-alpine AS dependencies
WORKDIR /app
COPY package*.json ./
RUN npm ci --only=production
FROM node:18-alpine AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build
FROM node:18-alpine AS runtime
WORKDIR /app
COPY --from=dependencies /app/node_modules ./node_modules
COPY --from=builder /app/dist ./dist
COPY package*.json ./
EXPOSE 3000
HEALTHCHECK --interval=30s --timeout=3s --start-period=40s --retries=3 \
CMD node healthcheck.js
CMD ["node", "dist/server.js"]
LABEL org.opencontainers.image.version="1.0.0" \
org.opencontainers.image.description="生产应用程序" \
org.opencontainers.image.authors="DevOps团队"
2. GitHub容器注册表(GHCR)推送
# .github/workflows/publish-image.yml
name: 发布到GHCR
on:
push:
tags: ['v*']
branches: [main]
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
jobs:
publish:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
steps:
- uses: actions/checkout@v3
- name: 设置Docker Buildx
uses: docker/setup-buildx-action@v2
- name: 登录注册表
uses: docker/login-action@v2
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: 提取元数据
id: meta
uses: docker/metadata-action@v4
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
type=ref,event=branch
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=sha
- name: 构建和推送
uses: docker/build-push-action@v4
with:
context: .
file: ./Dockerfile.prod
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:buildcache
cache-to: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:buildcache,mode=max
3. npm包发布
{
"name": "@myorg/awesome-library",
"version": "1.2.3",
"description": "开发者的卓越库",
"main": "dist/index.js",
"types": "dist/index.d.ts",
"files": [
"dist",
"README.md",
"LICENSE"
],
"publishConfig": {
"registry": "https://npm.pkg.github.com",
"access": "public"
},
"repository": {
"type": "git",
"url": "https://github.com/myorg/awesome-library.git"
},
"scripts": {
"prepublishOnly": "npm run build && npm run test",
"prepack": "npm run build"
}
}
4. 制品保留策略
# .github/workflows/cleanup-artifacts.yml
name: 清理旧制品
on:
schedule:
- cron: '0 2 * * *' # 每天凌晨2点
workflow_dispatch:
jobs:
cleanup:
runs-on: ubuntu-latest
steps:
- name: 删除30天以上的制品
uses: geekyeggo/delete-artifact@v2
with:
name: '*'
minCreatedTime: 30d
failOnError: false
5. 制品版本控制
#!/bin/bash
# artifact-version.sh
BUILD_DATE=$(date -u +'%Y%m%d')
GIT_HASH=$(git rev-parse --short HEAD)
VERSION=$(grep '"version"' package.json | sed 's/.*"version": "\([^"]*\)".*/\1/')
# 完整版本标签
FULL_VERSION="${VERSION}-${BUILD_DATE}.${GIT_HASH}"
# 创建带版本的制品
docker build -t myapp:${FULL_VERSION} .
docker tag myapp:${FULL_VERSION} myapp:latest
echo "构建的制品版本: ${FULL_VERSION}"
10. GitLab包注册表
# .gitlab-ci.yml
publish-package:
stage: publish
script:
- npm config set @myorg:registry https://gitlab.example.com/api/v4/packages/npm/
- npm config set '//gitlab.example.com/api/v4/packages/npm/:_authToken' "${CI_JOB_TOKEN}"
- npm publish
only:
- tags
最佳实践
✅ 应该做
- 对制品使用语义版本控制
- 在部署前实施镜像扫描
- 为旧制品设置保留策略
- 对Docker镜像使用多阶段构建
- 签名和验证制品
- 实施制品不可变性
- 文档化制品元数据
- 使用特定的基础镜像版本
- 实施漏洞扫描
- 积极缓存层
- 用提交SHA标记镜像
- 压缩制品以存储
❌ 不应该做
- 将
latest标签作为唯一的标识符 - 在制品中存储机密
- 未经扫描就推送制品
- 使用不可信的基础镜像
- 跳过制品验证
- 覆盖已发布的制品
- 混合二进制和源制品
- 忽略镜像层优化
- 将敏感数据存储在构建日志中
制品存储标准
# 命名约定
{registry}/{org}/{repo}/{service}:{version}-{build}-{commit}
# 示例
docker.io/myorg/web-app:1.2.3-123-abc1234
ghcr.io/myorg/api-service:2.0.0-456-def5678
artifactory.example.com/releases/core:3.1.0-789-ghi9012