forked from project-zot/zot
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
ci: add script to build/publish zot multiarch images and modify the p…
…ublish pipeline to use it Example usage: scripts/build_mutiarch_image.sh --registry ghcr.io/project-zot --source-tag v2.0.0 --file build/multiarch-zot.json --destination-tags="v2.0.0 latest" Signed-off-by: Andrei Aaron <[email protected]>
- Loading branch information
Showing
6 changed files
with
332 additions
and
113 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -7,12 +7,11 @@ name: publish | |
| permissions: read-all | ||
|
|
||
| jobs: | ||
| push-image: | ||
| name: Push OCI images to GitHub Packages | ||
| push-singlearch-image: | ||
| name: Push single arch OCI images to GitHub Packages | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| security-events: write | ||
| packages: write | ||
| strategy: | ||
| matrix: | ||
|
|
@@ -41,38 +40,6 @@ jobs: | |
| tags: ${{ github.event.release.tag_name }} latest | ||
| username: ${{ github.actor }} | ||
| password: ${{ secrets.GITHUB_TOKEN }} | ||
| - name: Run zot container image with docker | ||
| run: | | ||
| if [[ $OS == "linux" && $ARCH == "amd64" ]]; then | ||
| docker run -d -p 5000:5000 ghcr.io/${{ github.repository_owner }}/zot-${{ matrix.os }}-${{ matrix.arch }}:${{ github.event.release.tag_name }} | ||
| sleep 2 | ||
| curl --connect-timeout 5 \ | ||
| --max-time 10 \ | ||
| --retry 12 \ | ||
| --retry-max-time 360 \ | ||
| --retry-connrefused \ | ||
| 'http://localhost:5000/v2/' | ||
| docker kill $(docker ps -q) | ||
| fi | ||
| env: | ||
| OS: ${{ matrix.os }} | ||
| ARCH: ${{ matrix.arch }} | ||
| - name: Run zot container image with podman | ||
| run: | | ||
| if [[ $OS == "linux" && $ARCH == "amd64" ]]; then | ||
| podman run -d -p 5000:5000 ghcr.io/${{ github.repository_owner }}/zot-${{ matrix.os }}-${{ matrix.arch }}:${{ github.event.release.tag_name }} | ||
| sleep 2 | ||
| curl --connect-timeout 5 \ | ||
| --max-time 10 \ | ||
| --retry 12 \ | ||
| --retry-max-time 360 \ | ||
| --retry-connrefused \ | ||
| 'http://localhost:5000/v2/' | ||
| podman kill --all | ||
| fi | ||
| env: | ||
| OS: ${{ matrix.os }} | ||
| ARCH: ${{ matrix.arch }} | ||
| - name: Build and push zot-minimal container image | ||
| uses: project-stacker/stacker-build-push-action@main | ||
| with: | ||
|
|
@@ -88,38 +55,6 @@ jobs: | |
| tags: ${{ github.event.release.tag_name }} latest | ||
| username: ${{ github.actor }} | ||
| password: ${{ secrets.GITHUB_TOKEN }} | ||
| - name: Run zot-minimal container image with docker | ||
| run: | | ||
| if [[ $OS == "linux" && $ARCH == "amd64" ]]; then | ||
| docker run -d -p 5000:5000 ghcr.io/${{ github.repository_owner }}/zot-minimal-${{ matrix.os }}-${{ matrix.arch }}:${{ github.event.release.tag_name }} | ||
| sleep 2 | ||
| curl --connect-timeout 5 \ | ||
| --max-time 10 \ | ||
| --retry 12 \ | ||
| --retry-max-time 360 \ | ||
| --retry-connrefused \ | ||
| 'http://localhost:5000/v2/' | ||
| docker kill $(docker ps -q) | ||
| fi | ||
| env: | ||
| OS: ${{ matrix.os }} | ||
| ARCH: ${{ matrix.arch }} | ||
| - name: Run zot-minimal container image with podman | ||
| run: | | ||
| if [[ $OS == "linux" && $ARCH == "amd64" ]]; then | ||
| podman run -d -p 5000:5000 ghcr.io/${{ github.repository_owner }}/zot-minimal-${{ matrix.os }}-${{ matrix.arch }}:${{ github.event.release.tag_name }} | ||
| sleep 2 | ||
| curl --connect-timeout 5 \ | ||
| --max-time 10 \ | ||
| --retry 12 \ | ||
| --retry-max-time 360 \ | ||
| --retry-connrefused \ | ||
| 'http://localhost:5000/v2/' | ||
| podman kill --all | ||
| fi | ||
| env: | ||
| OS: ${{ matrix.os }} | ||
| ARCH: ${{ matrix.arch }} | ||
| - name: Build and push zot-exporter container image | ||
| uses: project-stacker/stacker-build-push-action@main | ||
| with: | ||
|
|
@@ -134,38 +69,6 @@ jobs: | |
| tags: ${{ github.event.release.tag_name }} latest | ||
| username: ${{ github.actor }} | ||
| password: ${{ secrets.GITHUB_TOKEN }} | ||
| - name: Run zot-exporter container image with docker | ||
| run: | | ||
| if [[ $OS == "linux" && $ARCH == "amd64" ]]; then | ||
| docker run -d -p 5001:5001 ghcr.io/${{ github.repository_owner }}/zxp-${{ matrix.os }}-${{ matrix.arch }}:${{ github.event.release.tag_name }} | ||
| sleep 2 | ||
| curl --connect-timeout 5 \ | ||
| --max-time 10 \ | ||
| --retry 12 \ | ||
| --retry-max-time 360 \ | ||
| --retry-connrefused \ | ||
| 'http://localhost:5001/metrics' | ||
| docker kill $(docker ps -q) | ||
| fi | ||
| env: | ||
| OS: ${{ matrix.os }} | ||
| ARCH: ${{ matrix.arch }} | ||
| - name: Run zot-exporter container image with podman | ||
| run: | | ||
| if [[ $OS == "linux" && $ARCH == "amd64" ]]; then | ||
| podman run -d -p 5001:5001 ghcr.io/${{ github.repository_owner }}/zxp-${{ matrix.os }}-${{ matrix.arch }}:${{ github.event.release.tag_name }} | ||
| sleep 2 | ||
| curl --connect-timeout 5 \ | ||
| --max-time 10 \ | ||
| --retry 12 \ | ||
| --retry-max-time 360 \ | ||
| --retry-connrefused \ | ||
| 'http://localhost:5001/metrics' | ||
| podman kill --all | ||
| fi | ||
| env: | ||
| OS: ${{ matrix.os }} | ||
| ARCH: ${{ matrix.arch }} | ||
| - name: Build and push zb container image | ||
| uses: project-stacker/stacker-build-push-action@main | ||
| with: | ||
|
|
@@ -180,26 +83,182 @@ jobs: | |
| tags: ${{ github.event.release.tag_name }} latest | ||
| username: ${{ github.actor }} | ||
| password: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| push-multiarch-image: | ||
| name: Push multiarch OCI images to GitHub Packages | ||
| needs: push-singlearch-image | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| packages: write | ||
| strategy: | ||
| matrix: | ||
| image: [zot, zot-minimal, zxp, zb] | ||
| steps: | ||
| - name: Check out the repo | ||
| uses: actions/checkout@v4 | ||
| - name: Log in to GitHub Docker Registry | ||
| uses: docker/login-action@v3 | ||
| with: | ||
| registry: ghcr.io | ||
| username: ${{ github.actor }} | ||
| password: ${{ secrets.GITHUB_TOKEN }} | ||
| - name: Run build | ||
| run: | | ||
| echo "Building multiarch image for ${{ matrix.image }}" | ||
| cd $GITHUB_WORKSPACE | ||
| make check-blackbox-prerequisites | ||
| export PATH=${PATH}:${GITHUB_WORKSPACE}/hack/tools/bin | ||
| ./scripts/build_multiarch_image.sh --registry ghcr.io/${{ github.repository_owner }} \ | ||
| --source-tag ${{ github.event.release.tag_name }} \ | ||
| --destination-tags "${{ github.event.release.tag_name }} latest" \ | ||
| --file build/multiarch-${{ matrix.image }}.json | ||
| test-image: | ||
| name: Test OCI images published to GitHub Packages | ||
| needs: push-multiarch-image | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| packages: read | ||
| steps: | ||
| - name: Log in to GitHub Docker Registry | ||
| uses: docker/login-action@v3 | ||
| with: | ||
| registry: ghcr.io | ||
| username: ${{ github.actor }} | ||
| password: ${{ secrets.GITHUB_TOKEN }} | ||
| - name: Run zot container image with docker | ||
| run: | | ||
| docker run -d -p 5000:5000 ghcr.io/${{ github.repository_owner }}/zot:${{ github.event.release.tag_name }} | ||
| sleep 2 | ||
| curl --connect-timeout 5 \ | ||
| --max-time 10 \ | ||
| --retry 12 \ | ||
| --retry-max-time 360 \ | ||
| --retry-connrefused \ | ||
| 'http://localhost:5000/v2/' | ||
| docker kill $(docker ps -q) | ||
| - name: Run zot container image with podman | ||
| run: | | ||
| podman run -d -p 5000:5000 ghcr.io/${{ github.repository_owner }}/zot:${{ github.event.release.tag_name }} | ||
| sleep 2 | ||
| curl --connect-timeout 5 \ | ||
| --max-time 10 \ | ||
| --retry 12 \ | ||
| --retry-max-time 360 \ | ||
| --retry-connrefused \ | ||
| 'http://localhost:5000/v2/' | ||
| podman kill --all | ||
| - name: Run zot-minimal container image with docker | ||
| run: | | ||
| docker run -d -p 5000:5000 ghcr.io/${{ github.repository_owner }}/zot-minimal:${{ github.event.release.tag_name }} | ||
| sleep 2 | ||
| curl --connect-timeout 5 \ | ||
| --max-time 10 \ | ||
| --retry 12 \ | ||
| --retry-max-time 360 \ | ||
| --retry-connrefused \ | ||
| 'http://localhost:5000/v2/' | ||
| docker kill $(docker ps -q) | ||
| - name: Run zot-minimal container image with podman | ||
| run: | | ||
| podman run -d -p 5000:5000 ghcr.io/${{ github.repository_owner }}/zot-minimal:${{ github.event.release.tag_name }} | ||
| sleep 2 | ||
| curl --connect-timeout 5 \ | ||
| --max-time 10 \ | ||
| --retry 12 \ | ||
| --retry-max-time 360 \ | ||
| --retry-connrefused \ | ||
| 'http://localhost:5000/v2/' | ||
| podman kill --all | ||
| - name: Run zot-exporter container image with docker | ||
| run: | | ||
| docker run -d -p 5001:5001 ghcr.io/${{ github.repository_owner }}/zxp:${{ github.event.release.tag_name }} | ||
| sleep 2 | ||
| curl --connect-timeout 5 \ | ||
| --max-time 10 \ | ||
| --retry 12 \ | ||
| --retry-max-time 360 \ | ||
| --retry-connrefused \ | ||
| 'http://localhost:5001/metrics' | ||
| docker kill $(docker ps -q) | ||
| - name: Run zot-exporter container image with podman | ||
| run: | | ||
| podman run -d -p 5001:5001 ghcr.io/${{ github.repository_owner }}/zxp:${{ github.event.release.tag_name }} | ||
| sleep 2 | ||
| curl --connect-timeout 5 \ | ||
| --max-time 10 \ | ||
| --retry 12 \ | ||
| --retry-max-time 360 \ | ||
| --retry-connrefused \ | ||
| 'http://localhost:5001/metrics' | ||
| podman kill --all | ||
| - name: Run zb container image with docker | ||
| run: | | ||
| if [[ $OS == "linux" && $ARCH == "amd64" ]]; then | ||
| docker run ghcr.io/${{ github.repository_owner }}/zb-${{ matrix.os }}-${{ matrix.arch }}:${{ github.event.release.tag_name }} --help | ||
| fi | ||
| env: | ||
| OS: ${{ matrix.os }} | ||
| ARCH: ${{ matrix.arch }} | ||
| docker run ghcr.io/${{ github.repository_owner }}/zb:${{ github.event.release.tag_name }} --help | ||
| - name: Run zb container image with podman | ||
| run: | | ||
| if [[ $OS == "linux" && $ARCH == "amd64" ]]; then | ||
| podman run ghcr.io/${{ github.repository_owner }}/zb-${{ matrix.os }}-${{ matrix.arch }}:${{ github.event.release.tag_name }} --help | ||
| fi | ||
| podman run ghcr.io/${{ github.repository_owner }}/zb:${{ github.event.release.tag_name }} --help | ||
| scan-image: | ||
| name: Run Trivy scan on OCI images published to GitHub Packages | ||
| needs: push-singlearch-image | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| security-events: write | ||
| packages: read | ||
| strategy: | ||
| matrix: | ||
| os: [linux, darwin] | ||
| arch: [amd64, arm64] | ||
| steps: | ||
| - name: Log in to GitHub Docker Registry | ||
| uses: docker/login-action@v3 | ||
| with: | ||
| registry: ghcr.io | ||
| username: ${{ github.actor }} | ||
| password: ${{ secrets.GITHUB_TOKEN }} | ||
| - name: Run Trivy vulnerability scanner | ||
| uses: aquasecurity/trivy-action@master | ||
| with: | ||
| image-ref: 'ghcr.io/${{ github.repository_owner }}/zot-${{ matrix.os }}-${{ matrix.arch }}:${{ github.event.release.tag_name }}' | ||
| format: 'sarif' | ||
| output: 'trivy-results.sarif' | ||
| env: | ||
| OS: ${{ matrix.os }} | ||
| ARCH: ${{ matrix.arch }} | ||
| TRIVY_USERNAME: ${{ github.actor }} | ||
| TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} | ||
| - name: Run Trivy vulnerability scanner (minimal) | ||
| uses: aquasecurity/trivy-action@master | ||
| with: | ||
| image-ref: 'ghcr.io/${{ github.repository_owner }}/zot-minimal-${{ matrix.os }}-${{ matrix.arch }}:${{ github.event.release.tag_name }}' | ||
| format: 'sarif' | ||
| output: 'trivy-results.sarif' | ||
| env: | ||
| TRIVY_USERNAME: ${{ github.actor }} | ||
| TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} | ||
| - name: Upload Trivy scan results to GitHub Security tab | ||
| uses: github/codeql-action/[email protected] | ||
| with: | ||
| sarif_file: 'trivy-results.sarif' | ||
|
|
||
| scan-multiarch-image: | ||
| name: Run Trivy scan on OCI multiarch images published to GitHub Packages | ||
| needs: push-multiarch-image | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| security-events: write | ||
| packages: read | ||
| steps: | ||
| - name: Log in to GitHub Docker Registry | ||
| uses: docker/login-action@v3 | ||
| with: | ||
| registry: ghcr.io | ||
| username: ${{ github.actor }} | ||
| password: ${{ secrets.GITHUB_TOKEN }} | ||
| - name: Run Trivy vulnerability scanner | ||
| uses: aquasecurity/trivy-action@master | ||
| with: | ||
| image-ref: 'ghcr.io/${{ github.repository }}-${{ matrix.os }}-${{ matrix.arch }}:${{ github.event.release.tag_name }}' | ||
| image-ref: 'ghcr.io/${{ github.repository_owner }}/zot:${{ github.event.release.tag_name }}' | ||
| format: 'sarif' | ||
| output: 'trivy-results.sarif' | ||
| env: | ||
|
|
@@ -208,7 +267,7 @@ jobs: | |
| - name: Run Trivy vulnerability scanner (minimal) | ||
| uses: aquasecurity/trivy-action@master | ||
| with: | ||
| image-ref: 'ghcr.io/${{ github.repository }}-minimal-${{ matrix.os }}-${{ matrix.arch }}:${{ github.event.release.tag_name }}' | ||
| image-ref: 'ghcr.io/${{ github.repository_owner }}/zot-minimal:${{ github.event.release.tag_name }}' | ||
| format: 'sarif' | ||
| output: 'trivy-results.sarif' | ||
| env: | ||
|
|
@@ -221,7 +280,7 @@ jobs: | |
|
|
||
| update-helm-chart: | ||
| if: github.event_name == 'release' && github.event.action== 'published' | ||
| needs: push-image | ||
| needs: push-singlearch-image | ||
| name: Update Helm Chart | ||
| permissions: | ||
| contents: write | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| { | ||
| "target_repo": "zb", | ||
| "source_repos": [ | ||
| "zb-linux-amd64", | ||
| "zb-linux-arm64", | ||
| "zb-darwin-amd64", | ||
| "zb-darwin-arm64" | ||
| ] | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| { | ||
| "target_repo": "zot-minimal", | ||
| "source_repos": [ | ||
| "zot-minimal-linux-amd64", | ||
| "zot-minimal-linux-arm64", | ||
| "zot-minimal-darwin-amd64", | ||
| "zot-minimal-darwin-arm64" | ||
| ] | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| { | ||
| "target_repo": "zot", | ||
| "source_repos": [ | ||
| "zot-linux-amd64", | ||
| "zot-linux-arm64", | ||
| "zot-darwin-amd64", | ||
| "zot-darwin-arm64" | ||
| ] | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| { | ||
| "target_repo": "zxp", | ||
| "source_repos": [ | ||
| "zxp-linux-amd64", | ||
| "zxp-linux-arm64", | ||
| "zxp-darwin-amd64", | ||
| "zxp-darwin-arm64" | ||
| ] | ||
| } |
Oops, something went wrong.