tracingpoilcy: add creationTimestamp in metadata #4756

Workflow file for this run

.github/workflows/build-images-ci.yml at 091fbcb

	name: Image CI Build

	on:
	pull_request_target:
	types:
	- opened
	- synchronize
	- reopened
	paths-ignore:
	- 'docs/**'
	push:
	branches:
	- main
	paths-ignore:
	- 'docs/**'

	permissions:
	# To be able to access the repository with `actions/checkout`
	contents: read
	# Required to generate OIDC tokens for `sigstore/cosign-installer` authentication
	id-token: write

	jobs:
	build-and-push-prs:
	runs-on: ubuntu-20.04
	strategy:
	matrix:
	include:
	- name: tetragon
	dockerfile: ./Dockerfile

	- name: tetragon-operator
	dockerfile: ./Dockerfile.operator

	steps:
	# https://github.com/docker/setup-qemu-action
	- name: Set up QEMU
	uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0
	with:
	platforms: arm64

	# https://github.com/docker/setup-buildx-action
	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@4c0219f9ac95b02789c1075625400b2acbff50b1 # v2.9.1

	- name: Login to quay.io for CI
	uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
	with:
	registry: quay.io
	username: ${{ secrets.QUAY_USERNAME_CI }}
	password: ${{ secrets.QUAY_PASSWORD_CI }}

	- name: Getting image tag
	id: tag
	run: \|
	if [ ${{ github.event.pull_request.head.sha }} != "" ]; then
	echo "tag=${{ github.event.pull_request.head.sha }}" >> $GITHUB_OUTPUT
	else
	echo "tag=${{ github.sha }}" >> $GITHUB_OUTPUT
	fi

	- name: Checkout Source Code
	uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
	with:
	persist-credentials: false
	ref: ${{ steps.tag.outputs.tag }}
	fetch-depth: 0

	- name: Get version
	run: \|
	echo "TETRAGON_VERSION=$(make version)" >> $GITHUB_ENV

	- name: Install Cosign
	uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v3.0.5

	- name: Install Bom
	shell: bash
	run: \|
	curl -L https://github.com/kubernetes-sigs/bom/releases/download/v0.4.1/bom-linux-amd64 -o bom
	sudo mv ./bom /usr/local/bin/bom
	sudo chmod +x /usr/local/bin/bom

	# main branch pushes
	- name: CI Build (main)
	if: github.event_name == 'push'
	uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1
	id: docker_build_ci_main
	with:
	provenance: false
	context: .
	file: ${{ matrix.dockerfile }}
	push: true
	platforms: linux/amd64,linux/arm64
	build-args: \|
	TETRAGON_VERSION=${{ env.TETRAGON_VERSION }}
	tags: \|
	quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}
	quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:latest

	- name: Sign Container Image
	if: github.event_name == 'push'
	env:
	COSIGN_EXPERIMENTAL: "true"
	run: \|
	cosign sign quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_main.outputs.digest }}

	- name: Generate SBOM
	if: github.event_name == 'push'
	shell: bash
	# To-Do: Format SBOM output to JSON after a new version of cosign is released after v1.13.1. Ref: https://github.com/sigstore/cosign/pull/2479
	run: \|
	bom generate -o sbom_ci_main_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx \
	--dirs=. \
	--image=quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}

	- name: Attach SBOM to container images
	if: github.event_name == 'push'
	run: \|
	cosign attach sbom --sbom sbom_ci_main_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_main.outputs.digest }}

	- name: Sign SBOM Image
	if: github.event_name == 'push'
	env:
	COSIGN_EXPERIMENTAL: "true"
	run: \|
	docker_build_ci_main_digest="${{ steps.docker_build_ci_main.outputs.digest }}"
	image_name="quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${docker_build_ci_main_digest/:/-}.sbom"
	docker_build_ci_main_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} \| sha256sum \| head -c 64)"
	cosign sign "quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci@${docker_build_ci_main_sbom_digest}"

	- name: CI Image Releases digests (main)
	if: github.event_name == 'push'
	shell: bash
	run: \|
	mkdir -p image-digest/
	echo "quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}@${{ steps.docker_build_ci_main.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt

	# PR updates
	- name: CI Build (PR)
	if: github.event_name == 'pull_request_target' \|\| github.event_name == 'pull_request'
	uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1
	id: docker_build_ci_pr
	with:
	provenance: false
	context: .
	file: ${{ matrix.dockerfile }}
	push: true
	platforms: linux/amd64,linux/arm64
	build-args: \|
	TETRAGON_VERSION=${{ env.TETRAGON_VERSION }}
	tags: \|
	quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}

	- name: Sign Container Image
	if: github.event_name == 'pull_request_target' \|\| github.event_name == 'pull_request'
	env:
	COSIGN_EXPERIMENTAL: "true"
	run: \|
	cosign sign quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_pr.outputs.digest }}

	- name: Generate SBOM
	if: github.event_name == 'pull_request_target' \|\| github.event_name == 'pull_request'
	shell: bash
	# To-Do: Format SBOM output to JSON after a new version of cosign is released after v1.13.1. Ref: https://github.com/sigstore/cosign/pull/2479
	run: \|
	bom generate --format json -o sbom_ci_pr_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx \
	--dirs=. \
	--image=quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}

	- name: Attach SBOM to container images
	if: github.event_name == 'pull_request_target' \|\| github.event_name == 'pull_request'
	run: \|
	cosign attach sbom --sbom sbom_ci_pr_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_pr.outputs.digest }}

	- name: Sign SBOM Image
	if: github.event_name == 'pull_request_target' \|\| github.event_name == 'pull_request'
	env:
	COSIGN_EXPERIMENTAL: "true"
	run: \|
	docker_build_ci_pr_digest="${{ steps.docker_build_ci_pr.outputs.digest }}"
	image_name="quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${docker_build_ci_pr_digest/:/-}.sbom"
	docker_build_ci_pr_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} \| sha256sum \| head -c 64)"
	cosign sign "quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci@${docker_build_ci_pr_sbom_digest}"

	- name: CI Image Releases digests (PR)
	if: github.event_name == 'pull_request_target' \|\| github.event_name == 'pull_request'
	shell: bash
	run: \|
	mkdir -p image-digest/
	echo "quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}@${{ steps.docker_build_ci_pr.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt

	# Upload artifact digests
	- name: Upload artifact digests
	uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
	with:
	name: image-digest ${{ matrix.name }}
	path: image-digest
	retention-days: 1

	image-digests:
	if: ${{ always() }}
	name: Display Digests
	runs-on: ubuntu-20.04
	needs: [build-and-push-prs]
	steps:
	- name: Downloading Image Digests
	shell: bash
	run: \|
	mkdir -p image-digest/

	- name: Download digests of all images built
	uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
	with:
	path: image-digest/

	- name: Image Digests Output
	shell: bash
	run: \|
	cd image-digest/
	find -type f \| sort \| xargs -d '\n' cat

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

tracingpoilcy: add creationTimestamp in metadata #4756

Workflow file

tracingpoilcy: add creationTimestamp in metadata #4756

Jobs

Run details

Workflow file for this run