-
Notifications
You must be signed in to change notification settings - Fork 360
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
DO NOT MERGE: test building the operator image
Signed-off-by: Michi Mutsuzaki <[email protected]>
- Loading branch information
1 parent
3d91cb3
commit 875d669
Showing
1 changed file
with
217 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,217 @@ | ||
| name: Image CI Operator Build | ||
|
|
||
| on: | ||
| pull_request: | ||
| push: | ||
| branches: | ||
| - main | ||
| paths-ignore: | ||
| - 'docs/**' | ||
|
|
||
| permissions: | ||
| # To be able to access the repository with `actions/checkout` | ||
| contents: read | ||
| # Required to generate OIDC tokens for `sigstore/cosign-installer` authentication | ||
| id-token: write | ||
|
|
||
| jobs: | ||
| build-and-push-prs: | ||
| runs-on: ubuntu-20.04 | ||
| strategy: | ||
| matrix: | ||
| include: | ||
| - name: tetragon-operator | ||
| dockerfile: ./tetragonpod/Dockerfile | ||
|
|
||
| steps: | ||
| # https://github.com/docker/setup-qemu-action | ||
| - name: Set up QEMU | ||
| uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0 | ||
| with: | ||
| platforms: arm64 | ||
|
|
||
| # https://github.com/docker/setup-buildx-action | ||
| - name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@4c0219f9ac95b02789c1075625400b2acbff50b1 # v2.9.1 | ||
|
|
||
| - name: Login to quay.io for CI | ||
| uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0 | ||
| with: | ||
| registry: quay.io | ||
| username: ${{ secrets.QUAY_USERNAME_CI }} | ||
| password: ${{ secrets.QUAY_PASSWORD_CI }} | ||
|
|
||
| - name: Getting image tag | ||
| id: tag | ||
| run: | | ||
| if [ ${{ github.event.pull_request.head.sha }} != "" ]; then | ||
| echo "tag=${{ github.event.pull_request.head.sha }}" >> $GITHUB_OUTPUT | ||
| else | ||
| echo "tag=${{ github.sha }}" >> $GITHUB_OUTPUT | ||
| fi | ||
| - name: Checkout Source Code | ||
| uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | ||
| with: | ||
| persist-credentials: false | ||
| ref: ${{ steps.tag.outputs.tag }} | ||
| fetch-depth: 0 | ||
|
|
||
| - name: Get version | ||
| run: | | ||
| echo "TETRAGON_VERSION=$(make version)" >> $GITHUB_ENV | ||
| - name: Install Cosign | ||
| uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v3.0.5 | ||
|
|
||
| - name: Install Bom | ||
| shell: bash | ||
| run: | | ||
| curl -L https://github.com/kubernetes-sigs/bom/releases/download/v0.4.1/bom-linux-amd64 -o bom | ||
| sudo mv ./bom /usr/local/bin/bom | ||
| sudo chmod +x /usr/local/bin/bom | ||
| # main branch pushes | ||
| - name: CI Build (main) | ||
| if: github.event_name == 'push' | ||
| uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1 | ||
| id: docker_build_ci_main | ||
| with: | ||
| provenance: false | ||
| context: . | ||
| file: ${{ matrix.dockerfile }} | ||
| push: true | ||
| platforms: linux/amd64,linux/arm64 | ||
| build-args: | | ||
| TETRAGON_VERSION=${{ env.TETRAGON_VERSION }} | ||
| tags: | | ||
| quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }} | ||
| quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:latest | ||
| - name: Sign Container Image | ||
| if: github.event_name == 'push' | ||
| env: | ||
| COSIGN_EXPERIMENTAL: 'true' | ||
| run: | | ||
| cosign sign quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_main.outputs.digest }} | ||
| - name: Generate SBOM | ||
| if: github.event_name == 'push' | ||
| shell: bash | ||
| # To-Do: Format SBOM output to JSON after a new version of cosign is released after v1.13.1. Ref: https://github.com/sigstore/cosign/pull/2479 | ||
| run: | | ||
| bom generate -o sbom_ci_main_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx \ | ||
| --dirs=. \ | ||
| --image=quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }} | ||
| - name: Attach SBOM to container images | ||
| if: github.event_name == 'push' | ||
| run: | | ||
| cosign attach sbom --sbom sbom_ci_main_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_main.outputs.digest }} | ||
| - name: Sign SBOM Image | ||
| if: github.event_name == 'push' | ||
| env: | ||
| COSIGN_EXPERIMENTAL: 'true' | ||
| run: | | ||
| docker_build_ci_main_digest="${{ steps.docker_build_ci_main.outputs.digest }}" | ||
| image_name="quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${docker_build_ci_main_digest/:/-}.sbom" | ||
| docker_build_ci_main_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)" | ||
| cosign sign "quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci@${docker_build_ci_main_sbom_digest}" | ||
| - name: CI Image Releases digests (main) | ||
| if: github.event_name == 'push' | ||
| shell: bash | ||
| run: | | ||
| mkdir -p image-digest/ | ||
| echo "quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}@${{ steps.docker_build_ci_main.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt | ||
| # This is to check if the matrix build is | ||
| - name: Check if building tetragonpod controller image | ||
| id: suffix | ||
| run: | | ||
| echo "value=-podinfo" >> $GITHUB_OUTPUT | ||
| # PR updates | ||
| - name: CI Build (PR) | ||
| if: github.event_name == 'pull_request_target' || github.event_name == 'pull_request' | ||
| uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1 | ||
| id: docker_build_ci_pr | ||
| with: | ||
| provenance: false | ||
| context: . | ||
| file: ${{ matrix.dockerfile }} | ||
| push: true | ||
| platforms: linux/amd64,linux/arm64 | ||
| build-args: | | ||
| TETRAGON_VERSION=${{ env.TETRAGON_VERSION }} | ||
| tags: | | ||
| quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}${{steps.suffix.outputs.value}} | ||
| - name: Sign Container Image | ||
| if: github.event_name == 'pull_request_target' || github.event_name == 'pull_request' | ||
| env: | ||
| COSIGN_EXPERIMENTAL: 'true' | ||
| run: | | ||
| cosign sign quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_pr.outputs.digest }} | ||
| - name: Generate SBOM | ||
| if: github.event_name == 'pull_request_target' || github.event_name == 'pull_request' | ||
| shell: bash | ||
| # To-Do: Format SBOM output to JSON after a new version of cosign is released after v1.13.1. Ref: https://github.com/sigstore/cosign/pull/2479 | ||
| run: | | ||
| bom generate --format json -o sbom_ci_pr_${{ matrix.name }}_${{ steps.tag.outputs.tag }}${{steps.suffix.outputs.value}}.spdx \ | ||
| --dirs=. \ | ||
| --image=quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}${{steps.suffix.outputs.value}} | ||
| - name: Attach SBOM to container images | ||
| if: github.event_name == 'pull_request_target' || github.event_name == 'pull_request' | ||
| run: | | ||
| cosign attach sbom --sbom sbom_ci_pr_${{ matrix.name }}_${{ steps.tag.outputs.tag }}${{steps.suffix.outputs.value}}.spdx quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_pr.outputs.digest }} | ||
| - name: Sign SBOM Image | ||
| if: github.event_name == 'pull_request_target' || github.event_name == 'pull_request' | ||
| env: | ||
| COSIGN_EXPERIMENTAL: 'true' | ||
| run: | | ||
| docker_build_ci_pr_digest="${{ steps.docker_build_ci_pr.outputs.digest }}" | ||
| image_name="quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${docker_build_ci_pr_digest/:/-}.sbom" | ||
| docker_build_ci_pr_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)" | ||
| cosign sign "quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci@${docker_build_ci_pr_sbom_digest}" | ||
| - name: CI Image Releases digests (PR) | ||
| if: github.event_name == 'pull_request_target' || github.event_name == 'pull_request' | ||
| shell: bash | ||
| run: | | ||
| mkdir -p image-digest/ | ||
| echo "quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}${{steps.suffix.outputs.value}}@${{ steps.docker_build_ci_pr.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt | ||
| # Upload artifact digests | ||
| - name: Upload artifact digests | ||
| uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 | ||
| with: | ||
| name: image-digest ${{ matrix.name }} | ||
| path: image-digest | ||
| retention-days: 1 | ||
|
|
||
| image-digests: | ||
| if: ${{ always() }} | ||
| name: Display Digests | ||
| runs-on: ubuntu-20.04 | ||
| needs: [build-and-push-prs] | ||
| steps: | ||
| - name: Downloading Image Digests | ||
| shell: bash | ||
| run: | | ||
| mkdir -p image-digest/ | ||
| - name: Download digests of all images built | ||
| uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | ||
| with: | ||
| path: image-digest/ | ||
|
|
||
| - name: Image Digests Output | ||
| shell: bash | ||
| run: | | ||
| cd image-digest/ | ||
| find -type f | sort | xargs -d '\n' cat |