From ab184be8f29e02392a1dad9496a9efa738bcaf3e Mon Sep 17 00:00:00 2001
From: Siddhesh Mhadnak
Date: Sun, 6 Oct 2024 15:11:29 +0530
Subject: [PATCH] ci(container-build-push): replace `darbiadev`'s' workflow with `bot`'s

---
 .github/workflows/container-build-push.yaml | 141 +++++++++++++++++++-
 1 file changed, 136 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/container-build-push.yaml b/.github/workflows/container-build-push.yaml
index 8d297ac0..dd253e7f 100644
--- a/.github/workflows/container-build-push.yaml
+++ b/.github/workflows/container-build-push.yaml
@@ -1,3 +1,4 @@
+---
 name: Container Build and Push
 on:
@@ -8,15 +9,145 @@ on: - v* pull_request: +defaults: + run: + shell: bash + permissions: contents: read packages: write - # This is used to complete the identity challenge - # with sigstore/fulcio. + # This is used to complete the identity challenge with sigstore/fulcio. id-token: write +env: + # Use docker.io for Docker Hub if empty + REGISTRY: ghcr.io + # github.repository as / + IMAGE_NAME: ${{ github.repository }} + jobs: build-push: - uses: darbiadev/.github/.github/workflows/docker-build-push.yaml@e3ebedcaeee8d40bdb7ef569dacd74829ab0c368 # v14.0.0 - with: - file-name: Dockerfile + strategy: + fail-fast: false + matrix: + platform: + - linux/amd64 + + runs-on: ubuntu-24.04 + steps: + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + + - name: Install cosign + uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0 + + - name: Set up Docker Buildx + id: buildx + uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 + with: + platforms: ${{ matrix.platform }} + + - name: Log in to container registry (${{ env.REGISTRY }}) + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract Docker metadata + id: docker_meta + uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + tags: | + type=edge + # FIXME: Remove explicit `latest` tag once we start tagging releases + type=raw,value=latest,enable={{is_default_branch}} + type=ref,event=tag + type=sha,format=long + + - name: Build and push Docker image + id: docker_build_push + uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 + with: + builder: ${{ steps.buildx.outputs.name }} + build-args: | + git_sha=${{ github.sha }} + cache-from: type=gha,scope=${{ matrix.platform }} + 
cache-to: type=gha,mode=max,scope=${{ matrix.platform }} + labels: ${{ steps.docker_meta.outputs.labels }} + platforms: ${{ matrix.platform }} + push: ${{ github.ref == 'refs/heads/main' || startswith(github.event.ref, 'refs/tags/v') }} + tags: ${{ steps.docker_meta.outputs.tags }} + + # Sign the resulting Docker image digest. + # This will only write to the public Rekor transparency log when the Docker repository is public to avoid leaking + # data. If you would like to publish transparency data even for private images, pass --force to cosign below. + # https://github.com/sigstore/cosign + - name: Sign the published Docker image + if: ${{ github.ref == 'refs/heads/main' || startswith(github.event.ref, 'refs/tags/v') }} + # This step uses the identity token to provision an ephemeral certificate against the sigstore community Fulcio + # instance. + run: cosign sign --yes ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.docker_build_push.outputs.digest }} + + - name: Export digest + if: ${{ github.ref == 'refs/heads/main' || startswith(github.event.ref, 'refs/tags/v') }} + run: | + mkdir -p /tmp/digests + digest='${{ steps.docker_build_push.outputs.digest }}' + touch "/tmp/digests/${digest#sha256:}" + + - name: Upload digest + if: ${{ github.ref == 'refs/heads/main' || startswith(github.event.ref, 'refs/tags/v') }} + uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 + with: + if-no-files-found: error + name: digests + path: /tmp/digests/* + retention-days: 1 + + merge: + if: ${{ github.ref == 'refs/heads/main' || startswith(github.event.ref, 'refs/tags/v') }} + needs: + - build-push + + runs-on: ubuntu-24.04 + steps: + - name: Download digests + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 + with: + name: digests + path: /tmp/digests + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 + + - name: Log in to container registry (${{ 
env.REGISTRY }}) + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract Docker metadata + id: docker_meta + uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + tags: | + type=edge + # FIXME: Remove explicit `latest` tag once we start tagging releases + type=raw,value=latest,enable={{is_default_branch}} + type=ref,event=tag + type=sha,format=long + + - name: Create manifest list and push + working-directory: /tmp/digests + run: > + docker buildx imagetools create \ + $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "${DOCKER_METADATA_OUTPUT_JSON}") \ + $(printf ' ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@sha256:%s ' *) + + - name: Inspect image + run: >- + docker buildx imagetools inspect \ + '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.docker_meta.outputs.version }}'
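Review bot: The manifest list that `docker buildx imagetools create` pushes in the `merge` job is never signed; the `cosign sign` step in `build-push` covers only the per-platform image digest, so a `cosign verify` against the published tag (which resolves to the new index digest) will, as far as I can tell, find no signature. Consider installing cosign in `merge`, resolving the index digest behind the pushed tag and signing that, which also requires `id-token: write` on that job. Relatedly, the workflow-level `permissions` block grants `packages: write` and `id-token: write` to both jobs on every trigger including `pull_request`; moving `permissions` to the job level keeps each job to what its own steps use. The same `github.ref == 'refs/heads/main' || startswith(github.event.ref, 'refs/tags/v')` expression is repeated on four steps and on the `merge` job's `if`, so exposing it once as a `build-push` job output (for example `publish`) would keep the copies from drifting apart.
```yaml
  merge:
    # … unchanged: if / needs / runs-on …
    permissions:
      contents: read
      packages: write
      id-token: write  # needed for keyless signing of the manifest list below
    steps:
      # … unchanged: download digests, buildx, login, metadata, create manifest list …
      - name: Install cosign
        uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0

      - name: Sign the manifest list
        run: |
          image='${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}'
          digest="$(docker buildx imagetools inspect "${image}:${{ steps.docker_meta.outputs.version }}" --format '{{.Manifest.Digest}}')"
          cosign sign --yes "${image}@${digest}"
```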