name: Image CI Build

# Any change in triggers needs to be reflected in the concurrency group.
#
# Trust model of the triggers:
#   - pull_request_target: fires for pull requests (including ones from forks)
#     but runs this workflow file from the base branch, with the repository's
#     secrets and OIDC token available. The PR tree itself is untrusted; see
#     the "NOT TRUSTED" checkout in the build job.
#   - push: only the listed branches, which require write access to push to.
#   - workflow_run: re-runs after "Image CI Cache Cleaner" finished on the
#     same branches, so the Golang build cache gets re-created.
on:
  pull_request_target:
    types:
      - opened
      - synchronize
      - reopened
  push:
    branches:
      - main
      - ft/main/**

  # If the cache was cleaned we should re-build the cache with the latest commit
  workflow_run:
    workflows:
     - "Image CI Cache Cleaner"
    branches:
     - main
     - ft/main/**
    types:
     - completed

# Default GITHUB_TOKEN permissions for every job; kept to the minimum needed.
permissions:
  # To be able to access the repository with `actions/checkout`
  contents: read
  # Required to generate OIDC tokens for `sigstore/cosign-installer` authentication
  # (keyless signing). Note that this also makes the job's OIDC identity
  # available to anything executing in the job, which is one more reason the
  # build job must never execute code from the pull request tree.
  id-token: write

# One in-flight run per pull request (by number) or per push (by pushed-to
# commit); a newer event in the same group cancels the older run.
# workflow_run payloads carry neither field, so those runs presumably all
# share the group "<workflow>-" — verify if that ever matters.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after }}
  cancel-in-progress: true

jobs:
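  build-and-push-prs:
    # Privileged job: on pull_request_target it runs in the base repository's
    # context (registry secrets and OIDC token available) while building the
    # pull request's tree. Every step after the "NOT TRUSTED" checkout below
    # must be written as if it runs next to untrusted files.
    timeout-minutes: 45
    name: Build and Push Images
    runs-on: ubuntu-22.04
    strategy:
      matrix:
        # One matrix entry per image. The operator variants share a single
        # Dockerfile and are selected through the OPERATOR_VARIANT build-arg
        # passed to every build step below.
        include:
          - name: cilium
            dockerfile: ./images/cilium/Dockerfile

          - name: operator-aws
            dockerfile: ./images/operator/Dockerfile

          - name: operator-azure
            dockerfile: ./images/operator/Dockerfile

          - name: operator-alibabacloud
            dockerfile: ./images/operator/Dockerfile

          - name: operator-generic
            dockerfile: ./images/operator/Dockerfile

          - name: hubble-relay
            dockerfile: ./images/hubble-relay/Dockerfile

          - name: clustermesh-apiserver
            dockerfile: ./images/clustermesh-apiserver/Dockerfile

          - name: docker-plugin
            dockerfile: ./images/cilium-docker-plugin/Dockerfile

    steps:
      # The trusted checkout comes first so that the local composite action
      # used in the next step (./.github/actions/set-env-variables) is taken
      # from the default branch and not from the pull request.
      - name: Checkout default branch (trusted)
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          ref: ${{ github.event.repository.default_branch }}
          # Do not leave the GITHUB_TOKEN behind in .git/config for later steps.
          persist-credentials: false

      - name: Set Environment Variables
        uses: ./.github/actions/set-env-variables

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0

      # The registry credentials are available to this job on pull_request_target
      # runs too; they are handed to the docker CLI only (config.json on the
      # runner). NOTE(review): none of the build steps below pass `secrets:` to
      # docker/build-push-action — keep it that way, or the untrusted Dockerfile
      # could read them.
      - name: Login to quay.io for CI
        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_USERNAME_CI }}
          password: ${{ secrets.QUAY_PASSWORD_CI }}

      # Derive the immutable image tag (commit SHA) and, for branch pushes, the
      # floating tag (`latest` on the default branch, the branch name otherwise).
      # The GitHub context values are passed through `env` instead of being
      # interpolated into the script text, so a ref name containing shell
      # metacharacters cannot become part of the command line.
      - name: Getting image tag
        id: tag
        env:
          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
          PUSH_SHA: ${{ github.sha }}
          REF_NAME: ${{ github.ref_name }}
          DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
        run: |
          # pull_request_target: tag by the PR head commit, not by the merge ref.
          if [ -n "${PR_HEAD_SHA}" ]; then
            echo "tag=${PR_HEAD_SHA}" >> "${GITHUB_OUTPUT}"
          else
            echo "tag=${PUSH_SHA}" >> "${GITHUB_OUTPUT}"
          fi
          if [ "${REF_NAME}" == "${DEFAULT_BRANCH}" ]; then
            echo "floating_tag=latest" >> "${GITHUB_OUTPUT}"
          else
            echo "floating_tag=${REF_NAME}" >> "${GITHUB_OUTPUT}"
          fi

      # Warning: since this is a privileged workflow, subsequent workflow job
      # steps must take care not to execute untrusted code.
      # From here on the workspace holds the pull request's files: Dockerfiles,
      # go.sum (which also feeds hashFiles() in the cache key below) and build
      # scripts. They are only ever handed to BuildKit, never run on the runner.
      - name: Checkout pull request branch (NOT TRUSTED)
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          persist-credentials: false
          ref: ${{ steps.tag.outputs.tag }}

      # Load Golang cache build from GitHub
      # NOTE(review): actions/cache saves /tmp/.cache/<name> in its post-job step
      # whenever there was no exact key hit, and pull_request_target runs use the
      # base branch's cache scope. Confirm nothing in the untrusted build can
      # write into /tmp/.cache, otherwise a PR could poison the main-branch cache.
      - name: Load ${{ matrix.name }} Golang cache build from GitHub
        uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0
        id: cache
        with:
          path: /tmp/.cache/${{ matrix.name }}
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}-${{ matrix.name }}-${{ github.sha }}
          restore-keys: |
            ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}-${{ matrix.name }}-
            ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}-
            ${{ runner.os }}-go-

      - name: Create ${{ matrix.name }} cache directory
        if: ${{ steps.cache.outputs.cache-hit != 'true' }}
        shell: bash
        run: |
          mkdir -p /tmp/.cache/${{ matrix.name }}

      # Import GitHub's cache build to docker cache
      # (the cache Dockerfile is read from the checked-out tree, i.e. from the
      # pull request on pull_request_target runs).
      - name: Copy ${{ matrix.name }} Golang cache to docker cache
        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
        with:
          provenance: false
          context: /tmp/.cache/${{ matrix.name }}
          file: ./images/cache/Dockerfile
          push: false
          platforms: linux/amd64
          target: import-cache

      - name: Install Cosign
        uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0

      # TODO(review): the bom release asset is pinned only by its git tag, which
      # is mutable. Verify the download against a pinned sha256 (or install it
      # through a commit-pinned action) before trusting it to produce the SBOMs
      # that get signed further down.
      - name: Install Bom
        shell: bash
        env:
          # renovate: datasource=github-releases depName=kubernetes-sigs/bom
          BOM_VERSION: v0.6.0
        run: |
          # -f makes curl fail on an HTTP error instead of saving the error page
          # as the "binary"; -S still reports the failure despite -s.
          curl -fsSL "https://github.com/kubernetes-sigs/bom/releases/download/${BOM_VERSION}/bom-amd64-linux" -o bom
          sudo install -m 0755 ./bom /usr/local/bin/bom

      # main branch pushes
      # The three builds below (release, race-detector, unstripped) only run for
      # events that are not pull_request_target and not on ft/ branches; images
      # are pushed only on `push` events (see the comment on `push:`).
      - name: CI Build ${{ matrix.name }}
        if: ${{ github.event_name != 'pull_request_target' && !startsWith(github.ref_name, 'ft/') }}
        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
        id: docker_build_ci
        with:
          provenance: false
          context: .
          file: ${{ matrix.dockerfile }}
          # Only push when the event name was a GitHub push, this is to avoid
          # re-pushing the image tags when we only want to re-create the Golang
          # docker cache after the workflow "Image CI Cache Cleaner" was terminated.
          push: ${{ github.event_name == 'push' }}
          platforms: linux/amd64,linux/arm64
          tags: |
            quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.floating_tag }}
            quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}
          target: release
          build-args: |
            OPERATOR_VARIANT=${{ matrix.name }}

      - name: CI race detection Build ${{ matrix.name }}
        if: ${{ github.event_name != 'pull_request_target' && !startsWith(github.ref_name, 'ft/') }}
        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
        id: docker_build_ci_detect_race_condition
        with:
          provenance: false
          context: .
          file: ${{ matrix.dockerfile }}
          # Only push when the event name was a GitHub push, this is to avoid
          # re-pushing the image tags when we only want to re-create the Golang
          # docker cache after the workflow "Image CI Cache Cleaner" was terminated.
          push: ${{ github.event_name == 'push' }}
          platforms: linux/amd64
          tags: |
            quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.floating_tag }}-race
            quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-race
          target: release
          build-args: |
            BASE_IMAGE=quay.io/cilium/cilium-runtime:272c2080c5c3fc32c2a6ca6b5727daeb12836164@sha256:408484a9f3aaafc41f875254d52af1354822c2d0a694799e90372e0765b27d99
            LOCKDEBUG=1
            RACE=1
            OPERATOR_VARIANT=${{ matrix.name }}

      - name: CI Unstripped Binaries Build ${{ matrix.name }}
        if: ${{ github.event_name != 'pull_request_target' && !startsWith(github.ref_name, 'ft/') }}
        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
        id: docker_build_ci_unstripped
        with:
          provenance: false
          context: .
          file: ${{ matrix.dockerfile }}
          # Only push when the event name was a GitHub push, this is to avoid
          # re-pushing the image tags when we only want to re-create the Golang
          # docker cache after the workflow "Image CI Cache Cleaner" was terminated.
          push: ${{ github.event_name == 'push' }}
          platforms: linux/amd64
          tags: |
            quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.floating_tag }}-unstripped
            quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-unstripped
          target: release
          build-args: |
            NOSTRIP=1
            OPERATOR_VARIANT=${{ matrix.name }}

      # Keyless (OIDC) signing of the three pushed images, by digest.
      - name: Sign Container Images
        # Only sign when the event name was a GitHub push and not workflow_run (re-building cache).
        # In this case the image wasn't pushed, therefore it's not necessary to execute this step too.
        # It would even fail because `steps.docker_build_ci*.outputs.digest` isn't set in case
        # neither push nor load are set in the docker/build-push-action action.
        if: ${{ github.event_name == 'push' && !startsWith(github.ref_name, 'ft/') }}
        run: |
          cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci.outputs.digest }}
          cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_detect_race_condition.outputs.digest }}
          cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_unstripped.outputs.digest }}

      # The SBOM is generated from the pushed image (by tag), not from source.
      - name: Generate SBOM
        # Only sign when the event name was a GitHub push and not workflow_run (re-building cache).
        # In this case the image wasn't pushed, therefore it's not necessary to execute this step too.
        # It would even fail because `steps.docker_build_ci*.outputs.digest` isn't set in case
        # neither push nor load are set in the docker/build-push-action action.
        if: ${{ github.event_name == 'push' && !startsWith(github.ref_name, 'ft/') }}
        shell: bash
        # To-Do: generate SBOM from source after https://github.com/kubernetes-sigs/bom/issues/202 is fixed
        # To-Do: format SBOM output to json after cosign v2.0 is released with https://github.com/sigstore/cosign/pull/2479
        run: |
          bom generate -o sbom_ci_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx \
          --image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}
          bom generate -o sbom_ci_race_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx \
          --image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-race
          bom generate -o sbom_ci_unstripped_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx \
          --image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-unstripped

      # Pushes each SBOM as its own OCI artifact next to the image, tagged
      # `<digest with ':' replaced by '-'>.sbom`.
      - name: Attach SBOM to Container Images
        # Only sign when the event name was a GitHub push and not workflow_run (re-building cache).
        # In this case the image wasn't pushed, therefore it's not necessary to execute this step too.
        # It would even fail because `steps.docker_build_ci*.outputs.digest` isn't set in case
        # neither push nor load are set in the docker/build-push-action action.
        if: ${{ github.event_name == 'push' && !startsWith(github.ref_name, 'ft/') }}
        run: |
          cosign attach sbom --sbom sbom_ci_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci.outputs.digest }}
          cosign attach sbom --sbom sbom_ci_race_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_detect_race_condition.outputs.digest }}
          cosign attach sbom --sbom sbom_ci_unstripped_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_unstripped.outputs.digest }}

      # The SBOM artifact's digest is not returned by `cosign attach`, so it is
      # recomputed as sha256 of the raw manifest fetched from the `.sbom` tag,
      # and the artifact is then signed by that digest.
      - name: Sign SBOM Images
        # Only sign when the event name was a GitHub push and not workflow_run (re-building cache).
        # In this case the image wasn't pushed, therefore it's not necessary to execute this step too.
        # It would even fail because `steps.docker_build_ci*.outputs.digest` isn't set in case
        # neither push nor load are set in the docker/build-push-action action.
        if: ${{ github.event_name == 'push' && !startsWith(github.ref_name, 'ft/') }}
        run: |
          docker_build_ci_digest="${{ steps.docker_build_ci.outputs.digest }}"
          image_name="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${docker_build_ci_digest/:/-}.sbom"
          docker_build_ci_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)"
          cosign sign -y "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${docker_build_ci_sbom_digest}"

          docker_build_ci_detect_race_condition_digest="${{ steps.docker_build_ci_detect_race_condition.outputs.digest }}"
          image_name="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${docker_build_ci_detect_race_condition_digest/:/-}.sbom"
          docker_build_ci_detect_race_condition_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)"
          cosign sign -y "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${docker_build_ci_detect_race_condition_sbom_digest}"

          docker_build_ci_unstripped_digest="${{ steps.docker_build_ci_unstripped.outputs.digest }}"
          image_name="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${docker_build_ci_unstripped_digest/:/-}.sbom"
          docker_build_ci_unstripped_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)"
          cosign sign -y "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${docker_build_ci_unstripped_sbom_digest}"

      # Written to image-digest/<name>.txt and uploaded below so the
      # image-digests job can print every `tag@digest` reference in one place.
      - name: CI Image Releases digests
        # Only sign when the event name was a GitHub push and not workflow_run (re-building cache).
        # In this case the image wasn't pushed, therefore it's not necessary to execute this step too.
        # It would even fail because `steps.docker_build_ci*.outputs.digest` isn't set in case
        # neither push nor load are set in the docker/build-push-action action.
        if: ${{ github.event_name == 'push' && !startsWith(github.ref_name, 'ft/') }}
        shell: bash
        run: |
          mkdir -p image-digest/
          echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.floating_tag }}@${{ steps.docker_build_ci.outputs.digest }}" > image-digest/${{ matrix.name }}.txt
          echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.floating_tag }}-race@${{ steps.docker_build_ci_detect_race_condition.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt
          echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.floating_tag }}-unstripped@${{ steps.docker_build_ci_unstripped.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt
          echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}@${{ steps.docker_build_ci.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt
          echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-race@${{ steps.docker_build_ci_detect_race_condition.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt
          echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-unstripped@${{ steps.docker_build_ci_unstripped.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt

      # PR or feature branch updates
      # These builds take the Dockerfile and context from the untrusted checkout
      # and always push, but only under the immutable commit-SHA tag (no
      # floating tag), into the development organisation.
      - name: CI Build ${{ matrix.name }}
        if: ${{ github.event_name == 'pull_request_target' || (github.event_name == 'push' && startsWith(github.ref_name, 'ft/')) }}
        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
        id: docker_build_ci_pr
        with:
          provenance: false
          context: .
          file: ${{ matrix.dockerfile }}
          push: true
          platforms: linux/amd64,linux/arm64
          tags: |
            quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}
          target: release
          build-args: |
            OPERATOR_VARIANT=${{ matrix.name }}

      - name: CI race detection Build ${{ matrix.name }}
        if: ${{ github.event_name == 'pull_request_target' || (github.event_name == 'push' && startsWith(github.ref_name, 'ft/')) }}
        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
        id: docker_build_ci_pr_detect_race_condition
        with:
          provenance: false
          context: .
          file: ${{ matrix.dockerfile }}
          push: true
          platforms: linux/amd64
          tags: |
            quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-race
          target: release
          build-args: |
            BASE_IMAGE=quay.io/cilium/cilium-runtime:272c2080c5c3fc32c2a6ca6b5727daeb12836164@sha256:408484a9f3aaafc41f875254d52af1354822c2d0a694799e90372e0765b27d99
            LOCKDEBUG=1
            RACE=1
            OPERATOR_VARIANT=${{ matrix.name }}

      - name: CI Unstripped Binaries Build ${{ matrix.name }}
        if: ${{ github.event_name == 'pull_request_target' || (github.event_name == 'push' && startsWith(github.ref_name, 'ft/')) }}
        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
        id: docker_build_ci_pr_unstripped
        with:
          provenance: false
          context: .
          file: ${{ matrix.dockerfile }}
          push: true
          platforms: linux/amd64
          tags: |
            quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-unstripped
          target: release
          build-args: |
            NOSTRIP=1
            OPERATOR_VARIANT=${{ matrix.name }}

      # NOTE(review): images built from an untrusted PR tree are signed here with
      # this workflow's OIDC identity, presumably the same identity the
      # main-branch images above get. The signature therefore only proves
      # "built and pushed by this workflow"; it says nothing about the content
      # having been reviewed. Consumers of *-ci images must pin by commit SHA
      # or digest and must not treat the signature as an approval.
      - name: Sign Container Images
        if: ${{ github.event_name == 'pull_request_target' || (github.event_name == 'push' && startsWith(github.ref_name, 'ft/')) }}
        run: |
          cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_pr.outputs.digest }}
          cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_pr_detect_race_condition.outputs.digest }}
          cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_pr_unstripped.outputs.digest }}

      - name: Generate SBOM
        if: ${{ github.event_name == 'pull_request_target' || (github.event_name == 'push' && startsWith(github.ref_name, 'ft/')) }}
        shell: bash
        # To-Do: generate SBOM from source after https://github.com/kubernetes-sigs/bom/issues/202 is fixed
        # To-Do: format SBOM output to json after cosign v2.0 is released with https://github.com/sigstore/cosign/pull/2479
        run: |
          bom generate -o sbom_ci_pr_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx \
          --image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}
          bom generate -o sbom_ci_pr_race_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx \
          --image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-race
          bom generate -o sbom_ci_pr_unstripped_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx \
          --image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-unstripped

      - name: Attach SBOM to Container Images
        if: ${{ github.event_name == 'pull_request_target' || (github.event_name == 'push' && startsWith(github.ref_name, 'ft/')) }}
        run: |
          cosign attach sbom --sbom sbom_ci_pr_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_pr.outputs.digest }}
          cosign attach sbom --sbom sbom_ci_pr_race_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_pr_detect_race_condition.outputs.digest }}
          cosign attach sbom --sbom sbom_ci_pr_unstripped_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_pr_unstripped.outputs.digest }}

      # Same digest recomputation as the main-branch "Sign SBOM Images" step.
      - name: Sign SBOM Images
        if: ${{ github.event_name == 'pull_request_target' || (github.event_name == 'push' && startsWith(github.ref_name, 'ft/')) }}
        run: |
          docker_build_ci_pr_digest="${{ steps.docker_build_ci_pr.outputs.digest }}"
          image_name="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${docker_build_ci_pr_digest/:/-}.sbom"
          docker_build_ci_pr_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)"
          cosign sign -y "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${docker_build_ci_pr_sbom_digest}"

          docker_build_ci_pr_detect_race_condition_digest="${{ steps.docker_build_ci_pr_detect_race_condition.outputs.digest }}"
          image_name="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${docker_build_ci_pr_detect_race_condition_digest/:/-}.sbom"
          docker_build_ci_pr_detect_race_condition_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)"
          cosign sign -y "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${docker_build_ci_pr_detect_race_condition_sbom_digest}"

          docker_build_ci_pr_unstripped_digest="${{ steps.docker_build_ci_pr_unstripped.outputs.digest }}"
          image_name="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${docker_build_ci_pr_unstripped_digest/:/-}.sbom"
          docker_build_ci_pr_unstripped_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)"
          cosign sign -y "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${docker_build_ci_pr_unstripped_sbom_digest}"

      - name: CI Image Releases digests
        if: ${{ github.event_name == 'pull_request_target' || (github.event_name == 'push' && startsWith(github.ref_name, 'ft/')) }}
        shell: bash
        run: |
          mkdir -p image-digest/
          echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}@${{ steps.docker_build_ci_pr.outputs.digest }}" > image-digest/${{ matrix.name }}.txt
          echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-race@${{ steps.docker_build_ci_pr_detect_race_condition.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt
          echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-unstripped@${{ steps.docker_build_ci_pr_unstripped.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt

      # Upload artifact digests
      # (one short-lived artifact per matrix entry, consumed by the
      # image-digests job)
      - name: Upload artifact digests
        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
        with:
          name: image-digest ${{ matrix.name }}
          path: image-digest
          retention-days: 1

      # Store docker's golang's cache build locally only on the main branch
      # (never on pull_request_target: the cache must only ever be produced
      # from trusted, default-branch content).
      - name: Store ${{ matrix.name }} Golang cache build locally
        if: ${{ github.event_name != 'pull_request_target' && steps.cache.outputs.cache-hit != 'true' && github.ref_name == github.event.repository.default_branch }}
        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
        with:
          provenance: false
          context: .
          file: ./images/cache/Dockerfile
          push: false
          outputs: type=local,dest=/tmp/docker-cache-${{ matrix.name }}
          platforms: linux/amd64
          target: export-cache

      # Store docker's golang's cache build locally only on the main branch
      # The files copied here are what actions/cache saves in its post-job step.
      - name: Store ${{ matrix.name }} Golang cache in GitHub cache path
        if: ${{ github.event_name != 'pull_request_target' && steps.cache.outputs.cache-hit != 'true' && github.ref_name == github.event.repository.default_branch }}
        shell: bash
        run: |
          mkdir -p /tmp/.cache/${{ matrix.name }}/
          if [ -f /tmp/docker-cache-${{ matrix.name }}/tmp/go-build-cache.tar.gz ]; then
            cp /tmp/docker-cache-${{ matrix.name }}/tmp/go-build-cache.tar.gz /tmp/.cache/${{ matrix.name }}/
          fi
          if [ -f /tmp/docker-cache-${{ matrix.name }}/tmp/go-pkg-cache.tar.gz ]; then
            cp /tmp/docker-cache-${{ matrix.name }}/tmp/go-pkg-cache.tar.gz /tmp/.cache/${{ matrix.name }}/
          fi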

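  image-digests:
    # Collect the per-image digest files uploaded by every matrix entry of the
    # build job and print them in one place. `always()` makes this run even when
    # a build failed, so whatever was pushed is still listed.
    if: ${{ always() }}
    name: Display Digests
    runs-on: ubuntu-22.04
    needs: build-and-push-prs
    steps:
      - name: Downloading Image Digests
        shell: bash
        run: |
          mkdir -p image-digest/

      # Without `name:` every artifact of the run is downloaded, each into its
      # own sub-directory of image-digest/.
      - name: Download digests of all images built
        uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
        with:
          path: image-digest/

      - name: Image Digests Output
        shell: bash
        run: |
          cd image-digest/
          # -r: do not invoke `cat` at all when no digest file was uploaded
          # (every build failed before its upload step); -d '\n' keeps file
          # names with spaces, such as the artifact directory names, intact.
          find . -type f | sort | xargs -r -d '\n' cat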