- "Image CI Cache Cleaner"
# One concurrency group per pull request (its number) or, for pushes, per
# pushed commit (github.event.after); together with the cancel-in-progress
# setting that follows, a newer run for the same PR/commit supersedes the
# older one instead of racing it for the same image tags.
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after }}
cancel-in-progress: true
name: Build and Push Images
dockerfile: ./images/cilium/Dockerfile
dockerfile: ./images/operator/Dockerfile
- name: operator-azure
dockerfile: ./images/operator/Dockerfile
- name: operator-alibabacloud
dockerfile: ./images/operator/Dockerfile
- name: operator-generic
dockerfile: ./images/operator/Dockerfile
dockerfile: ./images/hubble-relay/Dockerfile
- name: clustermesh-apiserver
dockerfile: ./images/clustermesh-apiserver/Dockerfile
dockerfile: ./images/cilium-docker-plugin/Dockerfile
# Trusted checkout: the repository's default branch, not the PR head. The
# composite action at ./.github/actions/set-env-variables is run from this
# working tree, before the "NOT TRUSTED" pull-request checkout that comes
# later in the job replaces it with contributor-controlled content.
- name: Checkout default branch (trusted)
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
ref: ${{ github.event.repository.default_branch }}
# Do not leave the job's GITHUB_TOKEN in .git/config, so later steps that
# only have the working tree (including the untrusted PR checkout below)
# do not also inherit the token through the git configuration.
persist-credentials: false
- name: Set Environment Variables
uses: ./.github/actions/set-env-variables
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226
# NOTE(review): the registry login happens before the untrusted PR head is
# checked out, so the QUAY CI credential is present on the runner while
# Dockerfiles taken from the PR checkout are built. Every push target on this
# page is under QUAY_ORGANIZATION_DEV; confirm that organization is the
# intended blast radius for a pull_request_target run.
- name: Login to quay.io for CI
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d
username: ${{ secrets.QUAY_USERNAME_CI }}
password: ${{ secrets.QUAY_PASSWORD_CI }}
- name: Getting image tag
if [ "${{ github.event.pull_request.head.sha }}" != "" ]; then
# In a pull_request_target run the image tag is the PR head commit SHA from
# the event payload (40 hex characters), so expanding it straight into the
# command text is safe; it is also what the untrusted checkout below uses as
# its ref, pinning the build to exactly this commit.
echo tag=${{ github.event.pull_request.head.sha }} >> $GITHUB_OUTPUT
echo tag=${{ github.sha }} >> $GITHUB_OUTPUT
if [ "${{ github.ref_name }}" == "${{ github.event.repository.default_branch }}" ]; then
echo floating_tag=latest >> $GITHUB_OUTPUT
# NOTE(review): github.ref_name is a branch name substituted into the shell
# text before it runs (here and in the comparison above), and branch names
# are not restricted to shell-safe characters. Passing it through a step
# env var and quoting it ("$REF_NAME") would keep it from being parsed as
# shell syntax.
echo floating_tag=${{ github.ref_name }} >> $GITHUB_OUTPUT
# From here on the working tree is the PR head (steps.tag.outputs.tag), i.e.
# contributor-controlled content in a pull_request_target run: the matrix
# Dockerfiles built by the steps below are read from this checkout.
- name: Checkout pull request branch (NOT TRUSTED)
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
persist-credentials: false
ref: ${{ steps.tag.outputs.tag }}
- name: Load ${{ matrix.name }} Golang cache build from GitHub
uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2
path: /tmp/.cache/${{ matrix.name }}
# Exact cache key: OS, go.sum hash, matrix image and commit. The two prefix
# keys that follow (presumably restore-keys) drop the commit and then the
# image name, so a near-miss cache from an earlier run is restored instead
# of starting cold.
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}-${{ matrix.name }}-${{ github.sha }}
${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}-${{ matrix.name }}-
${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}-
- name: Create ${{ matrix.name }} cache directory
if: ${{ steps.cache.outputs.cache-hit != 'true' }}
mkdir -p /tmp/.cache/${{ matrix.name }}
- name: Copy ${{ matrix.name }} Golang cache to docker cache
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56
context: /tmp/.cache/${{ matrix.name }}
file: ./images/cache/Dockerfile
platforms: linux/amd64
- name: Install Cosign
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
# NOTE(review): the bom release binary is fetched over HTTPS from the tag
# pinned by BOM_VERSION, but no checksum or signature is verified before it
# is installed into /usr/local/bin and used to generate the SBOMs that get
# attached and signed below. Verifying the published release checksum here
# would close that gap in the SBOM supply chain.
curl -L https://github.com/kubernetes-sigs/bom/releases/download/${{ env.BOM_VERSION }}/bom-amd64-linux -o bom
sudo mv ./bom /usr/local/bin/bom
sudo chmod +x /usr/local/bin/bom
- name: CI Build ${{ matrix.name }}
# Trusted pipeline: every event except pull_request_target, and never for
# ft/ feature branches. A mirrored set of steps further below, gated on
# pull_request_target || push to ft/*, handles contributor PRs and feature
# branches with their own step ids and without a floating tag.
if: ${{ github.event_name != 'pull_request_target' && !startsWith(github.ref_name, 'ft/') }}
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56
file: ${{ matrix.dockerfile }}
# The build itself runs whenever the step's `if` allows; the result is only
# pushed to the registry for push events.
push: ${{ github.event_name == 'push' }}
platforms: linux/amd64,linux/arm64
quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.floating_tag }}
quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}
OPERATOR_VARIANT=${{ matrix.name }}
- name: CI race detection Build ${{ matrix.name }}
if: ${{ github.event_name != 'pull_request_target' && !startsWith(github.ref_name, 'ft/') }}
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56
id: docker_build_ci_detect_race_condition
file: ${{ matrix.dockerfile }}
push: ${{ github.event_name == 'push' }}
platforms: linux/amd64
quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.floating_tag }}-race
quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-race
# Base image pinned by tag and sha256 digest: the digest is what gets pulled,
# so a retagged cilium-runtime cannot silently change the race build's input.
BASE_IMAGE=quay.io/cilium/cilium-runtime:272c2080c5c3fc32c2a6ca6b5727daeb12836164@sha256:408484a9f3aaafc41f875254d52af1354822c2d0a694799e90372e0765b27d99
OPERATOR_VARIANT=${{ matrix.name }}
- name: CI Unstripped Binaries Build ${{ matrix.name }}
if: ${{ github.event_name != 'pull_request_target' && !startsWith(github.ref_name, 'ft/') }}
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56
id: docker_build_ci_unstripped
file: ${{ matrix.dockerfile }}
push: ${{ github.event_name == 'push' }}
platforms: linux/amd64
quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.floating_tag }}-unstripped
quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-unstripped
OPERATOR_VARIANT=${{ matrix.name }}
- name: Sign Container Images
if: ${{ github.event_name == 'push' && !startsWith(github.ref_name, 'ft/') }}
# Sign by the immutable digest reported by the build step rather than by a
# movable tag; -y skips cosign's interactive confirmation prompt.
cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci.outputs.digest }}
cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_detect_race_condition.outputs.digest }}
cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_unstripped.outputs.digest }}
- name: Generate SBOM
if: ${{ github.event_name == 'push' && !startsWith(github.ref_name, 'ft/') }}
bom generate -o sbom_ci_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx \
--image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}
bom generate -o sbom_ci_race_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx \
--image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-race
bom generate -o sbom_ci_unstripped_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx \
--image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-unstripped
- name: Attach SBOM to Container Images
if: ${{ github.event_name == 'push' && !startsWith(github.ref_name, 'ft/') }}
cosign attach sbom --sbom sbom_ci_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci.outputs.digest }}
cosign attach sbom --sbom sbom_ci_race_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_detect_race_condition.outputs.digest }}
cosign attach sbom --sbom sbom_ci_unstripped_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_unstripped.outputs.digest }}
- name: Sign SBOM Images
if: ${{ github.event_name == 'push' && !startsWith(github.ref_name, 'ft/') }}
docker_build_ci_digest="${{ steps.docker_build_ci.outputs.digest }}"
# `cosign attach sbom` stores the SBOM under the tag "sha256-<hex>.sbom"
# (the image digest with ':' replaced by '-'); rebuild that tag so the SBOM
# artifact's own manifest can be resolved and signed below.
image_name="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${docker_build_ci_digest/:/-}.sbom"
# The SBOM artifact's digest is the sha256 of its raw manifest bytes;
# `head -c 64` keeps only the hex part of sha256sum's "<hex>  -" output.
docker_build_ci_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)"
cosign sign -y "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${docker_build_ci_sbom_digest}"
docker_build_ci_detect_race_condition_digest="${{ steps.docker_build_ci_detect_race_condition.outputs.digest }}"
image_name="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${docker_build_ci_detect_race_condition_digest/:/-}.sbom"
docker_build_ci_detect_race_condition_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)"
cosign sign -y "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${docker_build_ci_detect_race_condition_sbom_digest}"
docker_build_ci_unstripped_digest="${{ steps.docker_build_ci_unstripped.outputs.digest }}"
image_name="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${docker_build_ci_unstripped_digest/:/-}.sbom"
docker_build_ci_unstripped_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)"
cosign sign -y "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${docker_build_ci_unstripped_sbom_digest}"
- name: CI Image Releases digests
if: ${{ github.event_name == 'push' && !startsWith(github.ref_name, 'ft/') }}
mkdir -p image-digest/
echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.floating_tag }}@${{ steps.docker_build_ci.outputs.digest }}" > image-digest/${{ matrix.name }}.txt
echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.floating_tag }}-race@${{ steps.docker_build_ci_detect_race_condition.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt
echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.floating_tag }}-unstripped@${{ steps.docker_build_ci_unstripped.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt
echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}@${{ steps.docker_build_ci.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt
echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-race@${{ steps.docker_build_ci_detect_race_condition.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt
echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-unstripped@${{ steps.docker_build_ci_unstripped.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt
- name: CI Build ${{ matrix.name }}
# Untrusted pipeline: contributor PRs (pull_request_target) and pushes to
# ft/* feature branches. These steps use step ids suffixed `_pr` and tag
# images only by commit SHA (no floating tag), so the sign / SBOM / digest
# steps that follow must reference the `_pr` ids, not the trusted ones.
if: ${{ github.event_name == 'pull_request_target' || (github.event_name == 'push' && startsWith(github.ref_name, 'ft/')) }}
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56
id: docker_build_ci_pr
file: ${{ matrix.dockerfile }}
platforms: linux/amd64,linux/arm64
quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}
OPERATOR_VARIANT=${{ matrix.name }}
- name: CI race detection Build ${{ matrix.name }}
if: ${{ github.event_name == 'pull_request_target' || (github.event_name == 'push' && startsWith(github.ref_name, 'ft/')) }}
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56
id: docker_build_ci_pr_detect_race_condition
file: ${{ matrix.dockerfile }}
platforms: linux/amd64
quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-race
BASE_IMAGE=quay.io/cilium/cilium-runtime:272c2080c5c3fc32c2a6ca6b5727daeb12836164@sha256:408484a9f3aaafc41f875254d52af1354822c2d0a694799e90372e0765b27d99
OPERATOR_VARIANT=${{ matrix.name }}
- name: CI Unstripped Binaries Build ${{ matrix.name }}
if: ${{ github.event_name == 'pull_request_target' || (github.event_name == 'push' && startsWith(github.ref_name, 'ft/')) }}
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56
id: docker_build_ci_pr_unstripped
file: ${{ matrix.dockerfile }}
platforms: linux/amd64
quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-unstripped
OPERATOR_VARIANT=${{ matrix.name }}
- name: Sign Container Images
if: ${{ github.event_name == 'pull_request_target' || (github.event_name == 'push' && startsWith(github.ref_name, 'ft/')) }}
cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_pr.outputs.digest }}
cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_pr_detect_race_condition.outputs.digest }}
cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_pr_unstripped.outputs.digest }}
- name: Generate SBOM
if: ${{ github.event_name == 'pull_request_target' || (github.event_name == 'push' && startsWith(github.ref_name, 'ft/')) }}
bom generate -o sbom_ci_pr_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx \
--image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}
bom generate -o sbom_ci_pr_race_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx \
--image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-race
bom generate -o sbom_ci_pr_unstripped_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx \
--image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-unstripped
- name: Attach SBOM to Container Images
if: ${{ github.event_name == 'pull_request_target' || (github.event_name == 'push' && startsWith(github.ref_name, 'ft/')) }}
cosign attach sbom --sbom sbom_ci_pr_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_pr.outputs.digest }}
cosign attach sbom --sbom sbom_ci_pr_race_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_pr_detect_race_condition.outputs.digest }}
cosign attach sbom --sbom sbom_ci_pr_unstripped_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_pr_unstripped.outputs.digest }}
- name: Sign SBOM Images
if: ${{ github.event_name == 'pull_request_target' || (github.event_name == 'push' && startsWith(github.ref_name, 'ft/')) }}
docker_build_ci_pr_digest="${{ steps.docker_build_ci_pr.outputs.digest }}"
image_name="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${docker_build_ci_pr_digest/:/-}.sbom"
docker_build_ci_pr_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)"
cosign sign -y "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${docker_build_ci_pr_sbom_digest}"
docker_build_ci_pr_detect_race_condition_digest="${{ steps.docker_build_ci_pr_detect_race_condition.outputs.digest }}"
image_name="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${docker_build_ci_pr_detect_race_condition_digest/:/-}.sbom"
docker_build_ci_pr_detect_race_condition_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)"
cosign sign -y "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${docker_build_ci_pr_detect_race_condition_sbom_digest}"
docker_build_ci_pr_unstripped_digest="${{ steps.docker_build_ci_pr_unstripped.outputs.digest }}"
image_name="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${docker_build_ci_pr_unstripped_digest/:/-}.sbom"
docker_build_ci_pr_unstripped_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)"
cosign sign -y "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${docker_build_ci_pr_unstripped_sbom_digest}"
- name: CI Image Releases digests
if: ${{ github.event_name == 'pull_request_target' || (github.event_name == 'push' && startsWith(github.ref_name, 'ft/')) }}
mkdir -p image-digest/
echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}@${{ steps.docker_build_ci_pr.outputs.digest }}" > image-digest/${{ matrix.name }}.txt
echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-race@${{ steps.docker_build_ci_pr_detect_race_condition.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt
echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-unstripped@${{ steps.docker_build_ci_pr_unstripped.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt
- name: Upload artifact digests
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3
# One artifact per matrix image; the Display Digests job declared after
# this one downloads them all and prints the digest files together.
name: image-digest ${{ matrix.name }}
- name: Store ${{ matrix.name }} Golang cache build locally
# The Go build cache is written back only from trusted runs on the default
# branch that missed the cache, never from a pull_request_target (or ft/)
# run, so a PR cannot poison the cache that later runs restore.
if: ${{ github.event_name != 'pull_request_target' && steps.cache.outputs.cache-hit != 'true' && github.ref_name == github.event.repository.default_branch }}
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56
file: ./images/cache/Dockerfile
outputs: type=local,dest=/tmp/docker-cache-${{ matrix.name }}
platforms: linux/amd64
- name: Store ${{ matrix.name }} Golang cache in GitHub cache path
if: ${{ github.event_name != 'pull_request_target' && steps.cache.outputs.cache-hit != 'true' && github.ref_name == github.event.repository.default_branch }}
mkdir -p /tmp/.cache/${{ matrix.name }}/
if [ -f /tmp/docker-cache-${{ matrix.name }}/tmp/go-build-cache.tar.gz ]; then
cp /tmp/docker-cache-${{ matrix.name }}/tmp/go-build-cache.tar.gz /tmp/.cache/${{ matrix.name }}/
if [ -f /tmp/docker-cache-${{ matrix.name }}/tmp/go-pkg-cache.tar.gz ]; then
cp /tmp/docker-cache-${{ matrix.name }}/tmp/go-pkg-cache.tar.gz /tmp/.cache/${{ matrix.name }}/
name: Display Digests
runs-on: ubuntu-22.04
needs: build-and-push-prs
- name: Downloading Image Digests
mkdir -p image-digest/
- name: Download digests of all images built
uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe
- name: Image Digests Output
# Print every downloaded digest file in a stable order; `xargs -d '\n'`
# splits on newlines only, so filenames containing spaces stay intact
# (GNU find with no starting point searches the current directory).
find -type f | sort | xargs -d '\n' cat