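name: Hot Fix Image Release Build

on:
  push:
    branches:
      - hf/main/**

# Serialise runs per branch. The "tag already exists" guard in build-and-push
# is a check-then-push, so two pushes to the same hf/main/* branch that run
# concurrently could both pass it and the later one would silently overwrite
# the earlier -dev:<tag> image. Queuing (not cancelling) the newer run lets the
# guard reject it instead. Note that GitHub keeps only one pending run per
# group, so a burst of pushes still cancels the intermediate pending ones.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: false

permissions:
  # To be able to access the repository with `actions/checkout`
  contents: read
  # Required to generate OIDC tokens for `sigstore/cosign-installer` authentication
  # (keyless signing via `cosign sign -y` in build-and-push)
  id-token: write

jobs: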
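  build-and-push:
    timeout-minutes: 45
    name: Build and Push Images
    # Deployment environment; any protection rules configured on it gate this
    # job before the QUAY_DEVELOPER_* secrets below are exposed to it.
    environment: release-developer-images
    runs-on: ubuntu-22.04
    strategy:
      matrix:
        # The operator-* variants share one Dockerfile and are selected through
        # the OPERATOR_VARIANT build-arg passed in the build step below.
        include:
          - name: cilium
            dockerfile: ./images/cilium/Dockerfile

          - name: operator
            dockerfile: ./images/operator/Dockerfile

          - name: operator-aws
            dockerfile: ./images/operator/Dockerfile

          - name: operator-azure
            dockerfile: ./images/operator/Dockerfile

          - name: operator-alibabacloud
            dockerfile: ./images/operator/Dockerfile

          - name: operator-generic
            dockerfile: ./images/operator/Dockerfile

          - name: hubble-relay
            dockerfile: ./images/hubble-relay/Dockerfile

          - name: clustermesh-apiserver
            dockerfile: ./images/clustermesh-apiserver/Dockerfile

          - name: docker-plugin
            dockerfile: ./images/cilium-docker-plugin/Dockerfile

    steps:
      # The local composite action is taken from the default branch
      # (presumably so the hotfix branch cannot ship a modified copy of it);
      # the pushed commit itself is checked out later, after the tag checks.
      - name: Checkout main branch to access local actions
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          ref: ${{ github.event.repository.default_branch }}
          persist-credentials: false

      # Sets QUAY_ORGANIZATION_DEV (read via the env context below).
      - name: Set Environment Variables
        uses: ./.github/actions/set-env-variables

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0

      - name: Login to quay.io
        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_DEVELOPER_USERNAME }}
          password: ${{ secrets.QUAY_DEVELOPER_PASSWORD }}

      # The image tag is the last path element of the pushed branch
      # (refs/heads/hf/main/<tag> -> <tag>). Git ref names may contain shell
      # metacharacters such as ';', '$', '(' and '`', and this value is
      # substituted into later shell steps, so it is validated against the OCI
      # tag grammar before it is stored as a step output.
      - name: Getting image tag
        id: tag
        shell: bash
        run: |
          tag="${GITHUB_REF##*/}"
          if ! [[ "${tag}" =~ ^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$ ]]; then
            echo "::error::branch suffix '${tag}' is not a valid image tag"
            exit 1
          fi
          echo "tag=${tag}" >> "${GITHUB_OUTPUT}"

      # Refuse to overwrite an already published -dev:<tag> image.
      # NOTE(review): any inspect failure (including a registry outage or an
      # auth problem) is indistinguishable from "tag absent" here and lets the
      # build proceed; only a successful inspect blocks it.
      - name: Checking if tag already exists
        id: tag-in-repositories
        shell: bash
        env:
          IMAGE_DEV: quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-dev
          TAG: ${{ steps.tag.outputs.tag }}
        run: |
          if docker buildx imagetools inspect "${IMAGE_DEV}:${TAG}" &>/dev/null; then
            echo "Tag already exists!"
            exit 1
          fi

      # Default ref for a push event is the pushed commit (github.sha).
      - name: Checkout Source Code
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          persist-credentials: false

      - name: Release Build ${{ matrix.name }}
        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
        id: docker_build_release
        with:
          # BuildKit's automatic provenance attestation is disabled; signing and
          # SBOM attachment are done explicitly in the steps below.
          provenance: false
          context: .
          file: ${{ matrix.dockerfile }}
          push: true
          platforms: linux/amd64,linux/arm64
          # Same manifest is published twice: a human-readable -dev:<tag> and
          # an immutable -ci:<commit sha>.
          tags: |
            quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-dev:${{ steps.tag.outputs.tag }}
            quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ github.sha }}
          target: release
          build-args: |
            OPERATOR_VARIANT=${{ matrix.name }}

      - name: Install Cosign
        uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0

      # Keyless (OIDC) signature over the pushed digest, recorded once per
      # repository the digest was pushed to. Values are passed through env so
      # nothing is interpolated into the shell script itself.
      - name: Sign Container Image
        shell: bash
        env:
          IMAGE_DEV: quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-dev
          IMAGE_CI: quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci
          DIGEST: ${{ steps.docker_build_release.outputs.digest }}
        run: |
          cosign sign -y "${IMAGE_DEV}@${DIGEST}"
          cosign sign -y "${IMAGE_CI}@${DIGEST}"

      - name: Install Bom
        shell: bash
        env:
          # renovate: datasource=github-releases depName=kubernetes-sigs/bom
          BOM_VERSION: v0.6.0
        run: |
          # -f makes an HTTP error fail the step instead of installing the error
          # page as an executable.
          curl -fsSL --retry 3 \
            "https://github.com/kubernetes-sigs/bom/releases/download/${BOM_VERSION}/bom-amd64-linux" \
            -o bom
          # TODO(security): verify the asset against a pinned sha256 (or verify
          # the release signature) before installing; a pinned version alone
          # does not detect a tampered or replaced release asset.
          sudo install -m 0755 ./bom /usr/local/bin/bom

      - name: Generate SBOM
        shell: bash
        # To-Do: generate SBOM from source after https://github.com/kubernetes-sigs/bom/issues/202 is fixed
        # To-Do: format SBOM output to json after cosign v2.0 is released with https://github.com/sigstore/cosign/pull/2479
        # NOTE(review): the SBOM is generated from the -dev:<tag> reference
        # rather than from the pushed digest; if bom accepts digest references,
        # `--image=${IMAGE_DEV}@${DIGEST}` would bind it to the exact manifest
        # built above.
        env:
          IMAGE_NAME: ${{ matrix.name }}
          IMAGE_DEV: quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-dev
          TAG: ${{ steps.tag.outputs.tag }}
        run: |
          bom generate -o "sbom_${IMAGE_NAME}_${TAG}.spdx" \
            --image="${IMAGE_DEV}:${TAG}"

      - name: Attach SBOM to Container Images
        shell: bash
        env:
          IMAGE_NAME: ${{ matrix.name }}
          IMAGE_DEV: quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-dev
          IMAGE_CI: quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci
          TAG: ${{ steps.tag.outputs.tag }}
          DIGEST: ${{ steps.docker_build_release.outputs.digest }}
        run: |
          sbom_file="sbom_${IMAGE_NAME}_${TAG}.spdx"
          cosign attach sbom --sbom "${sbom_file}" "${IMAGE_DEV}@${DIGEST}"
          cosign attach sbom --sbom "${sbom_file}" "${IMAGE_CI}@${DIGEST}"

      # `cosign attach sbom` stores the SBOM under the tag "<sha256-digest>.sbom"
      # in the same repository. Its manifest digest is recovered by hashing the
      # raw manifest so the signature binds to the SBOM content, not to a
      # movable tag. `shell: bash` enables pipefail, so a failed inspect aborts
      # the step instead of signing the hash of an empty string.
      - name: Sign SBOM Image
        shell: bash
        env:
          IMAGE_DEV: quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-dev
          IMAGE_CI: quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci
          DIGEST: ${{ steps.docker_build_release.outputs.digest }}
        run: |
          sign_sbom() {
            local repo="$1"
            local sbom_ref="${repo}:${DIGEST/:/-}.sbom"
            local sbom_digest
            sbom_digest="sha256:$(docker buildx imagetools inspect --raw "${sbom_ref}" | sha256sum | head -c 64)"
            cosign sign -y "${repo}@${sbom_digest}"
          }
          sign_sbom "${IMAGE_DEV}"
          sign_sbom "${IMAGE_CI}"

      # Per-image markdown snippet listing both published references pinned to
      # the digest; collected by the image-digests job.
      - name: Image Release Digest
        shell: bash
        env:
          IMAGE_NAME: ${{ matrix.name }}
          IMAGE_DEV: quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-dev
          IMAGE_CI: quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci
          TAG: ${{ steps.tag.outputs.tag }}
          DIGEST: ${{ steps.docker_build_release.outputs.digest }}
        run: |
          mkdir -p image-digest/
          out="image-digest/${IMAGE_NAME}.txt"
          echo "## ${IMAGE_NAME}" > "${out}"
          echo "" >> "${out}"
          echo "\`${IMAGE_DEV}:${TAG}@${DIGEST}\`" >> "${out}"
          echo "\`${IMAGE_CI}:${GITHUB_SHA}@${DIGEST}\`" >> "${out}"
          echo "" >> "${out}"

      # Upload artifact digests
      - name: Upload artifact digests
        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
        with:
          name: image-digest ${{ matrix.name }}
          path: image-digest
          retention-days: 1
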
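  image-digests:
    name: Display Digests
    runs-on: ubuntu-22.04
    needs: build-and-push
    # This job only reads artifacts of the current run: it checks out nothing
    # and signs nothing, so it does not need the workflow-level id-token: write
    # (or any other GITHUB_TOKEN scope).
    # NOTE(review): assumes same-run artifact downloads use the runner's
    # runtime token rather than GITHUB_TOKEN — confirm against
    # actions/download-artifact v4 before relying on this.
    permissions: {}
    steps:
      - name: Downloading Image Digests
        shell: bash
        run: |
          mkdir -p image-digest/

      # No `name` input: every "image-digest <matrix.name>" artifact produced
      # by build-and-push is downloaded (presumably each into its own
      # sub-directory under image-digest/).
      - name: Download digests of all images built
        uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
        with:
          path: image-digest/

      # Print the per-image snippets in a stable (sorted) order so the job log
      # can serve as the list of published references.
      - name: Image Digests Output
        shell: bash
        run: |
          cd image-digest/
          find . -type f | sort | xargs -d '\n' cat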
