name: Hot Fix Image Release Build
name: Build and Push Images
environment: release-developer-images
dockerfile: ./images/cilium/Dockerfile
dockerfile: ./images/operator/Dockerfile
dockerfile: ./images/operator/Dockerfile
- name: operator-azure
dockerfile: ./images/operator/Dockerfile
- name: operator-alibabacloud
dockerfile: ./images/operator/Dockerfile
- name: operator-generic
dockerfile: ./images/operator/Dockerfile
dockerfile: ./images/hubble-relay/Dockerfile
- name: clustermesh-apiserver
dockerfile: ./images/clustermesh-apiserver/Dockerfile
dockerfile: ./images/cilium-docker-plugin/Dockerfile
- name: Checkout main branch to access local actions
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
ref: ${{ github.event.repository.default_branch }}
persist-credentials: false
- name: Set Environment Variables
uses: ./.github/actions/set-env-variables
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226
- name: Login to quay.io
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d
username: ${{ secrets.QUAY_DEVELOPER_USERNAME }}
password: ${{ secrets.QUAY_DEVELOPER_PASSWORD }}
- name: Getting image tag
echo tag=${GITHUB_REF##*/} >> $GITHUB_OUTPUT
- name: Checking if tag already exists
id: tag-in-repositories
if docker buildx imagetools inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-dev:${{ steps.tag.outputs.tag }} &>/dev/null; then
echo "Tag already exists!"
- name: Checkout Source Code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
persist-credentials: false
- name: Release Build ${{ matrix.name }}
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56
id: docker_build_release
file: ${{ matrix.dockerfile }}
platforms: linux/amd64,linux/arm64
quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-dev:${{ steps.tag.outputs.tag }}
quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ github.sha }}
OPERATOR_VARIANT=${{ matrix.name }}
- name: Install Cosign
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
- name: Sign Container Image
cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-dev@${{ steps.docker_build_release.outputs.digest }}
cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_release.outputs.digest }}
# NOTE(review): the bom binary is fetched with curl -L (follows redirects) from the GitHub release
# selected by env.BOM_VERSION, and no checksum or signature verification of the downloaded file is
# visible in this excerpt before it is installed system-wide and used to produce the SBOM that is
# later attached to and signed for the images. Confirm a pinned digest check exists on the lines
# not shown here, or add one (e.g. compare against a known sha256 with `sha256sum -c`) before the install.
curl -L https://github.com/kubernetes-sigs/bom/releases/download/${{ env.BOM_VERSION }}/bom-amd64-linux -o bom
sudo mv ./bom /usr/local/bin/bom
sudo chmod +x /usr/local/bin/bom
- name: Generate SBOM
bom generate -o sbom_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx \
--image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-dev:${{ steps.tag.outputs.tag }}
- name: Attach SBOM to Container Images
cosign attach sbom --sbom sbom_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-dev@${{ steps.docker_build_release.outputs.digest }}
cosign attach sbom --sbom sbom_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_release.outputs.digest }}
- name: Sign SBOM Image
docker_build_release_digest="${{ steps.docker_build_release.outputs.digest }}"
image_name="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-dev:${docker_build_release_digest/:/-}.sbom"
docker_build_release_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)"
cosign sign -y "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-dev@${docker_build_release_sbom_digest}"
docker_build_release_digest="${{ steps.docker_build_release.outputs.digest }}"
image_name="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${docker_build_release_digest/:/-}.sbom"
docker_build_release_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)"
cosign sign -y "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${docker_build_release_sbom_digest}"
- name: Image Release Digest
mkdir -p image-digest/
echo "## ${{ matrix.name }}" > image-digest/${{ matrix.name }}.txt
echo "" >> image-digest/${{ matrix.name }}.txt
echo "\`quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-dev:${{ steps.tag.outputs.tag }}@${{ steps.docker_build_release.outputs.digest }}\`" >> image-digest/${{ matrix.name }}.txt
echo "\`quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ github.sha }}@${{ steps.docker_build_release.outputs.digest }}\`" >> image-digest/${{ matrix.name }}.txt
echo "" >> image-digest/${{ matrix.name }}.txt
- name: Upload artifact digests
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3
name: image-digest ${{ matrix.name }}
name: Display Digests
runs-on: ubuntu-22.04
needs: build-and-push
- name: Downloading Image Digests
mkdir -p image-digest/
- name: Download digests of all images built
uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe
- name: Image Digests Output
find -type f | sort | xargs -d '\n' cat