diff --git a/.github/actions/build_apko/action.yml b/.github/actions/build_apko/action.yml
new file mode 100644
index 000000000..3077ccb79
--- /dev/null
+++ b/.github/actions/build_apko/action.yml
@@ -0,0 +1,56 @@
+name: Build apko image
+description: Build an apko image based on a supplied .yaml file
+
+inputs:
+  apkoConfig:
+    description: "Path to the apko .yaml config file. If left empty, all images will be built."
+    required: false
+  registry:
+    description: "Container registry to use"
+    default: "ghcr.io"
+    required: true
+  githubToken:
+    description: "GitHub authorization token"
+    required: true
+
+# Linux runner only (Docker required)
+runs:
+  using: "composite"
+  steps:
+    - name: Log in to the Container registry
+      id: docker-login
+      uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # tag=v2.1.0
+      with:
+        registry: ${{ inputs.registry }}
+        username: ${{ github.actor }}
+        password: ${{ inputs.githubToken }}
+
+    - name: Build apko images
+      shell: bash
+      run: |
+        # TODO: replace with apko publish
+        if [ -z "${{ inputs.apkoConfig }}" ]; then
+          echo "Building all images in image"
+          for imageConfig in image/apko/*.yaml; do
+            echo "Building image for $imageConfig"
+
+            imageName=$(basename $imageConfig | cut -d. -f1 )
+            registry=${{ inputs.registry }}/edgelesssys/apko-${imageName}
+            outTar=$imageName.tar
+
+            docker run -v "$PWD":/work cgr.dev/chainguard/apko build $imageConfig $registry $outTar
+            docker load < $outTar
+            docker push $registry
+
+          done
+        else
+          echo "Building image for ${{ inputs.apkoConfig }}"
+
+          imageName=$(basename ${{ inputs.apkoConfig }} | cut -d. -f1 )
+          registry=${{ inputs.registry }}/edgelesssys/apko-${imageName}
+          outTar=$imageName.tar
+
+          docker run -v "$PWD":/work cgr.dev/chainguard/apko build ${{ inputs.apkoConfig }} $registry $outTar
+          docker load < $outTar
+          docker push $registry
+        fi
diff --git a/.github/actions/build_ko/action.yml b/.github/actions/build_ko/action.yml
new file mode 100644
index 000000000..983c603b6
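Review bot: Both `docker run` lines in the `run:` script pull `cgr.dev/chainguard/apko` by floating tag, so the tool that produces and pushes every image in this pipeline is the one component not pinned, while `docker/login-action` in the same file is pinned to a commit SHA. Pin the builder to a version plus `@sha256:` digest and bump it deliberately, as is done for the login action. The `${{ inputs.apkoConfig }}` expression is also interpolated directly into the shell text in three places; since the value is unquoted and becomes part of the script, pass it through `env:` (`APKO_CONFIG: ${{ inputs.apkoConfig }}`) and reference it as `"$APKO_CONFIG"`, quoting `$imageConfig` in the `basename` call the same way. A TODO already notes the move to `apko publish`; until then `docker push $registry` publishes an untagged `latest` for each image, which is worth stating in the step name or a comment.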
--- /dev/null
+++ b/.github/actions/build_ko/action.yml
@@ -0,0 +1,111 @@
+name: Build micro service using Ko
+description: Build and upload a go micro service using ko
+inputs:
+  name:
+    description: "Name of the micro-service"
+    required: true
+  registry:
+    description: "Name of the registry to use"
+    required: false
+    default: "ghcr.io"
+  pseudoVersion:
+    description: "Check if pseudo-version should be generated"
+    default: "false"
+    required: true
+  koConfig:
+    description: "Path to the .ko.yaml config file"
+    required: false
+    default: ".ko.yaml"
+  koTarget:
+    description: "Go package to build with ko"
+    required: true
+  pushTag:
+    description: "Use this image tag"
+    required: false
+  githubToken:
+    description: "GitHub authorization token"
+    required: true
+  generateKoSBOM:
+    description: "Generate unsigned ko SBOM"
+    required: false
+    default: "false"
+
+outputs:
+  container_full:
+    description: "Full container reference"
+    value: ${{ steps.build.container_full }}
+  container_image:
+    description: "Container image"
+    value: ${{ steps.build.outputs.container_image }}
+  container_tag:
+    description: "Container tag"
+    value: ${{ steps.build.container_tag }}
+
+
+# Linux runner only
+runs:
+  using: "composite"
+  steps:
+    - name: Determine pseudo version
+      if: ${{ inputs.pseudoVersion == 'true' }}
+      id: pseudo-version
+      uses: ./.github/actions/pseudo_version
+
+    - name: Set up ko
+      uses: imjasonh/setup-ko@v0.6
+
+    - name: Build and upload ko container image
+      shell: bash
+      id: build
+      env:
+        KO_USER: ${{ github.actor }}
+        KO_CONFIG_PATH: ${{ inputs.koConfig }}
+        KO_PASSWORD: ${{ inputs.githubToken }}
+        KO_DOCKER_REPO: ${{ inputs.registry }}/edgelesssys/${{ inputs.name }}-ko
+      run: |
+        tags=""
+        sbom=""
+
+        if [ "${{ github.ref }}" == "${{ github.event.repository.default_branch }}" ]; then
+          tags="latest"
+        else:
+          tags="${{ github.sha }}"
+        fi
+
+        if [ -n "${{ inputs.pushTag }}" ]; then
+          if [ -n "${tags}" ]; then
+            tags="${tags},${{ inputs.pushTag }}"
+          else
+            tags="${{ inputs.pushTag }}"
+          fi
+        fi
+
+        if [ -n "${{ steps.pseudo-version.outputs.pseudoVersion }}" ]; then
+          if [ -n "${tags}" ]; then
+            tags="${tags},${{ steps.pseudo-version.outputs.pseudoVersion }}"
+          else
+            tags="${{ steps.pseudo-version.outputs.pseudoVersion }}"
+          fi
+        fi
+
+        if [ "${{ inputs.generateKoSBOM }}" == "false" ]; then
+          sbom="--sbom=none"
+        fi
+
+        container_full=$(ko build ${{ inputs.koTarget }} --bare --tags ${tags} ${sbom})
+        container_image=$(echo $container_full | cut -d@ -f1)
+        container_tag=$(echo $container_full | cut -d: -f2)
+
+        cat < container_data_ko.json
+        {
+          "container_full": "${container_full}",
+          "container_image": "${container_image}",
+          "container_tag": "${container_tag}"
+        }
+        EOF
+
+    - name: Upload Container Data # since github censors hashes that may share data with secrets, we need to upload the data as an artifact
+      uses: actions/upload-artifact@v2
+      with:
+        name: container_data_ko
+        path: container_data_ko.json
diff --git a/.github/actions/build_micro_service_ko/action.yml b/.github/actions/build_micro_service_ko/action.yml
new file mode 100644
index 000000000..e39149099
--- /dev/null
+++ b/.github/actions/build_micro_service_ko/action.yml
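Review bot: The `else:` in the first `if` of the `run:` script is not the bash keyword but a command word, so under the composite-action default of `bash -e` the step dies with "else:: command not found" before `ko build` is ever reached; it must read `else`. The comparison on the line above is also never true, because `github.ref` is the fully-qualified ref (`refs/heads/<branch>`) while `default_branch` is a bare name, so the `latest` tag is never applied; comparing against `github.ref_name` instead would do what the branch intends. Separately, `imjasonh/setup-ko@v0.6` and `actions/upload-artifact@v2` are pinned only by tag while the sibling `build_apko` action pins `docker/login-action` to a commit SHA; `setup-ko` installs the binary that receives `KO_PASSWORD`, so it deserves the same SHA pin. Finally `value: ${{ steps.build.container_full }}` and `container_tag` omit `.outputs` (unlike `container_image`) and the step never writes any step output, so all three action outputs resolve to empty; either set them via `$GITHUB_OUTPUT` or drop the `outputs:` block and document that consumers must read the `container_data_ko` artifact.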
@@ -0,0 +1,78 @@
+name: Build micro service (KO)
+description: Build and upload a container image for a Constellation micro-service
+inputs:
+  name:
+    description: "Name of the micro-service"
+    required: true
+  koConfig:
+    description: "Path to the .ko.yaml config file"
+    default: ".ko.yaml"
+    required: false
+  pseudoVersion:
+    description: "Check if pseudo-version should be generated"
+    default: "false"
+    required: true
+  koTarget:
+    description: "Go package to build with ko"
+    required: true
+  pushTag:
+    description: "Use this image tag"
+    required: false
+  githubToken:
+    description: "GitHub authorization token"
+    required: true
+  generateKoSBOM:
+    description: "Generate unsigned ko SBOM"
+    required: false
+    default: "false"
+  cosignPublicKey:
+    description: "Cosign public key"
+    required: false
+  cosignPrivateKey:
+    description: "Cosign private key"
+    required: false
+  cosignPassword:
+    description: "Password for Cosign private key"
+    required: false
+
+# Linux runner only
+runs:
+  using: "composite"
+  steps:
+    - name: Determine pseudo version
+      #if: ${{ inputs.pseudoVersion == 'true' }}
+      if: ${{ failure() }}
+      uses: ./.github/actions/pseudo_version
+      with:
+        constellationPath: ${{ inputs.constellationPath }}
+
+    - name: Build and upload container image
+      id: build-and-upload
+      uses: ./.github/actions/build_ko
+      with:
+        name: ${{ inputs.name }}
+        koConfig: ${{ inputs.koConfig }}
+        pseudoVersion: ${{ inputs.pseudoVersion }}
+        koTarget: ${{ inputs.koTarget }}
+        githubToken: ${{ inputs.GITHUB_TOKEN }}
+        pushTag: ci-test
+
+    - name: Download ko Container Data
+      id: download_container_data
+      uses: actions/download-artifact@v2
+      with:
+        name: container_data_ko
+        path: CONTAINER_DATA_KO
+    - shell: bash
+      run: |
+        container_full=$(jq -r .container_full < container_data_ko.json)
+        echo CONTAINER_FULL=$container_full >> $GITHUB_ENV
+
+    - name: Generate SBOM
+      uses: ./.github/actions/container_sbom
+      with:
+        containerReference: ${{ env.CONTAINER_FULL }}
+ cosignPublicKey: ${{ inputs.cosignPublicKey }}
+        cosignPrivateKey: ${{ inputs.cosignPrivateKey }}
+        cosignPassword: ${{ inputs.cosignPassword }}
+      if: ${{ inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != '' && inputs.generateKoSBOM == 'false' }}
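Review bot: `githubToken: ${{ inputs.GITHUB_TOKEN }}` in the "Build and upload container image" step references an input this action does not declare — the declared one is `githubToken` — so the nested `build_ko` action receives an empty `KO_PASSWORD` and the registry push either fails or runs without the intended credential; it should be `githubToken: ${{ inputs.githubToken }}`. The "Determine pseudo version" step looks like a debugging leftover: the real condition is commented out and replaced by `if: ${{ failure() }}`, which never fires on a healthy job, and it passes `constellationPath`, which is also not a declared input. The follow-up shell step reads `container_data_ko.json` from the working directory although the artifact was downloaded into `CONTAINER_DATA_KO`, so `jq` will fail on a missing file unless that directory is prefixed. `pushTag: ci-test` is hard-coded and silently ignores the `pushTag` input this action advertises; either forward `${{ inputs.pushTag }}` or remove the input.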