ci: tag apko base images
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
parent
8268b6e23f
commit
32a540bff4
23
.github/actions/build_apko/action.yml
@ -5,14 +5,13 @@ inputs:
|
||||
apkoConfig:
|
||||
description: "Path to the apko .yaml config file. If left empty, all images will be built."
|
||||
required: false
|
||||
apkoTag:
|
||||
description: "Use this image tag"
|
||||
required: false
|
||||
default: latest
|
||||
apkoArch:
|
||||
description: "Use this image architecture"
|
||||
required: false
|
||||
default: amd64
|
||||
containerTags:
|
||||
description: "Tags for the resulting container image, space separated"
|
||||
required: true
|
||||
registry:
|
||||
description: "Container registry to use"
|
||||
default: "ghcr.io"
|
||||
@ -35,7 +34,7 @@ inputs:
|
||||
|
||||
# Linux runner only (docker required)
|
||||
runs:
|
||||
using: "composite"
|
||||
using: composite
|
||||
steps:
|
||||
- name: Install deps
|
||||
shell: bash
|
||||
@ -54,7 +53,10 @@ runs:
|
||||
password: ${{ inputs.githubToken }}
|
||||
|
||||
- name: Install Cosign
|
||||
if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
|
||||
if: |
|
||||
inputs.cosignPublicKey != '' &&
|
||||
inputs.cosignPrivateKey != '' &&
|
||||
inputs.cosignPassword != ''
|
||||
uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
|
||||
|
||||
- name: Build apko images and sign them
|
||||
@ -65,13 +67,16 @@ runs:
|
||||
COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
|
||||
COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
|
||||
APKO_CONFIG: ${{ inputs.apkoConfig }}
|
||||
APKO_TAG: ${{ inputs.apkoTag }}
|
||||
APKO_ARCH: ${{ inputs.apkoArch }}
|
||||
CONTAINER_TAGS: ${{ inputs.containerTags }}
|
||||
REGISTRY: ${{ inputs.registry }}
|
||||
run: .github/actions/build_apko/build_and_sign.sh
|
||||
|
||||
- name: Sign sboms
|
||||
if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
|
||||
if: |
|
||||
inputs.cosignPublicKey != '' &&
|
||||
inputs.cosignPrivateKey != '' &&
|
||||
inputs.cosignPassword != ''
|
||||
shell: bash
|
||||
env:
|
||||
COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }}
|
||||
@ -91,8 +96,6 @@ runs:
|
||||
zip -r sboms.zip sboms
|
||||
|
||||
- name: Upload SBOMs
|
||||
if: always()
|
||||
continue-on-error: true
|
||||
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
|
||||
with:
|
||||
name: sboms
|
||||
|
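Review bot: The `containerTags` description in the first hunk says "space separated", but the caller in build-apko-image.yml hands the input a multi-line block scalar and build_and_sign.sh consumes it with an unquoted `for tag in ${CONTAINER_TAGS}`, which splits on any IFS whitespace, so the documented contract is narrower than what the code accepts and what the only visible caller relies on. Suggest `description: "Tags for the resulting container image, separated by spaces or newlines; a '/' in a tag is rewritten to '-'"` so the branch-name sanitisation the script performs is visible to callers of the action. The new `registry` input carries only a default; adding `required: false` beside it keeps it consistent with the other optional inputs in the same block.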
30
.github/actions/build_apko/build_and_sign.sh
@ -1,17 +1,19 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
set -euo pipefail
|
||||
set -exuo pipefail
|
||||
shopt -s inherit_errexit
|
||||
|
||||
# buildImage <apko_config_path>
|
||||
function buildImage() {
|
||||
buildImage() {
|
||||
local imageConfig=$1
|
||||
|
||||
echo "Building image for ${imageConfig}"
|
||||
|
||||
local imageName
|
||||
imageName=$(basename "${imageConfig}" | cut -d. -f1)
|
||||
local registryPath
|
||||
registryPath="${REGISTRY}/edgelesssys/apko-${imageName}"
|
||||
local outTar
|
||||
outTar="${imageName}.tar"
|
||||
|
||||
mkdir -p "sboms/${imageName}"
|
||||
@ -19,7 +21,7 @@ function buildImage() {
|
||||
# build the image
|
||||
docker run \
|
||||
-v "${PWD}":/work \
|
||||
cgr.dev/chainguard/apko:"${APKO_TAG}" \
|
||||
cgr.dev/chainguard/apko@sha256:8952f4f3ce58052b7df5e46f230f7192b42b220d3e46c8b06178cc25fd700846 \
|
||||
build \
|
||||
"${imageConfig}" \
|
||||
--build-arch "${APKO_ARCH}" \
|
||||
@ -27,11 +29,23 @@ function buildImage() {
|
||||
"${registryPath}" \
|
||||
"${outTar}"
|
||||
|
||||
# push container
|
||||
docker load < "${outTar}"
|
||||
docker push "${registryPath}"
|
||||
imageDigest=$(docker inspect --format='{{index .RepoDigests 0}}' "${registryPath}")
|
||||
echo "${imageDigest}" >> "${GITHUB_STEP_SUMMARY}"
|
||||
|
||||
for tag in ${CONTAINER_TAGS}; do
|
||||
tagSanitized=${tag//\//-}
|
||||
|
||||
docker image tag "${registryPath}" "${registryPath}:${tagSanitized}"
|
||||
docker push "${registryPath}:${tagSanitized}"
|
||||
|
||||
imageDigest=$(docker inspect --format='{{index .RepoDigests 0}}' "${registryPath}")
|
||||
|
||||
# write full image as Markdown code block to step summary
|
||||
cat << EOF >> "${GITHUB_STEP_SUMMARY}"
|
||||
\`\`\`
|
||||
${imageDigest%%@*}:${tagSanitized}@${imageDigest##*@}
|
||||
\`\`\`
|
||||
EOF
|
||||
done
|
||||
|
||||
# cosign the container and push to registry
|
||||
cosign sign \
|
||||
@ -43,8 +57,6 @@ function buildImage() {
|
||||
mv sbom-*.* "sboms/${imageName}/"
|
||||
}
|
||||
|
||||
mkdir "sboms"
|
||||
|
||||
if [[ -n ${APKO_CONFIG} ]]; then
|
||||
buildImage "${APKO_CONFIG}"
|
||||
exit 0
|
||||
|
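Review bot: In the third hunk the untagged `docker push "${registryPath}"` survives ahead of the new tag loop, so every run still publishes the image under the registry's implicit default tag (presumably `:latest`, which is what `docker load` of an untagged apko reference yields) in addition to the tags in CONTAINER_TAGS; the workflow only asks for `latest` when the ref is `main`, so a build from any other ref would move `latest` as well. Dropping that line and letting the loop perform all pushes limits publication to the requested tags; the later `docker inspect` on the bare `${registryPath}` reads the repo digest from the locally loaded image and should still work, but consider pointing it at `"${registryPath}:${tagSanitized}"` so it no longer depends on the implicit local tag. Separately, `-x` in `set -exuo pipefail` traces every expanded command line into the job log; the `cosign sign` call continues outside the hunk, so confirm nothing secret reaches it as a command-line argument rather than through the `COSIGN_*` environment variables.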
10
.github/workflows/build-apko-image.yml
@ -22,12 +22,16 @@ jobs:
|
||||
with:
|
||||
ref: ${{ github.head_ref }}
|
||||
|
||||
- name: Get pseudo version
|
||||
id: pseudo-version
|
||||
uses: ./.github/actions/pseudo_version
|
||||
|
||||
- name: Build and upload apko image
|
||||
uses: ./.github/actions/build_apko
|
||||
with:
|
||||
apkoConfig: ""
|
||||
apkoTag: "latest"
|
||||
apkoArch: "amd64"
|
||||
containerTags: |
|
||||
${{ steps.pseudo-version.outputs.pseudoVersion }}
|
||||
${{ github.ref_name == 'main' && 'latest' || github.ref_name }}
|
||||
registry: ghcr.io
|
||||
githubToken: ${{ secrets.GITHUB_TOKEN }}
|
||||
cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
|
||||
|