ci: tag apko base images

Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Paul Meyer 2023-01-25 15:58:53 +01:00
parent 8268b6e23f
commit 32a540bff4
3 changed files with 41 additions and 22 deletions


@ -5,14 +5,13 @@ inputs:
apkoConfig:
description: "Path to the apko .yaml config file. If left empty, all images will be built."
required: false
apkoTag:
description: "Use this image tag"
required: false
default: latest
apkoArch:
description: "Use this image architecture"
required: false
default: amd64
containerTags:
description: "Tags for the resulting container image, space separated"
required: true
registry:
description: "Container registry to use"
default: "ghcr.io"
@ -35,7 +34,7 @@ inputs:
# Linux runner only (docker required)
runs:
using: "composite"
using: composite
steps:
- name: Install deps
shell: bash
@ -54,7 +53,10 @@ runs:
password: ${{ inputs.githubToken }}
- name: Install Cosign
if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
if: |
inputs.cosignPublicKey != '' &&
inputs.cosignPrivateKey != '' &&
inputs.cosignPassword != ''
uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
- name: Build apko images and sign them
@ -65,13 +67,16 @@ runs:
COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
APKO_CONFIG: ${{ inputs.apkoConfig }}
APKO_TAG: ${{ inputs.apkoTag }}
APKO_ARCH: ${{ inputs.apkoArch }}
CONTAINER_TAGS: ${{ inputs.containerTags }}
REGISTRY: ${{ inputs.registry }}
run: .github/actions/build_apko/build_and_sign.sh
- name: Sign sboms
if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
if: |
inputs.cosignPublicKey != '' &&
inputs.cosignPrivateKey != '' &&
inputs.cosignPassword != ''
shell: bash
env:
COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }}
@ -91,8 +96,6 @@ runs:
zip -r sboms.zip sboms
- name: Upload SBOMs
if: always()
continue-on-error: true
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
name: sboms
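Review bot: The `containerTags` input added at the top of this section is described as "space separated", but the workflow in the same commit passes it as a `|` block scalar with one tag per line; the consuming script word-splits on any IFS whitespace, so both forms work and the description should say so, e.g. `description: "Tags for the resulting container image, whitespace (space or newline) separated"`. In the last hunk, `if: always()` and `continue-on-error: true` are dropped from the Upload SBOMs step, so SBOMs are no longer uploaded when an earlier step fails and an upload failure now fails the job; if that is intended it deserves a line in the commit message, otherwise keep `if: always()` so the SBOM artifact survives a failed signing step for later inspection.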


@ -1,17 +1,19 @@
#!/usr/bin/env bash
set -euo pipefail
set -exuo pipefail
shopt -s inherit_errexit
# buildImage <apko_config_path>
function buildImage() {
buildImage() {
local imageConfig=$1
echo "Building image for ${imageConfig}"
local imageName
imageName=$(basename "${imageConfig}" | cut -d. -f1)
local registryPath
registryPath="${REGISTRY}/edgelesssys/apko-${imageName}"
local outTar
outTar="${imageName}.tar"
mkdir -p "sboms/${imageName}"
@ -19,7 +21,7 @@ function buildImage() {
# build the image
docker run \
-v "${PWD}":/work \
cgr.dev/chainguard/apko:"${APKO_TAG}" \
cgr.dev/chainguard/apko@sha256:8952f4f3ce58052b7df5e46f230f7192b42b220d3e46c8b06178cc25fd700846 \
build \
"${imageConfig}" \
--build-arch "${APKO_ARCH}" \
@ -27,11 +29,23 @@ function buildImage() {
"${registryPath}" \
"${outTar}"
# push container
docker load < "${outTar}"
docker push "${registryPath}"
imageDigest=$(docker inspect --format='{{index .RepoDigests 0}}' "${registryPath}")
echo "${imageDigest}" >> "${GITHUB_STEP_SUMMARY}"
for tag in ${CONTAINER_TAGS}; do
tagSanitized=${tag//\//-}
docker image tag "${registryPath}" "${registryPath}:${tagSanitized}"
docker push "${registryPath}:${tagSanitized}"
imageDigest=$(docker inspect --format='{{index .RepoDigests 0}}' "${registryPath}")
# write full image as Markdown code block to step summary
cat << EOF >> "${GITHUB_STEP_SUMMARY}"
\`\`\`
${imageDigest%%@*}:${tagSanitized}@${imageDigest##*@}
\`\`\`
EOF
done
# cosign the container and push to registry
cosign sign \
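Review bot: `tagSanitized` and `imageDigest` (and the loop variable `tag`) are assigned inside buildImage without `local`, unlike `imageConfig`, `imageName`, `registryPath` and `outTar` earlier in the function, so they leak into the caller's scope; declare them once before the loop, `local tag tagSanitized imageDigest`, and move the `docker inspect` out of the loop, since the repository digest does not change between tags of the same image. With `set -x` now enabled at the top of the file, every expanded command line, including the heredoc body, is echoed into the job log; confirm that the `cosign sign` invocation, which continues outside the hunk, takes the key through the environment rather than on the command line so nothing sensitive is traced. The sanitization only maps `/` to `-`; a ref name containing other characters that are not valid in an image tag will make `docker image tag` fail under `set -e`, which is acceptable if intended but worth a comment such as `# ref names may contain '/', which is not allowed in image tags`. The digest pin on the apko image earlier in this file would also benefit from a `# vX.Y.Z` trailer like the other pinned actions in action.yml so update tooling can track it.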
@ -43,8 +57,6 @@ function buildImage() {
mv sbom-*.* "sboms/${imageName}/"
}
mkdir "sboms"
if [[ -n ${APKO_CONFIG} ]]; then
buildImage "${APKO_CONFIG}"
exit 0


@ -22,12 +22,16 @@ jobs:
with:
ref: ${{ github.head_ref }}
- name: Get pseudo version
id: pseudo-version
uses: ./.github/actions/pseudo_version
- name: Build and upload apko image
uses: ./.github/actions/build_apko
with:
apkoConfig: ""
apkoTag: "latest"
apkoArch: "amd64"
containerTags: |
${{ steps.pseudo-version.outputs.pseudoVersion }}
${{ github.ref_name == 'main' && 'latest' || github.ref_name }}
registry: ghcr.io
githubToken: ${{ secrets.GITHUB_TOKEN }}
cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
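Review bot: `containerTags` is written as a `|` block scalar, which keeps a trailing newline on the value; the script splits on whitespace so it is harmless, but `|-` states the intent more precisely: `containerTags: |-`. The second tag is derived from `github.ref_name`, i.e. from branch text that on pull requests is not under the repository owner's control; it reaches the shell only through `with:` → `env:` → a quoted variable, which is the right path — keep it out of any `${{ }}` interpolation inside a `run:` block. Whether pull-request refs of the form `<number>/merge` should produce an image tag at all depends on the workflow trigger, which is outside this hunk.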