ci: tag apko base images

Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2024-10-01 01:36:09 -04:00 · 2023-01-25 15:58:53 +01:00 · 2023-01-25 15:58:53 +01:00 · 32a540bff4
commit 32a540bff4
parent 8268b6e23f
3 changed files with 41 additions and 22 deletions
--- a/.github/actions/build_apko/action.yml
+++ b/.github/actions/build_apko/action.yml
@ -5,14 +5,13 @@ inputs:
  apkoConfig:
    description: "Path to the apko .yaml config file. If left empty, all images will be built."
    required: false
-  apkoTag:
-    description: "Use this image tag"
-    required: false
-    default: latest
  apkoArch:
    description: "Use this image architecture"
    required: false
    default: amd64
+  containerTags:
+    description: "Tags for the resulting container image, space separated"
+    required: true
  registry:
    description: "Container registry to use"
    default: "ghcr.io"
@ -35,7 +34,7 @@ inputs:

 # Linux runner only (docker required)
 runs:
-  using: "composite"
+  using: composite
  steps:
    - name: Install deps
      shell: bash
@ -54,7 +53,10 @@ runs:
        password: ${{ inputs.githubToken }}

    - name: Install Cosign
-      if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
+      if: |
+        inputs.cosignPublicKey != '' &&
+        inputs.cosignPrivateKey != '' &&
+        inputs.cosignPassword != ''
      uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1

    - name: Build apko images and sign them
@ -65,13 +67,16 @@ runs:
        COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
        COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
        APKO_CONFIG: ${{ inputs.apkoConfig }}
-        APKO_TAG: ${{ inputs.apkoTag }}
        APKO_ARCH: ${{ inputs.apkoArch }}
+        CONTAINER_TAGS: ${{ inputs.containerTags }}
        REGISTRY: ${{ inputs.registry }}
      run: .github/actions/build_apko/build_and_sign.sh

    - name: Sign sboms
-      if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
+      if: |
+        inputs.cosignPublicKey != '' &&
+        inputs.cosignPrivateKey != '' &&
+        inputs.cosignPassword != ''
      shell: bash
      env:
        COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }}
@ -91,8 +96,6 @@ runs:
        zip -r sboms.zip sboms

    - name: Upload SBOMs
-      if: always()
-      continue-on-error: true
      uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
      with:
        name: sboms
--- a/.github/actions/build_apko/build_and_sign.sh
+++ b/.github/actions/build_apko/build_and_sign.sh
@ -1,17 +1,19 @@
 #!/usr/bin/env bash

-set -euo pipefail
+set -exuo pipefail
 shopt -s inherit_errexit

 # buildImage <apko_config_path>
-function buildImage() {
+buildImage() {
  local imageConfig=$1

  echo "Building image for ${imageConfig}"

  local imageName
  imageName=$(basename "${imageConfig}" | cut -d. -f1)
+  local registryPath
  registryPath="${REGISTRY}/edgelesssys/apko-${imageName}"
+  local outTar
  outTar="${imageName}.tar"

  mkdir -p "sboms/${imageName}"
@ -19,7 +21,7 @@ function buildImage() {
  # build the image
  docker run \
    -v "${PWD}":/work \
-    cgr.dev/chainguard/apko:"${APKO_TAG}" \
+    cgr.dev/chainguard/apko@sha256:8952f4f3ce58052b7df5e46f230f7192b42b220d3e46c8b06178cc25fd700846 \
    build \
    "${imageConfig}" \
    --build-arch "${APKO_ARCH}" \
@ -27,11 +29,23 @@ function buildImage() {
    "${registryPath}" \
    "${outTar}"

-  # push container
  docker load < "${outTar}"
-  docker push "${registryPath}"
-  imageDigest=$(docker inspect --format='{{index .RepoDigests 0}}' "${registryPath}")
-  echo "${imageDigest}" >> "${GITHUB_STEP_SUMMARY}"
+
+  for tag in ${CONTAINER_TAGS}; do
+    tagSanitized=${tag//\//-}
+
+    docker image tag "${registryPath}" "${registryPath}:${tagSanitized}"
+    docker push "${registryPath}:${tagSanitized}"
+
+    imageDigest=$(docker inspect --format='{{index .RepoDigests 0}}' "${registryPath}")
+
+    # write full image as Markdown code block to step summary
+    cat << EOF >> "${GITHUB_STEP_SUMMARY}"
+\`\`\`
+${imageDigest%%@*}:${tagSanitized}@${imageDigest##*@}
+\`\`\`
+EOF
+  done

  # cosign the container and push to registry
  cosign sign \
@ -43,8 +57,6 @@ function buildImage() {
  mv sbom-*.* "sboms/${imageName}/"
 }

-mkdir "sboms"
-
 if [[ -n ${APKO_CONFIG} ]]; then
  buildImage "${APKO_CONFIG}"
  exit 0
--- a/.github/workflows/build-apko-image.yml
+++ b/.github/workflows/build-apko-image.yml
@ -22,12 +22,16 @@ jobs:
        with:
          ref: ${{ github.head_ref }}

+      - name: Get pseudo version
+        id: pseudo-version
+        uses: ./.github/actions/pseudo_version
+
      - name: Build and upload apko image
        uses: ./.github/actions/build_apko
        with:
-          apkoConfig: ""
-          apkoTag: "latest"
-          apkoArch: "amd64"
+          containerTags: |
+            ${{ steps.pseudo-version.outputs.pseudoVersion }}
+            ${{ github.ref_name == 'main' && 'latest' || github.ref_name }}
          registry: ghcr.io
          githubToken: ${{ secrets.GITHUB_TOKEN }}
          cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}