From 17cd2b0216922f408e8f201468f3c675d634ff7f Mon Sep 17 00:00:00 2001 From: Yajith Dayarathna Date: Wed, 25 Sep 2024 22:22:09 +1200 Subject: [PATCH] workflow updates (#23) * updating tag logic * updating tag logic * updating tag logic * testing * testing * testing * testing * testing * updated build and push approach * workflow trigger update --- .github/workflows/kubectl-shell.yaml | 150 ++++++++++++++++++++------- 1 file changed, 112 insertions(+), 38 deletions(-) diff --git a/.github/workflows/kubectl-shell.yaml b/.github/workflows/kubectl-shell.yaml index 6a63926..b70d11a 100644 --- a/.github/workflows/kubectl-shell.yaml +++ b/.github/workflows/kubectl-shell.yaml @@ -4,22 +4,37 @@ on: workflow_dispatch: push: branches: - - develop + - 'develop' + - 'release/*' paths: - 'kubectl-shell/**' pull_request: + types: + - 'opened' + - 'reopened' + - 'synchronize' + - 'ready_for_review' branches: - - develop + - 'develop' + - 'release/*' paths: - 'kubectl-shell/**' env: DOCKER_HUB_REPO: portainerci/kubectl-shell - GITHUB_PR_NUMBER: ${{ github.event.pull_request.number }} jobs: build_images: + if: github.event.pull_request.draft == false runs-on: ubuntu-latest + strategy: + fail-fast: true + matrix: + config: + - { platform: linux, arch: amd64 } + - { platform: linux, arch: arm64 } + - { platform: linux, arch: arm } + - { platform: linux, arch: ppc64le } steps: - name: "[preparation] checkout" uses: actions/checkout@v4.1.1 @@ -35,7 +50,6 @@ jobs: with: endpoint: builders driver-opts: image=moby/buildkit:v0.16.0 - platforms: linux/amd64,linux/arm64,linux/arm,linux/ppc64le - name: "[preparation] docker login" uses: docker/login-action@v3.3.0 
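Review bot: The new `if: github.event.pull_request.draft == false` on build_images only keeps push and workflow_dispatch runs alive through expression coercion — on those events `github.event.pull_request` is absent, `.draft` evaluates to null, and `null == false` is true — and nothing on the line says so. A comment above it would stop a later "tidy-up" to `!= true` or a stricter check from silently disabling branch builds: `# also true for push/workflow_dispatch: pull_request is null there and null == false`. The same expression is added to the build_manifests job in the last hunk and deserves the same comment. The build_images job continues past the end of this hunk.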
@@ -43,43 +57,103 @@ jobs: username: ${{ secrets.DOCKER_HUB_USERNAME }} password: ${{ secrets.DOCKER_HUB_PASSWORD }} - - name: "set image tag for pull request" - run: | - echo "IMAGE_TAG=pr${{ github.event.pull_request.number }}" >> $GITHUB_ENV - if: ${{ github.event_name == 'pull_request' }} - - - name: "set image tag for develop" - run: | - echo "IMAGE_TAG=latest" >> $GITHUB_ENV - if: ${{ github.event_name == 'push' }} + - name: "[metadata] generate image tags" + id: meta + uses: docker/metadata-action@v5.5.1 + with: + images: ${{ env.DOCKER_HUB_REPO }} - - name: "build and push images" + - name: "[build] build and push by digest" + id: build uses: docker/build-push-action@v6.7.0 with: - context: kubectl-shell/ - tags: ${{ env.DOCKER_HUB_REPO }}:${{ env.IMAGE_TAG }} + context: kubectl-shell/ + platforms: ${{ matrix.config.platform }}/${{ matrix.config.arch }} build-args: | - KUBERNETES_RELEASE=v1.31.0 - ALPINE=alpine:latest HELM_VERSION=v3.15.4 - platforms: | - linux/amd64 - linux/arm64 - linux/arm - linux/ppc64le - sbom: true - provenance: true - push: true - - - name: "docker scout scan" - id: docker-scout - if: ${{ github.event_name == 'pull_request' }} - uses: docker/scout-action@v1 + KUBERNETES_RELEASE=v1.31.0 + labels: ${{ steps.meta.outputs.labels }} + outputs: type=image,name=${{ env.DOCKER_HUB_REPO }},push-by-digest=true,name-canonical=true,push=true + cache-from: type=gha + cache-to: type=gha,mode=max + attests: | + type=sbom + type=provenance,mode=max + + - name: "[build] export digest" + run: | + mkdir -p /tmp/digests + digest="${{ steps.build.outputs.digest }}" + touch "/tmp/digests/${digest#sha256:}" + + - name: "[build] upload digest" + uses: actions/upload-artifact@v4 + with: + name: digests-${{ matrix.config.platform }}-${{ matrix.config.arch }} + path: /tmp/digests/* + if-no-files-found: error + retention-days: 1 + + build_manifests: + if: github.event.pull_request.draft == false + runs-on: ubuntu-latest + needs: [build_images] + steps: + - 
name: "[preparation] download digests" + uses: actions/download-artifact@v4 + with: + path: /tmp/digests + pattern: digests-* + merge-multiple: true + + - name: "[preparation] setup manifest name" + run: | + if [[ "${GITHUB_REF_NAME}" =~ ^release/.*$ ]]; then + # use the release branch name as the tag for release branches + # for instance, release/2.19 becomes 2.19 + CONTAINER_IMAGE_TAG=$(echo $GITHUB_REF_NAME | cut -d "/" -f 2) + elif [ "${GITHUB_EVENT_NAME}" == "pull_request" ]; then + # use pr${{ github.event.number }} as the tag for pull requests + # for instance, pr123 + CONTAINER_IMAGE_TAG="pr${{ github.event.number }}" + else + # replace / with - in the branch name + # for instance, feature/1.0.0 -> feature-1.0.0 + CONTAINER_IMAGE_TAG=$(echo $GITHUB_REF_NAME | sed 's/\//-/g') + fi + + # export the tag to the environment + echo "CONTAINER_IMAGE_TAG=${CONTAINER_IMAGE_TAG}" >> $GITHUB_ENV + + - name: "[metadata] generate image tags" + id: meta + uses: docker/metadata-action@v5.5.1 with: - command: cves - image: ${{ env.DOCKER_HUB_REPO }}:${{ env.IMAGE_TAG }} - to: portainer/base:latest - ignore-unchanged: true - only-severities: critical,high - write-comment: true - github-token: ${{ secrets.GITHUB_TOKEN }} + images: ${{ env.DOCKER_HUB_REPO }} + tags: | + type=raw,value=${{ env.CONTAINER_IMAGE_TAG }} + + - name: "[preparation] set up docker context for buildx" + run: docker context create builders + + - name: "[preparation] set up docker buildx" + uses: docker/setup-buildx-action@v3.0.0 + with: + endpoint: builders + driver-opts: image=moby/buildkit:v0.16.0 + + - name: "[preparation] docker login" + uses: docker/login-action@v3.0.0 + with: + username: ${{ secrets.DOCKER_HUB_USERNAME }} + password: ${{ secrets.DOCKER_HUB_PASSWORD }} + + - name: "[build] create manifest list and push" + working-directory: /tmp/digests + run: | + docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) 
| join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ + $(printf '${{ env.DOCKER_HUB_REPO }}@sha256:%s ' *) + + - name: "[validate] inspect image" + run: | + docker buildx imagetools inspect ${{ env.DOCKER_HUB_REPO }}:${{ steps.meta.outputs.version }}
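Review bot: The docker scout CVE scan the old workflow ran on pull requests is removed here and nothing in the new build_manifests job replaces it, so PR images now reach Docker Hub without the critical/high CVE check against portainer/base:latest; if dropping it is intended the commit description should say so, otherwise the step can be re-added after "[validate] inspect image" against the assembled manifest, as sketched below. Separately, the new job pins `docker/login-action@v3.0.0` while build_images uses `docker/login-action@v3.3.0` (context in the previous hunk), and `actions/upload-artifact@v4` / `actions/download-artifact@v4` float on a major tag while every other action in this file is pinned to a patch release — align the versions, ideally pinning by commit SHA with the version in a trailing comment. In "[preparation] setup manifest name" the unquoted `$GITHUB_REF_NAME` fed to `cut` and `sed` should be quoted as `"$GITHUB_REF_NAME"` for consistency with the quoted test two lines above it.
```yaml
      # … unchanged: download digests, tag setup, metadata, buildx, login, manifest push, inspect …

      - name: "[validate] docker scout scan"
        if: ${{ github.event_name == 'pull_request' }}
        uses: docker/scout-action@v1
        with:
          command: cves
          image: ${{ env.DOCKER_HUB_REPO }}:${{ steps.meta.outputs.version }}
          to: portainer/base:latest
          ignore-unchanged: true
          only-severities: critical,high
          write-comment: true
          github-token: ${{ secrets.GITHUB_TOKEN }}
```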