saltstack · s0undt3ch · Nov 24, 2023 · Nov 24, 2023 · Nov 24, 2023
diff --git a/.github/actionlint.yaml b/.github/actionlint.yaml
@@ -0,0 +1,13 @@
+self-hosted-runner:
+  # Labels of self-hosted runner in array of string
+  labels:
+    - bastion
+    - x86_64
+    - arm64
+    - aarch64
+    - amd64
+    - repo-nightly
+    - repo-staging
+    - repo-release
+    - medium
+    - large
diff --git a/.github/actions/action.yml b/.github/actions/action.yml
@@ -0,0 +1,33 @@
+---
+name: setup-actionlint
+description: Setup actionlint
+inputs:
+  version:
+    description: The version of actionlint
+    default: 1.6.24
+  cache-seed:
+    required: true
+    type: string
+    description: Seed used to invalidate caches
+
+runs:
+  using: composite
+  steps:
+
+    - name: Cache actionlint Binary
+      uses: actions/cache@v3
+      with:
+        path: /usr/local/bin/actionlint
+        key: ${{ inputs.cache-seed }}|${{ runner.os }}|${{ runner.arch }}|actionlint|${{ inputs.version }}
+
+    - name: Setup actionlint
+      shell: bash
+      run: |
+        if ! command -v actionlint; then
+          bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash) ${{ inputs.version }}
+          mv ./actionlint /usr/local/bin/actionlint
+        fi
+    - name: Show actionlint Version
+      shell: bash
+      run: |
+        actionlint --version
diff --git a/.github/actions/setup-actionlint/action.yml b/.github/actions/setup-actionlint/action.yml
@@ -0,0 +1,33 @@
+---
+name: setup-actionlint
+description: Setup actionlint
+inputs:
+  version:
+    description: The version of actionlint
+    default: 1.6.24
+  cache-seed:
+    required: true
+    type: string
+    description: Seed used to invalidate caches
+
+runs:
+  using: composite
+  steps:
+
+    - name: Cache actionlint Binary
+      uses: actions/cache@v3
+      with:
+        path: /usr/local/bin/actionlint
+        key: ${{ inputs.cache-seed }}|${{ runner.os }}|${{ runner.arch }}|actionlint|${{ inputs.version }}
+
+    - name: Setup actionlint
+      shell: bash
+      run: |
+        if ! command -v actionlint; then
+          bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash) ${{ inputs.version }}
+          mv ./actionlint /usr/local/bin/actionlint
+        fi
+    - name: Show actionlint Version
+      shell: bash
+      run: |
+        actionlint --version
diff --git a/.github/actions/setup-shellcheck/action.yml b/.github/actions/setup-shellcheck/action.yml
@@ -0,0 +1,35 @@
+---
+name: setup-shellcheck
+description: Setup shellcheck
+inputs:
+  version:
+    description: The version of shellcheck
+    default: v0.9.0
+  cache-seed:
+    required: true
+    type: string
+    description: Seed used to invalidate caches
+
+runs:
+  using: composite
+  steps:
+
+    - name: Cache shellcheck Binary
+      uses: actions/cache@v3
+      with:
+        path: /usr/local/bin/shellcheck
+        key: ${{ inputs.cache-seed }}|${{ runner.os }}|${{ runner.arch }}|shellcheck|${{ inputs.version }}
+
+    - name: Setup shellcheck
+      shell: bash
+      run: |
+        if ! command -v shellcheck; then
+          wget https://github.com/koalaman/shellcheck/releases/download/${{ inputs.version }}/shellcheck-${{ inputs.version }}.${{ runner.os }}.x86_64.tar.xz
+          tar xf shellcheck-${{ inputs.version }}.${{ runner.os }}.x86_64.tar.xz
+          mv shellcheck-${{ inputs.version }}/shellcheck /usr/local/bin/shellcheck
+          rm -rf shellcheck-${{ inputs.version }}.${{ runner.os }}.x86_64.tar.xz shellcheck-${{ inputs.version }}
+        fi
+    - name: Show shellcheck Version
+      shell: bash
+      run: |
+        shellcheck --version
diff --git a/.github/workflows/.container.template.j2 b/.github/workflows/.container.template.j2
@@ -22,23 +22,22 @@ env:
 
 
 concurrency:
-  # Concurrency is defined in a way that concurrent builds against branches do
-  # not cancel previous builds.
-  # However, for every new build against the same pull request source branch,
-  # all older builds against that same branch get canceled.
-  group: <{ repository_path }>-${{ github.workflow }}-${{ github.event_name }}-${{ github.head_ref || github.run_id }}
+  # New builds always cancel previous, still running, builds
+  group: <{ repository_path }>-${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
 jobs:
   matrix-generator:
-    name: "Mirror Matrix Generator"
+    name: Generate Matrix
     runs-on: ubuntu-latest
     outputs:
+      tags: ${{ steps.set-matrix.outputs.tags }}
+      name: ${{ steps.set-matrix.outputs.name }}
       dockerinfo: ${{ steps.set-matrix.outputs.dockerinfo }}
     steps:
       - name: "Throttle Builds"
         run: |
-          t=$(shuf -i 5-30 -n 1); echo "Sleeping $t seconds"; sleep $t
+          t="$(shuf -i 5-30 -n 1)"; echo "Sleeping $t seconds"; sleep "$t"
 
       - name: "Fetching Repository Contents"
         uses: actions/checkout@v4
@@ -64,10 +63,10 @@ jobs:
         run: |
           inv containers.matrix --from-workflow ${{ env.PATH_IN_REPO }}
 
-  mirror-image:
+  build:
     runs-on: ubuntu-latest
     needs: matrix-generator
-    name: "${{ matrix.dockerinfo.name }}${{ matrix.dockerinfo.platform && format(' ({0})', matrix.dockerinfo.platform) || ''}}"
+    name: "Build ${{ matrix.dockerinfo.name }}:${{ matrix.dockerinfo.tag }}${{ matrix.dockerinfo.platform && format(' ({0})', matrix.dockerinfo.platform) || ''}}"
     strategy:
       fail-fast: false
       max-parallel: 10
@@ -98,16 +97,18 @@ jobs:
 
       - name: "Throttle concurrent pushes"
         run: |
-          t=$(shuf -i 5-30 -n 1); echo "Sleeping $t seconds"; sleep $t
+          t="$(shuf -i 5-30 -n 1)"; echo "Sleeping $t seconds"; sleep "$t"
 
-      - name: "Setup DockerFile"
-        run: |
-          echo " " >> ./${{matrix.dockerinfo.file}}
-          echo "LABEL org.opencontainers.image.source=\"https://github.com/${GITHUB_REPOSITORY}/\"" >> ${{matrix.dockerinfo.file}}
-          echo "LABEL org.opencontainers.image.url=\"https://github.com/${GITHUB_REPOSITORY}/\"" >> ${{matrix.dockerinfo.file}}
-          echo "LABEL org.opencontainers.image.documentation=\"https://github.com/${GITHUB_REPOSITORY}/\"" >> ${{matrix.dockerinfo.file}}
-          echo "LABEL org.opencontainers.image.vendor=\"Unofficial Docker Hub Mirror\"" >> ${{matrix.dockerinfo.file}}
-          cat ./${{matrix.dockerinfo.file}}
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ghcr.io/${{ github.repository }}/${{ matrix.dockerinfo.name }}
+          tags: |
+            type=raw,value=${{ matrix.dockerinfo.tag }}
+          flavor: |
+            latest=false
 
       - name: "Docker QEMU"
         uses: docker/setup-qemu-action@v3
@@ -133,10 +134,90 @@ jobs:
 
       - name: "Build & Publish"
         uses: docker/build-push-action@v5
+        id: build
         with:
           file: ${{ matrix.dockerinfo.file }}
           context: ${{ env.PATH_IN_REPO }}
           platforms: ${{ matrix.dockerinfo.platform }}
-          push: ${{ github.repository == 'saltstack/salt-ci-containers' && (github.event_name == 'push' || github.event_name == 'workflow_dispatch' || github.event_name == 'schedule' ) }}
+          labels: ${{ steps.meta.outputs.labels }}
+          outputs: type=image,name=ghcr.io/${{ github.repository }}/${{ matrix.dockerinfo.name }}:${{ steps.meta.outputs.version }},push-by-digest=true,name-canonical=true,push=true
+
+      - name: Export digest
+        run: |
+          mkdir -p /tmp/digests
+          digest="${{ steps.build.outputs.digest }}"
+          touch "/tmp/digests/${digest#sha256:}"
+
+      - name: Upload digest
+        uses: actions/upload-artifact@v3
+        with:
+          name: digests-${{ matrix.dockerinfo.name }}-${{ matrix.dockerinfo.tag }}
+          path: /tmp/digests/*
+          if-no-files-found: error
+          retention-days: 1
+
+  merge:
+    runs-on: ubuntu-latest
+    name: "Merge ${{ needs.matrix-generator.outputs.name }}:${{ matrix.tag }}"
+
+    strategy:
+      fail-fast: false
+      max-parallel: 10
+      matrix:
+        tag: ${{ fromJson(needs.matrix-generator.outputs.tags) }}
+
+    needs:
+      - matrix-generator
+      - build
+
+    permissions:
+      actions: read
+      checks: write
+      issues: read
+      packages: write
+      pull-requests: read
+      repository-projects: read
+      statuses: read
+
+    steps:
+      - name: Download digests
+        uses: actions/download-artifact@v3
+        with:
+          name: digests-${{ needs.matrix-generator.outputs.name }}-${{ matrix.tag }}
+          path: /tmp/digests
+
+      - name: Show digests
+        run: |
+          tree -a /tmp/digest
+          cat /tmp/digests/*
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ghcr.io/${{ github.repository }}/${{ needs.matrix-generator.outputs.name }}
           tags: |
-            ghcr.io/${{ github.repository }}/${{ matrix.dockerinfo.name }}
+            type=raw,value=${{ matrix.tag }}
+          flavor: |
+            latest=false
+
+      - name: "Log into GitHub Container Registry"
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Create manifest list and push
+        working-directory: /tmp/digests
+        run: |
+          docker buildx imagetools create "$(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON")" \
+            "$(printf 'ghcr.io/${{ github.repository }}/${{ needs.matrix-generator.outputs.name }}@sha256:%s ' *)"
+
+      - name: Inspect image
+        run: |
+          docker buildx imagetools inspect ghcr.io/${{ github.repository }}/${{ needs.matrix-generator.outputs.name }}:${{ steps.meta.outputs.version }}