Merge pull request #256 from wallarm/DEVOPS-2049 #59
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build release images | |
| on: | |
| push: | |
| branches: | |
| - 'main' | |
| paths: | |
| - 'NGINX_BASE' | |
| - 'TAG' | |
| permissions: | |
| contents: read | |
| jobs: | |
| changes: | |
| name: Changes | |
| permissions: | |
| contents: read | |
| pull-requests: read | |
| runs-on: ubuntu-latest | |
| outputs: | |
| base: ${{ steps.filter.outputs.base }} | |
| controller: ${{ steps.filter.outputs.controller }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.0.2 | |
| - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.10.2 | |
| id: filter | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| filters: | | |
| base: | |
| - 'NGINX_BASE' | |
| controller: | |
| - 'TAG' | |
| build: | |
| name: Build and push images | |
| runs-on: self-hosted-8cpu | |
| if: | | |
| (needs.changes.outputs.base == 'true' || needs.changes.outputs.controller == 'true') | |
| needs: | |
| - changes | |
| outputs: | |
| matrix: ${{ steps.items.outputs.matrix }} | |
| steps: | |
| - name: Import secrets | |
| uses: hashicorp/vault-action@cb841f2c86fb6d07cff94fda240828c1abc5ba43 # v2.7.3 | |
| id: secrets | |
| with: | |
| exportEnv: false | |
| url: ${{ secrets.VAULT_URL }} | |
| role: ${{ secrets.VAULT_ROLE }} | |
| method: kubernetes | |
| secrets: | | |
| kv-gitlab-ci/data/github/shared/dockerhub-creds user | DOCKERHUB_USER ; | |
| kv-gitlab-ci/data/github/shared/dockerhub-creds password | DOCKERHUB_PASSWORD ; | |
| kv-gitlab-ci/data/github/shared/node-repo-key key | NODE_REPO_KEY ; | |
| - name: Checkout | |
| uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.0.2 | |
| - name: Setup Docker Buildx | |
| uses: docker/setup-buildx-action@4c0219f9ac95b02789c1075625400b2acbff50b1 # v2.0.0 | |
| with: | |
| version: latest | |
| use: false | |
| - name: Docker login | |
| uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc | |
| with: | |
| username: ${{ steps.secrets.outputs.DOCKERHUB_USER }} | |
| password: ${{ steps.secrets.outputs.DOCKERHUB_PASSWORD }} | |
| - name: Build and push base image | |
| if: needs.changes.outputs.base == 'true' | |
| run: | | |
| eval $(ssh-agent -s) | |
| echo "${{ steps.secrets.outputs.NODE_REPO_KEY }}" | tr -d '\r' | ssh-add - | |
| make -C images/nginx push | |
| - name: Build and push controller images | |
| env: | |
| ARCH: amd64 | |
| USER: runner | |
| if: needs.changes.outputs.controller == 'true' | |
| run: make release | |
| - name: Prepare list of images to sign | |
| id: items | |
| run: | | |
| cat <<EOF > matrix.json | |
| { | |
| "include": [ | |
| { | |
| "item": "base", | |
| "image": "$(cat NGINX_BASE)" | |
| }, | |
| { | |
| "item": "controller", | |
| "image": "wallarm/ingress-controller:$(cat TAG)" | |
| }, | |
| { | |
| "item": "controller-chroot", | |
| "image": "wallarm/ingress-controller-chroot:$(cat TAG)" | |
| } | |
| ] | |
| } | |
| EOF | |
| if [ ! ${{ needs.changes.outputs.controller }} = true ]; then | |
| cat <<< $(jq 'del(.include[] | select (.item =="controller" or .item =="controller-chroot"))' matrix.json) > matrix.json | |
| fi | |
| if [ ! ${{ needs.changes.outputs.base }} = true ]; then | |
| cat <<< $(jq 'del(.include[] | select (.item =="base"))' matrix.json) > matrix.json | |
| fi | |
| cat matrix.json | |
| echo "matrix=$(cat matrix.json | jq -c '.')" >> $GITHUB_OUTPUT | |
| sign: | |
| name: Sign images | |
| runs-on: self-hosted-1cpu | |
| needs: | |
| - changes | |
| - build | |
| strategy: | |
| fail-fast: false | |
| matrix: ${{ fromJson(needs.build.outputs.matrix) }} | |
| steps: | |
| - name: Import secrets | |
| uses: hashicorp/vault-action@cb841f2c86fb6d07cff94fda240828c1abc5ba43 # v2.7.3 | |
| id: secrets | |
| with: | |
| exportEnv: false | |
| url: ${{ secrets.VAULT_URL }} | |
| role: ${{ secrets.VAULT_ROLE }} | |
| method: kubernetes | |
| secrets: | | |
| kv-gitlab-ci/data/node/build/cosign password | COSIGN_PASSWORD ; | |
| kv-gitlab-ci/data/node/build/cosign private_key | COSIGN_PRIVATE_KEY ; | |
| kv-gitlab-ci/data/github/shared/dockerhub-creds user | DOCKERHUB_USER ; | |
| kv-gitlab-ci/data/github/shared/dockerhub-creds password | DOCKERHUB_PASSWORD ; | |
| - name: Docker login | |
| uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc | |
| with: | |
| username: ${{ steps.secrets.outputs.DOCKERHUB_USER }} | |
| password: ${{ steps.secrets.outputs.DOCKERHUB_PASSWORD }} | |
| - name: Sign image ${{ matrix.image }} | |
| id: sign | |
| env: | |
| COSIGN_PRIVATE_KEY: ${{ steps.secrets.outputs.COSIGN_PRIVATE_KEY }} | |
| COSIGN_PASSWORD: ${{ steps.secrets.outputs.COSIGN_PASSWORD }} | |
| run: | | |
| IMAGE_NAME="${{ matrix.image }}" | |
| docker pull -q ${IMAGE_NAME} | |
| IMAGE_TAG=$(echo ${IMAGE_NAME} | awk -F':' '{print $2}') | |
| IMAGE_DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' ${IMAGE_NAME}) | |
| IMAGE_URI=$(echo $IMAGE_DIGEST | sed -e 's/\@sha256:/:sha256-/') | |
| SBOM_SPDX="${{ matrix.item }}_${IMAGE_TAG}_spdx.json" | |
| syft -o spdx-json ${IMAGE_NAME} > ${SBOM_SPDX} | |
| cosign attach sbom --sbom ${SBOM_SPDX} ${IMAGE_DIGEST} | |
| cosign sign --yes --key env://COSIGN_PRIVATE_KEY "${IMAGE_URI}.sbom" | |
| cosign sign --yes --key env://COSIGN_PRIVATE_KEY ${IMAGE_DIGEST} | |
| echo "sbom=${SBOM_SPDX}" >> $GITHUB_OUTPUT | |
| - name: Upload SBOM | |
| uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce | |
| with: | |
| retention-days: 30 | |
| name: ${{ steps.sign.outputs.sbom }} | |
| path: ${{ steps.sign.outputs.sbom }} | |