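# NOTE refs
# - https://github.blog/changelog/2020-04-15-github-actions-new-workflow-features/#new-fromjson-method-in-expressions
# - https://stackoverflow.com/questions/59977364/github-actions-how-use-strategy-matrix-with-script
#
# Builds the images declared in config.yaml:
#   - entries whose source is a Dockerfile go through the reusable docker-build
#     workflow (linux/amd64; linux/arm64 as well when buildOnArm is true)
#   - entries whose source is an image.yaml are built with apko in this file
# Images are only pushed, signed and attested on refs/heads/main; on any other
# ref the docker builds run with push=false and apko builds go to a localhost tag.
name: build
on:
  push:
    paths:
      - .github/workflows/build.yml
      - "images/**"
      - config.yaml
  schedule:
    - cron: "0 0 * * MON"  # weekly, Monday 00:00 UTC
  workflow_dispatch: {}
permissions:
  id-token: write  # OIDC token for the cosign sign/attest steps in build-apko
  packages: write  # pushes to ghcr.io
  # NOTE(review): no step here commits back to the repository and checkout only
  # needs read. Confirm the reusable docker-build workflow does not rely on
  # contents: write before narrowing this to read.
  contents: write
concurrency:
  # NOTE(review): github.run_id is unique per run, so each run lands in its own
  # group and nothing is ever queued or cancelled by this stanza. Confirm the
  # intent (e.g. github.ref would serialise runs per branch).
  group: ${{ github.run_id }}
  cancel-in-progress: false
jobs:
  # Turns config.yaml into three strategy matrices, one per build flavour. Each
  # output is a JSON object of the form {"include": [...]} that the downstream
  # jobs consume via fromJSON.
  prepare:
    runs-on: ubuntu-latest
    outputs:
      matrix-docker: ${{ steps.set.outputs.matrix-docker }}
      matrix-apko: ${{ steps.set.outputs.matrix-apko }}
      matrix-arm: ${{ steps.set.outputs.matrix-arm }}
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - id: set
        env:
          REF: ${{ github.ref }}
        run: |
          # matrix-docker: Dockerfile entries; entries marked buildOnMainOnly are
          # kept only when REF is main. destination is split into registry/
          # imageName/tag and source into context so the reusable workflow can
          # address them as matrix fields.
          echo "matrix-docker=$(jq --arg REF "$REF" -rMc '.build[] | select(.source | contains("Dockerfile")) | select(.buildOnMainOnly == null or $REF == "refs/heads/main") | . as $config | .destination | capture("(?<registry>.*)/(?<imageName>.*):(?<tag>.*)") | . as $imgSplit | $config | .source | capture("(?<context>.*)/Dockerfile") | . as $context | $config + $imgSplit + $context' -r -c <<< "$(yq e . -o json config.yaml)" | jq -rcsM '{"include":.}')" >> "$GITHUB_OUTPUT"
          # matrix-apko: image.yaml entries, passed through unchanged.
          echo "matrix-apko=$(jq -rMc '.build[] | select(.source | contains("image.yaml"))' -r -c <<< "$(yq e . -o json config.yaml)" | jq -rcsM '{"include":.}')" >> "$GITHUB_OUTPUT"
          # matrix-arm: Dockerfile entries with buildOnArm == true, same shape as matrix-docker.
          echo "matrix-arm=$(jq --arg REF "$REF" -rMc '.build[] | select(.source | contains("Dockerfile")) | select(.buildOnArm == true) | . as $config | .destination | capture("(?<registry>.*)/(?<imageName>.*):(?<tag>.*)") | . as $imgSplit | $config | .source | capture("(?<context>.*)/Dockerfile") | . as $context | $config + $imgSplit + $context' -r -c <<< "$(yq e . -o json config.yaml)" | jq -rcsM '{"include":.}')" >> "$GITHUB_OUTPUT"
      # Pretty-prints the matrices for the run log. The values are handed over
      # through env rather than interpolated into the script so a quote inside a
      # config.yaml value cannot break (or rewrite) the shell command.
      - name: check output
        env:
          MATRIX_DOCKER: ${{ steps.set.outputs.matrix-docker }}
          MATRIX_APKO: ${{ steps.set.outputs.matrix-apko }}
          MATRIX_ARM: ${{ steps.set.outputs.matrix-arm }}
        run: |
          jq . <<< "$MATRIX_DOCKER"
          jq . <<< "$MATRIX_APKO"
          jq . <<< "$MATRIX_ARM"
  # Dockerfile-based images, linux/amd64. Matrix fields are read via
  # fromJSON(toJSON(matrix)) (round-trip through JSON; see NOTE refs above).
  # NOTE(review): the reusable workflow is referenced at the mutable ref @main
  # while every other action in this file is SHA-pinned; it is in the same org,
  # but consider pinning it for consistency and reproducible builds.
  build-docker:
    needs: prepare
    if: fromJSON(needs.prepare.outputs.matrix-docker) != null
    strategy:
      fail-fast: false
      matrix: ${{ fromJSON(needs.prepare.outputs.matrix-docker) }}
    uses: GeoNet/Actions/.github/workflows/reusable-docker-build.yml@main
    with:
      context: ${{ fromJSON(toJSON(matrix)).context }}
      dockerfile: ${{ fromJSON(toJSON(matrix)).source }}
      imageName: ${{ fromJSON(toJSON(matrix)).imageName }}
      tags: ${{ fromJSON(toJSON(matrix)).tag }}
      platforms: linux/amd64
      push: ${{ github.ref == 'refs/heads/main' }}  # build-only on non-main refs
  # Same as build-docker, restricted to entries with buildOnArm == true, linux/arm64.
  build-arm64:
    needs: prepare
    if: fromJSON(needs.prepare.outputs.matrix-arm) != null
    strategy:
      fail-fast: false
      matrix: ${{ fromJSON(needs.prepare.outputs.matrix-arm) }}
    uses: GeoNet/Actions/.github/workflows/reusable-docker-build.yml@main
    with:
      context: ${{ fromJSON(toJSON(matrix)).context }}
      dockerfile: ${{ fromJSON(toJSON(matrix)).source }}
      imageName: ${{ fromJSON(toJSON(matrix)).imageName }}
      tags: ${{ fromJSON(toJSON(matrix)).tag }}
      platforms: linux/arm64
      push: ${{ github.ref == 'refs/heads/main' }}  # build-only on non-main refs
  # apko (image.yaml) images: build, then on main resolve the pushed digest,
  # sign it and attach an SBOM attestation. The apko builder image is pinned by
  # digest.
  build-apko:
    needs: prepare
    if: fromJSON(needs.prepare.outputs.matrix-apko) != null
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix: ${{ fromJSON(needs.prepare.outputs.matrix-apko) }}
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
      - uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
      - uses: GeoNet/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c # main
      # On non-main refs the ghcr.io/geonet prefix of the destination is
      # rewritten to localhost so the local build never targets the real registry.
      - id: apko-options
        env:
          DESTINATION: ${{ fromJSON(toJSON(matrix)).destination }}
          REF: ${{ github.ref }}
        run: |
          TAG="$DESTINATION"
          if [ ! "$REF" = "refs/heads/main" ]; then
            TAG="${DESTINATION//ghcr.io\/geonet/localhost}"
          fi
          echo "tag=$TAG" >> "$GITHUB_OUTPUT"
      - uses: GeoNet/chainguard-images-actions/apko-publish@cfc56ba1a26d410474fe453d9c9a865fdd422fa7 # main
        if: ${{ github.ref == 'refs/heads/main' }}
        id: build
        name: apko build
        with:
          tag: ${{ fromJSON(toJSON(matrix)).destination }}
          config: ${{ fromJSON(toJSON(matrix)).source }}
          # NOTE(review): no step in this workflow has id snapshot-date, so this
          # input resolves to an empty string. Either add a step that emits an
          # `epoch` output or drop the input.
          source-date-epoch: ${{ steps.snapshot-date.outputs.epoch }}
          apko-image: "ghcr.io/wolfi-dev/apko@sha256:ed7bbf853ec77fa4b5ad4840fd42c1391a0341b86541063217277b678e324686"
      - uses: GeoNet/chainguard-images-actions/apko-build@cfc56ba1a26d410474fe453d9c9a865fdd422fa7 # main
        if: ${{ github.ref != 'refs/heads/main' }}
        id: build-local
        name: apko build local
        with:
          tag: ${{ steps.apko-options.outputs.tag }}
          config: ${{ fromJSON(toJSON(matrix)).source }}
          # NOTE(review): same dangling reference as in the apko-publish step above.
          source-date-epoch: ${{ steps.snapshot-date.outputs.epoch }}
          apko-image: "ghcr.io/wolfi-dev/apko@sha256:ed7bbf853ec77fa4b5ad4840fd42c1391a0341b86541063217277b678e324686"
      # Resolves the digest of the image just published so the sign/attest steps
      # reference an immutable @sha256 rather than a mutable tag. `|| true` keeps
      # the step green on a crane failure; the digest output is then empty and the
      # steps below fail on a malformed "<destination>@" reference.
      - name: crane get-digests
        id: get-digests
        if: ${{ github.ref == 'refs/heads/main' }}
        env:
          DESTINATION: ${{ fromJSON(toJSON(matrix)).destination }}
        run: |
          DESTINATION_DIGEST="$(crane digest "${DESTINATION}" || true)"
          (
            echo "DESTINATION_DIGEST"
            echo "${DESTINATION_DIGEST}"
          ) | column -t
          echo "destination=${DESTINATION_DIGEST}" >> "$GITHUB_OUTPUT"
      # NOTE(review): the step name says "with a key" but no --key is passed;
      # confirm whether this is keyless (OIDC, hence id-token: write) and rename.
      # The image reference is passed via env so it is never interpolated into the
      # shell script.
      - name: cosign sign image with a key
        if: ${{ github.ref == 'refs/heads/main' }}
        env:
          COSIGN_YES: "true"
          IMAGE: ${{ fromJSON(toJSON(matrix)).destination }}@${{ steps.get-digests.outputs.destination }}
        run: |
          cosign sign "$IMAGE" -y
      # NOTE(review): no step in this job has id determine-type, so typeIsDocker
      # is always empty: this sbom-action step never runs, and the "cosign
      # download unsigned sbom" step below always runs on main. Either add the
      # step that sets typeIsDocker or remove the dead branch.
      - uses: anchore/sbom-action@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3
        name: sbom generate
        if: ${{ steps.determine-type.outputs.typeIsDocker == 'true' && github.ref == 'refs/heads/main' }}
        with:
          image: ${{ fromJSON(toJSON(matrix)).destination }}@${{ steps.get-digests.outputs.destination }}
          artifact-name: sbom-spdx.json
          output-file: /tmp/sbom-spdx.json
      - name: cosign download unsigned sbom
        if: ${{ steps.determine-type.outputs.typeIsDocker != 'true' && github.ref == 'refs/heads/main' }}
        env:
          IMAGE: ${{ fromJSON(toJSON(matrix)).destination }}@${{ steps.get-digests.outputs.destination }}
        run: |
          cosign download sbom "$IMAGE" > /tmp/sbom-spdx.json
      # Attaches /tmp/sbom-spdx.json to the image digest as an attestation.
      - name: cosign publish sbom blob as blob
        if: ${{ github.ref == 'refs/heads/main' }}
        env:
          COSIGN_YES: "true"
          IMAGE: ${{ fromJSON(toJSON(matrix)).destination }}@${{ steps.get-digests.outputs.destination }}
        run: |
          cosign attest --predicate /tmp/sbom-spdx.json "$IMAGE" -y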