Publish multi-platform images
iamjoemccormick committed Feb 23, 2024
1 parent 719a5bc commit 12149fc
Showing 1 changed file with 38 additions and 47 deletions.
85 changes: 38 additions & 47 deletions .github/workflows/build-test-publish.yaml
Expand Up @@ -122,32 +122,6 @@ jobs:
# Reference: https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry#adding-a-description-to-multi-arch-images
outputs: type=image,name=target,annotation-index.org.opencontainers.image.description=The BeeGFS Container Storage Interface (CSI) driver provides high performing and scalable storage for workloads running in Kubernetes,org.opencontainers.image.source=https://github.com/ThinkParQ/beegfs-csi-driver,org.opencontainers.image.licenses=Apache-2.0


- name: Install Cosign
uses: sigstore/[email protected]
with:
cosign-release: "v2.1.1"

# Adapted from:
# https://github.blog/2021-12-06-safeguard-container-signing-capability-actions/
# https://github.com/sigstore/cosign-installer#usage
- name: Sign CSI driver images for each platform with Cosign
run: |
images=""
for tag in ${TAGS}; do
images+="${tag}@${DIGEST} "
done
cosign sign --yes --key env://COSIGN_PRIVATE_KEY \
-a "repo=${{ github.repository }}" \
-a "run=${{ github.run_id }}" \
-a "ref=${{ github.sha }}" \
${images}
env:
TAGS: ${{ steps.meta.outputs.tags }}
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
DIGEST: ${{ steps.build-and-push.outputs.digest }}

# TODO: Cache this dependency for reuse here and in e2e tests.
# https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-go#caching-dependencies
# Adapted from https://sdk.operatorframework.io/docs/installation/#install-from-github-release
Expand Down Expand Up @@ -466,15 +440,16 @@ jobs:
# We only run e2e tests for PRs and we only publish-images when we aren't on a PR.
# This means publish-images has to be wired to build-and-unit-test otherwise it will always get skipped.
needs: [build-and-unit-test]
if: github.event_name != 'pull_request'
# TODO: Remove - temporarily publish images from PRs for testing.
# if: github.event_name != 'pull_request'
permissions:
packages: write
contents: read
steps:
- uses: actions/checkout@v3

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
uses: docker/setup-buildx-action@v3

- name: Install Cosign
uses: sigstore/[email protected]
Expand All @@ -488,9 +463,11 @@ jobs:
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Pull tested CSI driver image from ghcr.io
run: |
docker pull ${{ env.TEST_IMAGE_NAME }}:${{ github.sha }}
- name: Download previously built/tested BeeGFS CSI driver artifacts
uses: actions/download-artifact@v4
with:
name: beegfs-csi-driver-artifacts
path: bin/

# This uses the semantic versioning option for https://github.com/docker/metadata-action#semver
- name: Extract metadata for CSI driver container image
Expand All @@ -505,32 +482,46 @@ jobs:
type=semver,pattern={{version}},prefix=v
type=semver,pattern={{major}}.{{minor}},prefix=v
# TODO: Consider adding labels available as steps.meta.output.labels.
- name: Tag and push the CSI driver image to GitHub Container Registry
run: |
tags=$(echo "${{ steps.meta.outputs.tags }}" | tr '\n' ' ')
for tag in $tags; do
docker tag ${{ env.TEST_IMAGE_NAME }}:${{ github.sha }} $tag
docker push $tag
done
# It would be nice if we could just reuse the already built test images, but this is tricky to
# do with multi-arch images because they are usually built and pushed in one step. Probably
# there is a way it can be done, but
- name: Build and push container images for each supported platform
uses: docker/[email protected]
id: build-and-push
with:
context: .
platforms: "${{ env.DOCKER_BUILDX_BUILD_PLATFORMS }}"
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
# If provenance is not set to false then the manifest list will contain unknown platform
# entries that are also displayed in GitHub. Some detail on why this is needed in:
# https://github.com/docker/buildx/issues/1509 and
# https://github.com/docker/build-push-action/issues/755#issuecomment-1607792956.
provenance: false
# Reference: https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry#adding-a-description-to-multi-arch-images
outputs: type=image,name=target,annotation-index.org.opencontainers.image.description=The BeeGFS Container Storage Interface (CSI) driver provides high performing and scalable storage for workloads running in Kubernetes,org.opencontainers.image.source=https://github.com/ThinkParQ/beegfs-csi-driver,org.opencontainers.image.licenses=Apache-2.0

# Adapted from:
# https://github.blog/2021-12-06-safeguard-container-signing-capability-actions/
# https://github.com/sigstore/cosign-installer#usage
# Note we only sign the multi-platform image manifest, not the individual platform specific images.
- name: Sign CSI driver image with Cosign
run: |
tags=$(echo "${{ steps.meta.outputs.tags }}" | tr '\n' ' ')
for tag in $tags; do
DIGEST=$(docker image inspect $tag --format '{{index .RepoDigests 0}}')
cosign sign --yes --key env://COSIGN_PRIVATE_KEY \
-a "repo=${{ github.repository }}" \
-a "run=${{ github.run_id }}" \
-a "ref=${{ github.sha }}" \
$DIGEST
images=""
for tag in ${TAGS}; do
images+="${tag}@${DIGEST} "
done
cosign sign --yes --key env://COSIGN_PRIVATE_KEY \
-a "repo=${{ github.repository }}" \
-a "run=${{ github.run_id }}" \
-a "ref=${{ github.sha }}" \
${images}
env:
TAGS: ${{ steps.meta.outputs.tags }}
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
DIGEST: ${{ steps.build-and-push.outputs.digest }}

- name: Pull tested operator image from ghcr.io
run: |
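Review bot: The `if: github.event_name != 'pull_request'` guard on publish-images is commented out in the second hunk, so a pull_request run now pushes the `steps.meta` tags to ghcr.io and signs the resulting manifest with the repository's COSIGN_PRIVATE_KEY; even as a stated temporary measure that puts release-key signatures on images from unmerged PR commits, and fork PRs will presumably fail at the sign step since secrets are not exposed to them. If PR publishing has to stay for testing, keep the signing gated with `if: github.event_name != 'pull_request'` on the `Sign CSI driver image with Cosign` step and track removal of the TODO before the next release. In the last hunk the comment above the build step ends mid-sentence (`Probably there is a way it can be done, but`); finish the thought or drop it. Since cosign attaches signatures to the manifest digest rather than to a tag, looping over every tag with the same `${DIGEST}` appears to sign the same digest once per tag with identical annotations — likely harmless, but if a single signature is the intent, one `cosign sign` call on the first tag at `${DIGEST}` reads more clearly.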
