---
# Builds, signs and publishes the cspo manager image (see jobs: below).
name: Build cspo Image
# yamllint disable rule:line-length
on: # yamllint disable-line rule:truthy
  # Every push to main rebuilds and republishes the image
  push:
    branches:
      - main
  # If the cache was cleaned we should re-build the cache with the latest commit.
  # NOTE(review): `completed` fires for failed and cancelled cleaner runs as well as
  # successful ones; the job itself does not inspect workflow_run.conclusion.
  workflow_run:
    workflows:
      - 'cspo Image Cache Cleaner'
    branches:
      - main
    types:
      - completed
  # Manual trigger from the Actions UI / API
  workflow_dispatch:
# Workflow-wide settings shared by the steps below
env:
  # Registry namespace the cspo-staging image is published to
  REGISTRY: 'ghcr.io/sovereigncloudstack'
  # Passed through to ./.github/actions/metadata (docker/metadata-action style inputs)
  metadata_flavor: 'latest=true'
  metadata_tags: 'type=sha,prefix=sha-,format=short'
# Least-privilege token for the job: read the repo, push packages, mint OIDC tokens
permissions:
  contents: read
  # Needed so GITHUB_TOKEN can push to ghcr.io in the login/build-push steps
  packages: write
  # Required to generate OIDC tokens for `sigstore/cosign-installer` authentication
  id-token: write
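jobs:
  manager-image:
    name: Build and push manager image
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
        with:
          # Full history; presumably needed by the metadata action for version info — confirm
          fetch-depth: 0
      - name: Setup Go
        uses: ./.github/actions/setup-go
      - name: Set up QEMU
        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3
      # Produces the tags / labels / version outputs consumed by the build, SBOM and
      # digest steps below, from the workflow-level metadata_flavor / metadata_tags
      - name: Generate metadata cspo
        id: metacspo
        uses: ./.github/actions/metadata
        env:
          IMAGE_NAME: cspo-staging
        with:
          metadata_flavor: ${{ env.metadata_flavor }}
          metadata_tags: ${{ env.metadata_tags }}
      - name: Login to ghcr.io for CI
        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          # Job-scoped token; `packages: write` in the workflow permissions is what allows the push
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Install Cosign
        uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3.3.0
      - name: Install Bom
        shell: bash
        run: |
          # -f makes curl exit non-zero on an HTTP error (e.g. 404) instead of saving the
          # error page as "bom"; with the shell's -e that stops the job before the chmod.
          # TODO(review): the download is not integrity-checked — verify a pinned sha256
          # (e.g. `echo "<EXPECTED_SHA256>  bom" | sha256sum -c`) before installing.
          curl -fsSL --retry 3 https://github.com/kubernetes-sigs/bom/releases/download/v0.5.1/bom-amd64-linux -o bom
          sudo mv ./bom /usr/local/bin/bom
          sudo chmod +x /usr/local/bin/bom
      - name: Setup Env
        run: |
          # Expose DOCKER_BUILD_LDFLAGS (presumably set by an earlier step — confirm) to
          # later steps via a heredoc, so a value containing spaces survives intact.
          echo 'DOCKER_BUILD_LDFLAGS<<EOF' >> "$GITHUB_ENV"
          echo "$DOCKER_BUILD_LDFLAGS" >> "$GITHUB_ENV"
          echo 'EOF' >> "$GITHUB_ENV"
      # Load Golang cache build from GitHub
      - name: Load cspo Golang cache build from GitHub
        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
        id: cache
        with:
          path: /tmp/.cache/cspo
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}-cspo-${{ github.sha }}
          # Fall back to progressively less specific caches on an exact-key miss
          restore-keys: |
            ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}-cspo-
            ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}-
            ${{ runner.os }}-go-
      # On a cache miss nothing was restored, so the build context below must be created
      - name: Create cspo cache directory
        if: ${{ steps.cache.outputs.cache-hit != 'true' }}
        shell: bash
        run: |
          mkdir -p /tmp/.cache/cspo
      # Import GitHub's cache build to docker cache
      - name: Copy cspo Golang cache to docker cache
        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
        with:
          provenance: false
          context: /tmp/.cache/cspo
          file: ./images/cache/Dockerfile
          push: false
          platforms: linux/amd64
          target: import-cache
      - name: Build and push cspo image
        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5
        id: docker_build_release_cspo
        with:
          provenance: false
          context: .
          file: ./images/cspo/Dockerfile
          push: true
          build-args: |
            LDFLAGS=${{ env.DOCKER_BUILD_LDFLAGS }}
          tags: ${{ steps.metacspo.outputs.tags }}
          labels: ${{ steps.metacspo.outputs.labels }}
          platforms: linux/amd64
      # Keyless (OIDC) signature, addressed by digest so it is bound to the exact
      # manifest that was just pushed rather than to a mutable tag
      - name: Sign Container Images
        env:
          COSIGN_EXPERIMENTAL: "true"
        run: |
          cosign sign --yes ${{ env.REGISTRY }}/cspo-staging@${{ steps.docker_build_release_cspo.outputs.digest }}
      - name: Generate SBOM
        shell: bash
        run: |
          # NOTE(review): the SBOM is generated from the mutable :version tag, not from the
          # digest produced above; consider --image=<repo>@<digest> so the SBOM cannot
          # describe a different manifest than the one that was signed.
          bom generate -o sbom_ci_main_cspo_${{ steps.metacspo.outputs.version }}.spdx \
            --image=${{ env.REGISTRY }}/cspo-staging:${{ steps.metacspo.outputs.version }}
      - name: Attach SBOM to Container Images
        run: |
          cosign attach sbom --sbom sbom_ci_main_cspo_${{ steps.metacspo.outputs.version }}.spdx ${{ env.REGISTRY }}/cspo-staging@${{ steps.docker_build_release_cspo.outputs.digest }}
      - name: Sign SBOM Images
        run: |
          # The attached SBOM lives under the tag "sha256-<digest>.sbom"; resolve that
          # manifest's own digest and sign it by digest, like the image itself.
          docker_build_release_cspo_digest="${{ steps.docker_build_release_cspo.outputs.digest }}"
          image_name="${{ env.REGISTRY }}/cspo-staging:${docker_build_release_cspo_digest/:/-}.sbom"
          docker_build_release_cspo_sbom_digest="sha256:$(docker buildx imagetools inspect --raw "${image_name}" | sha256sum | head -c 64)"
          cosign sign --yes "${{ env.REGISTRY }}/cspo-staging@${docker_build_release_cspo_sbom_digest}"
      - name: Image Releases digests cspo
        shell: bash
        run: |
          mkdir -p image-digest/
          # Record "<image>:<version>@<digest>". The original line referenced
          # steps.metacspo.outputs.tags without the leading "$", so the literal text
          # "{{ steps.metacspo.outputs.tags }}" was written instead of a value. `version`
          # is used here, matching the tag reference the SBOM step builds, because the
          # `tags` output is fed to build-push-action and presumably already holds full
          # image refs (possibly one per line) — confirm against ./.github/actions/metadata.
          echo "${{ env.REGISTRY }}/cspo-staging:${{ steps.metacspo.outputs.version }}@${{ steps.docker_build_release_cspo.outputs.digest }}" >> image-digest/cspo.txt
      # Upload artifact digests
      # NOTE(review): upload-artifact v3 has been deprecated upstream; plan a move to a
      # SHA-pinned v4 release.
      - name: Upload artifact digests
        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
        with:
          name: image-digest
          path: image-digest
          retention-days: 90
      # Export docker's golang build cache to a local directory, only on a cache miss
      # so an existing GitHub cache entry is not rewritten
      - name: Store cspo Golang cache build locally
        if: ${{ steps.cache.outputs.cache-hit != 'true' }}
        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
        with:
          provenance: false
          context: .
          file: ./images/cache/Dockerfile
          push: false
          outputs: type=local,dest=/tmp/docker-cache-cspo
          platforms: linux/amd64
          target: export-cache
      # Move the exported tarballs into the path actions/cache saves at job end
      - name: Store cspo Golang cache in GitHub cache path
        if: ${{ steps.cache.outputs.cache-hit != 'true' }}
        shell: bash
        run: |
          mkdir -p /tmp/.cache/cspo/
          if [ -f /tmp/docker-cache-cspo/tmp/go-build-cache.tar.gz ]; then
            cp /tmp/docker-cache-cspo/tmp/go-build-cache.tar.gz /tmp/.cache/cspo/
          fi
          if [ -f /tmp/docker-cache-cspo/tmp/go-pkg-cache.tar.gz ]; then
            cp /tmp/docker-cache-cspo/tmp/go-pkg-cache.tar.gz /tmp/.cache/cspo/
          fi
      - name: Image Digests Output
        shell: bash
        run: |
          cd image-digest/
          # Print every recorded digest file to the job log
          find . -type f | sort | xargs -d '\n' cat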