From 9a441103138853d8b0c0e1f65d592655047f52af Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alexis=20M=C3=A9taireau?=
Date: Wed, 5 Feb 2025 15:03:16 +0100
Subject: [PATCH] CI: Rename github workflow for multi-arch images publication
---
 .github/workflows/multi_arch_build.yml | 162 ----------------
 .github/workflows/release-container-image.yml | 179 ++++++++++++++----
 2 files changed, 142 insertions(+), 199 deletions(-)
 delete mode 100644 .github/workflows/multi_arch_build.yml
diff --git a/.github/workflows/multi_arch_build.yml b/.github/workflows/multi_arch_build.yml
deleted file mode 100644
index 5b34721..0000000
--- a/.github/workflows/multi_arch_build.yml
+++ /dev/null
@@ -1,162 +0,0 @@ -name: Multi-arch build - -on: - push: - -env: - REGISTRY: ghcr.io/${{ github.repository_owner }} - REGISTRY_USER: ${{ github.actor }} - REGISTRY_PASSWORD: ${{ github.token }} - IMAGE_NAME: dangerzone/dangerzone - -jobs: - build: - runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - platform: - - linux/amd64 - - linux/arm64 - steps: - - uses: actions/checkout@v4 - - - name: Get current date - id: date - run: echo "date=$(date +'%Y%m%d')" >> $GITHUB_OUTPUT - - - name: Prepare - run: | - platform=${{ matrix.platform }} - echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV - - - name: Docker meta - id: meta - uses: docker/metadata-action@v5 - with: - images: | - ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - - - name: Login to GHCR - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Build and push by digest - id: build - uses: docker/build-push-action@v6 - with: - context: ./dangerzone/ - file: Dockerfile - build-args: | - DEBIAN_ARCHIVE_DATE=${{ steps.date.outputs.date }} - ## Remove potentially incorrect Docker provenance. 
- #provenance: false - platforms: ${{ matrix.platform }} - labels: ${{ steps.meta.outputs.labels }} - outputs: type=image,"name=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}",push-by-digest=true,name-canonical=true,push=true - - - name: Export digest - run: | - mkdir -p ${{ runner.temp }}/digests - digest="${{ steps.build.outputs.digest }}" - touch "${{ runner.temp }}/digests/${digest#sha256:}" - - - name: Upload digest - uses: actions/upload-artifact@v4 - with: - name: digests-${{ env.PLATFORM_PAIR }} - path: ${{ runner.temp }}/digests/* - if-no-files-found: error - retention-days: 1 - - merge: - runs-on: ubuntu-latest - needs: - - build - outputs: - digest: ${{ steps.image.outputs.digest }} - image: ${{ steps.image.outputs.image }} - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: Compute image tag - id: tag - run: | - DATE=$(date +'%Y%m%d') - TAG=$(git describe --long --first-parent | tail -c +2) - echo "tag=${DATE}-${TAG}" >> $GITHUB_OUTPUT - - - name: Download digests - uses: actions/download-artifact@v4 - with: - path: ${{ runner.temp }}/digests - pattern: digests-* - merge-multiple: true - - - name: Login to GHCR - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - #- name: Docker meta - # id: meta - # uses: docker/metadata-action@v5 - # with: - # images: | - # ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - # tags: | - # type=ref,event=branch - # type=ref,event=pr - # type=semver,pattern={{version}} - # type=semver,pattern={{major}}.{{minor}} - - - name: Create manifest list and push - working-directory: ${{ runner.temp }}/digests - run: | - IMAGE=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tag.outputs.tag }} - DIGESTS=$(printf '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@sha256:%s ' *) - docker buildx imagetools create -t ${IMAGE} ${DIGESTS} - - - name: Inspect image - 
id: image
- run: |
- # NOTE: Set the image as an output because the `env` context is not
- # available to the inputs of a reusable workflow call.
- image_name="${REGISTRY}/${IMAGE_NAME}"
- echo "image=$image_name" >> "$GITHUB_OUTPUT"
- docker buildx imagetools inspect ${image_name}:${{ steps.tag.outputs.tag }}
- digest=$(docker buildx imagetools inspect ${image_name}:${{ steps.tag.outputs.tag }} --format "{{json .Manifest}}" | jq -r '.digest')
- echo "digest=$digest" >> "$GITHUB_OUTPUT"
-
- # This step calls the container workflow to generate provenance and push it to
- # the container registry.
- provenance:
- needs:
- - merge
- permissions:
- actions: read # for detecting the Github Actions environment.
- id-token: write # for creating OIDC tokens for signing.
- packages: write # for uploading attestations.
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
- with:
- digest: ${{ needs.merge.outputs.digest }}
- image: ${{ needs.merge.outputs.image }}
- registry-username: ${{ github.actor }}
- secrets:
- registry-password: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/release-container-image.yml b/.github/workflows/release-container-image.yml
index 13e0d00..55593d0 100644
--- a/.github/workflows/release-container-image.yml
+++ b/.github/workflows/release-container-image.yml
@@ -1,17 +1,7 @@
-name: Release container image
-on:
- push:
- tags:
- - "container-image/**"
- branches:
- - "test/image-**"
- workflow_dispatch:
+name: Release multi-arch container image
 
-permissions:
- id-token: write
- packages: write
- contents: read
- attestations: write
+on:
+ workflow_dispatch:
 
 env:
 REGISTRY: ghcr.io/${{ github.repository_owner }}
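Review bot: The workflow-level `permissions:` block (`id-token: write`, `packages: write`, `contents: read`, `attestations: write`) is removed here and nothing equivalent is declared on the new `build` and `merge` jobs in the following hunk, so their GHCR pushes with `secrets.GITHUB_TOKEN` run under whatever default token permissions the repository is configured with. With a restricted default the pushes fail; with the permissive default the jobs hold far more than the `packages: write` they actually use. Keep a least-privilege default at the top level, `permissions:` / `  contents: read`, and grant the push scope per job with `permissions:` / `  packages: write` on both `build` and `merge`. The `provenance` job already declares its own scopes and is unaffected.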
@@ -20,38 +10,153 @@ env: IMAGE_NAME: dangerzone/dangerzone jobs: - build-container-image: - runs-on: ubuntu-24.04 + build: + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + platform: + - linux/amd64 + - linux/arm64 + steps: + - uses: actions/checkout@v4 + + - name: Get current date + id: date + run: echo "date=$(date +'%Y%m%d')" >> $GITHUB_OUTPUT + + - name: Prepare + run: | + platform=${{ matrix.platform }} + echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV + + - name: Docker meta + id: meta + uses: docker/metadata-action@v5 + with: + images: | + ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + + - name: Login to GHCR + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Build and push by digest + id: build + uses: docker/build-push-action@v6 + with: + context: ./dangerzone/ + file: Dockerfile + build-args: | + DEBIAN_ARCHIVE_DATE=${{ steps.date.outputs.date }} + ## Remove potentially incorrect Docker provenance. 
+ #provenance: false + platforms: ${{ matrix.platform }} + labels: ${{ steps.meta.outputs.labels }} + outputs: type=image,"name=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}",push-by-digest=true,name-canonical=true,push=true + + - name: Export digest + run: | + mkdir -p ${{ runner.temp }}/digests + digest="${{ steps.build.outputs.digest }}" + touch "${{ runner.temp }}/digests/${digest#sha256:}" + + - name: Upload digest + uses: actions/upload-artifact@v4 + with: + name: digests-${{ env.PLATFORM_PAIR }} + path: ${{ runner.temp }}/digests/* + if-no-files-found: error + retention-days: 1 + + merge: + runs-on: ubuntu-latest + needs: + - build + outputs: + digest: ${{ steps.image.outputs.digest }} + image: ${{ steps.image.outputs.image }} steps: - uses: actions/checkout@v4 with: fetch-depth: 0 - - name: Login to GitHub Container Registry + - name: Compute image tag + id: tag + run: | + DATE=$(date +'%Y%m%d') + TAG=$(git describe --long --first-parent | tail -c +2) + echo "tag=${DATE}-${TAG}" >> $GITHUB_OUTPUT + + - name: Download digests + uses: actions/download-artifact@v4 + with: + path: ${{ runner.temp }}/digests + pattern: digests-* + merge-multiple: true + + - name: Login to GHCR uses: docker/login-action@v3 with: - registry: ${{ env.REGISTRY }} - username: USERNAME - password: ${{ github.token }} + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} - - name: Build and push the dangerzone image - id: build-image + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + #- name: Docker meta + # id: meta + # uses: docker/metadata-action@v5 + # with: + # images: | + # ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + # tags: | + # type=ref,event=branch + # type=ref,event=pr + # type=semver,pattern={{version}} + # type=semver,pattern={{major}}.{{minor}} + + - name: Create manifest list and push + working-directory: ${{ runner.temp }}/digests run: | - sudo apt-get install -y python3-poetry - python3 
./install/common/build-image.py - echo ${{ github.token }} | podman login ghcr.io -u USERNAME --password-stdin + IMAGE=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tag.outputs.tag }} + DIGESTS=$(printf '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@sha256:%s ' *) + docker buildx imagetools create -t ${IMAGE} ${DIGESTS} - # Load the image with the final name directly - gunzip -c share/container.tar.gz | podman load - FINAL_IMAGE_NAME="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}" - TAG=$(git describe --long --first-parent | tail -c +2) - podman tag dangerzone.rocks/dangerzone:$TAG "$FINAL_IMAGE_NAME" - podman push "$FINAL_IMAGE_NAME" --digestfile=digest - echo "digest=$(cat digest)" >> "$GITHUB_OUTPUT" + - name: Inspect image + id: image + run: | + # NOTE: Set the image as an output because the `env` context is not + # available to the inputs of a reusable workflow call. + image_name="${REGISTRY}/${IMAGE_NAME}" + echo "image=$image_name" >> "$GITHUB_OUTPUT" + docker buildx imagetools inspect ${image_name}:${{ steps.tag.outputs.tag }} + digest=$(docker buildx imagetools inspect ${image_name}:${{ steps.tag.outputs.tag }} --format "{{json .Manifest}}" | jq -r '.digest') + echo "digest=$digest" >> "$GITHUB_OUTPUT" - - name: Generate artifact attestation - uses: actions/attest-build-provenance@v1 - with: - subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - subject-digest: "${{ steps.build-image.outputs.digest }}" - push-to-registry: true + # This step calls the container workflow to generate provenance and push it to + # the container registry. + provenance: + needs: + - merge + permissions: + actions: read # for detecting the Github Actions environment. + id-token: write # for creating OIDC tokens for signing. + packages: write # for uploading attestations. 
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0 + with: + digest: ${{ needs.merge.outputs.digest }} + image: ${{ needs.merge.outputs.image }} + registry-username: ${{ github.actor }} + secrets: + registry-password: ${{ secrets.GITHUB_TOKEN }}
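Review bot: Every third-party step in the new `build` and `merge` jobs is referenced by a mutable tag (`actions/checkout@v4`, `docker/login-action@v3`, `docker/setup-qemu-action@v3`, `docker/setup-buildx-action@v3`, `docker/build-push-action@v6`, `actions/upload-artifact@v4`, `actions/download-artifact@v4`), so the published images and the attestations built on top of them depend on whatever those tags resolve to at run time. For a release pipeline that signs what it publishes, pin each to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: actions/checkout@<commit-sha>  # v4`; the SLSA generator call is the one to leave as a tag, since that project resolves its reusable workflow by tag. Separately, the build step carries `## Remove potentially incorrect Docker provenance.` followed by a commented-out `#provenance: false`, so the option is inert while the comment reads as if it were applied; either drop both lines or enable `provenance: false` and say why, as whether BuildKit attaches its own provenance presumably changes what `steps.build.outputs.digest` points at before the manifest list is assembled. `runs-on: ubuntu-latest` also replaces the previous `ubuntu-24.04`, trading a fixed runner image for a floating one.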