-
Notifications
You must be signed in to change notification settings - Fork 88
244 lines (216 loc) · 9.58 KB
/
Copy pathpublish.yml
File metadata and controls
244 lines (216 loc) · 9.58 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
name: Build and publish images for container registries
on:
release:
types: [published]
permissions: {}
jobs:
prepare:
runs-on: ubuntu-latest
permissions:
contents: read
outputs:
# [{"target":"<target name>","platform":"<arch name>"},...]
matrix: ${{ steps.plan.outputs.matrix }}
# ["<target name>",...]
targets: ${{ steps.plan.outputs.targets }}
steps:
- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # ratchet:actions/checkout@v7.0.0
with:
persist-credentials: false
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@bb05f3f5519dd87d3ba754cc423b652a5edd6d2c # ratchet:docker/setup-buildx-action@v4.2.0
- name: Resolve bake configuration
id: plan
run: |
set -euo pipefail
docker buildx bake --print default > bake-metadata.json
# [{"target":"<target name>","platform":"<arch name>"},...]
matrix="$(jq -c '[
.target | to_entries[] | .key as $target | .value.platforms[] |
{target: $target, platform: .}
]' bake-metadata.json)"
# ["<target name>",...]
targets="$(jq -c '.target | keys' bake-metadata.json)"
echo "matrix=${matrix}" >> "${GITHUB_OUTPUT}"
echo "targets=${targets}" >> "${GITHUB_OUTPUT}"
- name: Upload bake metadata
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # ratchet:actions/upload-artifact@v7.0.1
with:
name: bake-metadata
path: bake-metadata.json
retention-days: 1
build:
name: Build ${{ matrix.target }} (${{ matrix.platform }})
runs-on: ${{ startsWith(matrix.platform, 'linux/arm') && 'ubuntu-24.04-arm' || 'ubuntu-latest' }}
needs:
- prepare
permissions:
contents: read
packages: write
strategy:
matrix:
include: ${{ fromJson(needs.prepare.outputs.matrix) }}
steps:
- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # ratchet:actions/checkout@v7.0.0
with:
fetch-depth: 1
persist-credentials: false
- name: Download bake metadata
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # ratchet:actions/download-artifact@v8.0.1
with:
name: bake-metadata
# https://github.com/docker/setup-qemu-action
- name: Set up QEMU
uses: docker/setup-qemu-action@96fe6ef7f33517b61c61be40b68a1882f3264fb8 # ratchet:docker/setup-qemu-action@v4.2.0
with:
image: tonistiigi/binfmt:qemu-v9.2.0
# https://github.com/docker/setup-buildx-action
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@bb05f3f5519dd87d3ba754cc423b652a5edd6d2c # ratchet:docker/setup-buildx-action@v4.2.0
with:
driver-opts: image=moby/buildkit:master
- name: Login to DockerHub
uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0 # ratchet:docker/login-action@v4.4.0
with:
username: ${{ secrets.dockerhub_user }}
password: ${{ secrets.dockerhub_token }}
- name: Login to GitHub Container Registry
uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0 # ratchet:docker/login-action@v4.4.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Determine push-by-digest repository
id: repo
env:
TARGET: ${{ matrix.target }}
run: |
set -euo pipefail
repo="$(jq -r --arg t "${TARGET}" '.target[$t].tags[0] | split(":")[0]' bake-metadata.json)"
echo "repo=${repo}" >> "${GITHUB_OUTPUT}"
# tags= clears the target's tags so this per-platform build doesn't push them; we tag
# everything at the end in the merge job, once all architectures have been built, to
# avoid a race condition where only the last-built platform would keep the tag
- name: 'Build and push ${{ matrix.target }} (${{ matrix.platform }}) by digest'
id: build-and-push
uses: docker/bake-action@d3418bd7d0e9324001bca92fa8ba175ea7e6dc9b # ratchet:docker/bake-action@v7.3.0
with:
files: |
./docker-bake.hcl
targets: ${{ matrix.target }}
set: |
${{ matrix.target }}.platform=${{ matrix.platform }}
${{ matrix.target }}.tags=
${{ matrix.target }}.output=type=image,name=${{ steps.repo.outputs.repo }},push-by-digest=true,name-canonical=true,push=true
provenance: true
sbom: true
- name: Export digest
env:
METADATA: ${{ steps.build-and-push.outputs.metadata }}
TARGET: ${{ matrix.target }}
run: |
set -euo pipefail
digest="$(echo "${METADATA}" | jq -r --arg t "${TARGET}" '.[$t]."containerimage.digest"')"
mkdir -p /tmp/digests
touch "/tmp/digests/${digest#sha256:}"
- name: Platform slug
id: slug
run: echo "slug=$(echo '${{ matrix.platform }}' | tr '/' '-')" >> "$GITHUB_OUTPUT"
- name: Upload digest
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # ratchet:actions/upload-artifact@v7.0.1
with:
name: digests-${{ matrix.target }}-${{ steps.slug.outputs.slug }}
path: /tmp/digests/*
if-no-files-found: error
retention-days: 1
merge:
name: Merge ${{ matrix.target }}
runs-on: ubuntu-latest
needs:
- prepare
- build
permissions:
contents: read
packages: write
id-token: write # needed for signing the images with GitHub OIDC Token
strategy:
# cap concurrent merge jobs so they don't collectively burst past GHCR's
# manifest-push rate limit (all 12 targets pushing at once has triggered
# 429 Too Many Requests on ghcr.io)
max-parallel: 4
matrix:
target: ${{ fromJson(needs.prepare.outputs.targets) }}
steps:
- name: Install Cosign
uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # ratchet:sigstore/cosign-installer@v4.1.2
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@bb05f3f5519dd87d3ba754cc423b652a5edd6d2c # ratchet:docker/setup-buildx-action@v4.2.0
- name: Login to DockerHub
uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0 # ratchet:docker/login-action@v4.4.0
with:
username: ${{ secrets.dockerhub_user }}
password: ${{ secrets.dockerhub_token }}
- name: Login to GitHub Container Registry
uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0 # ratchet:docker/login-action@v4.4.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Download bake metadata
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # ratchet:actions/download-artifact@v8.0.1
with:
name: bake-metadata
- name: Download digests
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # ratchet:actions/download-artifact@v8.0.1
with:
path: /tmp/digests
pattern: digests-${{ matrix.target }}-*
merge-multiple: true
- name: 'Create and push manifest list for ${{ matrix.target }}'
id: manifest
env:
TARGET: ${{ matrix.target }}
run: |
set -euo pipefail
repo=$(jq -r --arg t "$TARGET" '.target[$t].tags[0] | split(":")[0]' bake-metadata.json)
# tags[0] is a floating tag (e.g. "nginx") shared by the latest/lts/previous-lts
# variants of the same target, so inspecting it after the push is racy: a sibling
# merge job can overwrite it before we read it back, and we'd sign the wrong
# digest. The last tag always embeds the exact CRS version, which differs across
# variants, so it's unique to this target.
unique_tag=$(jq -r --arg t "$TARGET" '.target[$t].tags[-1]' bake-metadata.json)
tag_args=()
while IFS= read -r tag; do
tag_args+=(-t "$tag")
done < <(jq -r --arg t "$TARGET" '.target[$t].tags[]' bake-metadata.json)
sources=()
for digest_file in /tmp/digests/*; do
sources+=("${repo}@sha256:$(basename "$digest_file")")
done
max_attempts=5
attempt=1
until docker buildx imagetools create "${tag_args[@]}" "${sources[@]}"; do
if [ "${attempt}" -ge "${max_attempts}" ]; then
echo "imagetools create failed after ${max_attempts} attempts" >&2
exit 1
fi
sleep_seconds=$((attempt * 5))
echo "imagetools create failed (attempt ${attempt}/${max_attempts}); retrying in ${sleep_seconds}s" >&2
sleep "${sleep_seconds}"
attempt=$((attempt + 1))
done
digest=$(docker buildx imagetools inspect "$unique_tag" --format '{{json .Manifest}}' | jq -r '.digest')
echo "digest=$digest" >> "$GITHUB_OUTPUT"
- name: 'Sign the manifest for ${{ matrix.target }} with GitHub OIDC Token'
env:
DIGEST: ${{ steps.manifest.outputs.digest }}
TARGET: ${{ matrix.target }}
run: |
set -euo pipefail
images=()
while IFS= read -r tag; do
images+=("${tag}@${DIGEST}")
done < <(jq -r --arg t "${TARGET}" '.target[$t].tags[]' bake-metadata.json)
cosign sign --yes "${images[@]}"