feat(docker-build-images): optimize caching and signing

Signed-off-by: Emilien Escalle <emilien.escalle@escemi.com>

Author: hoverkraft-bot[bot]

.github/workflows/__test-workflow-docker-build-images.yml

@@ -105,6 +105,11 @@ jobs:
               )
             );
 
+            assert.equal(applicationMultiArchImage.platforms.length, 3);
+            assert(applicationMultiArchImage.platforms.includes("linux/amd64"));
+            assert(applicationMultiArchImage.platforms.includes("linux/arm64"));
+            assert(applicationMultiArchImage.platforms.includes("linux/arm/v7"));
+
             const applicationMonoArchImage = builtImages["test-mono-arch"];
 
             assert.equal(applicationMonoArchImage.name, "test-mono-arch");
@@ -121,6 +126,8 @@ jobs:
               applicationMonoArchImage.images[0],
               `ghcr.io/hoverkraft-tech/ci-github-container/test-mono-arch:0.1.0@${applicationMonoArchImage.digest}`
             );
+            assert.equal(applicationMonoArchImage.platforms.length, 1);
+            assert(applicationMonoArchImage.platforms.includes("linux/amd64"));
 
       - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         with:
@@ -194,6 +201,8 @@ jobs:
 
       - name: Assert - signed multi-arch docker image
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        env:
+          COSIGN_EXPERIMENTAL: "1"
         with:
           script: |
             const images = ${{ toJson(fromJson(needs.act-build-images.outputs.built-images).test-multi-arch.images) }};
@@ -202,7 +211,9 @@ jobs:
               await exec.exec(
                 'cosign',
                 [
-                  'verify', image,
+                  'verify',
+                  '--registry-referrers-mode', 'oci-1-1',
+                  image,
                   '--certificate-oidc-issuer', 'https://token.actions.githubusercontent.com',
                   '--certificate-identity-regexp', 'https://github.com/hoverkraft-tech/ci-github-container',
                 ]
@@ -256,6 +267,8 @@ jobs:
 
       - name: Assert - signed mono-arch docker image
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        env:
+          COSIGN_EXPERIMENTAL: "1"
         with:
           script: |
             const images = ${{ toJson(fromJson(needs.act-build-images.outputs.built-images).test-mono-arch.images) }};
@@ -264,7 +277,9 @@ jobs:
               await exec.exec(
                 'cosign',
                 [
-                  'verify', image,
+                  'verify',
+                  '--registry-referrers-mode', 'oci-1-1',
+                  image,
                   '--certificate-oidc-issuer', 'https://token.actions.githubusercontent.com',
                   '--certificate-identity-regexp', 'https://github.com/hoverkraft-tech/ci-github-container',
                 ]
@@ -278,8 +293,8 @@ jobs:
     secrets:
       oci-registry-password: ${{ secrets.GITHUB_TOKEN }}
       build-secrets: |
-        SECRET_REPOSITORY_OWNER=${{ github.repository_owner }}
-        SECRET_REPOSITORY=${{ github.repository }}
+        SECRET_TEST=test-secret
+        SECRET_ANOTHER_TEST=another-test-secret
       build-secret-github-app-key: ${{ secrets.CI_BOT_APP_PRIVATE_KEY }}
     with:
       cache-type: registry
@@ -293,12 +308,12 @@ jobs:
             "platforms": ["linux/amd64","linux/arm64"],
             "build-args": {
               "BUILD_RUN_ID": "${{ github.run_id }}",
-              "BUILD_REPOSITORY_OWNER": "${{ github.repository_owner }}",
-              "BUILD_REPOSITORY": "${{ github.repository }}"
+              "BUILD_ARG_TEST": "test-arg",
+              "BUILD_ARG_ANOTHER_TEST": "another-test-arg"
             },
             "secret-envs": {
-              "SECRET_ENV_REPOSITORY_OWNER": "GITHUB_REPOSITORY_OWNER",
-              "SECRET_ENV_REPOSITORY": "GITHUB_REPOSITORY"
+              "SECRET_ENV_TEST": "GITHUB_ACTION",
+              "SECRET_ENV_ANOTHER_TEST": "GITHUB_JOB"
             }
           }
         ]

.github/workflows/docker-build-images.yml

@@ -6,31 +6,6 @@ name: Docker build images
 
 on: # yamllint disable-line rule:truthy
   workflow_call:
-    outputs:
-      built-images:
-        description: |
-          Built images data.
-          Example:
-          ```json
-          {
-            "application": {
-              "name": "application",
-              "registry": "ghcr.io",
-              "repository": "my-org/my-repo/application",
-              "tags": ["pr-63-5222075","pr-63"],
-              "images": [
-                "ghcr.io/my-org/my-repo/application:pr-63-5222075@sha256:d31aa93410434ac9dcfc9179cac2cb1fd4d7c27f11527addc40299c7c675f49d",
-                "ghcr.io/my-org/my-repo/application:pr-63@sha256:d31aa93410434ac9dcfc9179cac2cb1fd4d7c27f11527addc40299c7c675f49d"
-              ],
-              "digest": "sha256:d31aa93410434ac9dcfc9179cac2cb1fd4d7c27f11527addc40299c7c675f49d",
-              "annotations": {
-                "org.opencontainers.image.created": "2021-09-30T14:00:00Z",
-                "org.opencontainers.image.description": "Application image"
-              }
-            }
-          }
-          ```
-        value: ${{ jobs.publish-manifests.outputs.built-images }}
     inputs:
       runs-on:
         description: |
@@ -141,6 +116,32 @@ on: # yamllint disable-line rule:truthy
           GitHub App private key to generate GitHub token to be passed as build secret env.
           See https://github.com/actions/create-github-app-token.
         required: false
+    outputs:
+      built-images:
+        description: |
+          Built images data.
+          Example:
+          ```json
+          {
+            "application": {
+              "name": "application",
+              "registry": "ghcr.io",
+              "repository": "my-org/my-repo/application",
+              "tags": ["pr-63-5222075","pr-63"],
+              "images": [
+                "ghcr.io/my-org/my-repo/application:pr-63-5222075@sha256:d31aa93410434ac9dcfc9179cac2cb1fd4d7c27f11527addc40299c7c675f49d",
+                "ghcr.io/my-org/my-repo/application:pr-63@sha256:d31aa93410434ac9dcfc9179cac2cb1fd4d7c27f11527addc40299c7c675f49d"
+              ],
+              "digest": "sha256:d31aa93410434ac9dcfc9179cac2cb1fd4d7c27f11527addc40299c7c675f49d",
+              "annotations": {
+                "org.opencontainers.image.created": "2021-09-30T14:00:00Z",
+                "org.opencontainers.image.description": "Application image"
+              },
+              "platforms": ["linux/amd64", "linux/arm64"]
+            }
+          }
+          ```
+        value: ${{ jobs.publish-manifests.outputs.built-images }}
 
 permissions:
   contents: read
@@ -474,15 +475,17 @@ jobs:
             // Group by image name
             const images = {};
             builtImages.forEach(builtImage => {
-              const { name, image, ...rest } = builtImage;
+              const { name, image, platform, ...rest } = builtImage;
               if (!images[name]) {
                 images[name] = {
                   name,
                   images: [image],
+                  platforms: [platform],
                   ...rest,
                 };
               } else {
                 images[name].images = [...new Set([...images[name].images, image])];
+                images[name].platforms = [...new Set([...images[name].platforms, platform])];
               }
             });
 
@@ -512,6 +515,7 @@ jobs:
           built-images: ${{ steps.built-images.outputs.built-images }}
 
       - id: get-images-to-sign
+        if: inputs.sign
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           script: |
@@ -527,7 +531,7 @@ jobs:
             const imagesToSign = Object.values(builtImages).map(image => image.images).flat();
             core.setOutput('images-to-sign', JSON.stringify(imagesToSign));
       - uses: ./self-workflow/actions/docker/sign-images
-        if: inputs.sign
+        if: steps.get-images-to-sign.outputs.images-to-sign
         with:
           images: ${{ steps.get-images-to-sign.outputs.images-to-sign }}
           github-token: ${{ secrets.GITHUB_TOKEN }}