
Commit 6e08542

committed
chore: remove flavor knowledge from build-push
1 parent 779875d commit 6e08542

2 files changed

Lines changed: 29 additions & 24 deletions


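--- a/.github/workflows/build-push.yml
+++ b/.github/workflows/build-push.yml
@@ -3,6 +3,10 @@ name: Build & Push
 
 on:
 workflow_call:
+inputs:
+flavor:
+required: true
+type: string
 
 permissions:
 contents: read
@@ -14,7 +18,6 @@ jobs:
 build-push:
 strategy:
 matrix:
-flavor: ["cpp", "rust"]
 runner: ["ubuntu-latest", "ubuntu-24.04-arm"]
 runs-on: ${{ matrix.runner }}
 permissions:
@@ -37,10 +40,10 @@ jobs:
 DOCKER_METADATA_SET_OUTPUT_ENV: false
 id: metadata
 with:
-images: ${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}
+images: ${{ env.REGISTRY }}/${{ github.repository }}-${{ inputs.flavor }}
 # Generate image LABEL for devcontainer.metadata
 # the sed expression is a workaround for quotes being eaten in arrays (e.g. ["x", "y", "z"] -> ["x",y,"z"])
-- run: echo "metadata=$(jq -cj '[.]' .devcontainer/${{ matrix.flavor }}/devcontainer-metadata-vscode.json | sed 's/,"/, "/g')" >> "$GITHUB_OUTPUT"
+- run: echo "metadata=$(jq -cj '[.]' .devcontainer/${{ inputs.flavor }}/devcontainer-metadata-vscode.json | sed 's/,"/, "/g')" >> "$GITHUB_OUTPUT"
 id: devcontainer-metadata
 - run: echo "git-commit-epoch=$(git log -1 --pretty=%ct)" >> "$GITHUB_OUTPUT"
 id: devcontainer-epoch
@@ -51,33 +54,30 @@ jobs:
 env:
 SOURCE_DATE_EPOCH: ${{ steps.devcontainer-epoch.outputs.git-commit-epoch }}
 with:
-file: .devcontainer/${{ matrix.flavor }}/Dockerfile
+file: .devcontainer/${{ inputs.flavor }}/Dockerfile
 push: true
-tags: ${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}
+tags: ${{ env.REGISTRY }}/${{ github.repository }}-${{ inputs.flavor }}
 labels: |
 ${{ steps.metadata.outputs.labels }}
 devcontainer.metadata=${{ steps.devcontainer-metadata.outputs.metadata }}
 annotations: ${{ steps.metadata.outputs.annotations }}
 sbom: true
 outputs: type=image,push-by-digest=true,name-canonical=true
-cache-to: type=gha,mode=max,scope=${{ github.repository }}-${{ matrix.flavor }}-${{ matrix.runner }}
-cache-from: type=gha,scope=${{ github.repository }}-${{ matrix.flavor }}-${{ matrix.runner }}
+cache-to: type=gha,mode=max,scope=${{ github.repository }}-${{ inputs.flavor }}-${{ matrix.runner }}
+cache-from: type=gha,scope=${{ github.repository }}-${{ inputs.flavor }}-${{ matrix.runner }}
 - name: Export digest
 run: |
 mkdir -p ${{ runner.temp }}/digests
 digest="${{ steps.build-and-push.outputs.digest }}"
 touch "${{ runner.temp }}/digests/${digest#sha256:}"
 - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 with:
-name: digests-${{ matrix.flavor }}-${{ steps.devcontainer-arch.outputs.arch }}
+name: digests-${{ inputs.flavor }}-${{ steps.devcontainer-arch.outputs.arch }}
 path: ${{ runner.temp }}/digests/*
 if-no-files-found: error
 retention-days: 1
 
 merge-image:
-strategy:
-matrix:
-flavor: ["cpp", "rust"]
 runs-on: ubuntu-latest
 needs: build-push
 permissions:
@@ -98,7 +98,7 @@ jobs:
 - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
 with:
 path: ${{ runner.temp }}/digests
-pattern: digests-${{ matrix.flavor }}-*
+pattern: digests-${{ inputs.flavor }}-*
 merge-multiple: true
 - uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
 - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
@@ -112,7 +112,7 @@ jobs:
 DOCKER_METADATA_ANNOTATIONS_LEVELS: index
 DOCKER_METADATA_SET_OUTPUT_ENV: false
 with:
-images: ${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}
+images: ${{ env.REGISTRY }}/${{ github.repository }}-${{ inputs.flavor }}
 # Generate Docker tags based on the following events/attributes
 tags: |
 type=edge
@@ -128,27 +128,27 @@ jobs:
 # shellcheck disable=SC2046
 docker buildx imagetools create \
 $(echo '${{ steps.metadata.outputs.json }}' | jq -r '.tags | map("--tag " + .) | join(" ")') \
-$(printf '${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}@sha256:%s ' *)
+$(printf '${{ env.REGISTRY }}/${{ github.repository }}-${{ inputs.flavor }}@sha256:%s ' *)
 - name: Inspect manifest and extract digest
 id: inspect-manifest
 run: |
 set -Eeuo pipefail
-output=$(docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}:${{ steps.metadata.outputs.version }} --format '{{json .}}')
+output=$(docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ github.repository }}-${{ inputs.flavor }}:${{ steps.metadata.outputs.version }} --format '{{json .}}')
 digest=$(echo "$output" | jq -r '.manifest.digest // .manifests[0].digest')
 echo "digest=$digest" >> "$GITHUB_OUTPUT"
 - uses: ./.github/actions/container-size-diff
 id: container-size-diff
 with:
-from-container: ${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}:latest
-to-container: ${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}:${{ steps.metadata.outputs.version }}
+from-container: ${{ env.REGISTRY }}/${{ github.repository }}-${{ inputs.flavor }}:edge
+to-container: ${{ env.REGISTRY }}/${{ github.repository }}-${{ inputs.flavor }}:${{ steps.metadata.outputs.version }}
 - uses: marocchino/sticky-pull-request-comment@67d0dec7b07ed060a405f9b2a64b8ab319fdd7db # v2.9.2
 with:
-header: container-size-diff-${{ matrix.flavor }}
+header: container-size-diff-${{ inputs.flavor }}
 message: |
 ${{ steps.container-size-diff.outputs.size-diff-markdown }}
 - uses: anchore/sbom-action@e11c554f704a0b820cbf8c51673f6945e0731532 # v0.20.0
 with:
-image: ${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}@${{ steps.inspect-manifest.outputs.digest }}
+image: ${{ env.REGISTRY }}/${{ github.repository }}-${{ inputs.flavor }}@${{ steps.inspect-manifest.outputs.digest }}
 dependency-snapshot: true
 - uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9 # v4.7.1
 if: github.event_name == 'pull_request'
@@ -157,29 +157,29 @@ jobs:
 fail-on-severity: critical
 - uses: actions/attest-build-provenance@db473fddc028af60658334401dc6fa3ffd8669fd # v2.3.0
 with:
-subject-name: ${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}
+subject-name: ${{ env.REGISTRY }}/${{ github.repository }}-${{ inputs.flavor }}
 subject-digest: ${{ steps.inspect-manifest.outputs.digest }}
 push-to-registry: true
 - name: Verify attestation
 env:
 GH_TOKEN: ${{ github.token }}
 run: |
-gh attestation verify --repo ${{ github.repository }} oci://${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}@${{ steps.inspect-manifest.outputs.digest }}
+gh attestation verify --repo ${{ github.repository }} oci://${{ env.REGISTRY }}/${{ github.repository }}-${{ inputs.flavor }}@${{ steps.inspect-manifest.outputs.digest }}
 - name: Upload provenance to release
 if: startsWith(github.ref, 'refs/tags/')
 env:
 GH_TOKEN: ${{ github.token }}
 run: |
 RAW_SHA=${{ steps.inspect-manifest.outputs.digest }}
 FORMATTED_SHA=${RAW_SHA//:/_}
-gh attestation verify --repo ${{ github.repository }} oci://${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}@${{ steps.inspect-manifest.outputs.digest }} --format json --jq '.[] | .attestation.bundle.dsseEnvelope | select(.payloadType == "application/vnd.in-toto+json").payload' | base64 -d | jq . > "${{ github.repository_owner }}-${{ github.event.repository.name }}-${{ matrix.flavor }}_${FORMATTED_SHA}.intoto.jsonl"
+gh attestation verify --repo ${{ github.repository }} oci://${{ env.REGISTRY }}/${{ github.repository }}-${{ inputs.flavor }}@${{ steps.inspect-manifest.outputs.digest }} --format json --jq '.[] | .attestation.bundle.dsseEnvelope | select(.payloadType == "application/vnd.in-toto+json").payload' | base64 -d | jq . > "${{ github.repository_owner }}-${{ github.event.repository.name }}-${{ inputs.flavor }}_${FORMATTED_SHA}.intoto.jsonl"
 gh release upload ${{ github.ref_name }} ./*.intoto.jsonl
 - name: Update package details in release
 if: startsWith(github.ref, 'refs/tags/')
 env:
 GH_TOKEN: ${{ github.token }}
 run: |
 UPDATED_NOTES=$(gh release view ${{ github.ref_name }} --json body -q '.body')
-UPDATED_NOTES=${UPDATED_NOTES//'{{ amp-devcontainer-${{ matrix.flavor }}-version }}'/'${{ github.ref_name }}'}
-UPDATED_NOTES=${UPDATED_NOTES//'{{ amp-devcontainer-${{ matrix.flavor }}-sha }}'/'${{ steps.inspect-manifest.outputs.digest }}'}
+UPDATED_NOTES=${UPDATED_NOTES//'{{ amp-devcontainer-${{ inputs.flavor }}-version }}'/'${{ github.ref_name }}'}
+UPDATED_NOTES=${UPDATED_NOTES//'{{ amp-devcontainer-${{ inputs.flavor }}-sha }}'/'${{ steps.inspect-manifest.outputs.digest }}'}
 gh release edit ${{ github.ref_name }} --notes "${UPDATED_NOTES}"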
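Review bot: `inputs.flavor` is now a caller-supplied string that is expanded verbatim into `run:` scripts (the jq step in the -37 hunk, the `imagetools` and `gh attestation verify` lines in the -128 and -157 hunks) and into file paths such as `.devcontainer/${{ inputs.flavor }}/Dockerfile`, yet nothing in the reusable workflow checks it; the old `matrix.flavor` was bounded by the literal list `["cpp", "rust"]` that this commit deletes, so the constraint has moved out of this file and any other caller can pass an arbitrary value. A `workflow_call` input has no `choice` type, so the allowlist should be enforced by a first step in `build-push` (and, since it uses the same input, `merge-image`), reading the value through `env` rather than inline expansion; the steps lists where that check belongs sit outside the hunks shown. Separately, `from-container` in the -128 hunk moves from `:latest` to `:edge`, which changes the baseline of the size comparison and is not covered by the commit message; it deserves a sentence there or its own commit.

```yaml
# … unchanged: build-push job header, strategy/matrix, runs-on, permissions …
# first entry under the job's steps:
- name: Validate flavor input
  env:
    FLAVOR: ${{ inputs.flavor }}
  run: |
    case "$FLAVOR" in
      cpp|rust) ;;
      *) echo "unsupported flavor: '$FLAVOR'" >&2; exit 1 ;;
    esac
# … unchanged: remaining build-push steps …
```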

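--- a/.github/workflows/continuous-integration.yml
+++ b/.github/workflows/continuous-integration.yml
@@ -17,6 +17,9 @@ permissions:
 
 jobs:
 build-push:
+strategy:
+matrix:
+flavor: [cpp, rust]
 uses: ./.github/workflows/build-push.yml
 secrets: inherit
 permissions:
@@ -25,6 +28,8 @@ jobs:
 id-token: write
 packages: write
 pull-requests: write
+with:
+flavor: ${{ matrix.flavor }}
 
 integration-test:
 strategy: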
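Review bot: The new matrix on the `build-push` call in the first hunk carries no comment saying that each flavor now fans out into its own invocation of the reusable workflow, whose remaining matrix covers only `runner`; from this file alone a reader cannot tell that cpp and rust are built, merged and attested as independent runs. Add above `strategy:`: `# One build-push.yml invocation per flavor; the reusable workflow owns the per-architecture matrix and the manifest merge.` The literal `[cpp, rust]` is also written unquoted, unlike the `["cpp", "rust"]` it replaces in build-push.yml; both parse the same, but one form should be used across the repository's workflows.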
