zabbix-docker/.github/workflows/images_build.yml

725 lines
27 KiB
YAML
Raw Normal View History

2021-09-14 17:37:31 +02:00
name: Build images (DockerHub)
2021-09-13 19:36:12 +02:00
on:
release:
types:
- published
push:
branches:
2021-10-14 23:27:40 +02:00
- '5.0'
2022-02-15 11:03:28 +01:00
- '6.0'
2023-03-07 09:03:00 +01:00
- '6.4'
2021-09-13 19:36:12 +02:00
- 'trunk'
2021-10-08 00:13:22 +02:00
paths:
- 'Dockerfiles/**'
2021-10-28 02:05:53 +02:00
- 'build.json'
2021-10-16 00:11:57 +02:00
- '!**/README.md'
2021-10-08 00:13:22 +02:00
- '!Dockerfiles/*/rhel/*'
- '!Dockerfiles/*/windows/*'
- '.github/workflows/images_build.yml'
2021-09-13 19:36:12 +02:00
defaults:
run:
shell: bash
2021-09-14 11:41:09 +02:00
env:
DOCKER_REPOSITORY: "zabbix"
LATEST_BRANCH: ${{ github.event.repository.default_branch }}
2021-09-14 12:32:06 +02:00
BASE_BUILD_NAME: "build-base"
2024-02-07 18:51:30 +01:00
MATRIX_FILE: "build.json"
2024-02-08 05:16:27 +01:00
DOCKERFILES_DIRECTORY: "./Dockerfiles"
2021-09-14 11:41:09 +02:00
2021-09-13 19:36:12 +02:00
jobs:
2021-09-14 02:17:14 +02:00
init_build:
name: Initialize build
runs-on: ubuntu-latest
2024-02-08 05:35:09 +01:00
permissions:
contents: read
2021-09-14 02:17:14 +02:00
outputs:
2021-09-14 03:10:41 +02:00
os: ${{ steps.os.outputs.list }}
database: ${{ steps.database.outputs.list }}
components: ${{ steps.components.outputs.list }}
2021-10-18 18:12:43 +02:00
is_default_branch: ${{ steps.branch_info.outputs.is_default_branch }}
2024-02-07 18:51:30 +01:00
current_branch: ${{ steps.branch_info.outputs.current_branch }}
2024-02-08 16:44:14 +01:00
sha_short: ${{ steps.branch_info.outputs.sha_short }}
2021-09-14 02:17:14 +02:00
steps:
2024-02-08 05:16:27 +01:00
- name: Block egress traffic
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
2024-02-07 15:45:06 +01:00
with:
2024-02-08 05:16:27 +01:00
disable-sudo: true
egress-policy: block
allowed-endpoints: >
github.com:443
2024-02-07 15:45:06 +01:00
2021-09-14 12:32:06 +02:00
- name: Checkout repository
2024-02-05 05:16:42 +01:00
uses: actions/checkout@v4
2021-09-14 11:41:09 +02:00
with:
fetch-depth: 1
2024-02-07 18:53:43 +01:00
sparse-checkout: ${{ env.MATRIX_FILE }}
2021-09-14 11:41:09 +02:00
2021-09-17 01:47:46 +02:00
- name: Check build.json file
2021-09-14 12:32:06 +02:00
id: build_exists
2024-02-08 17:59:21 +01:00
env:
MATRIX_FILE: ${{ env.MATRIX_FILE }}
2021-09-14 03:10:41 +02:00
run: |
2024-02-08 17:59:21 +01:00
if [[ ! -f "$MATRIX_FILE" ]]; then
echo "::error::File $MATRIX_FILE is missing"
2021-09-14 12:32:06 +02:00
exit 1
2021-09-14 11:41:09 +02:00
fi
2021-09-14 12:32:06 +02:00
- name: Prepare Operating System list
id: os
2024-02-08 17:59:21 +01:00
env:
MATRIX_FILE: ${{ env.MATRIX_FILE }}
2021-09-14 12:32:06 +02:00
run: |
2024-02-08 17:59:21 +01:00
os_list=$(jq -r '.["os-linux"] | keys | [ .[] | tostring ] | @json' "$MATRIX_FILE")
2021-09-14 12:32:06 +02:00
2023-02-08 09:41:04 +01:00
echo "list=$os_list" >> $GITHUB_OUTPUT
2021-09-14 03:10:41 +02:00
2021-09-14 12:32:06 +02:00
- name: Prepare Platform list
id: platform_list
2024-02-08 17:59:21 +01:00
env:
MATRIX_FILE: ${{ env.MATRIX_FILE }}
2021-09-14 12:32:06 +02:00
run: |
2024-02-08 17:59:21 +01:00
platform_list=$(jq -r '.["os-linux"] | tostring | @json' "$MATRIX_FILE")
2021-09-14 12:32:06 +02:00
2023-02-08 09:41:04 +01:00
echo "list=$platform_list" >> $GITHUB_OUTPUT
2021-09-14 12:32:06 +02:00
- name: Prepare Database engine list
2021-09-14 03:10:41 +02:00
id: database
2024-02-08 17:59:21 +01:00
env:
MATRIX_FILE: ${{ env.MATRIX_FILE }}
2021-09-14 03:10:41 +02:00
run: |
2024-02-08 17:59:21 +01:00
database_list=$(jq -r '[.components | values[] ] | sort | unique | del(.. | select ( . == "" ) ) | [ .[] | tostring ] | @json' "$MATRIX_FILE")
2021-09-14 12:32:06 +02:00
2023-02-08 09:41:04 +01:00
echo "list=$database_list" >> $GITHUB_OUTPUT
2021-09-14 03:10:41 +02:00
2021-09-14 12:32:06 +02:00
- name: Prepare Zabbix component list
2021-09-14 03:10:41 +02:00
id: components
2024-02-08 17:59:21 +01:00
env:
MATRIX_FILE: ${{ env.MATRIX_FILE }}
2021-09-14 03:10:41 +02:00
run: |
2024-02-08 17:59:21 +01:00
component_list=$(jq -r '.components | keys | [ .[] | tostring ] | @json' "$MATRIX_FILE")
2021-09-14 12:32:06 +02:00
2023-02-08 09:41:04 +01:00
echo "list=$component_list" >> $GITHUB_OUTPUT
2021-09-14 03:10:41 +02:00
2021-10-08 00:13:22 +02:00
- name: Get branch info
id: branch_info
2024-02-08 17:59:21 +01:00
env:
LATEST_BRANCH: ${{ env.LATEST_BRANCH }}
github_ref: ${{ github.ref }}
2021-10-18 18:12:43 +02:00
run: |
result=false
if [[ "$github_ref" == "refs/tags/"* ]]; then
github_ref=${github_ref%.*}
fi
github_ref=${github_ref##*/}
2024-02-08 17:59:21 +01:00
if [[ "$github_ref" == "$LATEST_BRANCH" ]]; then
2021-10-18 18:12:43 +02:00
result=true
fi
2024-02-08 07:56:34 +01:00
2024-02-07 18:51:30 +01:00
echo "is_default_branch=$result" >> $GITHUB_OUTPUT
echo "current_branch=$github_ref" >> $GITHUB_OUTPUT
2024-02-08 16:44:14 +01:00
echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
2021-10-08 00:13:22 +02:00
2021-09-13 19:36:12 +02:00
build_base:
2021-10-29 03:16:24 +02:00
timeout-minutes: 30
2021-09-14 12:32:06 +02:00
name: Build base on ${{ matrix.os }}
2021-09-14 02:18:47 +02:00
needs: init_build
2021-09-13 19:36:12 +02:00
strategy:
2021-09-14 03:10:41 +02:00
fail-fast: false
2021-09-13 19:36:12 +02:00
matrix:
2021-09-14 02:17:14 +02:00
os: ${{ fromJson(needs.init_build.outputs.os) }}
2021-09-13 19:36:12 +02:00
2021-09-14 03:10:41 +02:00
runs-on: ubuntu-latest
2024-02-08 05:16:27 +01:00
permissions:
contents: read
2024-02-08 08:43:43 +01:00
id-token: write
2021-09-13 19:36:12 +02:00
steps:
2024-02-07 19:32:12 +01:00
- name: Block egress traffic
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
2024-02-07 15:45:06 +01:00
with:
2024-02-08 05:35:09 +01:00
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
archive.ubuntu.com:80
2024-02-08 10:36:35 +01:00
auth.docker.io:443
2024-02-08 05:37:02 +01:00
cdn03.quay.io:443
2024-02-08 07:56:34 +01:00
centos-stream-distro.1gservers.com:443
centos-stream-distro.1gservers.com:80
2024-02-08 10:36:35 +01:00
dl-cdn.alpinelinux.org:443
2024-02-08 07:56:34 +01:00
ftp-nyc.osuosl.org:80
ftp-osl.osuosl.org:80
ftpmirror.your.org:80
2024-02-08 10:36:35 +01:00
fulcio.sigstore.dev:443
2024-02-08 19:32:12 +01:00
oauth2.sigstore.dev:443
2024-02-08 10:36:35 +01:00
github.com:443
index.docker.io:443
2024-02-08 07:56:34 +01:00
mirror.dogado.de:443
mirror.dogado.de:80
mirror.netzwerge.de:443
mirror.pilotfiber.com:443
mirror.pilotfiber.com:80
2024-02-08 05:35:09 +01:00
mirror.rackspace.com:443
2024-02-08 07:56:34 +01:00
mirror.rackspace.com:80
mirror.servaxnet.com:80
mirror.siena.edu:80
mirror.team-cymru.com:80
mirror1.hs-esslingen.de:443
mirrors.centos.org:443
mirrors.iu13.net:80
mirrors.ocf.berkeley.edu:443
mirrors.xtom.de:80
2024-02-08 10:36:35 +01:00
objects.githubusercontent.com:443
ports.ubuntu.com:80
production.cloudflare.docker.com:443
quay.io:443
registry-1.docker.io:443
rekor.sigstore.dev:443
security.ubuntu.com:80
tuf-repo-cdn.sigstore.dev:443
yum.oracle.com:443
2024-02-07 15:45:06 +01:00
2021-09-14 12:32:06 +02:00
- name: Checkout repository
2024-02-05 05:16:42 +01:00
uses: actions/checkout@v4
2021-09-14 02:17:14 +02:00
with:
fetch-depth: 1
2021-09-13 19:36:12 +02:00
2024-02-08 08:34:58 +01:00
- name: Install cosign
2024-02-08 08:43:43 +01:00
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
2024-02-08 08:34:58 +01:00
with:
2024-02-08 08:43:43 +01:00
cosign-release: 'v2.2.3'
- name: Check cosign version
run: cosign version
2024-02-08 08:34:58 +01:00
2021-09-13 19:36:12 +02:00
- name: Set up QEMU
2024-02-05 05:16:42 +01:00
uses: docker/setup-qemu-action@v3
2021-10-28 00:45:54 +02:00
with:
image: tonistiigi/binfmt:latest
platforms: all
2021-09-13 19:36:12 +02:00
- name: Set up Docker Buildx
2024-02-05 05:16:42 +01:00
uses: docker/setup-buildx-action@v3
2021-10-28 00:45:54 +02:00
with:
driver-opts: image=moby/buildkit:master
2021-09-13 19:36:12 +02:00
- name: Login to DockerHub
2024-02-05 05:16:42 +01:00
uses: docker/login-action@v3
2021-09-13 19:36:12 +02:00
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
2021-09-14 12:32:06 +02:00
- name: Prepare Platform list
2021-09-15 13:31:56 +02:00
id: platform
2024-02-08 18:56:49 +01:00
env:
MATRIX_FILE: ${{ env.MATRIX_FILE }}
2021-09-13 19:36:12 +02:00
run: |
2024-02-08 18:56:49 +01:00
platform_list=$(jq -r '.["os-linux"].${{ matrix.os }} | join(",")' "$MATRIX_FILE")
2021-10-27 21:28:33 +02:00
platform_list="${platform_list%,}"
2021-09-13 19:36:12 +02:00
2023-02-08 09:41:04 +01:00
echo "list=$platform_list" >> $GITHUB_OUTPUT
2021-09-13 19:36:12 +02:00
2024-02-07 19:27:02 +01:00
- name: Generate tags
id: meta
2024-02-05 05:16:42 +01:00
uses: docker/metadata-action@v5
2021-09-14 14:36:19 +02:00
with:
images: ${{ env.DOCKER_REPOSITORY }}/zabbix-${{ env.BASE_BUILD_NAME }}
tags: |
2024-02-07 19:27:02 +01:00
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}-
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ matrix.os }}
type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,prefix=${{ matrix.os }}-,suffix=-latest
type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,suffix=-${{ matrix.os }}-latest
type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{matrix.os}}-latest
type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.os }}-
type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,suffix=-${{ matrix.os }}
2021-09-14 15:22:13 +02:00
flavor: |
2024-02-07 19:27:02 +01:00
latest=${{ (needs.init_build.outputs.current_branch != 'trunk') && (matrix.os == 'alpine') && ( needs.init_build.outputs.is_default_branch == 'true' ) }}
2021-09-13 21:04:05 +02:00
2024-02-07 19:15:07 +01:00
- name: Build ${{ env.BASE_BUILD_NAME }}/${{ matrix.os }} and push
id: docker_build
uses: docker/build-push-action@v5
with:
2024-02-08 05:16:27 +01:00
context: ${{ env.DOCKERFILES_DIRECTORY }}/${{ env.BASE_BUILD_NAME }}/${{ matrix.os }}
file: ${{ env.DOCKERFILES_DIRECTORY }}/${{ env.BASE_BUILD_NAME }}/${{ matrix.os }}/Dockerfile
2024-02-07 19:15:07 +01:00
platforms: ${{ steps.platform.outputs.list }}
push: ${{ secrets.AUTO_PUSH_IMAGES }}
2024-02-07 19:32:12 +01:00
tags: ${{ steps.meta.outputs.tags }}
2024-02-07 19:15:07 +01:00
labels: |
2024-02-07 19:27:02 +01:00
org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
2024-02-08 13:37:15 +01:00
cache-from: |
2024-02-08 14:30:11 +01:00
type=gha,scope=${{ fromJSON(steps.meta.outputs.json).tags[0] }}
2024-02-08 14:03:56 +01:00
type=registry,ref=docker.io/${{ fromJSON(steps.meta.outputs.json).tags[0] }}
2024-02-08 12:44:57 +01:00
cache-to: type=gha,mode=max,scope=${{ fromJSON(steps.meta.outputs.json).tags[0] }}
2024-02-08 05:16:27 +01:00
2024-02-08 08:34:58 +01:00
- name: Sign the images with GitHub OIDC Token
env:
DIGEST: ${{ steps.docker_build.outputs.digest }}
TAGS: ${{ steps.meta.outputs.tags }}
run: |
images=""
for tag in ${TAGS}; do
images+="${tag}@${DIGEST} "
done
cosign sign --yes ${images}
2024-02-08 14:03:56 +01:00
- name: Image digest
2024-02-08 17:59:21 +01:00
env:
DIGEST: ${{ steps.docker_build.outputs.digest }}
CACHE_FILE_NAME: ${{ env.BASE_BUILD_NAME }}_${{ matrix.os }}
2024-02-08 14:03:56 +01:00
run: |
2024-02-08 17:59:21 +01:00
echo "$DIGEST"
echo "$DIGEST" > $CACHE_FILE_NAME
2024-02-08 14:03:56 +01:00
2024-02-08 13:37:15 +01:00
- name: Cache image digest
uses: actions/cache@v4
with:
2024-02-08 14:03:56 +01:00
path: ${{ env.BASE_BUILD_NAME }}_${{ matrix.os }}
2024-02-08 17:59:21 +01:00
key: ${{ env.BASE_BUILD_NAME }}-${{ matrix.os }}-${{ github.run_id }}
2024-02-08 13:37:15 +01:00
2024-02-08 05:16:27 +01:00
build_base_database:
timeout-minutes: 180
needs: [ "build_base", "init_build"]
name: Build ${{ matrix.build }} base on ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
build: ${{ fromJson(needs.init_build.outputs.database) }}
os: ${{ fromJson(needs.init_build.outputs.os) }}
runs-on: ubuntu-latest
permissions:
contents: read
2024-02-08 10:36:35 +01:00
id-token: write
2024-02-08 05:16:27 +01:00
steps:
- name: Block egress traffic
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
2024-02-08 10:36:35 +01:00
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
auth.docker.io:443
git.zabbix.com:443
github.com:443
go.googlesource.com:443
go.mongodb.org:443
golang.org:443
google.golang.org:443
gopkg.in:443
index.docker.io:443
noto-website.storage.googleapis.com:443
production.cloudflare.docker.com:443
proxy.golang.org:443
registry-1.docker.io:443
storage.googleapis.com:443
2024-02-08 12:12:39 +01:00
fulcio.sigstore.dev:443
2024-02-08 19:32:12 +01:00
oauth2.sigstore.dev:443
2024-02-08 12:12:39 +01:00
objects.githubusercontent.com:443
tuf-repo-cdn.sigstore.dev:443
2024-02-08 13:37:15 +01:00
rekor.sigstore.dev:443
2024-02-08 05:16:27 +01:00
- name: Checkout repository
uses: actions/checkout@v4
2024-02-08 05:35:09 +01:00
with:
fetch-depth: 1
2024-02-08 05:16:27 +01:00
2024-02-08 10:36:35 +01:00
- name: Install cosign
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
with:
cosign-release: 'v2.2.3'
- name: Check cosign version
run: cosign version
2024-02-08 05:16:27 +01:00
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
with:
image: tonistiigi/binfmt:latest
platforms: all
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
driver-opts: image=moby/buildkit:master
- name: Login to DockerHub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Prepare Platform list
id: platform
2024-02-08 18:56:49 +01:00
env:
MATRIX_FILE: ${{ env.MATRIX_FILE }}
2024-02-08 05:16:27 +01:00
run: |
2024-02-08 18:56:49 +01:00
platform_list=$(jq -r '.["os-linux"].${{ matrix.os }} | join(",")' "$MATRIX_FILE")
2024-02-08 05:16:27 +01:00
platform_list="${platform_list%,}"
echo "list=$platform_list" >> $GITHUB_OUTPUT
- name: Generate tags
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.DOCKER_REPOSITORY }}/zabbix-${{ matrix.build }}
tags: |
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}-
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ matrix.os }}
type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,prefix=${{ matrix.os }}-,suffix=-latest
type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,suffix=-${{ matrix.os }}-latest
type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{matrix.os}}-latest
type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.os }}-
type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,suffix=-${{ matrix.os }}
flavor: |
latest=${{ (needs.init_build.outputs.current_branch != 'trunk') && (matrix.os == 'alpine') && ( needs.init_build.outputs.is_default_branch == 'true' ) }}
2024-02-08 17:59:21 +01:00
- name: Download SHA256 tag of build-base:${{ matrix.os }}
2024-02-08 14:03:56 +01:00
uses: actions/cache@v4
with:
path: build-base_${{ matrix.os }}
2024-02-08 17:59:21 +01:00
key: build-base-${{ matrix.os }}-${{ github.run_id }}
2024-02-08 14:03:56 +01:00
2024-02-08 05:16:27 +01:00
- name: Retrieve build-base:${{ matrix.os }} SHA256 tag
id: base_build
2024-02-08 18:56:49 +01:00
env:
MATRIX_OS: ${{ matrix.os }}
DOCKER_REPOSITORY: ${{ env.DOCKER_REPOSITORY }}
2024-02-08 05:16:27 +01:00
run: |
2024-02-08 18:56:49 +01:00
BASE_TAG=$(cat build-base_$MATRIX_OS)
BUILD_BASE_IMAGE=$DOCKER_REPOSITORY/zabbix-build-base@${BASE_TAG}
2024-02-08 05:16:27 +01:00
echo "base_tag=${BASE_TAG}" >> $GITHUB_OUTPUT
echo "base_build_image=${BUILD_BASE_IMAGE}" >> $GITHUB_OUTPUT
2024-02-08 17:59:21 +01:00
- name: Verify build-base:${{ matrix.os }} cosign
env:
BASE_IMAGE: ${{ steps.base_build.outputs.base_build_image }}
run: |
cosign verify \
--certificate-oidc-issuer-regexp "https://token.actions.githubusercontent.com" \
--certificate-identity-regexp "https://github.com/zabbix/zabbix-docker/.github/" \
"$BASE_IMAGE"
2024-02-08 05:16:27 +01:00
- name: Build ${{ matrix.build }}/${{ matrix.os }} and push
id: docker_build
uses: docker/build-push-action@v5
with:
context: ${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/${{ matrix.os }}
file: ${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/${{ matrix.os }}/Dockerfile
platforms: ${{ steps.platform.outputs.list }}
push: ${{ secrets.AUTO_PUSH_IMAGES }}
tags: ${{ steps.meta.outputs.tags }}
build-args: BUILD_BASE_IMAGE=${{ steps.base_build.outputs.base_build_image }}
labels: |
org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
2024-02-08 14:03:56 +01:00
cache-from: |
type=gha,scope=${{ fromJSON(steps.meta.outputs.json).tags[0] }}
type=registry,ref=docker.io/${{ fromJSON(steps.meta.outputs.json).tags[0] }}
2024-02-08 12:44:57 +01:00
cache-to: type=gha,mode=max,scope=${{ fromJSON(steps.meta.outputs.json).tags[0] }}
2024-02-08 05:16:27 +01:00
2024-02-08 10:36:35 +01:00
- name: Sign the images with GitHub OIDC Token
env:
DIGEST: ${{ steps.docker_build.outputs.digest }}
TAGS: ${{ steps.meta.outputs.tags }}
run: |
images=""
for tag in ${TAGS}; do
images+="${tag}@${DIGEST} "
done
cosign sign --yes ${images}
2024-02-08 05:16:27 +01:00
- name: Image digest
2024-02-08 18:56:49 +01:00
env:
DIGEST: ${{ steps.docker_build.outputs.digest }}
CACHE_FILE_NAME: ${{ matrix.build }}_${{ matrix.os }}
2024-02-08 05:16:27 +01:00
run: |
2024-02-08 18:56:49 +01:00
echo "$DIGEST"
2024-02-08 19:05:30 +01:00
echo "$DIGEST" > $CACHE_FILE_NAME
2024-02-08 05:16:27 +01:00
2024-02-08 17:59:21 +01:00
- name: Caching SHA256 tag of the image
2024-02-08 16:44:14 +01:00
uses: actions/cache@v4
2024-02-08 05:16:27 +01:00
with:
2024-02-08 16:44:14 +01:00
path: ${{ matrix.build }}_${{ matrix.os }}
2024-02-08 17:59:21 +01:00
key: ${{ matrix.build }}-${{ matrix.os }}-${{ github.run_id }}
2024-02-08 05:16:27 +01:00
build_images:
timeout-minutes: 90
needs: [ "build_base_database", "init_build"]
name: Build ${{ matrix.build }} on ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
build: ${{ fromJson(needs.init_build.outputs.components) }}
os: ${{ fromJson(needs.init_build.outputs.os) }}
runs-on: ubuntu-latest
permissions:
contents: read
2024-02-08 19:43:56 +01:00
id-token: write
2024-02-08 05:16:27 +01:00
steps:
2024-02-08 19:12:25 +01:00
- name: Block egress traffic
2024-02-08 17:16:52 +01:00
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
auth.docker.io:443
dl-cdn.alpinelinux.org:443
github.com:443
index.docker.io:443
production.cloudflare.docker.com:443
registry-1.docker.io:443
fulcio.sigstore.dev:443
objects.githubusercontent.com:443
tuf-repo-cdn.sigstore.dev:443
rekor.sigstore.dev:443
api.github.com:443
atl.mirrors.knownhost.com:443
atl.mirrors.knownhost.com:80
auth.docker.io:443
cdn03.quay.io:443
centos-stream-distro.1gservers.com:443
centos-stream-distro.1gservers.com:80
d2lzkl7pfhq30w.cloudfront.net:443
epel.mirror.constant.com:80
forksystems.mm.fcix.net:80
ftp-nyc.osuosl.org:443
ftp-nyc.osuosl.org:80
ftp-osl.osuosl.org:443
ftp-osl.osuosl.org:80
ftp.plusline.net:80
ftpmirror.your.org:80
github.com:443
iad.mirror.rackspace.com:443
index.docker.io:443
ix-denver.mm.fcix.net:443
mirror-mci.yuki.net.uk:443
mirror.23m.com:80
mirror.arizona.edu:80
mirror.dal.nexril.net:80
mirror.de.leaseweb.net:80
mirror.dogado.de:80
mirror.facebook.net:80
mirror.hoobly.com:80
mirror.math.princeton.edu:80
mirror.netcologne.de:443
mirror.netzwerge.de:443
mirror.pilotfiber.com:443
mirror.pilotfiber.com:80
mirror.rackspace.com:443
mirror.rackspace.com:80
mirror.scaleuptech.com:443
mirror.servaxnet.com:443
mirror.servaxnet.com:80
mirror.sfo12.us.leaseweb.net:80
mirror.siena.edu:80
mirror.steadfastnet.com:80
mirror.team-cymru.com:443
mirror.team-cymru.com:80
mirror.umd.edu:443
mirror1.hs-esslingen.de:443
mirrors.centos.org:443
mirrors.fedoraproject.org:443
mirrors.iu13.net:443
mirrors.iu13.net:80
mirrors.ocf.berkeley.edu:443
mirrors.sonic.net:80
mirrors.syringanetworks.net:80
mirrors.vcea.wsu.edu:80
mirrors.wcupa.edu:80
mirrors.xtom.de:80
na.edge.kernel.org:443
nnenix.mm.fcix.net:80
ohioix.mm.fcix.net:80
production.cloudflare.docker.com:443
pubmirror1.math.uh.edu:443
pubmirror3.math.uh.edu:80
quay.io:443
registry-1.docker.io:443
repo.ialab.dsu.edu:80
repos.eggycrew.com:80
uvermont.mm.fcix.net:80
ziply.mm.fcix.net:443
fulcio.sigstore.dev:443
objects.githubusercontent.com:443
tuf-repo-cdn.sigstore.dev:443
rekor.sigstore.dev:443
2024-02-08 19:32:12 +01:00
oauth2.sigstore.dev:443
2024-02-08 17:16:52 +01:00
api.github.com:443
auth.docker.io:443
github.com:443
index.docker.io:443
production.cloudflare.docker.com:443
registry-1.docker.io:443
yum.oracle.com:443
fulcio.sigstore.dev:443
objects.githubusercontent.com:443
tuf-repo-cdn.sigstore.dev:443
rekor.sigstore.dev:443
api.github.com:443
archive.ubuntu.com:80
auth.docker.io:443
deb.debian.org:80
github.com:443
index.docker.io:443
keyserver.ubuntu.com:11371
nginx.org:443
nginx.org:80
ports.ubuntu.com:80
production.cloudflare.docker.com:443
registry-1.docker.io:443
security.ubuntu.com:80
fulcio.sigstore.dev:443
objects.githubusercontent.com:443
tuf-repo-cdn.sigstore.dev:443
rekor.sigstore.dev:443
2024-02-08 05:16:27 +01:00
- name: Checkout repository
uses: actions/checkout@v4
2024-02-08 05:35:09 +01:00
with:
fetch-depth: 1
2024-02-08 05:16:27 +01:00
2024-02-08 16:44:14 +01:00
- name: Install cosign
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
with:
cosign-release: 'v2.2.3'
- name: Check cosign version
run: cosign version
2024-02-08 05:16:27 +01:00
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
with:
image: tonistiigi/binfmt:latest
platforms: all
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
driver-opts: image=moby/buildkit:master
- name: Login to DockerHub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Prepare Platform list
id: platform
2024-02-08 18:56:49 +01:00
env:
MATRIX_OS: ${{ matrix.os }}
MATRIX_BUILD: ${{ matrix.build }}
MATRIX_FILE: ${{ env.MATRIX_FILE }}
2024-02-08 05:16:27 +01:00
run: |
# Chromium on Alpine is available only on linux/amd64, linux/arm64 platforms
if ([ "${{ matrix.os }}" == "alpine" ] || [ "${{ matrix.os }}" == "centos" ]) && [ "${{ matrix.build }}" == "web-service" ]; then
platform_list="linux/amd64,linux/arm64"
# Chromium on Ubuntu is not available on s390x platform
elif [ "${{ matrix.os }}" == "ubuntu" ] && [ "${{ matrix.build }}" == "web-service" ]; then
platform_list="linux/amd64,linux/arm/v7,linux/arm64"
else
2024-02-08 18:56:49 +01:00
platform_list=$(jq -r '.["os-linux"].${{ matrix.os }} | join(",")' "$MATRIX_FILE")
2024-02-08 05:16:27 +01:00
fi
# Build only Agent and Agent2 on 386
if [ "${{ matrix.build }}" != "agent"* ]; then
platform_list="${platform_list#linux/386,}"
fi
platform_list="${platform_list%,}"
echo "list=$platform_list" >> $GITHUB_OUTPUT
- name: Detect Build Base Image
id: build_base_image
2024-02-08 18:56:49 +01:00
env:
MATRIX_FILE: ${{ env.MATRIX_FILE }}
2024-02-08 05:16:27 +01:00
run: |
2024-02-08 18:56:49 +01:00
BUILD_BASE=$(jq -r '.components."${{ matrix.build }}"' "$MATRIX_FILE")
2024-02-08 05:16:27 +01:00
echo "build_base=${BUILD_BASE}" >> $GITHUB_OUTPUT
- name: Generate tags
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.DOCKER_REPOSITORY }}/zabbix-${{ matrix.build }}
tags: |
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}-
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ matrix.os }}
type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,prefix=${{ matrix.os }}-,suffix=-latest
type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,suffix=-${{ matrix.os }}-latest
type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{matrix.os}}-latest
type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.os }}-
type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,suffix=-${{ matrix.os }}
flavor: |
latest=${{ (needs.init_build.outputs.current_branch != 'trunk') && (matrix.os == 'alpine') && ( needs.init_build.outputs.is_default_branch == 'true' ) }}
2024-02-08 17:59:21 +01:00
- name: Download SHA256 tag of ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.os }}
2024-02-08 16:44:14 +01:00
uses: actions/cache@v4
2024-02-08 05:16:27 +01:00
if: ${{ matrix.build != 'snmptraps' }}
with:
2024-02-08 16:44:14 +01:00
path: ${{ steps.build_base_image.outputs.build_base }}_${{ matrix.os }}
2024-02-08 17:59:21 +01:00
key: ${{ steps.build_base_image.outputs.build_base }}-${{ matrix.os }}-${{ github.run_id }}
2024-02-08 05:16:27 +01:00
- name: Retrieve ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.os }} SHA256 tag
id: base_build
if: ${{ matrix.build != 'snmptraps' }}
run: |
BASE_TAG=$(cat ${{ steps.build_base_image.outputs.build_base }}_${{ matrix.os }})
BUILD_BASE_IMAGE=${{ env.DOCKER_REPOSITORY }}/zabbix-${{ steps.build_base_image.outputs.build_base }}@${BASE_TAG}
echo "base_tag=${BASE_TAG}" >> $GITHUB_OUTPUT
echo "base_build_image=${BUILD_BASE_IMAGE}" >> $GITHUB_OUTPUT
2024-02-08 17:59:21 +01:00
- name: Verify ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.os }} cosign
2024-02-08 19:54:04 +01:00
if: ${{ matrix.build != 'snmptraps' }}
2024-02-08 17:59:21 +01:00
env:
BASE_IMAGE: ${{ steps.base_build.outputs.base_build_image }}
run: |
cosign verify \
--certificate-oidc-issuer-regexp "https://token.actions.githubusercontent.com" \
--certificate-identity-regexp "https://github.com/zabbix/zabbix-docker/.github/" \
"$BASE_IMAGE"
2024-02-08 05:16:27 +01:00
- name: Build ${{ matrix.build }}/${{ matrix.os }} and push
id: docker_build
uses: docker/build-push-action@v5
with:
context: ${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/${{ matrix.os }}
file: ${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/${{ matrix.os }}/Dockerfile
platforms: ${{ steps.platform.outputs.list }}
push: ${{ secrets.AUTO_PUSH_IMAGES }}
tags: ${{ steps.meta.outputs.tags }}
build-args: BUILD_BASE_IMAGE=${{ steps.base_build.outputs.base_build_image }}
labels: |
org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
2024-02-08 12:44:57 +01:00
cache-from: type=gha,scope=${{ fromJSON(steps.meta.outputs.json).tags[0] }}
cache-to: type=gha,mode=max,scope=${{ fromJSON(steps.meta.outputs.json).tags[0] }}
2024-02-08 05:16:27 +01:00
2024-02-08 16:44:14 +01:00
- name: Sign the images with GitHub OIDC Token
env:
DIGEST: ${{ steps.docker_build.outputs.digest }}
TAGS: ${{ steps.meta.outputs.tags }}
run: |
images=""
for tag in ${TAGS}; do
images+="${tag}@${DIGEST} "
done
cosign sign --yes ${images}
2024-02-08 05:16:27 +01:00
- name: Image digest
2024-02-08 17:59:21 +01:00
env:
DIGEST: ${{ steps.docker_build.outputs.digest }}
run: echo "$DIGEST"