extern/zabbix-docker
1
0
Fork 0
mirror of https://github.com/zabbix/zabbix-docker.git synced 2025-05-31 15:16:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

Prepare universal workflow

Browse Source
This commit is contained in:
Alexey Pustovalov 2024-02-09 16:43:29 +09:00
parent 9a3ff60ba5
commit 001d591b85
1 changed files with 115 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

144
.github/workflows/images_build_windows.yml vendored
View File

@ -20,45 +20,65 @@ defaults:
shell: pwsh
env:
AUTO_PUSH_IMAGES: ${{ secrets.AUTO_PUSH_IMAGES }}
DOCKER_REPOSITORY: "zabbix"
LATEST_BRANCH: ${{ github.event.repository.default_branch }}
IMAGE_PREFIX: "zabbix-"
BASE_BUILD_NAME: "build-base"
COMPONENT_BASE_BUILD_NAME: "build-mysql"
AUTO_PUSH_IMAGES: ${{ secrets.AUTO_PUSH_IMAGES }}
MATRIX_FILE: "build.json"
DOCKERFILES_DIRECTORY: "./Dockerfiles"
OIDC_ISSUER: "https://token.actions.githubusercontent.com"
IDENITY_REGEX: "https://github.com/zabbix/zabbix-docker/.github/"
jobs:
init_build:
name: Initialize build
runs-on: ubuntu-latest
permissions:
contents: read
outputs:
os: ${{ steps.os.outputs.list }}
components: ${{ steps.components.outputs.list }}
is_default_branch: ${{ steps.branch_info.outputs.is_default_branch }}
current_branch: ${{ steps.branch_info.outputs.current_branch }}
sha_short: ${{ steps.branch_info.outputs.sha_short }}
steps:
- uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
- name: Block egress traffic
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
disable-sudo: true
egress-policy: block
allowed-endpoints: >
github.com:443
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 1
sparse-checkout: ${{ env.MATRIX_FILE }}
- name: Check build.json file
- name: Check ${{ env.MATRIX_FILE }} file
id: build_exists
shell: bash
env:
MATRIX_FILE: ${{ env.MATRIX_FILE }}
run: |
if [[ ! -f "./build.json" ]]; then
echo "::error::File build.json is missing"
if [[ ! -f "$MATRIX_FILE" ]]; then
echo "::error::File $MATRIX_FILE is missing"
exit 1
fi
- name: Prepare Operating System list
id: os
shell: bash
env:
MATRIX_FILE: ${{ env.MATRIX_FILE }}
run: |
os_list=$(jq -r '.["os-windows"] | keys | [ .[] | tostring ] | @json' "./build.json")
os_list=$(jq -r '.["os-windows"] | keys | [ .[] | tostring ] | @json' "$MATRIX_FILE")
echo "list=$os_list" >> $GITHUB_OUTPUT
@ -73,8 +93,10 @@ jobs:
- name: Get branch info
id: branch_info
shell: bash
env:
LATEST_BRANCH: ${{ env.LATEST_BRANCH }}
github_ref: ${{ github.ref }}
run: |
github_ref="${{ github.ref }}"
result=false
if [[ "$github_ref" == "refs/tags/"* ]]; then
@ -83,10 +105,12 @@ jobs:
github_ref=${github_ref##*/}
if [[ "$github_ref" == "${{ env.LATEST_BRANCH }}" ]]; then
if [[ "$github_ref" == "$LATEST_BRANCH" ]]; then
result=true
fi
echo "is_default_branch=$result" >> $GITHUB_OUTPUT
echo "current_branch=$github_ref" >> $GITHUB_OUTPUT
echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
build_base:
timeout-minutes: 70
@ -102,7 +126,8 @@ jobs:
runs-on: ${{ matrix.os }}
steps:
- uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
- name: Block egress traffic
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
@ -111,6 +136,14 @@ jobs:
with:
fetch-depth: 1
- name: Install cosign
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
with:
cosign-release: 'v2.2.3'
- name: Check cosign version
run: cosign version
- name: Login to DockerHub
run: |
docker login -u ${{ secrets.DOCKER_USERNAME }} -p ${{ secrets.DOCKER_PASSWORD }}
@ -118,8 +151,11 @@ jobs:
- name: Base OS tag
id: base_os_tag
env:
MATRIX_OS: ${{ matrix.os }}
MATRIX_FILE: ${{ env.MATRIX_FILE }}
run: |
$os_tag=$(Get-Content -Path .\build.json | ConvertFrom-Json).'os-windows'.'${{ matrix.os }}'
$os_tag=$(Get-Content -Path $Env:MATRIX_FILE | ConvertFrom-Json).'os-windows'.'$Env:MATRIX_OS'
echo "os_tag=$os_tag" >> $Env:GITHUB_OUTPUT
- name: Generate tags
@ -128,26 +164,39 @@ jobs:
with:
images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGE_PREFIX }}${{ env.BASE_BUILD_NAME }}
tags: |
type=ref,event=branch,prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-
type=ref,event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }},prefix=${{ matrix.component }}-
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ steps.base_os_tag.outputs.os_tag }},prefix=${{ matrix.component }}-
type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-,suffix=-latest
type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }}-latest,prefix=${{ matrix.component }}-
type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-latest
type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-
type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }},prefix=${{ matrix.component }}-
flavor: |
latest=false
- name: Build image
id: docker_build
env:
DOCKERFILES_DIRECTORY: ${{ env.DOCKERFILES_DIRECTORY }}
BASE_BUILD_NAME: ${{ env.BASE_BUILD_NAME }}
MATRIX_COMPONENT: ${{ matrix.component }}
TAGS: ${{ steps.meta.outputs.tags }}
BASE_OS_TAG: ${{ steps.base_os_tag.outputs.os_tag }}
LABEL_REVISION: ${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
LABEL_CREATED: ${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
run: |
$context='.\Dockerfiles\${{ env.BASE_BUILD_NAME }}\windows\'
$dockerfile= $context + 'Dockerfile.${{ matrix.component }}'
$context="$Env:DOCKERFILES_DIRECTORY\$Env:BASE_BUILD_NAME\windows\"
$dockerfile= $context + 'Dockerfile.' + $Env:MATRIX_COMPONENT
# Can not build on GitHub due existing symlink. Must be removed before build process
Remove-Item -ErrorAction Ignore -Force -Path $context\README.md
$tags_array=$( "${{ steps.meta.outputs.tags }}".Split("`r`n") )
$tags_array=$( "$Env:TAGS".Split("`r`n") )
$tags=$( $tags_array | Foreach-Object { "--tag=$_" } )
echo "docker build --file=$dockerfile $tags $context"
docker build --label org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} `
--label org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} `
--build-arg=BUILD_BASE_IMAGE=mcr.microsoft.com/windows/servercore:${{ steps.base_os_tag.outputs.os_tag }} `
docker build --label org.opencontainers.image.revision=$Env:LABEL_REVISION `
--label org.opencontainers.image.created=$Env:LABEL_CREATED `
--build-arg=BUILD_BASE_IMAGE=mcr.microsoft.com/windows/servercore:$Env:BASE_OS_TAG `
--file=$dockerfile `
$tags `
$context
@ -166,14 +215,18 @@ jobs:
- name: Image digest
if: ${{ env.AUTO_PUSH_IMAGES }}
env:
TAGS: ${{ steps.meta.outputs.tags }}
BASE_BUILD_ARTIFACT_FILE_SUFFIX: {{ env.BASE_BUILD_ARTIFACT_FILE_SUFFIX }}
BASE_BUILD_NAME: ${{ env.BASE_BUILD_NAME }}
run: |
$tags_array=$( "${{ steps.meta.outputs.tags }}".Split("`r`n") )
$tags_array=$( "$Env:TAGS".Split("`r`n") )
$digest=$(docker inspect $tags_array[0] --format "{{ index .RepoDigests 0}}").Split('@')[-1]
if (-not $?) {throw "Failed"}
echo $digest
$digest | Set-Content -Path ${{ env.BASE_BUILD_NAME }}${{ env.BASE_BUILD_ARTIFACT_FILE_SUFFIX }}
$digest | Set-Content -Path $Env:BASE_BUILD_NAME$Env:BASE_BUILD_ARTIFACT_FILE_SUFFIX
- name: Upload SHA256 tag
if: ${{ env.AUTO_PUSH_IMAGES }}
@ -203,12 +256,23 @@ jobs:
runs-on: ${{ matrix.os }}
steps:
- uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
- name: Block egress traffic
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 1
- name: Install cosign
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
with:
cosign-release: 'v2.2.3'
- name: Check cosign version
run: cosign version
- name: Login to DockerHub
run: |
@ -227,8 +291,13 @@ jobs:
with:
images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGE_PREFIX }}${{ env.COMPONENT_BASE_BUILD_NAME }}
tags: |
type=ref,event=branch,prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-
type=ref,event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }},prefix=${{ matrix.component }}-
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ steps.base_os_tag.outputs.os_tag }},prefix=${{ matrix.component }}-
type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-,suffix=-latest
type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }}-latest,prefix=${{ matrix.component }}-
type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-latest
type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-
type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }},prefix=${{ matrix.component }}-
flavor: |
latest=false
@ -315,11 +384,23 @@ jobs:
runs-on: ${{ matrix.os }}
steps:
- uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
- name: Block egress traffic
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- uses: actions/checkout@v4
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 1
- name: Install cosign
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
with:
cosign-release: 'v2.2.3'
- name: Check cosign version
run: cosign version
- name: Login to DockerHub
run: |
@ -338,8 +419,13 @@ jobs:
with:
images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGE_PREFIX }}${{ matrix.component }}
tags: |
type=ref,event=branch,prefix=${{ steps.base_os_tag.outputs.os_tag }}-
type=ref,event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }}
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ steps.base_os_tag.outputs.os_tag }}-
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ steps.base_os_tag.outputs.os_tag }}
type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,prefix=${{ steps.base_os_tag.outputs.os_tag }}-,suffix=-latest
type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }}-latest
type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{ steps.base_os_tag.outputs.os_tag }}-latest
type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ steps.base_os_tag.outputs.os_tag }}-
type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }}
flavor: |
latest=false