diff --git a/.github/workflows/images_build_windows.yml b/.github/workflows/images_build_windows.yml index 322f93d3d..135b92918 100644 --- a/.github/workflows/images_build_windows.yml +++ b/.github/workflows/images_build_windows.yml 
@@ -20,45 +20,65 @@ defaults: shell: pwsh env: + AUTO_PUSH_IMAGES: ${{ secrets.AUTO_PUSH_IMAGES }} + DOCKER_REPOSITORY: "zabbix" LATEST_BRANCH: ${{ github.event.repository.default_branch }} IMAGE_PREFIX: "zabbix-" + BASE_BUILD_NAME: "build-base" COMPONENT_BASE_BUILD_NAME: "build-mysql" - AUTO_PUSH_IMAGES: ${{ secrets.AUTO_PUSH_IMAGES }} + + MATRIX_FILE: "build.json" + DOCKERFILES_DIRECTORY: "./Dockerfiles" + + OIDC_ISSUER: "https://token.actions.githubusercontent.com" + IDENITY_REGEX: "https://github.com/zabbix/zabbix-docker/.github/" jobs: init_build: name: Initialize build runs-on: ubuntu-latest + permissions: + contents: read outputs: os: ${{ steps.os.outputs.list }} components: ${{ steps.components.outputs.list }} is_default_branch: ${{ steps.branch_info.outputs.is_default_branch }} + current_branch: ${{ steps.branch_info.outputs.current_branch }} + sha_short: ${{ steps.branch_info.outputs.sha_short }} steps: - - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + - name: Block egress traffic + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 with: - egress-policy: audit + disable-sudo: true + egress-policy: block + allowed-endpoints: > + github.com:443 - name: Checkout repository uses: actions/checkout@v4 with: fetch-depth: 1 + sparse-checkout: ${{ env.MATRIX_FILE }} - - name: Check build.json file + - name: Check ${{ env.MATRIX_FILE }} file id: build_exists - shell: bash + env: + MATRIX_FILE: ${{ env.MATRIX_FILE }} run: | - if [[ ! -f "./build.json" ]]; then - echo "::error::File build.json is missing" + if [[ ! 
-f "$MATRIX_FILE" ]]; then + echo "::error::File $MATRIX_FILE is missing" exit 1 fi - name: Prepare Operating System list id: os shell: bash + env: + MATRIX_FILE: ${{ env.MATRIX_FILE }} run: | - os_list=$(jq -r '.["os-windows"] | keys | [ .[] | tostring ] | @json' "./build.json") + os_list=$(jq -r '.["os-windows"] | keys | [ .[] | tostring ] | @json' "$MATRIX_FILE") echo "list=$os_list" >> $GITHUB_OUTPUT @@ -73,8 +93,10 @@ jobs: - name: Get branch info id: branch_info shell: bash + env: + LATEST_BRANCH: ${{ env.LATEST_BRANCH }} + github_ref: ${{ github.ref }} run: | - github_ref="${{ github.ref }}" result=false if [[ "$github_ref" == "refs/tags/"* ]]; then @@ -83,10 +105,12 @@ jobs: github_ref=${github_ref##*/} - if [[ "$github_ref" == "${{ env.LATEST_BRANCH }}" ]]; then + if [[ "$github_ref" == "$LATEST_BRANCH" ]]; then result=true fi echo "is_default_branch=$result" >> $GITHUB_OUTPUT + echo "current_branch=$github_ref" >> $GITHUB_OUTPUT + echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT build_base: timeout-minutes: 70 @@ -102,7 +126,8 @@ jobs: runs-on: ${{ matrix.os }} steps: - - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + - name: Block egress traffic + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 with: egress-policy: audit @@ -111,6 +136,14 @@ jobs: with: fetch-depth: 1 + - name: Install cosign + uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 + with: + cosign-release: 'v2.2.3' + + - name: Check cosign version + run: cosign version + - name: Login to DockerHub run: | docker login -u ${{ secrets.DOCKER_USERNAME }} -p ${{ secrets.DOCKER_PASSWORD }} 
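Review bot: The `Check ${{ env.MATRIX_FILE }} file` step drops its `shell: bash` line while its script still uses bash syntax (`if [[ ! -f "$MATRIX_FILE" ]]; then`), so under the workflow default `shell: pwsh` shown at the top of this hunk the step should fail; restore `shell: bash` next to the new `env:` block, as the `Prepare Operating System list` step still has it. Separately, the new `IDENITY_REGEX` key is misspelled, so any later `${{ env.IDENTITY_REGEX }}` reference (presumably a signature-verification step, not visible here) would expand to an empty string; rename it to `IDENTITY_REGEX`. As a regular expression the value is also unanchored and its dots are unescaped, which matches more identities than the comment-free literal suggests; `IDENTITY_REGEX: "^https://github\\.com/zabbix/zabbix-docker/\\.github/"` pins it to the intended repository path.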
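Review bot: The harden-runner step in build_base is renamed `Block egress traffic` but keeps `egress-policy: audit`, so the step name now overstates what it does; the same mismatch is repeated in the `@@ -203,12` and `@@ -315,11` hunks. Either move these jobs to `egress-policy: block` with an `allowed-endpoints` list, as init_build now does (whether harden-runner enforces a policy on the `runs-on: ${{ matrix.os }}` Windows runners these jobs use should be confirmed first), or use a name that matches the configured policy, e.g. `- name: Audit egress traffic`.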
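Review bot: `uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4` is pinned by commit SHA but, unlike the harden-runner pin in the same job, carries no version comment, so a reviewer cannot tell which release the pin corresponds to and update tooling that reads `# vX.Y.Z` trailers will not track it; add `# v<RELEASE-TAG — TODO fill from the tag this SHA resolves to>` after the `uses:` line. The same uncommented pin appears in the `@@ -203,12` and `@@ -315,11` hunks. `cosign-release: 'v2.2.3'` selects the cosign binary independently of the action pin, and the following `Check cosign version` step only prints it; if it is meant as a guard it should compare the output against the expected release rather than just echo it.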
@@ -118,8 +151,11 @@ jobs: - name: Base OS tag id: base_os_tag + env: + MATRIX_OS: ${{ matrix.os }} + MATRIX_FILE: ${{ env.MATRIX_FILE }} run: | - $os_tag=$(Get-Content -Path .\build.json | ConvertFrom-Json).'os-windows'.'${{ matrix.os }}' + $os_tag=$(Get-Content -Path $Env:MATRIX_FILE | ConvertFrom-Json).'os-windows'.'$Env:MATRIX_OS' echo "os_tag=$os_tag" >> $Env:GITHUB_OUTPUT - name: Generate tags 
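Review bot: `.'$Env:MATRIX_OS'` on the new `$os_tag=` line is a single-quoted PowerShell string, which does not expand variables, so the property lookup asks for a key literally named `$Env:MATRIX_OS` and `os_tag` comes out empty; the old line only worked because `${{ matrix.os }}` was substituted by GitHub before pwsh ever saw the quotes. Use double quotes: `$os_tag=$(Get-Content -Path $Env:MATRIX_FILE | ConvertFrom-Json).'os-windows'."$Env:MATRIX_OS"`. Every tag and the `BUILD_BASE_IMAGE` build argument later in this job depend on this value, so a check right after it, `if (-not $os_tag) { throw "No os-windows entry for $Env:MATRIX_OS in $Env:MATRIX_FILE" }`, would fail the job early instead of producing images tagged with an empty OS component.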
@@ -128,26 +164,39 @@ jobs: with: images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGE_PREFIX }}${{ env.BASE_BUILD_NAME }} tags: | - type=ref,event=branch,prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}- - type=ref,event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }},prefix=${{ matrix.component }}- + type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}- + type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ steps.base_os_tag.outputs.os_tag }},prefix=${{ matrix.component }}- + type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-,suffix=-latest + type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }}-latest,prefix=${{ matrix.component }}- + type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-latest + type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}- + type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }},prefix=${{ matrix.component }}- flavor: | latest=false - name: Build image id: docker_build + env: + DOCKERFILES_DIRECTORY: ${{ env.DOCKERFILES_DIRECTORY }} + BASE_BUILD_NAME: ${{ env.BASE_BUILD_NAME }} + MATRIX_COMPONENT: ${{ matrix.component }} + TAGS: ${{ steps.meta.outputs.tags }} + BASE_OS_TAG: ${{ steps.base_os_tag.outputs.os_tag }} + LABEL_REVISION: ${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} + 
LABEL_CREATED: ${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} run: | - $context='.\Dockerfiles\${{ env.BASE_BUILD_NAME }}\windows\' - $dockerfile= $context + 'Dockerfile.${{ matrix.component }}' + $context="$Env:DOCKERFILES_DIRECTORY\$Env:BASE_BUILD_NAME\windows\" + $dockerfile= $context + 'Dockerfile.' + $Env:MATRIX_COMPONENT # Can not build on GitHub due existing symlink. Must be removed before build process Remove-Item -ErrorAction Ignore -Force -Path $context\README.md - $tags_array=$( "${{ steps.meta.outputs.tags }}".Split("`r`n") ) + $tags_array=$( "$Env:TAGS".Split("`r`n") ) $tags=$( $tags_array | Foreach-Object { "--tag=$_" } ) echo "docker build --file=$dockerfile $tags $context" - docker build --label org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} ` - --label org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} ` - --build-arg=BUILD_BASE_IMAGE=mcr.microsoft.com/windows/servercore:${{ steps.base_os_tag.outputs.os_tag }} ` + docker build --label org.opencontainers.image.revision=$Env:LABEL_REVISION ` + --label org.opencontainers.image.created=$Env:LABEL_CREATED ` + --build-arg=BUILD_BASE_IMAGE=mcr.microsoft.com/windows/servercore:$Env:BASE_OS_TAG ` --file=$dockerfile ` $tags ` $context 
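Review bot: The seven new `enable=${{ needs.init_build.outputs.current_branch != 'trunk' }}` / `== 'trunk'` expressions in the `tags:` block are repeated verbatim in the `@@ -227,8` and `@@ -338,8` hunks, so the branch-naming rule now lives in 21 places; computing one `is_trunk` output in init_build's `Get branch info` step would reduce each line to `enable=${{ needs.init_build.outputs.is_trunk != 'true' }}` and keep the three tag blocks in sync. In the `Build image` step, `$context="$Env:DOCKERFILES_DIRECTORY\$Env:BASE_BUILD_NAME\windows\"` mixes the `./` from `DOCKERFILES_DIRECTORY` with backslashes; Windows tolerates the result, but `$context=Join-Path $Env:DOCKERFILES_DIRECTORY "$Env:BASE_BUILD_NAME\windows\"` states the intent without relying on that.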
@@ -166,14 +215,18 @@ jobs: - name: Image digest if: ${{ env.AUTO_PUSH_IMAGES }} + env: + TAGS: ${{ steps.meta.outputs.tags }} + BASE_BUILD_ARTIFACT_FILE_SUFFIX: {{ env.BASE_BUILD_ARTIFACT_FILE_SUFFIX }} + BASE_BUILD_NAME: ${{ env.BASE_BUILD_NAME }} run: | - $tags_array=$( "${{ steps.meta.outputs.tags }}".Split("`r`n") ) + $tags_array=$( "$Env:TAGS".Split("`r`n") ) $digest=$(docker inspect $tags_array[0] --format "{{ index .RepoDigests 0}}").Split('@')[-1] if (-not $?) {throw "Failed"} echo $digest - $digest | Set-Content -Path ${{ env.BASE_BUILD_NAME }}${{ env.BASE_BUILD_ARTIFACT_FILE_SUFFIX }} + $digest | Set-Content -Path $Env:BASE_BUILD_NAME$Env:BASE_BUILD_ARTIFACT_FILE_SUFFIX - name: Upload SHA256 tag if: ${{ env.AUTO_PUSH_IMAGES }} @@ -203,12 +256,23 @@ jobs: runs-on: ${{ matrix.os }} steps: - - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + - name: Block egress traffic + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 with: egress-policy: audit - name: Checkout repository uses: actions/checkout@v4 + with: + fetch-depth: 1 + + - name: Install cosign + uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 + with: + cosign-release: 'v2.2.3' + + - name: Check cosign version + run: cosign version - name: Login to DockerHub run: | 
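Review bot: `BASE_BUILD_ARTIFACT_FILE_SUFFIX: {{ env.BASE_BUILD_ARTIFACT_FILE_SUFFIX }}` in the `Image digest` step's new `env:` block is missing the leading `$`, so YAML parses the value as a flow mapping rather than an expression and the workflow file is rejected at load time (or, if a loader were lenient, the suffix would be empty and the digest would be written to a file named only by `BASE_BUILD_NAME`); it should read `BASE_BUILD_ARTIFACT_FILE_SUFFIX: ${{ env.BASE_BUILD_ARTIFACT_FILE_SUFFIX }}`. The `Set-Content -Path $Env:BASE_BUILD_NAME$Env:BASE_BUILD_ARTIFACT_FILE_SUFFIX` argument on the last changed line would also read more safely as a single double-quoted string, `-Path "$Env:BASE_BUILD_NAME$Env:BASE_BUILD_ARTIFACT_FILE_SUFFIX"`, so the concatenation does not depend on pwsh argument-mode parsing.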
@@ -227,8 +291,13 @@ jobs: with: images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGE_PREFIX }}${{ env.COMPONENT_BASE_BUILD_NAME }} tags: | - type=ref,event=branch,prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}- - type=ref,event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }},prefix=${{ matrix.component }}- + type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}- + type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ steps.base_os_tag.outputs.os_tag }},prefix=${{ matrix.component }}- + type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-,suffix=-latest + type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }}-latest,prefix=${{ matrix.component }}- + type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-latest + type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}- + type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }},prefix=${{ matrix.component }}- flavor: | latest=false 
@@ -315,11 +384,23 @@ jobs: runs-on: ${{ matrix.os }} steps: - - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + - name: Block egress traffic + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 with: egress-policy: audit - - uses: actions/checkout@v4 + - name: Checkout repository + uses: actions/checkout@v4 + with: + fetch-depth: 1 + + - name: Install cosign + uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 + with: + cosign-release: 'v2.2.3' + + - name: Check cosign version + run: cosign version - name: Login to DockerHub run: | @@ -338,8 +419,13 @@ jobs: with: images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGE_PREFIX }}${{ matrix.component }} tags: | - type=ref,event=branch,prefix=${{ steps.base_os_tag.outputs.os_tag }}- - type=ref,event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }} + type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ steps.base_os_tag.outputs.os_tag }}- + type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ steps.base_os_tag.outputs.os_tag }} + type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,prefix=${{ steps.base_os_tag.outputs.os_tag }}-,suffix=-latest + type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }}-latest + type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{ steps.base_os_tag.outputs.os_tag }}-latest + type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ steps.base_os_tag.outputs.os_tag }}- + type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }} flavor: | latest=false