From 017a856203f6d344c72ded9fed2def71bc25fbdf Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Mon, 12 Feb 2024 00:21:31 +0900 Subject: [PATCH] Prepare universal workflow --- .github/workflows/Azure.yml | 145 ----- .github/workflows/images_build.yml | 719 +++++++++++++++++--- .github/workflows/images_build_rhel.yml | 357 ++++++++-- .github/workflows/images_build_windows.yml | 723 ++++++++++++++++----- 4 files changed, 1480 insertions(+), 464 deletions(-) delete mode 100644 .github/workflows/Azure.yml diff --git a/.github/workflows/Azure.yml b/.github/workflows/Azure.yml deleted file mode 100644 index 57da239be..000000000 --- a/.github/workflows/Azure.yml +++ /dev/null @@ -1,145 +0,0 @@ -name: Azure - -on: - release: - types: - - published - push: - branches: - - '5.0' - - '5.4' - - 'trunk' - paths-ignore: - - '.env*' - - 'docker-compose*.yaml' - - '*/rhel/*' - - "**.md" - -defaults: - run: - shell: bash - -jobs: - build: - timeout-minutes: 70 - strategy: - fail-fast: false - matrix: - build: - - agent - - agent2 - - java-gateway - - proxy-mysql - - proxy-sqlite3 - - server-mysql - - server-pgsql - - snmptraps - - web-apache-mysql - - web-apache-pgsql - - web-nginx-mysql - - web-nginx-pgsql - os: - - alpine - - ubuntu - - ol - - runs-on: ubuntu-20.04 - steps: - - - uses: actions/checkout@v2 - - - - name: Set up QEMU - uses: docker/setup-qemu-action@v1 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v1 - - - name: Login to Azure Container Registry - uses: docker/login-action@v1 - with: - registry: ${{ secrets.azure_registry }}.azurecr.io - username: ${{ secrets.AZURE_USERNAME }} - password: ${{ secrets.AZURE_PASSWORD }} - - - name: Prepare platform list - id: platform - run: | - DOCKER_PLATFORM="linux/amd64,linux/arm64" - echo ::set-output name=list::${DOCKER_PLATFORM} - - - name: Prepare environment (push) - if: github.event_name == 'push' - id: prepare_push - run: | - TAGS_ARRAY=() - - IMAGE_NAME="${{ secrets.azure_registry }}.azurecr.io/${{ matrix.os }}/zabbix-${{ matrix.build }}" - GIT_BRANCH="${GITHUB_REF##*/}" - - if [ "${GIT_BRANCH}" == "trunk" ]; then - TAGS_ARRAY+=("$IMAGE_NAME:trunk") - else - GIT_BRANCH=`expr "${GIT_BRANCH}" : '\([0-9]*\.[0-9]*\).*'` - TAGS_ARRAY+=("$IMAGE_NAME:v${GIT_BRANCH}") - fi - - echo "::debug::Branch - ${GIT_BRANCH}" - - TAGS=$(printf -- "%s, " "${TAGS_ARRAY[@]}") - - echo "::debug::Tags - ${TAGS}" - - echo ::set-output name=image_name::${IMAGE_NAME} - echo ::set-output name=image_tag_versions::$(printf -- "%s," "${TAGS_ARRAY[@]}") - - - name: Prepare environment (release) - if: github.event_name == 'release' && github.event.action == 'published' - id: prepare_release - run: | - TAGS_ARRAY=() - - IMAGE_NAME="${{ secrets.azure_registry }}.azurecr.io/${{ matrix.os }}/zabbix-${{ matrix.build }}" - RELEASE_VERSION=${GITHUB_REF##*/} - GIT_BRANCH="${GITHUB_REF##*/}" - GIT_BRANCH=`expr "${GIT_BRANCH}" : '\([0-9]*\.[0-9]*\).*'` - - echo "::debug::Release version ${RELEASE_VERSION}. Branch ${GIT_BRANCH}" - - TAGS_ARRAY+=("$IMAGE_NAME:v${RELEASE_VERSION}") - - TAGS=$(printf -- "--tag %s " "${TAGS_ARRAY[@]}") - - echo ::set-output name=image_name::${IMAGE_NAME} - echo ::set-output name=image_tag_versions::$(printf -- ",%s" "${TAGS_ARRAY[@]}") - - - name: Prepare tags - id: prepare_tags - run: | - if [ ! -z "${{ steps.prepare_push.outputs.image_tag_versions }}" ]; then - TAGS="${{ steps.prepare_push.outputs.image_tag_versions }}" - IMAGE_NAME="${{ steps.prepare_push.outputs.image_name }}" - elif [ ! -z "${{ steps.prepare_release.outputs.image_tag_versions }}" ]; then - TAGS="${{ steps.prepare_release.outputs.image_tag_versions }}" - IMAGE_NAME="${{ steps.prepare_release.outputs.image_name }}" - else - exit 1 - fi - - echo ::set-output name=image_tag_versions::${TAGS} - echo ::set-output name=image_name::${IMAGE_NAME} - - - - name: Build and push - id: docker_build - uses: docker/build-push-action@v2 - with: - context: ./${{ matrix.build }}/${{ matrix.os }} - file: ./${{ matrix.build }}/${{ matrix.os }}/Dockerfile - platforms: ${{ steps.platform.outputs.list }} - push: ${{ secrets.AUTO_PUSH_IMAGES }} - tags: ${{ steps.prepare_tags.outputs.image_tag_versions }} - - - - name: Image digest - run: echo ${{ steps.docker_build.outputs.digest }} diff --git a/.github/workflows/images_build.yml b/.github/workflows/images_build.yml index d6592527b..1cb5e0822 100644 --- a/.github/workflows/images_build.yml +++ b/.github/workflows/images_build.yml @@ -6,9 +6,7 @@ on: - published push: branches: - - '5.0' - - '6.0' - - '6.4' + - '[0-9]+.[0-9]+' - 'trunk' paths: - 'Dockerfiles/**' @@ -17,72 +15,130 @@ on: - '!Dockerfiles/*/rhel/*' - '!Dockerfiles/*/windows/*' - '.github/workflows/images_build.yml' + schedule: + - cron: '50 02 * * *' + workflow_dispatch: defaults: run: shell: bash env: - DOCKER_REPOSITORY: "zabbix" + TRUNK_ONLY_EVENT: ${{ contains(fromJSON('["schedule"]'), github.event_name) }} + AUTO_PUSH_IMAGES: ${{ vars.AUTO_PUSH_IMAGES }} + + DOCKER_REPOSITORY: ${{ vars.DOCKER_REPOSITORY }} LATEST_BRANCH: ${{ github.event.repository.default_branch }} + TRUNK_GIT_BRANCH: "refs/heads/trunk" + IMAGES_PREFIX: "zabbix-" + BASE_BUILD_NAME: "build-base" + MATRIX_FILE: "build.json" + DOCKERFILES_DIRECTORY: "./Dockerfiles" + + OIDC_ISSUER: "https://token.actions.githubusercontent.com" + IDENITY_REGEX: "https://github.com/zabbix/zabbix-docker/.github/" + jobs: init_build: name: Initialize build runs-on: ubuntu-latest + permissions: + contents: read outputs: os: ${{ steps.os.outputs.list }} database: ${{ steps.database.outputs.list }} components: ${{ steps.components.outputs.list }} is_default_branch: ${{ steps.branch_info.outputs.is_default_branch }} + current_branch: ${{ steps.branch_info.outputs.current_branch }} + sha_short: ${{ steps.branch_info.outputs.sha_short }} steps: + - name: Block egress traffic + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + github.com:443 + - name: Checkout repository uses: actions/checkout@v4 with: + ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }} fetch-depth: 1 + sparse-checkout: ${{ env.MATRIX_FILE }} - - name: Check build.json file + - name: Check ${{ env.MATRIX_FILE }} file id: build_exists + env: + MATRIX_FILE: ${{ env.MATRIX_FILE }} run: | - if [[ ! -f "./build.json" ]]; then - echo "::error::File build.json is missing" + if [[ ! -f "$MATRIX_FILE" ]]; then + echo "::error::File $MATRIX_FILE is missing" exit 1 fi - name: Prepare Operating System list id: os + env: + MATRIX_FILE: ${{ env.MATRIX_FILE }} run: | - os_list=$(jq -r '.["os-linux"] | keys | [ .[] | tostring ] | @json' "./build.json") + os_list=$(jq -r '.["os-linux"] | keys | [ .[] | tostring ] | @json' "$MATRIX_FILE") + + echo "::group::Operating System List" + echo "$os_list" + echo "::endgroup::" echo "list=$os_list" >> $GITHUB_OUTPUT - name: Prepare Platform list id: platform_list + env: + MATRIX_FILE: ${{ env.MATRIX_FILE }} run: | - platform_list=$(jq -r '.["os-linux"] | tostring | @json' "./build.json") + platform_list=$(jq -r '.["os-linux"] | tostring | @json' "$MATRIX_FILE") + + echo "::group::Platform List" + echo "$platform_list" + echo "::endgroup::" echo "list=$platform_list" >> $GITHUB_OUTPUT - name: Prepare Database engine list id: database + env: + MATRIX_FILE: ${{ env.MATRIX_FILE }} run: | - database_list=$(jq -r '[.components | values[] ] | sort | unique | del(.. | select ( . == "" ) ) | [ .[] | tostring ] | @json' "./build.json") + database_list=$(jq -r '[.components | values[] ] | sort | unique | del(.. | select ( . == "" ) ) | [ .[] | tostring ] | @json' "$MATRIX_FILE") + + echo "::group::Database List" + echo "$database_list" + echo "::endgroup::" echo "list=$database_list" >> $GITHUB_OUTPUT - name: Prepare Zabbix component list id: components + env: + MATRIX_FILE: ${{ env.MATRIX_FILE }} run: | - component_list=$(jq -r '.components | keys | [ .[] | tostring ] | @json' "./build.json") + component_list=$(jq -r '.components | keys | [ .[] | tostring ] | @json' "$MATRIX_FILE") + + echo "::group::Zabbix Component List" + echo "$component_list" + echo "::endgroup::" echo "list=$component_list" >> $GITHUB_OUTPUT - name: Get branch info id: branch_info + env: + LATEST_BRANCH: ${{ env.LATEST_BRANCH }} + github_ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || github.ref }} run: | - github_ref="${{ github.ref }}" result=false + sha_short=$(git rev-parse --short HEAD) if [[ "$github_ref" == "refs/tags/"* ]]; then github_ref=${github_ref%.*} @@ -90,13 +146,22 @@ jobs: github_ref=${github_ref##*/} - if [[ "$github_ref" == "${{ env.LATEST_BRANCH }}" ]]; then + if [[ "$github_ref" == "$LATEST_BRANCH" ]]; then result=true fi - echo "is_default_branch=$result" >> $GITHUB_OUTPUT + + echo "::group::Branch data" + echo "is_default_branch - $result" + echo "current_branch - $github_ref" + echo "sha_short - $sha_short" + echo "::endgroup::" + + echo "is_default_branch=$result" >> $GITHUB_OUTPUT + echo "current_branch=$github_ref" >> $GITHUB_OUTPUT + echo "sha_short=$sha_short" >> $GITHUB_OUTPUT build_base: - timeout-minutes: 120 + timeout-minutes: 30 name: Build base on ${{ matrix.os }} needs: init_build strategy: @@ -105,12 +170,112 @@ jobs: os: ${{ fromJson(needs.init_build.outputs.os) }} runs-on: ubuntu-latest + permissions: + contents: read + id-token: write steps: + - name: Block egress traffic + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + archive.ubuntu.com:80 + atl.mirrors.knownhost.com:443 + atl.mirrors.knownhost.com:80 + auth.docker.io:443 + cdn03.quay.io:443 + centos-stream-distro.1gservers.com:443 + centos-stream-distro.1gservers.com:80 + dfw.mirror.rackspace.com:443 + dfw.mirror.rackspace.com:80 + dl-cdn.alpinelinux.org:443 + download.cf.centos.org:443 + download.cf.centos.org:80 + epel.mirror.constant.com:443 + ftp-nyc.osuosl.org:443 + ftp-nyc.osuosl.org:80 + ftp-osl.osuosl.org:443 + ftp-osl.osuosl.org:80 + ftp.plusline.net:443 + ftp.plusline.net:80 + ftpmirror.your.org:80 + fulcio.sigstore.dev:443 + github.com:443 + iad.mirror.rackspace.com:443 + iad.mirror.rackspace.com:80 + index.docker.io:443 + lesnet.mm.fcix.net:443 + mirror-mci.yuki.net.uk:443 + mirror-mci.yuki.net.uk:80 + mirror.arizona.edu:443 + mirror.arizona.edu:80 + mirror.dogado.de:443 + mirror.dogado.de:80 + mirror.facebook.net:443 + mirror.facebook.net:80 + mirror.fcix.net:443 + mirror.hoobly.com:443 + mirror.math.princeton.edu:443 + mirror.netzwerge.de:443 + mirror.pilotfiber.com:443 + mirror.pilotfiber.com:80 + mirror.rackspace.com:443 + mirror.rackspace.com:80 + mirror.scaleuptech.com:443 + mirror.scaleuptech.com:80 + mirror.servaxnet.com:443 + mirror.servaxnet.com:80 + mirror.siena.edu:80 + mirror.stream.centos.org:443 + mirror.stream.centos.org:80 + mirror.team-cymru.com:443 + mirror.team-cymru.com:80 + mirror1.hs-esslingen.de:443 + mirrors.centos.org:443 + mirrors.fedoraproject.org:443 + mirrors.fedoraproject.org:80 + mirrors.iu13.net:80 + mirrors.mit.edu:443 + mirrors.ocf.berkeley.edu:443 + mirrors.ocf.berkeley.edu:80 + mirrors.sonic.net:443 + mirrors.wcupa.edu:443 + mirrors.wcupa.edu:80 + mirrors.xtom.de:80 + na.edge.kernel.org:443 + nocix.mm.fcix.net:443 + oauth2.sigstore.dev:443 + objects.githubusercontent.com:443 + ports.ubuntu.com:80 + production.cloudflare.docker.com:443 + quay.io:443 + registry-1.docker.io:443 + rekor.sigstore.dev:443 + repo.ialab.dsu.edu:443 + repos.eggycrew.com:443 + repos.eggycrew.com:80 + security.ubuntu.com:80 + tuf-repo-cdn.sigstore.dev:443 + uvermont.mm.fcix.net:443 + yum.oracle.com:443 + ziply.mm.fcix.net:443 + - name: Checkout repository uses: actions/checkout@v4 with: + ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }} fetch-depth: 1 + - name: Install cosign + uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 + with: + cosign-release: 'v2.2.3' + + - name: Check cosign version + run: cosign version + - name: Set up QEMU uses: docker/setup-qemu-action@v3 with: @@ -130,65 +295,147 @@ jobs: - name: Prepare Platform list id: platform + env: + MATRIX_OS: ${{ matrix.os }} + MATRIX_FILE: ${{ env.MATRIX_FILE }} run: | - platform_list=$(jq -r '.["os-linux"].${{ matrix.os }} | join(",")' "./build.json") + platform_list=$(jq -r ".[\"os-linux\"].$MATRIX_OS | join(\",\")" "$MATRIX_FILE") platform_list="${platform_list%,}" + echo "::group::Platform List" + echo "$platform_list" + echo "::endgroup::" + echo "list=$platform_list" >> $GITHUB_OUTPUT - name: Generate tags id: meta uses: docker/metadata-action@v5 with: - images: ${{ env.DOCKER_REPOSITORY }}/zabbix-${{ env.BASE_BUILD_NAME }} + images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ env.BASE_BUILD_NAME }} + context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} tags: | - type=semver,pattern={{version}},prefix=${{ matrix.os }}- - type=semver,pattern={{version}},suffix=-${{ matrix.os }} - type=ref,event=branch,prefix=${{ matrix.os }}-,suffix=-latest - type=ref,event=branch,suffix=-${{ matrix.os }}-latest - type=raw,enable=${{ (needs.init_build.outputs.is_default_branch == 'true') && ( github.event_name == 'push' ) }},value=${{matrix.os}}-latest + type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}- + type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ matrix.os }} + type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,prefix=${{ matrix.os }}-,suffix=-latest + type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,suffix=-${{ matrix.os }}-latest + type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{matrix.os}}-latest + type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.os }}- + type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,suffix=-${{ matrix.os }} flavor: | - latest=${{ (matrix.os == 'alpine') && ( github.event_name == 'push' ) && ( needs.init_build.outputs.is_default_branch == 'true' ) }} + latest=${{ (needs.init_build.outputs.current_branch != 'trunk') && (matrix.os == 'alpine') && ( needs.init_build.outputs.is_default_branch == 'true' ) }} - - name: Build ${{ env.BASE_BUILD_NAME }}/${{ matrix.os }} and push + - name: Build and publish image id: docker_build uses: docker/build-push-action@v5 with: - context: ./Dockerfiles/${{ env.BASE_BUILD_NAME }}/${{ matrix.os }} - file: ./Dockerfiles/${{ env.BASE_BUILD_NAME }}/${{ matrix.os }}/Dockerfile + context: ${{ env.DOCKERFILES_DIRECTORY }}/${{ env.BASE_BUILD_NAME }}/${{ matrix.os }} + file: ${{ env.DOCKERFILES_DIRECTORY }}/${{ env.BASE_BUILD_NAME }}/${{ matrix.os }}/Dockerfile platforms: ${{ steps.platform.outputs.list }} - push: ${{ secrets.AUTO_PUSH_IMAGES }} + push: ${{ env.AUTO_PUSH_IMAGES }} tags: ${{ steps.meta.outputs.tags }} labels: | org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} + cache-from: | + type=gha,scope=${{ fromJSON(steps.meta.outputs.json).tags[0] }} + type=registry,ref=docker.io/${{ fromJSON(steps.meta.outputs.json).tags[0] }} + cache-to: type=gha,mode=max,scope=${{ fromJSON(steps.meta.outputs.json).tags[0] }} + + - name: Sign the images with GitHub OIDC Token + env: + DIGEST: ${{ steps.docker_build.outputs.digest }} + TAGS: ${{ steps.meta.outputs.tags }} + run: | + images="" + for tag in ${TAGS}; do + images+="${tag}@${DIGEST} " + done + + echo "::group::Images to sign" + echo "$images" + echo "::endgroup::" + + echo "::group::Signing" + echo "cosign sign --yes $images" + cosign sign --yes ${images} + echo "::endgroup::" - name: Image digest + env: + DIGEST: ${{ steps.docker_build.outputs.digest }} + CACHE_FILE_NAME: ${{ env.BASE_BUILD_NAME }}_${{ matrix.os }} run: | - echo ${{ steps.docker_build.outputs.digest }} - echo "${{ steps.docker_build.outputs.digest }}" > ${{ env.BASE_BUILD_NAME }}_${{ matrix.os }} + echo "::group::Image digest" + echo "$DIGEST" + echo "::endgroup::" + echo "::group::Cache file name" + echo "$CACHE_FILE_NAME" + echo "::endgroup::" - - name: Upload SHA256 tag - uses: actions/upload-artifact@v4 + echo "$DIGEST" > "$CACHE_FILE_NAME" + + - name: Cache image digest + uses: actions/cache@v4 with: - name: ${{ env.BASE_BUILD_NAME }}_${{ matrix.os }} - path: ${{ env.BASE_BUILD_NAME }}_${{ matrix.os }} - if-no-files-found: error + path: ${{ env.BASE_BUILD_NAME }}_${{ matrix.os }} + key: ${{ env.BASE_BUILD_NAME }}-${{ matrix.os }}-${{ github.run_id }} build_base_database: timeout-minutes: 180 needs: [ "build_base", "init_build"] name: Build ${{ matrix.build }} base on ${{ matrix.os }} strategy: - fail-fast: false + fail-fast: false matrix: build: ${{ fromJson(needs.init_build.outputs.database) }} os: ${{ fromJson(needs.init_build.outputs.os) }} runs-on: ubuntu-latest + permissions: + contents: read + id-token: write steps: + - name: Block egress traffic + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + auth.docker.io:443 + git.zabbix.com:443 + github.com:443 + go.googlesource.com:443 + go.mongodb.org:443 + golang.org:443 + google.golang.org:443 + gopkg.in:443 + index.docker.io:443 + noto-website.storage.googleapis.com:443 + production.cloudflare.docker.com:443 + proxy.golang.org:443 + registry-1.docker.io:443 + storage.googleapis.com:443 + fulcio.sigstore.dev:443 + oauth2.sigstore.dev:443 + objects.githubusercontent.com:443 + tuf-repo-cdn.sigstore.dev:443 + rekor.sigstore.dev:443 + - name: Checkout repository uses: actions/checkout@v4 + with: + ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }} + fetch-depth: 1 + + - name: Install cosign + uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 + with: + cosign-release: 'v2.2.3' + + - name: Check cosign version + run: cosign version - name: Set up QEMU uses: docker/setup-qemu-action@v3 @@ -209,65 +456,135 @@ jobs: - name: Prepare Platform list id: platform + env: + MATRIX_OS: ${{ matrix.os }} + MATRIX_FILE: ${{ env.MATRIX_FILE }} run: | - platform_list=$(jq -r '.["os-linux"].${{ matrix.os }} | join(",")' "./build.json") + platform_list=$(jq -r ".[\"os-linux\"].$MATRIX_OS | join(\",\")" "$MATRIX_FILE") platform_list="${platform_list%,}" + echo "::group::Platform List" + echo "$platform_list" + echo "::endgroup::" + echo "list=$platform_list" >> $GITHUB_OUTPUT - name: Generate tags id: meta uses: docker/metadata-action@v5 with: - images: ${{ env.DOCKER_REPOSITORY }}/zabbix-${{ matrix.build }} + images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ matrix.build }} + context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} tags: | - type=semver,pattern={{version}},prefix=${{ matrix.os }}- - type=semver,pattern={{version}},suffix=-${{ matrix.os }} - type=ref,event=branch,prefix=${{ matrix.os }}-,suffix=-latest - type=ref,event=branch,suffix=-${{ matrix.os }}-latest - type=raw,enable=${{ (needs.init_build.outputs.is_default_branch == 'true') && ( github.event_name == 'push' ) }},value=${{matrix.os}}-latest + type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}- + type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ matrix.os }} + type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,prefix=${{ matrix.os }}-,suffix=-latest + type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,suffix=-${{ matrix.os }}-latest + type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{matrix.os}}-latest + type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.os }}- + type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,suffix=-${{ matrix.os }} flavor: | - latest=${{ (matrix.os == 'alpine') && ( github.event_name == 'push' ) && ( needs.init_build.outputs.is_default_branch == 'true' ) }} + latest=${{ (needs.init_build.outputs.current_branch != 'trunk') && (matrix.os == 'alpine') && ( needs.init_build.outputs.is_default_branch == 'true' ) }} - - name: Download SHA256 tag build-base:${{ matrix.os }} - uses: actions/download-artifact@v4 + - name: Download SHA256 tag of ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }} + uses: actions/cache@v4 with: - name: build-base_${{ matrix.os }} + path: ${{ env.BASE_BUILD_NAME }}_${{ matrix.os }} + key: ${{ env.BASE_BUILD_NAME }}-${{ matrix.os }}-${{ github.run_id }} - - name: Retrieve build-base:${{ matrix.os }} SHA256 tag + - name: Retrieve ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }} SHA256 tag id: base_build + env: + MATRIX_OS: ${{ matrix.os }} + DOCKER_REPOSITORY: ${{ env.DOCKER_REPOSITORY }} + BASE_IMAGE: ${{ env.BASE_BUILD_NAME }} + IMAGES_PREFIX: ${{ env.IMAGES_PREFIX }} run: | - BASE_TAG=$(cat build-base_${{ matrix.os }}) - BUILD_BASE_IMAGE=${{ env.DOCKER_REPOSITORY }}/zabbix-build-base@${BASE_TAG} + BASE_TAG=$(cat "${BASE_IMAGE}_${MATRIX_OS}") + BUILD_BASE_IMAGE="${DOCKER_REPOSITORY}/${IMAGES_PREFIX}${BASE_IMAGE}@${BASE_TAG}" - echo "base_tag=${BASE_TAG}" >> $GITHUB_OUTPUT - echo "base_build_image=${BUILD_BASE_IMAGE}" >> $GITHUB_OUTPUT + echo "::group::Base build image information" + echo "base_tag=${BASE_TAG}" + echo "base_build_image=${BUILD_BASE_IMAGE}" + echo "::endgroup::" + + echo "base_tag=${BASE_TAG}" >> $GITHUB_OUTPUT + echo "base_build_image=${BUILD_BASE_IMAGE}" >> $GITHUB_OUTPUT + + - name: Verify ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }} cosign + env: + BASE_IMAGE: ${{ steps.base_build.outputs.base_build_image }} + OIDC_ISSUER: ${{ env.OIDC_ISSUER }} + IDENITY_REGEX: ${{ env.IDENITY_REGEX }} + run: | + echo "::group::Image sign data" + echo "OIDC issuer=$OIDC_ISSUER" + echo "Identity=$IDENITY_REGEX" + echo "Image to verify=$BASE_IMAGE" + echo "::endgroup::" + + echo "::group::Verify signature" + cosign verify \ + --certificate-oidc-issuer-regexp "$OIDC_ISSUER" \ + --certificate-identity-regexp "$IDENITY_REGEX" \ + "$BASE_IMAGE" + echo "::endgroup::" - name: Build ${{ matrix.build }}/${{ matrix.os }} and push id: docker_build uses: docker/build-push-action@v5 with: - context: ./Dockerfiles/${{ matrix.build }}/${{ matrix.os }} - file: ./Dockerfiles/${{ matrix.build }}/${{ matrix.os }}/Dockerfile + context: ${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/${{ matrix.os }} + file: ${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/${{ matrix.os }}/Dockerfile platforms: ${{ steps.platform.outputs.list }} - push: ${{ secrets.AUTO_PUSH_IMAGES }} + push: ${{ env.AUTO_PUSH_IMAGES }} tags: ${{ steps.meta.outputs.tags }} build-args: BUILD_BASE_IMAGE=${{ steps.base_build.outputs.base_build_image }} labels: | org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} + cache-from: | + type=gha,scope=${{ steps.base_build.outputs.base_build_image }} + type=registry,ref=${{ steps.base_build.outputs.base_build_image }} + cache-to: type=gha,mode=max,scope=${{ fromJSON(steps.meta.outputs.json).tags[0] }} + + - name: Sign the images with GitHub OIDC Token + env: + DIGEST: ${{ steps.docker_build.outputs.digest }} + TAGS: ${{ steps.meta.outputs.tags }} + run: | + images="" + for tag in ${TAGS}; do + images+="${tag}@${DIGEST} " + done + + echo "::group::Images to sign" + echo "$images" + echo "::endgroup::" + + echo "::group::Signing" + echo "cosign sign --yes $images" + cosign sign --yes ${images} + echo "::endgroup::" - name: Image digest + env: + DIGEST: ${{ steps.docker_build.outputs.digest }} + CACHE_FILE_NAME: ${{ matrix.build }}_${{ matrix.os }} run: | - echo ${{ steps.docker_build.outputs.digest }} - echo "${{ steps.docker_build.outputs.digest }}" > ${{ matrix.build }}_${{ matrix.os }} + echo "::group::Image digest" + echo "$DIGEST" + echo "::endgroup::" + echo "::group::Cache file name" + echo "$CACHE_FILE_NAME" + echo "::endgroup::" + echo "$DIGEST" > $CACHE_FILE_NAME - - name: Upload SHA256 tag - uses: actions/upload-artifact@v4 + - name: Caching SHA256 tag of the image + uses: actions/cache@v4 with: - name: ${{ matrix.build }}_${{ matrix.os }} - path: ${{ matrix.build }}_${{ matrix.os }} - if-no-files-found: error + path: ${{ matrix.build }}_${{ matrix.os }} + key: ${{ matrix.build }}-${{ matrix.os }}-${{ github.run_id }} build_images: timeout-minutes: 90 @@ -280,8 +597,141 @@ jobs: os: ${{ fromJson(needs.init_build.outputs.os) }} runs-on: ubuntu-latest + permissions: + contents: read + id-token: write steps: - - uses: actions/checkout@v4 + - name: Block egress traffic + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + auth.docker.io:443 + dl-cdn.alpinelinux.org:443 + github.com:443 + index.docker.io:443 + production.cloudflare.docker.com:443 + registry-1.docker.io:443 + fulcio.sigstore.dev:443 + objects.githubusercontent.com:443 + tuf-repo-cdn.sigstore.dev:443 + rekor.sigstore.dev:443 + api.github.com:443 + atl.mirrors.knownhost.com:443 + atl.mirrors.knownhost.com:80 + auth.docker.io:443 + cdn03.quay.io:443 + centos-stream-distro.1gservers.com:443 + centos-stream-distro.1gservers.com:80 + d2lzkl7pfhq30w.cloudfront.net:443 + epel.mirror.constant.com:80 + forksystems.mm.fcix.net:80 + ftp-nyc.osuosl.org:443 + ftp-nyc.osuosl.org:80 + ftp-osl.osuosl.org:443 + ftp-osl.osuosl.org:80 + ftp.plusline.net:80 + ftpmirror.your.org:80 + github.com:443 + iad.mirror.rackspace.com:443 + index.docker.io:443 + ix-denver.mm.fcix.net:443 + mirror-mci.yuki.net.uk:443 + mirror.23m.com:80 + mirror.arizona.edu:80 + mirror.dal.nexril.net:80 + mirror.de.leaseweb.net:80 + mirror.dogado.de:80 + mirror.facebook.net:80 + mirror.hoobly.com:80 + mirror.math.princeton.edu:80 + mirror.netcologne.de:443 + mirror.netzwerge.de:443 + mirror.pilotfiber.com:443 + mirror.pilotfiber.com:80 + mirror.rackspace.com:443 + mirror.rackspace.com:80 + mirror.scaleuptech.com:443 + mirror.servaxnet.com:443 + mirror.servaxnet.com:80 + mirror.sfo12.us.leaseweb.net:80 + mirror.siena.edu:80 + mirror.steadfastnet.com:80 + mirror.team-cymru.com:443 + mirror.team-cymru.com:80 + mirror.umd.edu:443 + mirror1.hs-esslingen.de:443 + mirrors.centos.org:443 + mirrors.fedoraproject.org:443 + mirrors.iu13.net:443 + mirrors.iu13.net:80 + mirrors.ocf.berkeley.edu:443 + mirrors.sonic.net:80 + mirrors.syringanetworks.net:80 + mirrors.vcea.wsu.edu:80 + mirrors.wcupa.edu:80 + mirrors.xtom.de:80 + na.edge.kernel.org:443 + nnenix.mm.fcix.net:80 + ohioix.mm.fcix.net:80 + production.cloudflare.docker.com:443 + pubmirror1.math.uh.edu:443 + pubmirror3.math.uh.edu:80 + quay.io:443 + registry-1.docker.io:443 + repo.ialab.dsu.edu:80 + repos.eggycrew.com:80 + uvermont.mm.fcix.net:80 + ziply.mm.fcix.net:443 + fulcio.sigstore.dev:443 + objects.githubusercontent.com:443 + tuf-repo-cdn.sigstore.dev:443 + rekor.sigstore.dev:443 + oauth2.sigstore.dev:443 + api.github.com:443 + auth.docker.io:443 + github.com:443 + index.docker.io:443 + production.cloudflare.docker.com:443 + registry-1.docker.io:443 + yum.oracle.com:443 + fulcio.sigstore.dev:443 + objects.githubusercontent.com:443 + tuf-repo-cdn.sigstore.dev:443 + rekor.sigstore.dev:443 + api.github.com:443 + archive.ubuntu.com:80 + auth.docker.io:443 + deb.debian.org:80 + github.com:443 + index.docker.io:443 + keyserver.ubuntu.com:11371 + nginx.org:443 + nginx.org:80 + ports.ubuntu.com:80 + production.cloudflare.docker.com:443 + registry-1.docker.io:443 + security.ubuntu.com:80 + fulcio.sigstore.dev:443 + objects.githubusercontent.com:443 + tuf-repo-cdn.sigstore.dev:443 + rekor.sigstore.dev:443 + + - name: Checkout repository + uses: actions/checkout@v4 + with: + ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }} + fetch-depth: 1 + + - name: Install cosign + uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 + with: + cosign-release: 'v2.2.3' + + - name: Check cosign version + run: cosign version - name: Set up QEMU uses: docker/setup-qemu-action@v3 @@ -302,81 +752,166 @@ jobs: - name: Prepare Platform list id: platform + env: + MATRIX_OS: ${{ matrix.os }} + MATRIX_BUILD: ${{ matrix.build }} + MATRIX_FILE: ${{ env.MATRIX_FILE }} run: | # Chromium on Alpine is available only on linux/amd64, linux/arm64 platforms - if ([ "${{ matrix.os }}" == "alpine" ] || [ "${{ matrix.os }}" == "centos" ]) && [ "${{ matrix.build }}" == "web-service" ]; then + if ([ "$MATRIX_OS" == "alpine" ] || [ "$MATRIX_OS" == "centos" ]) && [ "$MATRIX_BUILD" == "web-service" ]; then platform_list="linux/amd64,linux/arm64" # Chromium on Ubuntu is not available on s390x platform - elif [ "${{ matrix.os }}" == "ubuntu" ] && [ "${{ matrix.build }}" == "web-service" ]; then + elif [ "$MATRIX_OS" == "ubuntu" ] && [ "$MATRIX_BUILD" == "web-service" ]; then platform_list="linux/amd64,linux/arm/v7,linux/arm64" else - platform_list=$(jq -r '.["os-linux"].${{ matrix.os }} | join(",")' "./build.json") + platform_list=$(jq -r ".[\"os-linux\"].\"$MATRIX_OS\" | join(\",\")" "$MATRIX_FILE") fi # Build only Agent and Agent2 on 386 - if [ "${{ matrix.build }}" != "agent"* ]; then + if [ "$MATRIX_BUILD" != "agent"* ]; then platform_list="${platform_list#linux/386,}" fi - # Can not compile Java applications on ppc64le - if [ "${{ matrix.build }}" == "java-gateway" ]; then - platform_list="${platform_list%linux/ppc64le}" - fi - platform_list="${platform_list%,}" + echo "::group::Platform List" + echo "$platform_list" + echo "::endgroup::" + echo "list=$platform_list" >> $GITHUB_OUTPUT - name: Detect Build Base Image id: build_base_image + env: + MATRIX_BUILD: ${{ matrix.build }} + MATRIX_FILE: ${{ env.MATRIX_FILE }} run: | - BUILD_BASE=$(jq -r '.components."${{ matrix.build }}"' "./build.json") + BUILD_BASE=$(jq -r ".components.\"$MATRIX_BUILD\"" "$MATRIX_FILE") - echo "build_base=${BUILD_BASE}" >> $GITHUB_OUTPUT + echo "::group::Base Build Image" + echo "$BUILD_BASE" + echo "::endgroup::" + + echo "build_base=${BUILD_BASE}" >> $GITHUB_OUTPUT - name: Generate tags id: meta uses: docker/metadata-action@v5 with: - images: ${{ env.DOCKER_REPOSITORY }}/zabbix-${{ matrix.build }} + images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX}}${{ matrix.build }} + context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} tags: | - type=semver,pattern={{version}},prefix=${{ matrix.os }}- - type=semver,pattern={{version}},suffix=-${{ matrix.os }} - type=ref,event=branch,prefix=${{ matrix.os }}-,suffix=-latest - type=ref,event=branch,suffix=-${{ matrix.os }}-latest - type=raw,enable=${{ (needs.init_build.outputs.is_default_branch == 'true') && ( github.event_name == 'push' ) }},value=${{matrix.os}}-latest + type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}- + type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ matrix.os }} + type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,prefix=${{ matrix.os }}-,suffix=-latest + type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,suffix=-${{ matrix.os }}-latest + type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{matrix.os}}-latest + type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.os }}- + type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,suffix=-${{ matrix.os }} flavor: | - latest=${{ (matrix.os == 'alpine') && ( github.event_name == 'push' ) && ( needs.init_build.outputs.is_default_branch == 'true' ) }} + latest=${{ (needs.init_build.outputs.current_branch != 'trunk') && (matrix.os == 'alpine') && ( needs.init_build.outputs.is_default_branch == 'true' ) }} - - name: Download SHA256 tag for ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.os }} - uses: actions/download-artifact@v4 + - name: Download SHA256 tag of ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.os }} + uses: actions/cache@v4 if: ${{ matrix.build != 'snmptraps' }} with: - name: ${{ steps.build_base_image.outputs.build_base }}_${{ matrix.os }} + path: ${{ steps.build_base_image.outputs.build_base }}_${{ matrix.os }} + key: ${{ steps.build_base_image.outputs.build_base }}-${{ matrix.os }}-${{ github.run_id }} - name: Retrieve ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.os }} SHA256 tag id: base_build if: ${{ matrix.build != 'snmptraps' }} + env: + BUILD_BASE: ${{ steps.build_base_image.outputs.build_base }} + MATRIX_OS: ${{ matrix.os }} + DOCKER_REPOSITORY: ${{ env.DOCKER_REPOSITORY }} + IMAGES_PREFIX: ${{ env.IMAGES_PREFIX }} run: | - BASE_TAG=$(cat ${{ steps.build_base_image.outputs.build_base }}_${{ matrix.os }}) - BUILD_BASE_IMAGE=${{ env.DOCKER_REPOSITORY }}/zabbix-${{ steps.build_base_image.outputs.build_base }}@${BASE_TAG} + BASE_TAG=$(cat "${BUILD_BASE}_${MATRIX_OS}") + BUILD_BASE_IMAGE=${DOCKER_REPOSITORY}/${IMAGES_PREFIX}${BUILD_BASE}@${BASE_TAG} - echo "base_tag=${BASE_TAG}" >> $GITHUB_OUTPUT - echo "base_build_image=${BUILD_BASE_IMAGE}" >> $GITHUB_OUTPUT + echo "::group::Base build image information" + echo "base_tag=${BASE_TAG}" + echo "base_build_image=${BUILD_BASE_IMAGE}" + echo "::endgroup::" - - name: Build ${{ matrix.build }}/${{ matrix.os }} and push + echo "base_tag=${BASE_TAG}" >> $GITHUB_OUTPUT + echo "base_build_image=${BUILD_BASE_IMAGE}" >> $GITHUB_OUTPUT + + - name: Verify ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.os }} cosign + if: ${{ matrix.build != 'snmptraps' }} + env: + BASE_IMAGE: ${{ steps.base_build.outputs.base_build_image }} + OIDC_ISSUER: ${{ env.OIDC_ISSUER }} + IDENITY_REGEX: ${{ env.IDENITY_REGEX }} + run: | + echo "::group::Image sign data" + echo "OIDC issuer=$OIDC_ISSUER" + echo "Identity=$IDENITY_REGEX" + echo "Image to verify=$BASE_IMAGE" + echo "::endgroup::" + + echo "::group::Verify signature" + cosign verify \ + --certificate-oidc-issuer-regexp "$OIDC_ISSUER" \ + --certificate-identity-regexp "$IDENITY_REGEX" \ + "$BASE_IMAGE" + echo "::endgroup::" + + - name: Prepare cache data + id: cache_data + env: + BASE_IMAGE_TAG: ${{ steps.base_build.outputs.base_build_image }} + run: | + cache_images="" + if [[ ! -z "$BASE_IMAGE_TAG" ]]; then + cache_images="type=gha,scope=$BASE_IMAGE_TAG"$'\n'"type=registry,ref=$BASE_IMAGE_TAG" + fi + + echo "::group::Base images cache" + echo "$cache_images" + echo "::endgroup::" + + echo "cache_from=$cache_images" >> $GITHUB_OUTPUT + + - name: Build and push image id: docker_build uses: docker/build-push-action@v5 with: - context: ./Dockerfiles/${{ matrix.build }}/${{ matrix.os }} - file: ./Dockerfiles/${{ matrix.build }}/${{ matrix.os }}/Dockerfile + context: ${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/${{ matrix.os }} + file: ${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/${{ matrix.os }}/Dockerfile platforms: ${{ steps.platform.outputs.list }} - push: ${{ secrets.AUTO_PUSH_IMAGES }} + push: ${{ env.AUTO_PUSH_IMAGES }} tags: ${{ steps.meta.outputs.tags }} build-args: BUILD_BASE_IMAGE=${{ steps.base_build.outputs.base_build_image }} labels: | org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} + cache-from: ${{ steps.cache_data.outputs.cache_from }} + + - name: Sign the images with GitHub OIDC Token + env: + DIGEST: ${{ steps.docker_build.outputs.digest }} + TAGS: ${{ steps.meta.outputs.tags }} + run: | + images="" + for tag in ${TAGS}; do + images+="${tag}@${DIGEST} " + done + + echo "::group::Images to sign" + echo "$images" + echo "::endgroup::" + + echo "::group::Signing" + echo "cosign sign --yes $images" + cosign sign --yes ${images} + echo "::endgroup::" - name: Image digest - run: echo ${{ steps.docker_build.outputs.digest }} + env: + DIGEST: ${{ steps.docker_build.outputs.digest }} + run: | + echo "::group::Image digest" + echo "$DIGEST" + echo "::endgroup::" diff --git a/.github/workflows/images_build_rhel.yml b/.github/workflows/images_build_rhel.yml index e0f5e4404..5390861de 100644 --- a/.github/workflows/images_build_rhel.yml +++ b/.github/workflows/images_build_rhel.yml @@ -4,29 +4,51 @@ on: release: types: - published + workflow_dispatch: defaults: run: shell: bash env: + AUTO_PUSH_IMAGES: ${{ contains(fromJSON('["workflow_dispatch"]'), github.event_name) && 'false' || vars.AUTO_PUSH_IMAGES }} + LATEST_BRANCH: ${{ github.event.repository.default_branch }} + TRUNK_GIT_BRANCH: "refs/heads/trunk" + IMAGES_PREFIX: "zabbix-" BASE_BUILD_NAME: "build-base" + + DOCKERFILES_DIRECTORY: "Dockerfiles" + + OIDC_ISSUER: "https://token.actions.githubusercontent.com" + IDENITY_REGEX: "https://github.com/zabbix/zabbix-docker/.github/" + REGISTRY: "quay.io" REGISTRY_NAMESPACE: "redhat-isv-containers" + PREFLIGHT_IMAGE: "quay.io/opdev/preflight:stable" PFLT_LOGLEVEL: "warn" PFLT_ARTIFACTS: "/tmp/artifacts" jobs: init_build: name: Initialize build - runs-on: self-hosted + runs-on: ubuntu-latest + permissions: + contents: read outputs: components: ${{ steps.components.outputs.list }} is_default_branch: ${{ steps.branch_info.outputs.is_default_branch }} current_branch: ${{ steps.branch_info.outputs.current_branch }} sha_short: ${{ steps.branch_info.outputs.sha_short }} steps: + - name: Block egress traffic + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + github.com:443 + - name: Checkout repository uses: actions/checkout@v4 with: @@ -34,9 +56,13 @@ jobs: - name: Get branch info id: branch_info + shell: bash + env: + LATEST_BRANCH: ${{ env.LATEST_BRANCH }} + github_ref: ${{ github.ref }} run: | - github_ref="${{ github.ref }}" result=false + sha_short=$(git rev-parse --short HEAD) if [[ "$github_ref" == "refs/tags/"* ]]; then github_ref=${github_ref%.*} @@ -44,146 +70,272 @@ jobs: github_ref=${github_ref##*/} - if [[ "$github_ref" == "${{ env.LATEST_BRANCH }}" ]]; then + if [[ "$github_ref" == "$LATEST_BRANCH" ]]; then result=true fi + echo "::group::Branch data" + echo "is_default_branch - $result" + echo "current_branch - $github_ref" + echo "sha_short - $sha_short" + echo "::endgroup::" + echo "is_default_branch=$result" >> $GITHUB_OUTPUT echo "current_branch=$github_ref" >> $GITHUB_OUTPUT - echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT + echo "sha_short=$sha_short" >> $GITHUB_OUTPUT - name: Prepare Zabbix component list id: components env: REDHAT_CERTIFY_CREDENTIALS: ${{ secrets.REDHAT_CERTIFY_CREDENTIALS }} + CURRENT_BRANCH: ${{ steps.branch_info.outputs.current_branch }} run: | - component_list=$(jq --raw-output --argjson data "$REDHAT_CERTIFY_CREDENTIALS" -n '$data."${{ steps.branch_info.outputs.current_branch }}".components | keys | [ .[] | tostring ] | @json') + component_list=$(jq --raw-output --argjson data "$REDHAT_CERTIFY_CREDENTIALS" -n "\$data.\"$CURRENT_BRANCH\".components | keys | @json") + + echo "::group::Zabbix Component List" + echo "$component_list" + echo "::endgroup::" echo "list=$component_list" >> $GITHUB_OUTPUT build_base: timeout-minutes: 30 - name: Build ${{ matrix.build }} base on RHEL + name: Build ${{ matrix.build }} base (${{ matrix.arch }}) needs: ["init_build"] strategy: fail-fast: false matrix: - build: ["build-base"] - - runs-on: self-hosted - outputs: - image: ${{ steps.build_image.outputs.image-with-tag }} + build: [build-base] + arch: [X64, ARM64] + runs-on: [self-hosted, linux, "${{ matrix.arch }}"] + permissions: + contents: read steps: - name: Checkout repository uses: actions/checkout@v4 with: fetch-depth: 1 + - name: Install cosign + uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 + with: + cosign-release: 'v2.2.3' + + - name: Check cosign version + run: cosign version + + - name: Fix string case + id: lc + env: + ARCH: ${{ matrix.arch }} + run: | + echo "arch=${ARCH,,}" >> $GITHUB_OUTPUT + - name: Generate tags id: meta uses: docker/metadata-action@v5 with: - images: zabbix-${{ matrix.build }} + images: ${{ env.IMAGES_PREFIX }}${{ matrix.build }} tags: | - type=sha + type=sha,suffix=-${{ steps.lc.outputs.arch }} - name: Build Zabbix Build Base id: build_image uses: redhat-actions/buildah-build@v2 with: - context: ./Dockerfiles/${{ matrix.build }}/rhel + context: ${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/rhel layers: false tags: ${{ steps.meta.outputs.tags }} containerfiles: | - ./Dockerfiles/${{ matrix.build }}/rhel/Dockerfile + ${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/rhel/Dockerfile extra-args: | --pull + - name: Image digest + env: + IMAGE_TAG: ${{ fromJSON(steps.meta.outputs.json).tags[0] }} + CACHE_FILE_NAME: ${{ env.BASE_BUILD_NAME }}_${{ matrix.arch }} + run: | + DIGEST=$(podman inspect ${IMAGE_TAG} --format "{{ index .RepoDigests 0}}" | cut -d '@' -f2) + echo "::group::Image digest" + echo "$DIGEST" + echo "::endgroup::" + echo "::group::Cache file name" + echo "$CACHE_FILE_NAME" + echo "::endgroup::" + + echo "$DIGEST" > "$CACHE_FILE_NAME" + + - name: Cache image digest + uses: actions/cache@v4 + with: + path: ${{ env.BASE_BUILD_NAME }}_${{ matrix.arch }} + key: ${{ env.BASE_BUILD_NAME }}-${{ matrix.arch }}-${{ github.run_id }} + build_base_database: timeout-minutes: 180 needs: [ "build_base", "init_build"] - name: Build ${{ matrix.build }} base on RHEL + name: Build ${{ matrix.build }} base (${{ matrix.arch }}) strategy: fail-fast: false matrix: - build: ["mysql", "sqlite3"] - - runs-on: self-hosted + build: [build-mysql, build-sqlite3] + arch: [X64, ARM64] + runs-on: [self-hosted, linux, "${{ matrix.arch }}"] + permissions: + contents: read + id-token: write steps: - name: Checkout repository uses: actions/checkout@v4 with: fetch-depth: 1 + - name: Fix string case + id: lc + env: + ARCH: ${{ matrix.arch }} + run: | + echo "arch=${ARCH,,}" >> $GITHUB_OUTPUT + - name: Generate tags id: meta uses: docker/metadata-action@v5 with: - images: zabbix-build-${{ matrix.build }} + images: ${{ env.IMAGES_PREFIX }}${{ matrix.build }} tags: | - type=sha + type=sha,suffix=-${{ steps.lc.outputs.arch }} - - name: Build ${{ matrix.build }} image + - name: Download SHA256 tag of ${{ env.BASE_BUILD_NAME }}:${{ matrix.arch }} + uses: actions/cache@v4 + with: + path: ${{ env.BASE_BUILD_NAME }}_${{ matrix.arch }} + key: ${{ env.BASE_BUILD_NAME }}-${{ matrix.arch }}-${{ github.run_id }} + + - name: Retrieve ${{ env.BASE_BUILD_NAME }}:${{ matrix.arch }} SHA256 tag + id: base_build + env: + MATRIX_ARCH: ${{ matrix.arch }} + BASE_IMAGE: ${{ env.BASE_BUILD_NAME }} + IMAGES_PREFIX: ${{ env.IMAGES_PREFIX }} + run: | + BASE_TAG=$(cat "${BASE_IMAGE}_${MATRIX_ARCH}") + BUILD_BASE_IMAGE="${IMAGES_PREFIX}${BASE_IMAGE}@${BASE_TAG}" + + echo "::group::Base build image information" + echo "base_tag=${BASE_TAG}" + echo "base_build_image=${BUILD_BASE_IMAGE}" + echo "::endgroup::" + + echo "base_tag=${BASE_TAG}" >> $GITHUB_OUTPUT + echo "base_build_image=${BUILD_BASE_IMAGE}" >> $GITHUB_OUTPUT + + - name: Build Zabbix Build Base id: build_image uses: redhat-actions/buildah-build@v2 with: - context: ./Dockerfiles/build-${{ matrix.build }}/rhel + context: ${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/rhel layers: false tags: ${{ steps.meta.outputs.tags }} containerfiles: | - ./Dockerfiles/build-${{ matrix.build }}/rhel/Dockerfile - build-args: BUILD_BASE_IMAGE=${{ needs.build_base.outputs.image }} + ${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/rhel/Dockerfile + build-args: BUILD_BASE_IMAGE=${{ steps.base_build.outputs.base_build_image }} + + - name: Image digest + env: + IMAGE_TAG: ${{ fromJSON(steps.meta.outputs.json).tags[0] }} + CACHE_FILE_NAME: ${{ matrix.build }}_${{ matrix.arch }} + run: | + DIGEST=$(podman inspect ${IMAGE_TAG} --format "{{ index .RepoDigests 0}}" | cut -d '@' -f2) + echo "::group::Image digest" + echo "$DIGEST" + echo "::endgroup::" + echo "::group::Cache file name" + echo "$CACHE_FILE_NAME" + echo "::endgroup::" + + echo "$DIGEST" > "$CACHE_FILE_NAME" + + - name: Cache image digest + uses: actions/cache@v4 + with: + path: ${{ matrix.build }}_${{ matrix.arch }} + key: ${{ matrix.build }}-${{ matrix.arch }}-${{ github.run_id }} build_images: timeout-minutes: 90 needs: [ "build_base_database", "init_build"] - name: Build ${{ matrix.build }} image + name: Build ${{ matrix.build }} image (${{ matrix.arch }}) strategy: fail-fast: false matrix: build: ${{ fromJson(needs.init_build.outputs.components) }} - - runs-on: self-hosted + arch: [X64, ARM64] + runs-on: [self-hosted, linux, "${{ matrix.arch }}"] + permissions: + contents: read + id-token: write steps: - - uses: actions/checkout@v4 + - name: Checkout repository + uses: actions/checkout@v4 + with: + fetch-depth: 1 + + - name: Fix string case + id: lc + env: + ARCH: ${{ matrix.arch }} + run: | + echo "arch=${ARCH,,}" >> $GITHUB_OUTPUT - name: Detect Build Base Image id: build_base_image env: REDHAT_CERTIFY_CREDENTIALS: ${{ secrets.REDHAT_CERTIFY_CREDENTIALS }} + MATRIX_BUILD: ${{ matrix.build }} + CURRENT_BRANCH: ${{ needs.init_build.outputs.current_branch }} run: | - BUILD_BASE=$(jq --raw-output --argjson data "$REDHAT_CERTIFY_CREDENTIALS" -n '$data."${{ needs.init_build.outputs.current_branch }}".components."${{ matrix.build }}".build_base') + BUILD_BASE=$(jq --raw-output --argjson data "$REDHAT_CERTIFY_CREDENTIALS" -n "\$data.\"$CURRENT_BRANCH\".components.\"$MATRIX_BUILD\".build_base") - echo "build_base=$BUILD_BASE" >> $GITHUB_OUTPUT + echo "::group::Build base image" + echo "build_base=$BUILD_BASE" + echo "::endgroup::" + + echo "build_base=$BUILD_BASE" >> $GITHUB_OUTPUT - name: Generate image name id: image_name env: REDHAT_CERTIFY_CREDENTIALS: ${{ secrets.REDHAT_CERTIFY_CREDENTIALS }} + MATRIX_BUILD: ${{ matrix.build }} + CURRENT_BRANCH: ${{ needs.init_build.outputs.current_branch }} run: | - IMAGE_NAME=$(jq --raw-output --argjson data "$REDHAT_CERTIFY_CREDENTIALS" -n '$data."${{ needs.init_build.outputs.current_branch }}".components."${{ matrix.build }}".login') + IMAGE_NAME=$(jq --raw-output --argjson data "$REDHAT_CERTIFY_CREDENTIALS" -n "\$data.\"$CURRENT_BRANCH\".components.\"$MATRIX_BUILD\".login") - echo "::add-mask::$IMAGE_NAME" - echo "image_name=$IMAGE_NAME" >> $GITHUB_OUTPUT + echo "::add-mask::$IMAGE_NAME" + echo "image_name=$IMAGE_NAME" >> $GITHUB_OUTPUT - name: Generate credentials id: login_credentials env: REDHAT_CERTIFY_CREDENTIALS: ${{ secrets.REDHAT_CERTIFY_CREDENTIALS }} + MATRIX_BUILD: ${{ matrix.build }} + CURRENT_BRANCH: ${{ needs.init_build.outputs.current_branch }} run: | - IMAGE_NAME=$(jq --raw-output --argjson data "$REDHAT_CERTIFY_CREDENTIALS" -n '$data."${{ needs.init_build.outputs.current_branch }}".components."${{ matrix.build }}".login') - REGISTRY_PASSWORD=$(jq --raw-output --argjson data "$REDHAT_CERTIFY_CREDENTIALS" -n '$data."${{ needs.init_build.outputs.current_branch }}".components."${{ matrix.build }}".secret') + IMAGE_NAME=$(jq --raw-output --argjson data "$REDHAT_CERTIFY_CREDENTIALS" -n "\$data.\"$CURRENT_BRANCH\".components.\"$MATRIX_BUILD\".login") + REGISTRY_PASSWORD=$(jq --raw-output --argjson data "$REDHAT_CERTIFY_CREDENTIALS" -n "\$data.\"$CURRENT_BRANCH\".components.\"$MATRIX_BUILD\".secret") - echo "::add-mask::$IMAGE_NAME" - echo "::add-mask::redhat-isv-containers+$IMAGE_NAME-robot" - echo "::add-mask::$REGISTRY_PASSWORD" + echo "::add-mask::$IMAGE_NAME" + echo "::add-mask::redhat-isv-containers+$IMAGE_NAME-robot" + echo "::add-mask::$REGISTRY_PASSWORD" - echo "username=$IMAGE_NAME" >> $GITHUB_OUTPUT - echo "password=$REGISTRY_PASSWORD" >> $GITHUB_OUTPUT + echo "username=$IMAGE_NAME" >> $GITHUB_OUTPUT + echo "password=$REGISTRY_PASSWORD" >> $GITHUB_OUTPUT - name: Log in to Quay.io uses: redhat-actions/podman-login@v1.6 + if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} env: LOGIN: ${{ steps.login_credentials.outputs.username }} PASSWORD: ${{ steps.login_credentials.outputs.password }} @@ -191,12 +343,14 @@ jobs: username: redhat-isv-containers+${{ env.LOGIN }}-robot password: ${{ env.PASSWORD }} registry: ${{ env.REGISTRY }} - auth_file_path: /tmp/.docker_${{ matrix.build }}_${{ needs.init_build.outputs.sha_short }} + auth_file_path: /tmp/.docker_${{ matrix.build }}_${{ matrix.arch }}_${{ needs.init_build.outputs.sha_short }} - name: Remove smartmontools if: ${{ matrix.build == 'agent2' }} + env: + DOCKERFILES_DIRECTORY: ${{ env.DOCKERFILES_DIRECTORY }} run: | - sed -i '/smartmontools/d' Dockerfiles/agent2/rhel/Dockerfile + sed -i '/smartmontools/d' "$DOCKERFILES_DIRECTORY/agent2/rhel/Dockerfile" - name: Generate tags id: meta @@ -207,38 +361,72 @@ jobs: type=semver,pattern={{version}} type=sha flavor: | - latest=${{ ( github.event_name == 'release' ) }} + latest=${{ github.event_name == 'release' }} + suffix=${{ matrix.arch == 'ARM64' && '-arm64' || '' }},onlatest=true - - name: Build ${{ matrix.build }} and push + - name: Download SHA256 tag of ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.arch }} + uses: actions/cache@v4 + with: + path: ${{ steps.build_base_image.outputs.build_base }}_${{ matrix.arch }} + key: ${{ steps.build_base_image.outputs.build_base }}-${{ matrix.arch }}-${{ github.run_id }} + + - name: Retrieve ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.arch }} SHA256 tag + id: base_build + env: + MATRIX_ARCH: ${{ matrix.arch }} + BASE_IMAGE: ${{ steps.build_base_image.outputs.build_base }} + IMAGES_PREFIX: ${{ env.IMAGES_PREFIX }} + run: | + BASE_TAG=$(cat "${BASE_IMAGE}_${MATRIX_ARCH}") + BUILD_BASE_IMAGE="${IMAGES_PREFIX}${BASE_IMAGE}@${BASE_TAG}" + + echo "::group::Base build image information" + echo "base_tag=${BASE_TAG}" + echo "base_build_image=${BUILD_BASE_IMAGE}" + echo "::endgroup::" + + echo "base_tag=${BASE_TAG}" >> $GITHUB_OUTPUT + echo "base_build_image=${BUILD_BASE_IMAGE}" >> $GITHUB_OUTPUT + + - name: Build ${{ matrix.build }} id: build_image uses: redhat-actions/buildah-build@v2 with: - context: ./Dockerfiles/${{ matrix.build }}/rhel + context: ${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/rhel layers: false tags: ${{ steps.meta.outputs.tags }} labels: | org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} containerfiles: | - ./Dockerfiles/${{ matrix.build }}/rhel/Dockerfile - build-args: BUILD_BASE_IMAGE=zabbix-${{ steps.build_base_image.outputs.build_base }}:sha-${{ needs.init_build.outputs.sha_short }} + ${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/rhel/Dockerfile + build-args: BUILD_BASE_IMAGE=${{ steps.base_build.outputs.base_build_image }} - name: Push to RedHat certification procedure id: push_to_registry + if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} uses: redhat-actions/push-to-registry@v2 with: tags: ${{ steps.meta.outputs.tags }} - name: Preflight + if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} env: - PFLT_DOCKERCONFIG: /tmp/.docker_${{ matrix.build }}_${{ needs.init_build.outputs.sha_short }} + PFLT_DOCKERCONFIG: /tmp/.docker_${{ matrix.build }}_${{ matrix.arch }}_${{ needs.init_build.outputs.sha_short }} PFLT_CERTIFICATION_PROJECT_ID: ${{ steps.login_credentials.outputs.username }} PFLT_PYXIS_API_TOKEN: ${{ secrets.REDHAT_API_TOKEN }} PFLT_ARTIFACTS: ${{ env.PFLT_ARTIFACTS }} PFLT_LOGLEVEL: ${{ env.PFLT_LOGLEVEL }} + IMAGE_TAG: ${{ steps.build_image.outputs.image-with-tag }} + PREFLIGHT_IMAGE: ${{ env.PREFLIGHT_IMAGE }} run: | - mkdir -p $PFLT_ARTIFACTS - podman run \ + mkdir -p $PFLT_ARTIFACTS + echo "::group::Pull preflight image" + podman pull "$PREFLIGHT_IMAGE" + echo "::endgroup::" + + echo "::group::Perform certification tests" + podman run \ -it \ --rm \ --security-opt=label=disable \ @@ -250,15 +438,74 @@ jobs: --env PFLT_DOCKERCONFIG=/temp-authfile.json \ -v $PFLT_ARTIFACTS:/artifacts \ -v $PFLT_DOCKERCONFIG:/temp-authfile.json:ro \ - quay.io/opdev/preflight:1.5.1 check container ${{ steps.build_image.outputs.image-with-tag }} --submit + "$PREFLIGHT_IMAGE" check container $IMAGE_TAG --submit + podman rmi -i -f "$PREFLIGHT_IMAGE" + echo "::endgroup::" - name: Push to RedHat certification procedure id: push_to_registry_all_tags + if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} uses: redhat-actions/push-to-registry@v2 with: tags: ${{ steps.meta.outputs.tags }} - - name: Cleanup + - name: Cleanup artifacts + if: ${{ always() }} + env: + PREFLIGHT_IMAGE: ${{ env.PREFLIGHT_IMAGE }} + PFLT_ARTIFACTS: ${{ env.PFLT_ARTIFACTS }} + TAGS: ${{ steps.meta.outputs.tags }} run: | - echo "${{ steps.meta.outputs.tags }}" | while IFS= read -r image_name ; do podman rmi -i -f $image_name; done - rm -rf ${{ env.PFLT_ARTIFACTS }} + echo "::group::Post build actions" + echo "$TAGS" | while IFS= read -r image_name ; do podman rmi -i -f "$image_name"; done + rm -rf "$PFLT_ARTIFACTS" + podman rmi -i -f "$PREFLIGHT_IMAGE" + echo "::endgroup::" + + clean_artifacts: + timeout-minutes: 90 + needs: [ "build_images", "init_build"] + name: Build ${{ matrix.build }} image (${{ matrix.arch }}) + strategy: + fail-fast: false + matrix: + build: [build-mysql, build-sqlite3] + arch: [X64, ARM64] + runs-on: [self-hosted, linux, "${{ matrix.arch }}"] + if: ${{ always() && needs.build_base_database.result == 'success' }} + permissions: {} + steps: + - name: Download SHA256 tag of ${{ matrix.build }}:${{ matrix.arch }} + uses: actions/cache@v4 + with: + path: ${{ matrix.build }}_${{ matrix.arch }} + key: ${{ matrix.build }}-${{ matrix.arch }}-${{ github.run_id }} + + - name: Remove ${{ matrix.build }}:${{ matrix.arch }} SHA256 tag + env: + MATRIX_ARCH: ${{ matrix.arch }} + BASE_IMAGE: ${{ matrix.build }} + IMAGES_PREFIX: ${{ env.IMAGES_PREFIX }} + run: | + BASE_TAG=$(cat "${BASE_IMAGE}_${MATRIX_ARCH}") + BUILD_BASE_IMAGE="${IMAGES_PREFIX}${BASE_IMAGE}@${BASE_TAG}" + + podman rmi -i -f "$BUILD_BASE_IMAGE" + + - name: Download SHA256 tag of ${{ env.BASE_BUILD_NAME }}:${{ matrix.arch }} + uses: actions/cache@v4 + with: + path: ${{ env.BASE_BUILD_NAME }}_${{ matrix.arch }} + key: ${{ env.BASE_BUILD_NAME }}-${{ matrix.arch }}-${{ github.run_id }} + + + - name: Remove ${{ env.BASE_BUILD_NAME }}:${{ matrix.arch }} SHA256 tag + env: + MATRIX_ARCH: ${{ matrix.arch }} + BASE_IMAGE: ${{ env.BASE_BUILD_NAME }} + IMAGES_PREFIX: ${{ env.IMAGES_PREFIX }} + run: | + BASE_TAG=$(cat "${BASE_IMAGE}_${MATRIX_ARCH}") + BUILD_BASE_IMAGE="${IMAGES_PREFIX}${BASE_IMAGE}@${BASE_TAG}" + + podman rmi -i -f "$BUILD_BASE_IMAGE" diff --git a/.github/workflows/images_build_windows.yml b/.github/workflows/images_build_windows.yml index af94b4341..e25967e04 100644 --- a/.github/workflows/images_build_windows.yml +++ b/.github/workflows/images_build_windows.yml @@ -6,55 +6,92 @@ on: - published push: branches: - - '5.0' - - '6.0' - - '6.4' + - '[0-9]+.[0-9]+' - 'trunk' paths: - 'Dockerfiles/*/windows/*' - '!**/README.md' - '.github/workflows/images_build_windows.yml' + schedule: + - cron: '05 02 * * *' + workflow_dispatch: defaults: run: shell: pwsh env: - DOCKER_REPOSITORY: "zabbix" + TRUNK_ONLY_EVENT: ${{ contains(fromJSON('["schedule"]'), github.event_name) }} + AUTO_PUSH_IMAGES: ${{ vars.AUTO_PUSH_IMAGES }} + + DOCKER_REPOSITORY: ${{ vars.DOCKER_REPOSITORY }} LATEST_BRANCH: ${{ github.event.repository.default_branch }} - IMAGE_PREFIX: "zabbix-" - BASE_BUILD_NAME: "build-base" - COMPONENT_BASE_BUILD_NAME: "build-mysql" - AUTO_PUSH_IMAGES: ${{ secrets.AUTO_PUSH_IMAGES }} + TRUNK_GIT_BRANCH: "refs/heads/trunk" + IMAGES_PREFIX: "zabbix-" + + MSFT_BASE_BUILD_IMAGE: "mcr.microsoft.com/windows/servercore" + PWSH_BASE_IMAGE_NAME: "mcr.microsoft.com/powershell" + PWSH_BASE_IMAGE_PREFIX: "lts-nanoserver-" + + BASE_IMAGE_NAME: "build-base" + BASE_BUILD_IMAGE_NAME: "build-mysql" + + MATRIX_FILE: "build.json" + DOCKERFILES_DIRECTORY: "Dockerfiles" + + OIDC_ISSUER: "https://token.actions.githubusercontent.com" + IDENITY_REGEX: "https://github.com/zabbix/zabbix-docker/.github/" jobs: init_build: name: Initialize build runs-on: ubuntu-latest + permissions: + contents: read outputs: os: ${{ steps.os.outputs.list }} components: ${{ steps.components.outputs.list }} is_default_branch: ${{ steps.branch_info.outputs.is_default_branch }} + current_branch: ${{ steps.branch_info.outputs.current_branch }} + sha_short: ${{ steps.branch_info.outputs.sha_short }} steps: + - name: Block egress traffic + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + github.com:443 + - name: Checkout repository uses: actions/checkout@v4 with: + ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }} fetch-depth: 1 + sparse-checkout: ${{ env.MATRIX_FILE }} - - name: Check build.json file + - name: Check ${{ env.MATRIX_FILE }} file id: build_exists shell: bash + env: + MATRIX_FILE: ${{ env.MATRIX_FILE }} run: | - if [[ ! -f "./build.json" ]]; then - echo "::error::File build.json is missing" + if [[ ! -f "$MATRIX_FILE" ]]; then + echo "::error::File $MATRIX_FILE is missing" exit 1 fi - name: Prepare Operating System list id: os shell: bash + env: + MATRIX_FILE: ${{ env.MATRIX_FILE }} run: | - os_list=$(jq -r '.["os-windows"] | keys | [ .[] | tostring ] | @json' "./build.json") + os_list=$(jq -r '.["os-windows"] | keys | [ .[] | tostring ] | @json' "$MATRIX_FILE") + + echo "::group::Operating System List" + echo "$os_list" + echo "::endgroup::" echo "list=$os_list" >> $GITHUB_OUTPUT @@ -64,14 +101,21 @@ jobs: run: | component_list='["agent","agent2"]' + echo "::group::Zabbix Component List" + echo "$component_list" + echo "::endgroup::" + echo "list=$component_list" >> $GITHUB_OUTPUT - name: Get branch info id: branch_info shell: bash + env: + LATEST_BRANCH: ${{ env.LATEST_BRANCH }} + github_ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || github.ref }} run: | - github_ref="${{ github.ref }}" result=false + sha_short=$(git rev-parse --short HEAD) if [[ "$github_ref" == "refs/tags/"* ]]; then github_ref=${github_ref%.*} @@ -79,324 +123,659 @@ jobs: github_ref=${github_ref##*/} - if [[ "$github_ref" == "${{ env.LATEST_BRANCH }}" ]]; then + if [[ "$github_ref" == "$LATEST_BRANCH" ]]; then result=true fi + + echo "::group::Branch data" + echo "is_default_branch - $result" + echo "current_branch - $github_ref" + echo "sha_short - $sha_short" + echo "::endgroup::" + echo "is_default_branch=$result" >> $GITHUB_OUTPUT + echo "current_branch=$github_ref" >> $GITHUB_OUTPUT + echo "sha_short=$sha_short" >> $GITHUB_OUTPUT build_base: - timeout-minutes: 70 name: Build ${{ matrix.component }} base on ${{ matrix.os }} needs: init_build - env: - BASE_BUILD_ARTIFACT_FILE_SUFFIX: "_${{ matrix.os }}_${{ matrix.component }}" + runs-on: ${{ matrix.os }} + timeout-minutes: 70 + permissions: + contents: read + id-token: write strategy: fail-fast: false matrix: os: ${{ fromJson(needs.init_build.outputs.os) }} component: ${{ fromJson(needs.init_build.outputs.components) }} - - runs-on: ${{ matrix.os }} steps: - name: Checkout repository uses: actions/checkout@v4 with: + ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }} fetch-depth: 1 - - name: Login to DockerHub - run: | - docker login -u ${{ secrets.DOCKER_USERNAME }} -p ${{ secrets.DOCKER_PASSWORD }} - if (-not $?) {throw "Failed"} + - name: Install cosign + uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 + with: + cosign-release: 'v2.2.3' - - name: Base OS tag + - name: Check cosign version + run: cosign version + + - name: Login to DockerHub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} + + - name: Base Windows OS tag id: base_os_tag + env: + MATRIX_OS: ${{ matrix.os }} + MATRIX_FILE: ${{ env.MATRIX_FILE }} run: | - $os_tag=$(Get-Content -Path .\build.json | ConvertFrom-Json).'os-windows'.'${{ matrix.os }}' + $os_tag=$(Get-Content -Path $Env:MATRIX_FILE | ConvertFrom-Json).'os-windows'."$Env:MATRIX_OS" + + echo "::group::Base Microsoft Windows OS tag" + echo "$os_tag" + echo "::endgroup::" + echo "os_tag=$os_tag" >> $Env:GITHUB_OUTPUT - name: Generate tags id: meta uses: docker/metadata-action@v5 with: - images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGE_PREFIX }}${{ env.BASE_BUILD_NAME }} + images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ env.BASE_IMAGE_NAME }} + context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} tags: | - type=semver,pattern={{version}},prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}- - type=semver,pattern={{version}},suffix=-${{ steps.base_os_tag.outputs.os_tag }},prefix=${{ matrix.component }}- - type=ref,event=branch,prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-,suffix=-latest - type=ref,event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }}-latest,prefix=${{ matrix.component }}- - type=raw,enable=${{ ( needs.init_build.outputs.is_default_branch == 'true' ) && ( github.event_name == 'push' ) }},value=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-latest + type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}- + type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ steps.base_os_tag.outputs.os_tag }},prefix=${{ matrix.component }}- + type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-,suffix=-latest + type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }}-latest,prefix=${{ matrix.component }}- + type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-latest + type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}- + type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }},prefix=${{ matrix.component }}- flavor: | latest=false - - name: Build image + - name: Build and push image id: docker_build + env: + DOCKERFILES_DIRECTORY: ${{ env.DOCKERFILES_DIRECTORY }} + BASE_BUILD_IMAGE: ${{ env.MSFT_BASE_BUILD_IMAGE }} + BASE_IMAGE_NAME: ${{ env.BASE_IMAGE_NAME }} + MATRIX_COMPONENT: ${{ matrix.component }} + TAGS: ${{ steps.meta.outputs.tags }} + BASE_OS_TAG: ${{ steps.base_os_tag.outputs.os_tag }} + LABEL_REVISION: ${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} + LABEL_CREATED: ${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} + AUTO_PUSH_IMAGES: ${{ env.AUTO_PUSH_IMAGES }} run: | - $context='.\Dockerfiles\${{ env.BASE_BUILD_NAME }}\windows\' - $dockerfile= $context + 'Dockerfile.${{ matrix.component }}' + echo "::group::Docker version" + docker version + echo "::endgroup::" + echo "::group::Docker info" + docker info + echo "::endgroup::" + + $context="$Env:DOCKERFILES_DIRECTORY\$Env:BASE_IMAGE_NAME\windows\" + $dockerfile= $context + 'Dockerfile.' + $Env:MATRIX_COMPONENT + $base_os_image= $Env:BASE_BUILD_IMAGE + ':' + $Env:BASE_OS_TAG # Can not build on GitHub due existing symlink. Must be removed before build process Remove-Item -ErrorAction Ignore -Force -Path $context\README.md - $tags_array=$( "${{ steps.meta.outputs.tags }}".Split("`r`n") ) + $tags_array=$( "$Env:TAGS".Split("`n") ) $tags=$( $tags_array | Foreach-Object { "--tag=$_" } ) - echo "docker build --file=$dockerfile $tags $context" - docker build --label org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} ` - --label org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} ` - --build-arg=BUILD_BASE_IMAGE=mcr.microsoft.com/windows/servercore:${{ steps.base_os_tag.outputs.os_tag }} ` + echo "::group::Image tags" + echo "$Env:TAGS" + echo "::endgroup::" + echo "::group::Pull base image" + docker pull $base_os_image + if (-not $?) {throw "Failed"} + echo "::endgroup::" + + echo "::group::Build Image" + Write-Host @" + docker build --label org.opencontainers.image.revision=$Env:LABEL_REVISION + --label org.opencontainers.image.created=$Env:LABEL_CREATED + --build-arg=BUILD_BASE_IMAGE=$base_os_image + --file=$dockerfile + $tags + $context + "@ + + docker build --label org.opencontainers.image.revision=$Env:LABEL_REVISION ` + --label org.opencontainers.image.created=$Env:LABEL_CREATED ` + --build-arg=BUILD_BASE_IMAGE=$base_os_image ` --file=$dockerfile ` $tags ` $context if (-not $?) {throw "Failed"} + echo "::endgroup::" - - name: Push image - if: ${{ env.AUTO_PUSH_IMAGES }} - run: | - $tags_array=$( "${{ steps.meta.outputs.tags }}".Split("`r`n") ) + echo "::group::Publish Image" + if ( $Env:AUTO_PUSH_IMAGES -eq 'true' ) { + Foreach ($tag in $tags_array) { + echo "docker image push $tag" + docker image push $tag + if (-not $?) {throw "Failed"} + } - Foreach ($tag in $tags_array) { - echo "docker image push $tag" - docker image push $tag + $digest=$(docker inspect $tags_array[0] --format "{{ index .RepoDigests 0}}").Split('@')[-1] if (-not $?) {throw "Failed"} + echo "Image digest got from RepoDigests" } + else { + $digest=$(docker inspect $tags_array[0] --format "{{ index .Id}}") + if (-not $?) {throw "Failed"} + echo "Image digest got from Id" + } + echo "::endgroup::" + + echo "::group::Digest" + echo "$digest" + echo "::endgroup::" + echo "digest=$digest" >> $Env:GITHUB_OUTPUT + + - name: Sign the images with GitHub OIDC Token + env: + DIGEST: ${{ steps.docker_build.outputs.digest }} + TAGS: ${{ steps.meta.outputs.tags }} + run: | + $tags_array=$( "$Env:TAGS".Split("`n") ) + $tag_list=@() + + + foreach ($tag in $tags_array) { + $tag_name=$tag.Split(":")[0] + $tag_list+="$tag_name@$Env:DIGEST" + } + echo "::group::Images to sign" + echo "$tag_list" + echo "::endgroup::" + + echo "::group::Signing" + echo "cosign sign --yes $tag_list" + cosign sign --yes $tag_list + echo "::endgroup::" - name: Image digest if: ${{ env.AUTO_PUSH_IMAGES }} + env: + DIGEST: ${{ steps.docker_build.outputs.digest }} + CACHE_FILE_NAME: ${{ env.BASE_IMAGE_NAME }}_${{ matrix.os }}_${{ matrix.component }} run: | - $tags_array=$( "${{ steps.meta.outputs.tags }}".Split("`r`n") ) + echo "::group::Image digest" + echo "$Env:DIGEST" + echo "::endgroup::" - $digest=$(docker inspect $tags_array[0] --format "{{ index .RepoDigests 0}}").Split('@')[-1] - if (-not $?) {throw "Failed"} + echo "::group::Cache file name" + echo "$Env:CACHE_FILE_NAME" + echo "::endgroup::" - echo $digest - $digest | Set-Content -Path ${{ env.BASE_BUILD_NAME }}${{ env.BASE_BUILD_ARTIFACT_FILE_SUFFIX }} + $Env:DIGEST | Set-Content -Path $Env:CACHE_FILE_NAME - - name: Upload SHA256 tag - if: ${{ env.AUTO_PUSH_IMAGES }} - uses: actions/upload-artifact@v4 + - name: Cache image digest + uses: actions/cache@v4 with: - name: ${{ env.BASE_BUILD_NAME }}${{ env.BASE_BUILD_ARTIFACT_FILE_SUFFIX }} - path: ${{ env.BASE_BUILD_NAME }}${{ env.BASE_BUILD_ARTIFACT_FILE_SUFFIX }} - if-no-files-found: error - - - name: Logout from DockerHub - run: | - docker logout - if (-not $?) {throw "Failed"} + path: ${{ env.BASE_IMAGE_NAME }}_${{ matrix.os }}_${{ matrix.component }} + key: ${{ env.BASE_IMAGE_NAME }}-${{ matrix.os }}-${{ github.run_id }} build_components: - timeout-minutes: 70 - needs: [ "build_base", "init_build"] name: Build ${{ matrix.component }} sources on ${{ matrix.os }} - env: - BASE_BUILD_ARTIFACT_FILE_SUFFIX: "_${{ matrix.os }}_${{ matrix.component }}" - COMPONENT_BASE_BUILD_ARTIFACT_FILE_SUFFIX: "_${{ matrix.os }}_${{ matrix.component }}" + needs: [ "build_base", "init_build"] + runs-on: ${{ matrix.os }} + timeout-minutes: 70 + permissions: + contents: read + id-token: write strategy: fail-fast: false matrix: os: ${{ fromJson(needs.init_build.outputs.os) }} component: ${{ fromJson(needs.init_build.outputs.components) }} - - runs-on: ${{ matrix.os }} steps: - name: Checkout repository uses: actions/checkout@v4 + with: + ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }} + fetch-depth: 1 + + - name: Install cosign + uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 + with: + cosign-release: 'v2.2.3' + + - name: Check cosign version + run: cosign version - name: Login to DockerHub - run: | - docker login -u ${{ secrets.DOCKER_USERNAME }} -p ${{ secrets.DOCKER_PASSWORD }} - if (-not $?) {throw "Failed"} + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} - name: Base OS tag id: base_os_tag + env: + MATRIX_OS: ${{ matrix.os }} + MATRIX_FILE: ${{ env.MATRIX_FILE }} run: | - $os_tag=$(Get-Content -Path .\build.json | ConvertFrom-Json).'os-windows'.'${{ matrix.os }}' + $os_tag=$(Get-Content -Path $Env:MATRIX_FILE | ConvertFrom-Json).'os-windows'."$Env:MATRIX_OS" + + echo "::group::Base Windows OS tag" + echo "$os_tag" + echo "::endgroup::" + echo "os_tag=$os_tag" >> $Env:GITHUB_OUTPUT - name: Generate tags id: meta uses: docker/metadata-action@v5 with: - images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGE_PREFIX }}${{ env.COMPONENT_BASE_BUILD_NAME }} + images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ env.BASE_BUILD_IMAGE_NAME }} + context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} tags: | - type=semver,pattern={{version}},prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}- - type=semver,pattern={{version}},suffix=-${{ steps.base_os_tag.outputs.os_tag }},prefix=${{ matrix.component }}- - type=ref,event=branch,prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-,suffix=-latest - type=ref,event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }}-latest,prefix=${{ matrix.component }}- - type=raw,enable=${{ ( needs.init_build.outputs.is_default_branch == 'true' ) && ( github.event_name == 'push' ) }},value=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-latest + type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}- + type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ steps.base_os_tag.outputs.os_tag }},prefix=${{ matrix.component }}- + type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-,suffix=-latest + type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }}-latest,prefix=${{ matrix.component }}- + type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-latest + type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}- + type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }},prefix=${{ matrix.component }}- flavor: | latest=false - - name: Download SHA256 tag build-base:${{ matrix.os }} - uses: actions/download-artifact@v4 + - name: Download SHA256 tag of ${{ env.BASE_IMAGE_NAME }}:${{ matrix.os }} + uses: actions/cache@v4 with: - name: ${{ env.BASE_BUILD_NAME }}${{ env.BASE_BUILD_ARTIFACT_FILE_SUFFIX }} + path: ${{ env.BASE_IMAGE_NAME }}_${{ matrix.os }}_${{ matrix.component }} + key: ${{ env.BASE_IMAGE_NAME }}-${{ matrix.os }}-${{ github.run_id }} - - name: Retrieve ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }} SHA256 tag + - name: Retrieve ${{ env.BASE_IMAGE_NAME }}:${{ matrix.os }} SHA256 tag id: base_build + env: + BASE_IMAGE_NAME: ${{ env.BASE_IMAGE_NAME }} + MATRIX_OS: ${{ matrix.os }} + MATRIX_COMPONENT: ${{ matrix.component }} + DOCKER_REPOSITORY: ${{ env.DOCKER_REPOSITORY }} + IMAGES_PREFIX: ${{ env.IMAGES_PREFIX }} run: | - $base_tag = Get-Content ${{ env.BASE_BUILD_NAME }}${{ env.BASE_BUILD_ARTIFACT_FILE_SUFFIX }} -Raw - $build_base_image="${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGE_PREFIX }}${{ env.BASE_BUILD_NAME }}@" + $base_tag + $base_image_file=$Env:BASE_IMAGE_NAME + '_' + $Env:MATRIX_OS + '_' + $Env:MATRIX_COMPONENT + $base_tag = Get-Content $base_image_file -Raw + $build_base_image="$Env:DOCKER_REPOSITORY/$Env:IMAGES_PREFIX$Env:BASE_IMAGE_NAME@" + $base_tag - echo "base_tag=$base_tag" >> $Env:GITHUB_OUTPUT - echo "base_build_image=$build_base_image" >> $Env:GITHUB_OUTPUT + echo "::group::Base image Info" + echo "base_tag=$base_tag" + echo "base_build_image=$build_base_image" + echo "::endgroup::" - - name: Build image + echo "base_tag=$base_tag" >> $Env:GITHUB_OUTPUT + echo "base_build_image=$build_base_image" >> $Env:GITHUB_OUTPUT + + - name: Verify ${{ env.BASE_IMAGE_NAME }}:${{ matrix.os }} cosign + env: + BASE_IMAGE: ${{ steps.base_build.outputs.base_build_image }} + OIDC_ISSUER: ${{ env.OIDC_ISSUER }} + IDENITY_REGEX: ${{ env.IDENITY_REGEX }} + run: | + cosign verify ` + --certificate-oidc-issuer-regexp "$Env:OIDC_ISSUER" ` + --certificate-identity-regexp "$Env:IDENITY_REGEX" ` + "$Env:BASE_IMAGE" + + - name: Build and push image id: docker_build + env: + DOCKERFILES_DIRECTORY: ${{ env.DOCKERFILES_DIRECTORY }} + BASE_BUILD_IMAGE: ${{ steps.base_build.outputs.base_build_image }} + BASE_BUILD_IMAGE_NAME: ${{ env.BASE_BUILD_IMAGE_NAME }} + BASE_BUILD_OS_TAG: ${{ steps.base_os_tag.outputs.os_tag }} + MATRIX_COMPONENT: ${{ matrix.component }} + TAGS: ${{ steps.meta.outputs.tags }} + LABEL_REVISION: ${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} + LABEL_CREATED: ${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} + AUTO_PUSH_IMAGES: ${{ env.AUTO_PUSH_IMAGES }} run: | - $context='.\Dockerfiles\${{ env.COMPONENT_BASE_BUILD_NAME }}\windows\' - $dockerfile= $context + 'Dockerfile.${{ matrix.component }}' + echo "::group::Docker version" + docker version + echo "::endgroup::" + echo "::group::Docker info" + docker info + echo "::endgroup::" + + $context="$Env:DOCKERFILES_DIRECTORY\$Env:BASE_BUILD_IMAGE_NAME\windows\" + $dockerfile= $context + 'Dockerfile.' + $Env:MATRIX_COMPONENT + $base_build_image= $Env:BASE_BUILD_IMAGE # Can not build on GitHub due existing symlink. Must be removed before build process Remove-Item -ErrorAction Ignore -Force -Path $context\README.md - $tags_array=$( "${{ steps.meta.outputs.tags }}".Split("`r`n") ) - $tags=$($tags_array | Foreach-Object { "--tag=$_" }) + $tags_array=$( "$Env:TAGS".Split("`n") ) + $tags=$( $tags_array | Foreach-Object { "--tag=$_" } ) - echo "docker build --file=$dockerfile $tags $context" - docker build --label org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} ` - --label org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} ` + echo "::group::Image tags" + echo "$Env:TAGS" + echo "::endgroup::" + echo "::group::Pull base image" + docker pull $base_build_image + if (-not $?) {throw "Failed"} + echo "::endgroup::" + + echo "::group::Build Image" + Write-Host @" + docker build --label org.opencontainers.image.revision=$Env:LABEL_REVISION + --label org.opencontainers.image.created=$Env:LABEL_CREATED + --build-arg=BUILD_BASE_IMAGE=$base_build_image + --file=$dockerfile + $tags + $context + "@ + + docker build --label org.opencontainers.image.revision=$Env:LABEL_REVISION ` + --label org.opencontainers.image.created=$Env:LABEL_CREATED ` + --build-arg=BUILD_BASE_IMAGE=$base_build_image ` --file=$dockerfile ` - --build-arg=BUILD_BASE_IMAGE=${{ steps.base_build.outputs.base_build_image }} ` $tags ` $context if (-not $?) {throw "Failed"} + echo "::endgroup::" - - name: Push image - if: ${{ env.AUTO_PUSH_IMAGES }} - run: | - $tags_array=$( "${{ steps.meta.outputs.tags }}".Split("`r`n") ) + echo "::group::Publish Image" + if ( $Env:AUTO_PUSH_IMAGES -eq 'true' ) { + Foreach ($tag in $tags_array) { + echo "docker image push $tag" + docker image push $tag + if (-not $?) {throw "Failed"} + } - Foreach ($tag in $tags_array) { - echo "docker image push $tag" - docker image push $tag + $digest=$(docker inspect $tags_array[0] --format "{{ index .RepoDigests 0}}").Split('@')[-1] if (-not $?) {throw "Failed"} + echo "Image digest got from RepoDigests" } + else { + $digest=$(docker inspect $tags_array[0] --format "{{ index .Id}}") + if (-not $?) {throw "Failed"} + echo "Image digest got from Id" + } + echo "::endgroup::" + + echo "::group::Digest" + echo "$digest" + echo "::endgroup::" + echo "digest=$digest" >> $Env:GITHUB_OUTPUT + + - name: Sign the images with GitHub OIDC Token + env: + DIGEST: ${{ steps.docker_build.outputs.digest }} + TAGS: ${{ steps.meta.outputs.tags }} + run: | + $tags_array=$( "$Env:TAGS".Split("`n") ) + $tag_list=@() + + + foreach ($tag in $tags_array) { + $tag_name=$tag.Split(":")[0] + $tag_list+="$tag_name@$Env:DIGEST" + } + echo "::group::Images to sign" + echo "$tag_list" + echo "::endgroup::" + + echo "::group::Signing" + echo "cosign sign --yes $tag_list" + cosign sign --yes $tag_list + echo "::endgroup::" - name: Image digest if: ${{ env.AUTO_PUSH_IMAGES }} + env: + DIGEST: ${{ steps.docker_build.outputs.digest }} + CACHE_FILE_NAME: ${{ env.BASE_BUILD_IMAGE_NAME }}_${{ matrix.os }}_${{ matrix.component }} run: | - $tags_array=$( "${{ steps.meta.outputs.tags }}".Split("`r`n") ) + echo "::group::Image digest" + echo "$Env:DIGEST" + echo "::endgroup::" - $digest=$(docker inspect $tags_array[0] --format "{{ index .RepoDigests 0}}").Split('@')[-1] - if (-not $?) {throw "Failed"} + echo "::group::Cache file name" + echo "$Env:CACHE_FILE_NAME" + echo "::endgroup::" - echo $digest - $digest | Set-Content -Path ${{ env.COMPONENT_BASE_BUILD_NAME }}${{ env.COMPONENT_BASE_BUILD_ARTIFACT_FILE_SUFFIX }} + $Env:DIGEST | Set-Content -Path $Env:CACHE_FILE_NAME - - name: Upload SHA256 tag - if: ${{ env.AUTO_PUSH_IMAGES }} - uses: actions/upload-artifact@v4 + - name: Cache image digest + uses: actions/cache@v4 with: - name: ${{ env.COMPONENT_BASE_BUILD_NAME }}${{ env.COMPONENT_BASE_BUILD_ARTIFACT_FILE_SUFFIX }} - path: ${{ env.COMPONENT_BASE_BUILD_NAME }}${{ env.COMPONENT_BASE_BUILD_ARTIFACT_FILE_SUFFIX }} - if-no-files-found: error - - - name: Logout from DockerHub - run: | - docker logout - if (-not $?) {throw "Failed"} + path: ${{ env.BASE_BUILD_IMAGE_NAME }}_${{ matrix.os }}_${{ matrix.component }} + key: ${{ env.BASE_BUILD_IMAGE_NAME }}-${{ matrix.os }}-${{ github.run_id }} build_images: - timeout-minutes: 70 - needs: [ "build_components", "init_build"] name: Build ${{ matrix.component }} on ${{ matrix.os }} - env: - COMPONENT_BASE_BUILD_ARTIFACT_FILE_SUFFIX: "_${{ matrix.os }}_${{ matrix.component }}" + needs: [ "build_components", "init_build"] + runs-on: ${{ matrix.os }} + timeout-minutes: 70 + permissions: + contents: read + id-token: write strategy: fail-fast: false matrix: os: ${{ fromJson(needs.init_build.outputs.os) }} component: ${{ fromJson(needs.init_build.outputs.components) }} - - runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@v3 + - name: Checkout repository + uses: actions/checkout@v4 + with: + ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }} + fetch-depth: 1 + + - name: Install cosign + uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 + with: + cosign-release: 'v2.2.3' + + - name: Check cosign version + run: cosign version - name: Login to DockerHub - run: | - docker login -u ${{ secrets.DOCKER_USERNAME }} -p ${{ secrets.DOCKER_PASSWORD }} - if (-not $?) {throw "Failed"} + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} - name: Base OS tag id: base_os_tag + env: + MATRIX_OS: ${{ matrix.os }} + MATRIX_FILE: ${{ env.MATRIX_FILE }} run: | - $os_tag=$(Get-Content -Path .\build.json | ConvertFrom-Json).'os-windows'.'${{ matrix.os }}' + $os_tag=$(Get-Content -Path $Env:MATRIX_FILE | ConvertFrom-Json).'os-windows'."$Env:MATRIX_OS" + + echo "::group::Base OS tag" + echo "$os_tag" + echo "::endgroup::" + echo "os_tag=$os_tag" >> $Env:GITHUB_OUTPUT - name: Generate tags id: meta uses: docker/metadata-action@v5 with: - images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGE_PREFIX }}${{ matrix.component }} + images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ matrix.component }} + context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} tags: | - type=semver,pattern={{version}},prefix=${{ steps.base_os_tag.outputs.os_tag }}- - type=semver,pattern={{version}},suffix=-${{ steps.base_os_tag.outputs.os_tag }} - type=ref,event=branch,prefix=${{ steps.base_os_tag.outputs.os_tag }}-,suffix=-latest - type=ref,event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }}-latest - type=raw,enable=${{ ( needs.init_build.outputs.is_default_branch == 'true' ) && ( github.event_name == 'push' ) }},value=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-latest + type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ steps.base_os_tag.outputs.os_tag }}- + type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ steps.base_os_tag.outputs.os_tag }} + type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,prefix=${{ steps.base_os_tag.outputs.os_tag }}-,suffix=-latest + type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }}-latest + type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{ steps.base_os_tag.outputs.os_tag }}-latest + type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ steps.base_os_tag.outputs.os_tag }}- + type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }} flavor: | latest=false - - name: Download SHA256 tag for ${{ env.COMPONENT_BASE_BUILD_NAME }}:${{ matrix.os }} - uses: actions/download-artifact@v4 + - name: Download SHA256 tag of ${{ env.BASE_BUILD_IMAGE_NAME }}:${{ matrix.os }} + uses: actions/cache@v4 with: - name: ${{ env.COMPONENT_BASE_BUILD_NAME }}${{ env.COMPONENT_BASE_BUILD_ARTIFACT_FILE_SUFFIX }} + path: ${{ env.BASE_BUILD_IMAGE_NAME }}_${{ matrix.os }}_${{ matrix.component }} + key: ${{ env.BASE_BUILD_IMAGE_NAME }}-${{ matrix.os }}-${{ github.run_id }} - - name: ${{ env.COMPONENT_BASE_BUILD_NAME }}:${{ matrix.os }} SHA256 tag + - name: Retrieve ${{ env.BASE_BUILD_IMAGE_NAME }}:${{ matrix.os }} SHA256 tag id: base_build + env: + BASE_BUILD_IMAGE_NAME: ${{ env.BASE_BUILD_IMAGE_NAME }} + MATRIX_OS: ${{ matrix.os }} + MATRIX_COMPONENT: ${{ matrix.component }} + DOCKER_REPOSITORY: ${{ env.DOCKER_REPOSITORY }} + IMAGES_PREFIX: ${{ env.IMAGES_PREFIX }} run: | - $base_tag = Get-Content ${{ env.COMPONENT_BASE_BUILD_NAME }}${{ env.COMPONENT_BASE_BUILD_ARTIFACT_FILE_SUFFIX }} -Raw - $build_base_image="${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGE_PREFIX }}${{ env.COMPONENT_BASE_BUILD_NAME }}@" + $base_tag + $base_image_file=$Env:BASE_BUILD_IMAGE_NAME + '_' + $Env:MATRIX_OS + '_' + $Env:MATRIX_COMPONENT + $base_tag = Get-Content $base_image_file -Raw + $build_base_image="$Env:DOCKER_REPOSITORY/$Env:IMAGES_PREFIX$Env:BASE_BUILD_IMAGE_NAME@" + $base_tag - echo "base_tag=$base_tag" >> $Env:GITHUB_OUTPUT - echo "base_build_image=$build_base_image" >> $Env:GITHUB_OUTPUT + echo "::group::Base image Info" + echo "base_tag=$base_tag" + echo "base_build_image=$build_base_image" + echo "::endgroup::" - - name: Build image + echo "base_tag=$base_tag" >> $Env:GITHUB_OUTPUT + echo "base_build_image=$build_base_image" >> $Env:GITHUB_OUTPUT + + - name: Verify ${{ env.BASE_BUILD_IMAGE_NAME }}:${{ matrix.os }} cosign + env: + BASE_IMAGE: ${{ steps.base_build.outputs.base_build_image }} + OIDC_ISSUER: ${{ env.OIDC_ISSUER }} + IDENITY_REGEX: ${{ env.IDENITY_REGEX }} + run: | + cosign verify ` + --certificate-oidc-issuer-regexp "$Env:OIDC_ISSUER" ` + --certificate-identity-regexp "$Env:IDENITY_REGEX" ` + "$Env:BASE_IMAGE" + + - name: Build and push image id: docker_build + env: + DOCKERFILES_DIRECTORY: ${{ env.DOCKERFILES_DIRECTORY }} + BASE_BUILD_IMAGE: ${{ steps.base_build.outputs.base_build_image }} + BASE_BUILD_IMAGE_NAME: ${{ env.BASE_BUILD_IMAGE_NAME }} + MATRIX_COMPONENT: ${{ matrix.component }} + TAGS: ${{ steps.meta.outputs.tags }} + BASE_BUILD_OS_TAG: ${{ steps.base_os_tag.outputs.os_tag }} + LABEL_REVISION: ${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} + LABEL_CREATED: ${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} + PWSH_BASE_IMAGE_NAME: ${{ env.PWSH_BASE_IMAGE_NAME }} + PWSH_BASE_IMAGE_PREFIX: ${{ env.PWSH_BASE_IMAGE_PREFIX }} + AUTO_PUSH_IMAGES: ${{ env.AUTO_PUSH_IMAGES }} run: | - $context='.\Dockerfiles\${{ matrix.component }}\windows\' + echo "::group::Docker version" + docker version + echo "::endgroup::" + echo "::group::Docker info" + docker info + echo "::endgroup::" + + $context="$Env:DOCKERFILES_DIRECTORY\$Env:MATRIX_COMPONENT\windows\" $dockerfile= $context + 'Dockerfile' + $base_build_image= $Env:BASE_BUILD_IMAGE # Can not build on GitHub due existing symlink. Must be removed before build process Remove-Item -ErrorAction Ignore -Force -Path $context\README.md - $tags_array=$( "${{ steps.meta.outputs.tags }}".Split("`r`n") ) - $tags=$($tags_array | Foreach-Object { "--tag=$_" }) + $tags_array=$( "$Env:TAGS".Split("`n") ) + $tags=$( $tags_array | Foreach-Object { "--tag=$_" } ) # PowerShell images based on LTSC 2019 and LTSC 2016 do not have "ltsc" prefix - $os_tag_suffix='${{ steps.base_os_tag.outputs.os_tag }}' + $os_tag_suffix=$Env:BASE_BUILD_OS_TAG $os_tag_suffix=$os_tag_suffix -replace "ltsc2019",'1809' + $base_image=$Env:PWSH_BASE_IMAGE_NAME + ':' + $Env:PWSH_BASE_IMAGE_PREFIX + $os_tag_suffix - echo "docker build --file=$dockerfile $tags $context" - docker build --label org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} ` - --label org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} ` + echo "::group::Image tags" + echo "$Env:TAGS" + echo "::endgroup::" + echo "::group::Pull build base image" + docker pull $base_build_image + if (-not $?) {throw "Failed"} + echo "::endgroup::" + echo "::group::Pull Powershell base image" + docker pull $base_image + if (-not $?) {throw "Failed"} + echo "::endgroup::" + + echo "::group::Build Image" + Write-Host @" + docker build --label org.opencontainers.image.revision=$Env:LABEL_REVISION + --label org.opencontainers.image.created=$Env:LABEL_CREATED + --build-arg=BUILD_BASE_IMAGE=$base_build_image + --build-arg=BASE_IMAGE=$base_image + --file=$dockerfile + $tags + $context + "@ + + docker build --label org.opencontainers.image.revision=$Env:LABEL_REVISION ` + --label org.opencontainers.image.created=$Env:LABEL_CREATED ` + --build-arg=BUILD_BASE_IMAGE=$base_build_image ` + --build-arg=BASE_IMAGE=$base_image ` --file=$dockerfile ` - --build-arg=BUILD_BASE_IMAGE=${{ steps.base_build.outputs.base_build_image }} ` - --build-arg=BASE_IMAGE=mcr.microsoft.com/powershell:lts-nanoserver-$os_tag_suffix ` $tags ` $context if (-not $?) {throw "Failed"} + echo "::endgroup::" - - name: Push image - if: ${{ env.AUTO_PUSH_IMAGES }} - run: | - $tags_array=$( "${{ steps.meta.outputs.tags }}".Split("`r`n") ) + echo "::group::Publish Image" + if ( $Env:AUTO_PUSH_IMAGES -eq 'true' ) { + Foreach ($tag in $tags_array) { + echo "docker image push $tag" + docker image push $tag + if (-not $?) {throw "Failed"} + } - Foreach ($tag in $tags_array) { - echo "docker image push $tag" - docker image push $tag + $digest=$(docker inspect $tags_array[0] --format "{{ index .RepoDigests 0}}").Split('@')[-1] if (-not $?) {throw "Failed"} + echo "Image digest got from RepoDigests" } + else { + $digest=$(docker inspect $tags_array[0] --format "{{ index .Id}}") + if (-not $?) {throw "Failed"} + echo "Image digest got from Id" + } + echo "::endgroup::" + + echo "::group::Digest" + echo "$digest" + echo "::endgroup::" + echo "digest=$digest" >> $Env:GITHUB_OUTPUT + + - name: Sign the images with GitHub OIDC Token + env: + DIGEST: ${{ steps.docker_build.outputs.digest }} + TAGS: ${{ steps.meta.outputs.tags }} + run: | + $tags_array=$( "$Env:TAGS".Split("`n") ) + $tag_list=@() + + + foreach ($tag in $tags_array) { + $tag_name=$tag.Split(":")[0] + $tag_list+="$tag_name@$Env:DIGEST" + } + echo "::group::Images to sign" + echo "$tag_list" + echo "::endgroup::" + + echo "::group::Signing" + echo "cosign sign --yes $tag_list" + cosign sign --yes $tag_list + echo "::endgroup::" - name: Image digest if: ${{ env.AUTO_PUSH_IMAGES }} + env: + DIGEST: ${{ steps.docker_build.outputs.digest }} run: | - $tags_array=$( "${{ steps.meta.outputs.tags }}".Split("`r`n") ) - - $digest=$(docker inspect $tags_array[0] --format "{{ index .RepoDigests 0}}").Split('@')[-1] - if (-not $?) {throw "Failed"} - - echo $digest - - - name: Logout from DockerHub - run: | - docker logout - if (-not $?) {throw "Failed"} + echo "::group::Image digest" + echo "$Env:DIGEST" + echo "::endgroup::"