mirror of
https://github.com/zabbix/zabbix-docker.git
synced 2024-11-25 01:04:01 +01:00
Prepare universal workflow
This commit is contained in:
parent
98261ff720
commit
017a856203
145
.github/workflows/Azure.yml
vendored
145
.github/workflows/Azure.yml
vendored
@ -1,145 +0,0 @@
|
||||
name: Azure
|
||||
|
||||
on:
|
||||
release:
|
||||
types:
|
||||
- published
|
||||
push:
|
||||
branches:
|
||||
- '5.0'
|
||||
- '5.4'
|
||||
- 'trunk'
|
||||
paths-ignore:
|
||||
- '.env*'
|
||||
- 'docker-compose*.yaml'
|
||||
- '*/rhel/*'
|
||||
- "**.md"
|
||||
|
||||
defaults:
|
||||
run:
|
||||
shell: bash
|
||||
|
||||
jobs:
|
||||
build:
|
||||
timeout-minutes: 70
|
||||
strategy:
|
||||
fail-fast: false
|
||||
matrix:
|
||||
build:
|
||||
- agent
|
||||
- agent2
|
||||
- java-gateway
|
||||
- proxy-mysql
|
||||
- proxy-sqlite3
|
||||
- server-mysql
|
||||
- server-pgsql
|
||||
- snmptraps
|
||||
- web-apache-mysql
|
||||
- web-apache-pgsql
|
||||
- web-nginx-mysql
|
||||
- web-nginx-pgsql
|
||||
os:
|
||||
- alpine
|
||||
- ubuntu
|
||||
- ol
|
||||
|
||||
runs-on: ubuntu-20.04
|
||||
steps:
|
||||
-
|
||||
uses: actions/checkout@v2
|
||||
|
||||
-
|
||||
name: Set up QEMU
|
||||
uses: docker/setup-qemu-action@v1
|
||||
-
|
||||
name: Set up Docker Buildx
|
||||
uses: docker/setup-buildx-action@v1
|
||||
-
|
||||
name: Login to Azure Container Registry
|
||||
uses: docker/login-action@v1
|
||||
with:
|
||||
registry: ${{ secrets.azure_registry }}.azurecr.io
|
||||
username: ${{ secrets.AZURE_USERNAME }}
|
||||
password: ${{ secrets.AZURE_PASSWORD }}
|
||||
|
||||
- name: Prepare platform list
|
||||
id: platform
|
||||
run: |
|
||||
DOCKER_PLATFORM="linux/amd64,linux/arm64"
|
||||
echo ::set-output name=list::${DOCKER_PLATFORM}
|
||||
|
||||
- name: Prepare environment (push)
|
||||
if: github.event_name == 'push'
|
||||
id: prepare_push
|
||||
run: |
|
||||
TAGS_ARRAY=()
|
||||
|
||||
IMAGE_NAME="${{ secrets.azure_registry }}.azurecr.io/${{ matrix.os }}/zabbix-${{ matrix.build }}"
|
||||
GIT_BRANCH="${GITHUB_REF##*/}"
|
||||
|
||||
if [ "${GIT_BRANCH}" == "trunk" ]; then
|
||||
TAGS_ARRAY+=("$IMAGE_NAME:trunk")
|
||||
else
|
||||
GIT_BRANCH=`expr "${GIT_BRANCH}" : '\([0-9]*\.[0-9]*\).*'`
|
||||
TAGS_ARRAY+=("$IMAGE_NAME:v${GIT_BRANCH}")
|
||||
fi
|
||||
|
||||
echo "::debug::Branch - ${GIT_BRANCH}"
|
||||
|
||||
TAGS=$(printf -- "%s, " "${TAGS_ARRAY[@]}")
|
||||
|
||||
echo "::debug::Tags - ${TAGS}"
|
||||
|
||||
echo ::set-output name=image_name::${IMAGE_NAME}
|
||||
echo ::set-output name=image_tag_versions::$(printf -- "%s," "${TAGS_ARRAY[@]}")
|
||||
|
||||
- name: Prepare environment (release)
|
||||
if: github.event_name == 'release' && github.event.action == 'published'
|
||||
id: prepare_release
|
||||
run: |
|
||||
TAGS_ARRAY=()
|
||||
|
||||
IMAGE_NAME="${{ secrets.azure_registry }}.azurecr.io/${{ matrix.os }}/zabbix-${{ matrix.build }}"
|
||||
RELEASE_VERSION=${GITHUB_REF##*/}
|
||||
GIT_BRANCH="${GITHUB_REF##*/}"
|
||||
GIT_BRANCH=`expr "${GIT_BRANCH}" : '\([0-9]*\.[0-9]*\).*'`
|
||||
|
||||
echo "::debug::Release version ${RELEASE_VERSION}. Branch ${GIT_BRANCH}"
|
||||
|
||||
TAGS_ARRAY+=("$IMAGE_NAME:v${RELEASE_VERSION}")
|
||||
|
||||
TAGS=$(printf -- "--tag %s " "${TAGS_ARRAY[@]}")
|
||||
|
||||
echo ::set-output name=image_name::${IMAGE_NAME}
|
||||
echo ::set-output name=image_tag_versions::$(printf -- ",%s" "${TAGS_ARRAY[@]}")
|
||||
|
||||
- name: Prepare tags
|
||||
id: prepare_tags
|
||||
run: |
|
||||
if [ ! -z "${{ steps.prepare_push.outputs.image_tag_versions }}" ]; then
|
||||
TAGS="${{ steps.prepare_push.outputs.image_tag_versions }}"
|
||||
IMAGE_NAME="${{ steps.prepare_push.outputs.image_name }}"
|
||||
elif [ ! -z "${{ steps.prepare_release.outputs.image_tag_versions }}" ]; then
|
||||
TAGS="${{ steps.prepare_release.outputs.image_tag_versions }}"
|
||||
IMAGE_NAME="${{ steps.prepare_release.outputs.image_name }}"
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo ::set-output name=image_tag_versions::${TAGS}
|
||||
echo ::set-output name=image_name::${IMAGE_NAME}
|
||||
|
||||
-
|
||||
name: Build and push
|
||||
id: docker_build
|
||||
uses: docker/build-push-action@v2
|
||||
with:
|
||||
context: ./${{ matrix.build }}/${{ matrix.os }}
|
||||
file: ./${{ matrix.build }}/${{ matrix.os }}/Dockerfile
|
||||
platforms: ${{ steps.platform.outputs.list }}
|
||||
push: ${{ secrets.AUTO_PUSH_IMAGES }}
|
||||
tags: ${{ steps.prepare_tags.outputs.image_tag_versions }}
|
||||
|
||||
-
|
||||
name: Image digest
|
||||
run: echo ${{ steps.docker_build.outputs.digest }}
|
701
.github/workflows/images_build.yml
vendored
701
.github/workflows/images_build.yml
vendored
@ -6,9 +6,7 @@ on:
|
||||
- published
|
||||
push:
|
||||
branches:
|
||||
- '5.0'
|
||||
- '6.0'
|
||||
- '6.4'
|
||||
- '[0-9]+.[0-9]+'
|
||||
- 'trunk'
|
||||
paths:
|
||||
- 'Dockerfiles/**'
|
||||
@ -17,72 +15,130 @@ on:
|
||||
- '!Dockerfiles/*/rhel/*'
|
||||
- '!Dockerfiles/*/windows/*'
|
||||
- '.github/workflows/images_build.yml'
|
||||
schedule:
|
||||
- cron: '50 02 * * *'
|
||||
workflow_dispatch:
|
||||
|
||||
defaults:
|
||||
run:
|
||||
shell: bash
|
||||
|
||||
env:
|
||||
DOCKER_REPOSITORY: "zabbix"
|
||||
TRUNK_ONLY_EVENT: ${{ contains(fromJSON('["schedule"]'), github.event_name) }}
|
||||
AUTO_PUSH_IMAGES: ${{ vars.AUTO_PUSH_IMAGES }}
|
||||
|
||||
DOCKER_REPOSITORY: ${{ vars.DOCKER_REPOSITORY }}
|
||||
LATEST_BRANCH: ${{ github.event.repository.default_branch }}
|
||||
TRUNK_GIT_BRANCH: "refs/heads/trunk"
|
||||
IMAGES_PREFIX: "zabbix-"
|
||||
|
||||
BASE_BUILD_NAME: "build-base"
|
||||
|
||||
MATRIX_FILE: "build.json"
|
||||
DOCKERFILES_DIRECTORY: "./Dockerfiles"
|
||||
|
||||
OIDC_ISSUER: "https://token.actions.githubusercontent.com"
|
||||
IDENITY_REGEX: "https://github.com/zabbix/zabbix-docker/.github/"
|
||||
|
||||
jobs:
|
||||
init_build:
|
||||
name: Initialize build
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: read
|
||||
outputs:
|
||||
os: ${{ steps.os.outputs.list }}
|
||||
database: ${{ steps.database.outputs.list }}
|
||||
components: ${{ steps.components.outputs.list }}
|
||||
is_default_branch: ${{ steps.branch_info.outputs.is_default_branch }}
|
||||
current_branch: ${{ steps.branch_info.outputs.current_branch }}
|
||||
sha_short: ${{ steps.branch_info.outputs.sha_short }}
|
||||
steps:
|
||||
- name: Block egress traffic
|
||||
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
|
||||
with:
|
||||
disable-sudo: true
|
||||
egress-policy: block
|
||||
allowed-endpoints: >
|
||||
github.com:443
|
||||
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v4
|
||||
with:
|
||||
ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }}
|
||||
fetch-depth: 1
|
||||
sparse-checkout: ${{ env.MATRIX_FILE }}
|
||||
|
||||
- name: Check build.json file
|
||||
- name: Check ${{ env.MATRIX_FILE }} file
|
||||
id: build_exists
|
||||
env:
|
||||
MATRIX_FILE: ${{ env.MATRIX_FILE }}
|
||||
run: |
|
||||
if [[ ! -f "./build.json" ]]; then
|
||||
echo "::error::File build.json is missing"
|
||||
if [[ ! -f "$MATRIX_FILE" ]]; then
|
||||
echo "::error::File $MATRIX_FILE is missing"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
- name: Prepare Operating System list
|
||||
id: os
|
||||
env:
|
||||
MATRIX_FILE: ${{ env.MATRIX_FILE }}
|
||||
run: |
|
||||
os_list=$(jq -r '.["os-linux"] | keys | [ .[] | tostring ] | @json' "./build.json")
|
||||
os_list=$(jq -r '.["os-linux"] | keys | [ .[] | tostring ] | @json' "$MATRIX_FILE")
|
||||
|
||||
echo "::group::Operating System List"
|
||||
echo "$os_list"
|
||||
echo "::endgroup::"
|
||||
|
||||
echo "list=$os_list" >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Prepare Platform list
|
||||
id: platform_list
|
||||
env:
|
||||
MATRIX_FILE: ${{ env.MATRIX_FILE }}
|
||||
run: |
|
||||
platform_list=$(jq -r '.["os-linux"] | tostring | @json' "./build.json")
|
||||
platform_list=$(jq -r '.["os-linux"] | tostring | @json' "$MATRIX_FILE")
|
||||
|
||||
echo "::group::Platform List"
|
||||
echo "$platform_list"
|
||||
echo "::endgroup::"
|
||||
|
||||
echo "list=$platform_list" >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Prepare Database engine list
|
||||
id: database
|
||||
env:
|
||||
MATRIX_FILE: ${{ env.MATRIX_FILE }}
|
||||
run: |
|
||||
database_list=$(jq -r '[.components | values[] ] | sort | unique | del(.. | select ( . == "" ) ) | [ .[] | tostring ] | @json' "./build.json")
|
||||
database_list=$(jq -r '[.components | values[] ] | sort | unique | del(.. | select ( . == "" ) ) | [ .[] | tostring ] | @json' "$MATRIX_FILE")
|
||||
|
||||
echo "::group::Database List"
|
||||
echo "$database_list"
|
||||
echo "::endgroup::"
|
||||
|
||||
echo "list=$database_list" >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Prepare Zabbix component list
|
||||
id: components
|
||||
env:
|
||||
MATRIX_FILE: ${{ env.MATRIX_FILE }}
|
||||
run: |
|
||||
component_list=$(jq -r '.components | keys | [ .[] | tostring ] | @json' "./build.json")
|
||||
component_list=$(jq -r '.components | keys | [ .[] | tostring ] | @json' "$MATRIX_FILE")
|
||||
|
||||
echo "::group::Zabbix Component List"
|
||||
echo "$component_list"
|
||||
echo "::endgroup::"
|
||||
|
||||
echo "list=$component_list" >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Get branch info
|
||||
id: branch_info
|
||||
env:
|
||||
LATEST_BRANCH: ${{ env.LATEST_BRANCH }}
|
||||
github_ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || github.ref }}
|
||||
run: |
|
||||
github_ref="${{ github.ref }}"
|
||||
result=false
|
||||
sha_short=$(git rev-parse --short HEAD)
|
||||
|
||||
if [[ "$github_ref" == "refs/tags/"* ]]; then
|
||||
github_ref=${github_ref%.*}
|
||||
@ -90,13 +146,22 @@ jobs:
|
||||
|
||||
github_ref=${github_ref##*/}
|
||||
|
||||
if [[ "$github_ref" == "${{ env.LATEST_BRANCH }}" ]]; then
|
||||
if [[ "$github_ref" == "$LATEST_BRANCH" ]]; then
|
||||
result=true
|
||||
fi
|
||||
|
||||
echo "::group::Branch data"
|
||||
echo "is_default_branch - $result"
|
||||
echo "current_branch - $github_ref"
|
||||
echo "sha_short - $sha_short"
|
||||
echo "::endgroup::"
|
||||
|
||||
echo "is_default_branch=$result" >> $GITHUB_OUTPUT
|
||||
echo "current_branch=$github_ref" >> $GITHUB_OUTPUT
|
||||
echo "sha_short=$sha_short" >> $GITHUB_OUTPUT
|
||||
|
||||
build_base:
|
||||
timeout-minutes: 120
|
||||
timeout-minutes: 30
|
||||
name: Build base on ${{ matrix.os }}
|
||||
needs: init_build
|
||||
strategy:
|
||||
@ -105,12 +170,112 @@ jobs:
|
||||
os: ${{ fromJson(needs.init_build.outputs.os) }}
|
||||
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: read
|
||||
id-token: write
|
||||
steps:
|
||||
- name: Block egress traffic
|
||||
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
|
||||
with:
|
||||
disable-sudo: true
|
||||
egress-policy: block
|
||||
allowed-endpoints: >
|
||||
api.github.com:443
|
||||
archive.ubuntu.com:80
|
||||
atl.mirrors.knownhost.com:443
|
||||
atl.mirrors.knownhost.com:80
|
||||
auth.docker.io:443
|
||||
cdn03.quay.io:443
|
||||
centos-stream-distro.1gservers.com:443
|
||||
centos-stream-distro.1gservers.com:80
|
||||
dfw.mirror.rackspace.com:443
|
||||
dfw.mirror.rackspace.com:80
|
||||
dl-cdn.alpinelinux.org:443
|
||||
download.cf.centos.org:443
|
||||
download.cf.centos.org:80
|
||||
epel.mirror.constant.com:443
|
||||
ftp-nyc.osuosl.org:443
|
||||
ftp-nyc.osuosl.org:80
|
||||
ftp-osl.osuosl.org:443
|
||||
ftp-osl.osuosl.org:80
|
||||
ftp.plusline.net:443
|
||||
ftp.plusline.net:80
|
||||
ftpmirror.your.org:80
|
||||
fulcio.sigstore.dev:443
|
||||
github.com:443
|
||||
iad.mirror.rackspace.com:443
|
||||
iad.mirror.rackspace.com:80
|
||||
index.docker.io:443
|
||||
lesnet.mm.fcix.net:443
|
||||
mirror-mci.yuki.net.uk:443
|
||||
mirror-mci.yuki.net.uk:80
|
||||
mirror.arizona.edu:443
|
||||
mirror.arizona.edu:80
|
||||
mirror.dogado.de:443
|
||||
mirror.dogado.de:80
|
||||
mirror.facebook.net:443
|
||||
mirror.facebook.net:80
|
||||
mirror.fcix.net:443
|
||||
mirror.hoobly.com:443
|
||||
mirror.math.princeton.edu:443
|
||||
mirror.netzwerge.de:443
|
||||
mirror.pilotfiber.com:443
|
||||
mirror.pilotfiber.com:80
|
||||
mirror.rackspace.com:443
|
||||
mirror.rackspace.com:80
|
||||
mirror.scaleuptech.com:443
|
||||
mirror.scaleuptech.com:80
|
||||
mirror.servaxnet.com:443
|
||||
mirror.servaxnet.com:80
|
||||
mirror.siena.edu:80
|
||||
mirror.stream.centos.org:443
|
||||
mirror.stream.centos.org:80
|
||||
mirror.team-cymru.com:443
|
||||
mirror.team-cymru.com:80
|
||||
mirror1.hs-esslingen.de:443
|
||||
mirrors.centos.org:443
|
||||
mirrors.fedoraproject.org:443
|
||||
mirrors.fedoraproject.org:80
|
||||
mirrors.iu13.net:80
|
||||
mirrors.mit.edu:443
|
||||
mirrors.ocf.berkeley.edu:443
|
||||
mirrors.ocf.berkeley.edu:80
|
||||
mirrors.sonic.net:443
|
||||
mirrors.wcupa.edu:443
|
||||
mirrors.wcupa.edu:80
|
||||
mirrors.xtom.de:80
|
||||
na.edge.kernel.org:443
|
||||
nocix.mm.fcix.net:443
|
||||
oauth2.sigstore.dev:443
|
||||
objects.githubusercontent.com:443
|
||||
ports.ubuntu.com:80
|
||||
production.cloudflare.docker.com:443
|
||||
quay.io:443
|
||||
registry-1.docker.io:443
|
||||
rekor.sigstore.dev:443
|
||||
repo.ialab.dsu.edu:443
|
||||
repos.eggycrew.com:443
|
||||
repos.eggycrew.com:80
|
||||
security.ubuntu.com:80
|
||||
tuf-repo-cdn.sigstore.dev:443
|
||||
uvermont.mm.fcix.net:443
|
||||
yum.oracle.com:443
|
||||
ziply.mm.fcix.net:443
|
||||
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v4
|
||||
with:
|
||||
ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }}
|
||||
fetch-depth: 1
|
||||
|
||||
- name: Install cosign
|
||||
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
|
||||
with:
|
||||
cosign-release: 'v2.2.3'
|
||||
|
||||
- name: Check cosign version
|
||||
run: cosign version
|
||||
|
||||
- name: Set up QEMU
|
||||
uses: docker/setup-qemu-action@v3
|
||||
with:
|
||||
@ -130,50 +295,91 @@ jobs:
|
||||
|
||||
- name: Prepare Platform list
|
||||
id: platform
|
||||
env:
|
||||
MATRIX_OS: ${{ matrix.os }}
|
||||
MATRIX_FILE: ${{ env.MATRIX_FILE }}
|
||||
run: |
|
||||
platform_list=$(jq -r '.["os-linux"].${{ matrix.os }} | join(",")' "./build.json")
|
||||
platform_list=$(jq -r ".[\"os-linux\"].$MATRIX_OS | join(\",\")" "$MATRIX_FILE")
|
||||
platform_list="${platform_list%,}"
|
||||
|
||||
echo "::group::Platform List"
|
||||
echo "$platform_list"
|
||||
echo "::endgroup::"
|
||||
|
||||
echo "list=$platform_list" >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Generate tags
|
||||
id: meta
|
||||
uses: docker/metadata-action@v5
|
||||
with:
|
||||
images: ${{ env.DOCKER_REPOSITORY }}/zabbix-${{ env.BASE_BUILD_NAME }}
|
||||
images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ env.BASE_BUILD_NAME }}
|
||||
context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }}
|
||||
tags: |
|
||||
type=semver,pattern={{version}},prefix=${{ matrix.os }}-
|
||||
type=semver,pattern={{version}},suffix=-${{ matrix.os }}
|
||||
type=ref,event=branch,prefix=${{ matrix.os }}-,suffix=-latest
|
||||
type=ref,event=branch,suffix=-${{ matrix.os }}-latest
|
||||
type=raw,enable=${{ (needs.init_build.outputs.is_default_branch == 'true') && ( github.event_name == 'push' ) }},value=${{matrix.os}}-latest
|
||||
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}-
|
||||
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ matrix.os }}
|
||||
type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,prefix=${{ matrix.os }}-,suffix=-latest
|
||||
type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,suffix=-${{ matrix.os }}-latest
|
||||
type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{matrix.os}}-latest
|
||||
type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.os }}-
|
||||
type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,suffix=-${{ matrix.os }}
|
||||
flavor: |
|
||||
latest=${{ (matrix.os == 'alpine') && ( github.event_name == 'push' ) && ( needs.init_build.outputs.is_default_branch == 'true' ) }}
|
||||
latest=${{ (needs.init_build.outputs.current_branch != 'trunk') && (matrix.os == 'alpine') && ( needs.init_build.outputs.is_default_branch == 'true' ) }}
|
||||
|
||||
- name: Build ${{ env.BASE_BUILD_NAME }}/${{ matrix.os }} and push
|
||||
- name: Build and publish image
|
||||
id: docker_build
|
||||
uses: docker/build-push-action@v5
|
||||
with:
|
||||
context: ./Dockerfiles/${{ env.BASE_BUILD_NAME }}/${{ matrix.os }}
|
||||
file: ./Dockerfiles/${{ env.BASE_BUILD_NAME }}/${{ matrix.os }}/Dockerfile
|
||||
context: ${{ env.DOCKERFILES_DIRECTORY }}/${{ env.BASE_BUILD_NAME }}/${{ matrix.os }}
|
||||
file: ${{ env.DOCKERFILES_DIRECTORY }}/${{ env.BASE_BUILD_NAME }}/${{ matrix.os }}/Dockerfile
|
||||
platforms: ${{ steps.platform.outputs.list }}
|
||||
push: ${{ secrets.AUTO_PUSH_IMAGES }}
|
||||
push: ${{ env.AUTO_PUSH_IMAGES }}
|
||||
tags: ${{ steps.meta.outputs.tags }}
|
||||
labels: |
|
||||
org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
|
||||
org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
|
||||
cache-from: |
|
||||
type=gha,scope=${{ fromJSON(steps.meta.outputs.json).tags[0] }}
|
||||
type=registry,ref=docker.io/${{ fromJSON(steps.meta.outputs.json).tags[0] }}
|
||||
cache-to: type=gha,mode=max,scope=${{ fromJSON(steps.meta.outputs.json).tags[0] }}
|
||||
|
||||
- name: Sign the images with GitHub OIDC Token
|
||||
env:
|
||||
DIGEST: ${{ steps.docker_build.outputs.digest }}
|
||||
TAGS: ${{ steps.meta.outputs.tags }}
|
||||
run: |
|
||||
images=""
|
||||
for tag in ${TAGS}; do
|
||||
images+="${tag}@${DIGEST} "
|
||||
done
|
||||
|
||||
echo "::group::Images to sign"
|
||||
echo "$images"
|
||||
echo "::endgroup::"
|
||||
|
||||
echo "::group::Signing"
|
||||
echo "cosign sign --yes $images"
|
||||
cosign sign --yes ${images}
|
||||
echo "::endgroup::"
|
||||
|
||||
- name: Image digest
|
||||
env:
|
||||
DIGEST: ${{ steps.docker_build.outputs.digest }}
|
||||
CACHE_FILE_NAME: ${{ env.BASE_BUILD_NAME }}_${{ matrix.os }}
|
||||
run: |
|
||||
echo ${{ steps.docker_build.outputs.digest }}
|
||||
echo "${{ steps.docker_build.outputs.digest }}" > ${{ env.BASE_BUILD_NAME }}_${{ matrix.os }}
|
||||
echo "::group::Image digest"
|
||||
echo "$DIGEST"
|
||||
echo "::endgroup::"
|
||||
echo "::group::Cache file name"
|
||||
echo "$CACHE_FILE_NAME"
|
||||
echo "::endgroup::"
|
||||
|
||||
- name: Upload SHA256 tag
|
||||
uses: actions/upload-artifact@v4
|
||||
echo "$DIGEST" > "$CACHE_FILE_NAME"
|
||||
|
||||
- name: Cache image digest
|
||||
uses: actions/cache@v4
|
||||
with:
|
||||
name: ${{ env.BASE_BUILD_NAME }}_${{ matrix.os }}
|
||||
path: ${{ env.BASE_BUILD_NAME }}_${{ matrix.os }}
|
||||
if-no-files-found: error
|
||||
key: ${{ env.BASE_BUILD_NAME }}-${{ matrix.os }}-${{ github.run_id }}
|
||||
|
||||
build_base_database:
|
||||
timeout-minutes: 180
|
||||
@ -186,9 +392,50 @@ jobs:
|
||||
os: ${{ fromJson(needs.init_build.outputs.os) }}
|
||||
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: read
|
||||
id-token: write
|
||||
steps:
|
||||
- name: Block egress traffic
|
||||
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
|
||||
with:
|
||||
disable-sudo: true
|
||||
egress-policy: block
|
||||
allowed-endpoints: >
|
||||
api.github.com:443
|
||||
auth.docker.io:443
|
||||
git.zabbix.com:443
|
||||
github.com:443
|
||||
go.googlesource.com:443
|
||||
go.mongodb.org:443
|
||||
golang.org:443
|
||||
google.golang.org:443
|
||||
gopkg.in:443
|
||||
index.docker.io:443
|
||||
noto-website.storage.googleapis.com:443
|
||||
production.cloudflare.docker.com:443
|
||||
proxy.golang.org:443
|
||||
registry-1.docker.io:443
|
||||
storage.googleapis.com:443
|
||||
fulcio.sigstore.dev:443
|
||||
oauth2.sigstore.dev:443
|
||||
objects.githubusercontent.com:443
|
||||
tuf-repo-cdn.sigstore.dev:443
|
||||
rekor.sigstore.dev:443
|
||||
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v4
|
||||
with:
|
||||
ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }}
|
||||
fetch-depth: 1
|
||||
|
||||
- name: Install cosign
|
||||
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
|
||||
with:
|
||||
cosign-release: 'v2.2.3'
|
||||
|
||||
- name: Check cosign version
|
||||
run: cosign version
|
||||
|
||||
- name: Set up QEMU
|
||||
uses: docker/setup-qemu-action@v3
|
||||
@ -209,65 +456,135 @@ jobs:
|
||||
|
||||
- name: Prepare Platform list
|
||||
id: platform
|
||||
env:
|
||||
MATRIX_OS: ${{ matrix.os }}
|
||||
MATRIX_FILE: ${{ env.MATRIX_FILE }}
|
||||
run: |
|
||||
platform_list=$(jq -r '.["os-linux"].${{ matrix.os }} | join(",")' "./build.json")
|
||||
platform_list=$(jq -r ".[\"os-linux\"].$MATRIX_OS | join(\",\")" "$MATRIX_FILE")
|
||||
platform_list="${platform_list%,}"
|
||||
|
||||
echo "::group::Platform List"
|
||||
echo "$platform_list"
|
||||
echo "::endgroup::"
|
||||
|
||||
echo "list=$platform_list" >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Generate tags
|
||||
id: meta
|
||||
uses: docker/metadata-action@v5
|
||||
with:
|
||||
images: ${{ env.DOCKER_REPOSITORY }}/zabbix-${{ matrix.build }}
|
||||
images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ matrix.build }}
|
||||
context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }}
|
||||
tags: |
|
||||
type=semver,pattern={{version}},prefix=${{ matrix.os }}-
|
||||
type=semver,pattern={{version}},suffix=-${{ matrix.os }}
|
||||
type=ref,event=branch,prefix=${{ matrix.os }}-,suffix=-latest
|
||||
type=ref,event=branch,suffix=-${{ matrix.os }}-latest
|
||||
type=raw,enable=${{ (needs.init_build.outputs.is_default_branch == 'true') && ( github.event_name == 'push' ) }},value=${{matrix.os}}-latest
|
||||
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}-
|
||||
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ matrix.os }}
|
||||
type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,prefix=${{ matrix.os }}-,suffix=-latest
|
||||
type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,suffix=-${{ matrix.os }}-latest
|
||||
type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{matrix.os}}-latest
|
||||
type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.os }}-
|
||||
type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,suffix=-${{ matrix.os }}
|
||||
flavor: |
|
||||
latest=${{ (matrix.os == 'alpine') && ( github.event_name == 'push' ) && ( needs.init_build.outputs.is_default_branch == 'true' ) }}
|
||||
latest=${{ (needs.init_build.outputs.current_branch != 'trunk') && (matrix.os == 'alpine') && ( needs.init_build.outputs.is_default_branch == 'true' ) }}
|
||||
|
||||
- name: Download SHA256 tag build-base:${{ matrix.os }}
|
||||
uses: actions/download-artifact@v4
|
||||
- name: Download SHA256 tag of ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }}
|
||||
uses: actions/cache@v4
|
||||
with:
|
||||
name: build-base_${{ matrix.os }}
|
||||
path: ${{ env.BASE_BUILD_NAME }}_${{ matrix.os }}
|
||||
key: ${{ env.BASE_BUILD_NAME }}-${{ matrix.os }}-${{ github.run_id }}
|
||||
|
||||
- name: Retrieve build-base:${{ matrix.os }} SHA256 tag
|
||||
- name: Retrieve ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }} SHA256 tag
|
||||
id: base_build
|
||||
env:
|
||||
MATRIX_OS: ${{ matrix.os }}
|
||||
DOCKER_REPOSITORY: ${{ env.DOCKER_REPOSITORY }}
|
||||
BASE_IMAGE: ${{ env.BASE_BUILD_NAME }}
|
||||
IMAGES_PREFIX: ${{ env.IMAGES_PREFIX }}
|
||||
run: |
|
||||
BASE_TAG=$(cat build-base_${{ matrix.os }})
|
||||
BUILD_BASE_IMAGE=${{ env.DOCKER_REPOSITORY }}/zabbix-build-base@${BASE_TAG}
|
||||
BASE_TAG=$(cat "${BASE_IMAGE}_${MATRIX_OS}")
|
||||
BUILD_BASE_IMAGE="${DOCKER_REPOSITORY}/${IMAGES_PREFIX}${BASE_IMAGE}@${BASE_TAG}"
|
||||
|
||||
echo "::group::Base build image information"
|
||||
echo "base_tag=${BASE_TAG}"
|
||||
echo "base_build_image=${BUILD_BASE_IMAGE}"
|
||||
echo "::endgroup::"
|
||||
|
||||
echo "base_tag=${BASE_TAG}" >> $GITHUB_OUTPUT
|
||||
echo "base_build_image=${BUILD_BASE_IMAGE}" >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Verify ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }} cosign
|
||||
env:
|
||||
BASE_IMAGE: ${{ steps.base_build.outputs.base_build_image }}
|
||||
OIDC_ISSUER: ${{ env.OIDC_ISSUER }}
|
||||
IDENITY_REGEX: ${{ env.IDENITY_REGEX }}
|
||||
run: |
|
||||
echo "::group::Image sign data"
|
||||
echo "OIDC issuer=$OIDC_ISSUER"
|
||||
echo "Identity=$IDENITY_REGEX"
|
||||
echo "Image to verify=$BASE_IMAGE"
|
||||
echo "::endgroup::"
|
||||
|
||||
echo "::group::Verify signature"
|
||||
cosign verify \
|
||||
--certificate-oidc-issuer-regexp "$OIDC_ISSUER" \
|
||||
--certificate-identity-regexp "$IDENITY_REGEX" \
|
||||
"$BASE_IMAGE"
|
||||
echo "::endgroup::"
|
||||
|
||||
- name: Build ${{ matrix.build }}/${{ matrix.os }} and push
|
||||
id: docker_build
|
||||
uses: docker/build-push-action@v5
|
||||
with:
|
||||
context: ./Dockerfiles/${{ matrix.build }}/${{ matrix.os }}
|
||||
file: ./Dockerfiles/${{ matrix.build }}/${{ matrix.os }}/Dockerfile
|
||||
context: ${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/${{ matrix.os }}
|
||||
file: ${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/${{ matrix.os }}/Dockerfile
|
||||
platforms: ${{ steps.platform.outputs.list }}
|
||||
push: ${{ secrets.AUTO_PUSH_IMAGES }}
|
||||
push: ${{ env.AUTO_PUSH_IMAGES }}
|
||||
tags: ${{ steps.meta.outputs.tags }}
|
||||
build-args: BUILD_BASE_IMAGE=${{ steps.base_build.outputs.base_build_image }}
|
||||
labels: |
|
||||
org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
|
||||
org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
|
||||
cache-from: |
|
||||
type=gha,scope=${{ steps.base_build.outputs.base_build_image }}
|
||||
type=registry,ref=${{ steps.base_build.outputs.base_build_image }}
|
||||
cache-to: type=gha,mode=max,scope=${{ fromJSON(steps.meta.outputs.json).tags[0] }}
|
||||
|
||||
- name: Sign the images with GitHub OIDC Token
|
||||
env:
|
||||
DIGEST: ${{ steps.docker_build.outputs.digest }}
|
||||
TAGS: ${{ steps.meta.outputs.tags }}
|
||||
run: |
|
||||
images=""
|
||||
for tag in ${TAGS}; do
|
||||
images+="${tag}@${DIGEST} "
|
||||
done
|
||||
|
||||
echo "::group::Images to sign"
|
||||
echo "$images"
|
||||
echo "::endgroup::"
|
||||
|
||||
echo "::group::Signing"
|
||||
echo "cosign sign --yes $images"
|
||||
cosign sign --yes ${images}
|
||||
echo "::endgroup::"
|
||||
|
||||
- name: Image digest
|
||||
env:
|
||||
DIGEST: ${{ steps.docker_build.outputs.digest }}
|
||||
CACHE_FILE_NAME: ${{ matrix.build }}_${{ matrix.os }}
|
||||
run: |
|
||||
echo ${{ steps.docker_build.outputs.digest }}
|
||||
echo "${{ steps.docker_build.outputs.digest }}" > ${{ matrix.build }}_${{ matrix.os }}
|
||||
echo "::group::Image digest"
|
||||
echo "$DIGEST"
|
||||
echo "::endgroup::"
|
||||
echo "::group::Cache file name"
|
||||
echo "$CACHE_FILE_NAME"
|
||||
echo "::endgroup::"
|
||||
echo "$DIGEST" > $CACHE_FILE_NAME
|
||||
|
||||
- name: Upload SHA256 tag
|
||||
uses: actions/upload-artifact@v4
|
||||
- name: Caching SHA256 tag of the image
|
||||
uses: actions/cache@v4
|
||||
with:
|
||||
name: ${{ matrix.build }}_${{ matrix.os }}
|
||||
path: ${{ matrix.build }}_${{ matrix.os }}
|
||||
if-no-files-found: error
|
||||
key: ${{ matrix.build }}-${{ matrix.os }}-${{ github.run_id }}
|
||||
|
||||
build_images:
|
||||
timeout-minutes: 90
|
||||
@ -280,8 +597,141 @@ jobs:
|
||||
os: ${{ fromJson(needs.init_build.outputs.os) }}
|
||||
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: read
|
||||
id-token: write
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- name: Block egress traffic
|
||||
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
|
||||
with:
|
||||
disable-sudo: true
|
||||
egress-policy: block
|
||||
allowed-endpoints: >
|
||||
api.github.com:443
|
||||
auth.docker.io:443
|
||||
dl-cdn.alpinelinux.org:443
|
||||
github.com:443
|
||||
index.docker.io:443
|
||||
production.cloudflare.docker.com:443
|
||||
registry-1.docker.io:443
|
||||
fulcio.sigstore.dev:443
|
||||
objects.githubusercontent.com:443
|
||||
tuf-repo-cdn.sigstore.dev:443
|
||||
rekor.sigstore.dev:443
|
||||
api.github.com:443
|
||||
atl.mirrors.knownhost.com:443
|
||||
atl.mirrors.knownhost.com:80
|
||||
auth.docker.io:443
|
||||
cdn03.quay.io:443
|
||||
centos-stream-distro.1gservers.com:443
|
||||
centos-stream-distro.1gservers.com:80
|
||||
d2lzkl7pfhq30w.cloudfront.net:443
|
||||
epel.mirror.constant.com:80
|
||||
forksystems.mm.fcix.net:80
|
||||
ftp-nyc.osuosl.org:443
|
||||
ftp-nyc.osuosl.org:80
|
||||
ftp-osl.osuosl.org:443
|
||||
ftp-osl.osuosl.org:80
|
||||
ftp.plusline.net:80
|
||||
ftpmirror.your.org:80
|
||||
github.com:443
|
||||
iad.mirror.rackspace.com:443
|
||||
index.docker.io:443
|
||||
ix-denver.mm.fcix.net:443
|
||||
mirror-mci.yuki.net.uk:443
|
||||
mirror.23m.com:80
|
||||
mirror.arizona.edu:80
|
||||
mirror.dal.nexril.net:80
|
||||
mirror.de.leaseweb.net:80
|
||||
mirror.dogado.de:80
|
||||
mirror.facebook.net:80
|
||||
mirror.hoobly.com:80
|
||||
mirror.math.princeton.edu:80
|
||||
mirror.netcologne.de:443
|
||||
mirror.netzwerge.de:443
|
||||
mirror.pilotfiber.com:443
|
||||
mirror.pilotfiber.com:80
|
||||
mirror.rackspace.com:443
|
||||
mirror.rackspace.com:80
|
||||
mirror.scaleuptech.com:443
|
||||
mirror.servaxnet.com:443
|
||||
mirror.servaxnet.com:80
|
||||
mirror.sfo12.us.leaseweb.net:80
|
||||
mirror.siena.edu:80
|
||||
mirror.steadfastnet.com:80
|
||||
mirror.team-cymru.com:443
|
||||
mirror.team-cymru.com:80
|
||||
mirror.umd.edu:443
|
||||
mirror1.hs-esslingen.de:443
|
||||
mirrors.centos.org:443
|
||||
mirrors.fedoraproject.org:443
|
||||
mirrors.iu13.net:443
|
||||
mirrors.iu13.net:80
|
||||
mirrors.ocf.berkeley.edu:443
|
||||
mirrors.sonic.net:80
|
||||
mirrors.syringanetworks.net:80
|
||||
mirrors.vcea.wsu.edu:80
|
||||
mirrors.wcupa.edu:80
|
||||
mirrors.xtom.de:80
|
||||
na.edge.kernel.org:443
|
||||
nnenix.mm.fcix.net:80
|
||||
ohioix.mm.fcix.net:80
|
||||
production.cloudflare.docker.com:443
|
||||
pubmirror1.math.uh.edu:443
|
||||
pubmirror3.math.uh.edu:80
|
||||
quay.io:443
|
||||
registry-1.docker.io:443
|
||||
repo.ialab.dsu.edu:80
|
||||
repos.eggycrew.com:80
|
||||
uvermont.mm.fcix.net:80
|
||||
ziply.mm.fcix.net:443
|
||||
fulcio.sigstore.dev:443
|
||||
objects.githubusercontent.com:443
|
||||
tuf-repo-cdn.sigstore.dev:443
|
||||
rekor.sigstore.dev:443
|
||||
oauth2.sigstore.dev:443
|
||||
api.github.com:443
|
||||
auth.docker.io:443
|
||||
github.com:443
|
||||
index.docker.io:443
|
||||
production.cloudflare.docker.com:443
|
||||
registry-1.docker.io:443
|
||||
yum.oracle.com:443
|
||||
fulcio.sigstore.dev:443
|
||||
objects.githubusercontent.com:443
|
||||
tuf-repo-cdn.sigstore.dev:443
|
||||
rekor.sigstore.dev:443
|
||||
api.github.com:443
|
||||
archive.ubuntu.com:80
|
||||
auth.docker.io:443
|
||||
deb.debian.org:80
|
||||
github.com:443
|
||||
index.docker.io:443
|
||||
keyserver.ubuntu.com:11371
|
||||
nginx.org:443
|
||||
nginx.org:80
|
||||
ports.ubuntu.com:80
|
||||
production.cloudflare.docker.com:443
|
||||
registry-1.docker.io:443
|
||||
security.ubuntu.com:80
|
||||
fulcio.sigstore.dev:443
|
||||
objects.githubusercontent.com:443
|
||||
tuf-repo-cdn.sigstore.dev:443
|
||||
rekor.sigstore.dev:443
|
||||
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v4
|
||||
with:
|
||||
ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }}
|
||||
fetch-depth: 1
|
||||
|
||||
- name: Install cosign
|
||||
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
|
||||
with:
|
||||
cosign-release: 'v2.2.3'
|
||||
|
||||
- name: Check cosign version
|
||||
run: cosign version
|
||||
|
||||
- name: Set up QEMU
|
||||
uses: docker/setup-qemu-action@v3
|
||||
@ -302,35 +752,45 @@ jobs:
|
||||
|
||||
- name: Prepare Platform list
|
||||
id: platform
|
||||
env:
|
||||
MATRIX_OS: ${{ matrix.os }}
|
||||
MATRIX_BUILD: ${{ matrix.build }}
|
||||
MATRIX_FILE: ${{ env.MATRIX_FILE }}
|
||||
run: |
|
||||
# Chromium on Alpine is available only on linux/amd64, linux/arm64 platforms
|
||||
if ([ "${{ matrix.os }}" == "alpine" ] || [ "${{ matrix.os }}" == "centos" ]) && [ "${{ matrix.build }}" == "web-service" ]; then
|
||||
if ([ "$MATRIX_OS" == "alpine" ] || [ "$MATRIX_OS" == "centos" ]) && [ "$MATRIX_BUILD" == "web-service" ]; then
|
||||
platform_list="linux/amd64,linux/arm64"
|
||||
# Chromium on Ubuntu is not available on s390x platform
|
||||
elif [ "${{ matrix.os }}" == "ubuntu" ] && [ "${{ matrix.build }}" == "web-service" ]; then
|
||||
elif [ "$MATRIX_OS" == "ubuntu" ] && [ "$MATRIX_BUILD" == "web-service" ]; then
|
||||
platform_list="linux/amd64,linux/arm/v7,linux/arm64"
|
||||
else
|
||||
platform_list=$(jq -r '.["os-linux"].${{ matrix.os }} | join(",")' "./build.json")
|
||||
platform_list=$(jq -r ".[\"os-linux\"].\"$MATRIX_OS\" | join(\",\")" "$MATRIX_FILE")
|
||||
fi
|
||||
|
||||
# Build only Agent and Agent2 on 386
|
||||
if [ "${{ matrix.build }}" != "agent"* ]; then
|
||||
if [ "$MATRIX_BUILD" != "agent"* ]; then
|
||||
platform_list="${platform_list#linux/386,}"
|
||||
fi
|
||||
|
||||
# Can not compile Java applications on ppc64le
|
||||
if [ "${{ matrix.build }}" == "java-gateway" ]; then
|
||||
platform_list="${platform_list%linux/ppc64le}"
|
||||
fi
|
||||
|
||||
platform_list="${platform_list%,}"
|
||||
|
||||
echo "::group::Platform List"
|
||||
echo "$platform_list"
|
||||
echo "::endgroup::"
|
||||
|
||||
echo "list=$platform_list" >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Detect Build Base Image
|
||||
id: build_base_image
|
||||
env:
|
||||
MATRIX_BUILD: ${{ matrix.build }}
|
||||
MATRIX_FILE: ${{ env.MATRIX_FILE }}
|
||||
run: |
|
||||
BUILD_BASE=$(jq -r '.components."${{ matrix.build }}"' "./build.json")
|
||||
BUILD_BASE=$(jq -r ".components.\"$MATRIX_BUILD\"" "$MATRIX_FILE")
|
||||
|
||||
echo "::group::Base Build Image"
|
||||
echo "$BUILD_BASE"
|
||||
echo "::endgroup::"
|
||||
|
||||
echo "build_base=${BUILD_BASE}" >> $GITHUB_OUTPUT
|
||||
|
||||
@ -338,45 +798,120 @@ jobs:
|
||||
id: meta
|
||||
uses: docker/metadata-action@v5
|
||||
with:
|
||||
images: ${{ env.DOCKER_REPOSITORY }}/zabbix-${{ matrix.build }}
|
||||
images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX}}${{ matrix.build }}
|
||||
context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }}
|
||||
tags: |
|
||||
type=semver,pattern={{version}},prefix=${{ matrix.os }}-
|
||||
type=semver,pattern={{version}},suffix=-${{ matrix.os }}
|
||||
type=ref,event=branch,prefix=${{ matrix.os }}-,suffix=-latest
|
||||
type=ref,event=branch,suffix=-${{ matrix.os }}-latest
|
||||
type=raw,enable=${{ (needs.init_build.outputs.is_default_branch == 'true') && ( github.event_name == 'push' ) }},value=${{matrix.os}}-latest
|
||||
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}-
|
||||
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ matrix.os }}
|
||||
type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,prefix=${{ matrix.os }}-,suffix=-latest
|
||||
type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,suffix=-${{ matrix.os }}-latest
|
||||
type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{matrix.os}}-latest
|
||||
type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.os }}-
|
||||
type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,suffix=-${{ matrix.os }}
|
||||
flavor: |
|
||||
latest=${{ (matrix.os == 'alpine') && ( github.event_name == 'push' ) && ( needs.init_build.outputs.is_default_branch == 'true' ) }}
|
||||
latest=${{ (needs.init_build.outputs.current_branch != 'trunk') && (matrix.os == 'alpine') && ( needs.init_build.outputs.is_default_branch == 'true' ) }}
|
||||
|
||||
- name: Download SHA256 tag for ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.os }}
|
||||
uses: actions/download-artifact@v4
|
||||
- name: Download SHA256 tag of ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.os }}
|
||||
uses: actions/cache@v4
|
||||
if: ${{ matrix.build != 'snmptraps' }}
|
||||
with:
|
||||
name: ${{ steps.build_base_image.outputs.build_base }}_${{ matrix.os }}
|
||||
path: ${{ steps.build_base_image.outputs.build_base }}_${{ matrix.os }}
|
||||
key: ${{ steps.build_base_image.outputs.build_base }}-${{ matrix.os }}-${{ github.run_id }}
|
||||
|
||||
- name: Retrieve ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.os }} SHA256 tag
|
||||
id: base_build
|
||||
if: ${{ matrix.build != 'snmptraps' }}
|
||||
env:
|
||||
BUILD_BASE: ${{ steps.build_base_image.outputs.build_base }}
|
||||
MATRIX_OS: ${{ matrix.os }}
|
||||
DOCKER_REPOSITORY: ${{ env.DOCKER_REPOSITORY }}
|
||||
IMAGES_PREFIX: ${{ env.IMAGES_PREFIX }}
|
||||
run: |
|
||||
BASE_TAG=$(cat ${{ steps.build_base_image.outputs.build_base }}_${{ matrix.os }})
|
||||
BUILD_BASE_IMAGE=${{ env.DOCKER_REPOSITORY }}/zabbix-${{ steps.build_base_image.outputs.build_base }}@${BASE_TAG}
|
||||
BASE_TAG=$(cat "${BUILD_BASE}_${MATRIX_OS}")
|
||||
BUILD_BASE_IMAGE=${DOCKER_REPOSITORY}/${IMAGES_PREFIX}${BUILD_BASE}@${BASE_TAG}
|
||||
|
||||
echo "::group::Base build image information"
|
||||
echo "base_tag=${BASE_TAG}"
|
||||
echo "base_build_image=${BUILD_BASE_IMAGE}"
|
||||
echo "::endgroup::"
|
||||
|
||||
echo "base_tag=${BASE_TAG}" >> $GITHUB_OUTPUT
|
||||
echo "base_build_image=${BUILD_BASE_IMAGE}" >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Build ${{ matrix.build }}/${{ matrix.os }} and push
|
||||
- name: Verify ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.os }} cosign
|
||||
if: ${{ matrix.build != 'snmptraps' }}
|
||||
env:
|
||||
BASE_IMAGE: ${{ steps.base_build.outputs.base_build_image }}
|
||||
OIDC_ISSUER: ${{ env.OIDC_ISSUER }}
|
||||
IDENITY_REGEX: ${{ env.IDENITY_REGEX }}
|
||||
run: |
|
||||
echo "::group::Image sign data"
|
||||
echo "OIDC issuer=$OIDC_ISSUER"
|
||||
echo "Identity=$IDENITY_REGEX"
|
||||
echo "Image to verify=$BASE_IMAGE"
|
||||
echo "::endgroup::"
|
||||
|
||||
echo "::group::Verify signature"
|
||||
cosign verify \
|
||||
--certificate-oidc-issuer-regexp "$OIDC_ISSUER" \
|
||||
--certificate-identity-regexp "$IDENITY_REGEX" \
|
||||
"$BASE_IMAGE"
|
||||
echo "::endgroup::"
|
||||
|
||||
- name: Prepare cache data
|
||||
id: cache_data
|
||||
env:
|
||||
BASE_IMAGE_TAG: ${{ steps.base_build.outputs.base_build_image }}
|
||||
run: |
|
||||
cache_images=""
|
||||
if [[ ! -z "$BASE_IMAGE_TAG" ]]; then
|
||||
cache_images="type=gha,scope=$BASE_IMAGE_TAG"$'\n'"type=registry,ref=$BASE_IMAGE_TAG"
|
||||
fi
|
||||
|
||||
echo "::group::Base images cache"
|
||||
echo "$cache_images"
|
||||
echo "::endgroup::"
|
||||
|
||||
echo "cache_from=$cache_images" >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Build and push image
|
||||
id: docker_build
|
||||
uses: docker/build-push-action@v5
|
||||
with:
|
||||
context: ./Dockerfiles/${{ matrix.build }}/${{ matrix.os }}
|
||||
file: ./Dockerfiles/${{ matrix.build }}/${{ matrix.os }}/Dockerfile
|
||||
context: ${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/${{ matrix.os }}
|
||||
file: ${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/${{ matrix.os }}/Dockerfile
|
||||
platforms: ${{ steps.platform.outputs.list }}
|
||||
push: ${{ secrets.AUTO_PUSH_IMAGES }}
|
||||
push: ${{ env.AUTO_PUSH_IMAGES }}
|
||||
tags: ${{ steps.meta.outputs.tags }}
|
||||
build-args: BUILD_BASE_IMAGE=${{ steps.base_build.outputs.base_build_image }}
|
||||
labels: |
|
||||
org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
|
||||
org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
|
||||
cache-from: ${{ steps.cache_data.outputs.cache_from }}
|
||||
|
||||
- name: Sign the images with GitHub OIDC Token
|
||||
env:
|
||||
DIGEST: ${{ steps.docker_build.outputs.digest }}
|
||||
TAGS: ${{ steps.meta.outputs.tags }}
|
||||
run: |
|
||||
images=""
|
||||
for tag in ${TAGS}; do
|
||||
images+="${tag}@${DIGEST} "
|
||||
done
|
||||
|
||||
echo "::group::Images to sign"
|
||||
echo "$images"
|
||||
echo "::endgroup::"
|
||||
|
||||
echo "::group::Signing"
|
||||
echo "cosign sign --yes $images"
|
||||
cosign sign --yes ${images}
|
||||
echo "::endgroup::"
|
||||
|
||||
- name: Image digest
|
||||
run: echo ${{ steps.docker_build.outputs.digest }}
|
||||
env:
|
||||
DIGEST: ${{ steps.docker_build.outputs.digest }}
|
||||
run: |
|
||||
echo "::group::Image digest"
|
||||
echo "$DIGEST"
|
||||
echo "::endgroup::"
|
||||
|
337
.github/workflows/images_build_rhel.yml
vendored
337
.github/workflows/images_build_rhel.yml
vendored
@ -4,29 +4,51 @@ on:
|
||||
release:
|
||||
types:
|
||||
- published
|
||||
workflow_dispatch:
|
||||
|
||||
defaults:
|
||||
run:
|
||||
shell: bash
|
||||
|
||||
env:
|
||||
AUTO_PUSH_IMAGES: ${{ contains(fromJSON('["workflow_dispatch"]'), github.event_name) && 'false' || vars.AUTO_PUSH_IMAGES }}
|
||||
|
||||
LATEST_BRANCH: ${{ github.event.repository.default_branch }}
|
||||
TRUNK_GIT_BRANCH: "refs/heads/trunk"
|
||||
IMAGES_PREFIX: "zabbix-"
|
||||
BASE_BUILD_NAME: "build-base"
|
||||
|
||||
DOCKERFILES_DIRECTORY: "Dockerfiles"
|
||||
|
||||
OIDC_ISSUER: "https://token.actions.githubusercontent.com"
|
||||
IDENITY_REGEX: "https://github.com/zabbix/zabbix-docker/.github/"
|
||||
|
||||
REGISTRY: "quay.io"
|
||||
REGISTRY_NAMESPACE: "redhat-isv-containers"
|
||||
PREFLIGHT_IMAGE: "quay.io/opdev/preflight:stable"
|
||||
PFLT_LOGLEVEL: "warn"
|
||||
PFLT_ARTIFACTS: "/tmp/artifacts"
|
||||
|
||||
jobs:
|
||||
init_build:
|
||||
name: Initialize build
|
||||
runs-on: self-hosted
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: read
|
||||
outputs:
|
||||
components: ${{ steps.components.outputs.list }}
|
||||
is_default_branch: ${{ steps.branch_info.outputs.is_default_branch }}
|
||||
current_branch: ${{ steps.branch_info.outputs.current_branch }}
|
||||
sha_short: ${{ steps.branch_info.outputs.sha_short }}
|
||||
steps:
|
||||
- name: Block egress traffic
|
||||
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
|
||||
with:
|
||||
disable-sudo: true
|
||||
egress-policy: block
|
||||
allowed-endpoints: >
|
||||
github.com:443
|
||||
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v4
|
||||
with:
|
||||
@ -34,9 +56,13 @@ jobs:
|
||||
|
||||
- name: Get branch info
|
||||
id: branch_info
|
||||
shell: bash
|
||||
env:
|
||||
LATEST_BRANCH: ${{ env.LATEST_BRANCH }}
|
||||
github_ref: ${{ github.ref }}
|
||||
run: |
|
||||
github_ref="${{ github.ref }}"
|
||||
result=false
|
||||
sha_short=$(git rev-parse --short HEAD)
|
||||
|
||||
if [[ "$github_ref" == "refs/tags/"* ]]; then
|
||||
github_ref=${github_ref%.*}
|
||||
@ -44,116 +70,237 @@ jobs:
|
||||
|
||||
github_ref=${github_ref##*/}
|
||||
|
||||
if [[ "$github_ref" == "${{ env.LATEST_BRANCH }}" ]]; then
|
||||
if [[ "$github_ref" == "$LATEST_BRANCH" ]]; then
|
||||
result=true
|
||||
fi
|
||||
|
||||
echo "::group::Branch data"
|
||||
echo "is_default_branch - $result"
|
||||
echo "current_branch - $github_ref"
|
||||
echo "sha_short - $sha_short"
|
||||
echo "::endgroup::"
|
||||
|
||||
echo "is_default_branch=$result" >> $GITHUB_OUTPUT
|
||||
echo "current_branch=$github_ref" >> $GITHUB_OUTPUT
|
||||
echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
|
||||
echo "sha_short=$sha_short" >> $GITHUB_OUTPUT
|
||||
|
||||
|
||||
- name: Prepare Zabbix component list
|
||||
id: components
|
||||
env:
|
||||
REDHAT_CERTIFY_CREDENTIALS: ${{ secrets.REDHAT_CERTIFY_CREDENTIALS }}
|
||||
CURRENT_BRANCH: ${{ steps.branch_info.outputs.current_branch }}
|
||||
run: |
|
||||
component_list=$(jq --raw-output --argjson data "$REDHAT_CERTIFY_CREDENTIALS" -n '$data."${{ steps.branch_info.outputs.current_branch }}".components | keys | [ .[] | tostring ] | @json')
|
||||
component_list=$(jq --raw-output --argjson data "$REDHAT_CERTIFY_CREDENTIALS" -n "\$data.\"$CURRENT_BRANCH\".components | keys | @json")
|
||||
|
||||
echo "::group::Zabbix Component List"
|
||||
echo "$component_list"
|
||||
echo "::endgroup::"
|
||||
|
||||
echo "list=$component_list" >> $GITHUB_OUTPUT
|
||||
|
||||
build_base:
|
||||
timeout-minutes: 30
|
||||
name: Build ${{ matrix.build }} base on RHEL
|
||||
name: Build ${{ matrix.build }} base (${{ matrix.arch }})
|
||||
needs: ["init_build"]
|
||||
strategy:
|
||||
fail-fast: false
|
||||
matrix:
|
||||
build: ["build-base"]
|
||||
|
||||
runs-on: self-hosted
|
||||
outputs:
|
||||
image: ${{ steps.build_image.outputs.image-with-tag }}
|
||||
build: [build-base]
|
||||
arch: [X64, ARM64]
|
||||
runs-on: [self-hosted, linux, "${{ matrix.arch }}"]
|
||||
permissions:
|
||||
contents: read
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v4
|
||||
with:
|
||||
fetch-depth: 1
|
||||
|
||||
- name: Install cosign
|
||||
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
|
||||
with:
|
||||
cosign-release: 'v2.2.3'
|
||||
|
||||
- name: Check cosign version
|
||||
run: cosign version
|
||||
|
||||
- name: Fix string case
|
||||
id: lc
|
||||
env:
|
||||
ARCH: ${{ matrix.arch }}
|
||||
run: |
|
||||
echo "arch=${ARCH,,}" >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Generate tags
|
||||
id: meta
|
||||
uses: docker/metadata-action@v5
|
||||
with:
|
||||
images: zabbix-${{ matrix.build }}
|
||||
images: ${{ env.IMAGES_PREFIX }}${{ matrix.build }}
|
||||
tags: |
|
||||
type=sha
|
||||
type=sha,suffix=-${{ steps.lc.outputs.arch }}
|
||||
|
||||
- name: Build Zabbix Build Base
|
||||
id: build_image
|
||||
uses: redhat-actions/buildah-build@v2
|
||||
with:
|
||||
context: ./Dockerfiles/${{ matrix.build }}/rhel
|
||||
context: ${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/rhel
|
||||
layers: false
|
||||
tags: ${{ steps.meta.outputs.tags }}
|
||||
containerfiles: |
|
||||
./Dockerfiles/${{ matrix.build }}/rhel/Dockerfile
|
||||
${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/rhel/Dockerfile
|
||||
extra-args: |
|
||||
--pull
|
||||
|
||||
- name: Image digest
|
||||
env:
|
||||
IMAGE_TAG: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
|
||||
CACHE_FILE_NAME: ${{ env.BASE_BUILD_NAME }}_${{ matrix.arch }}
|
||||
run: |
|
||||
DIGEST=$(podman inspect ${IMAGE_TAG} --format "{{ index .RepoDigests 0}}" | cut -d '@' -f2)
|
||||
echo "::group::Image digest"
|
||||
echo "$DIGEST"
|
||||
echo "::endgroup::"
|
||||
echo "::group::Cache file name"
|
||||
echo "$CACHE_FILE_NAME"
|
||||
echo "::endgroup::"
|
||||
|
||||
echo "$DIGEST" > "$CACHE_FILE_NAME"
|
||||
|
||||
- name: Cache image digest
|
||||
uses: actions/cache@v4
|
||||
with:
|
||||
path: ${{ env.BASE_BUILD_NAME }}_${{ matrix.arch }}
|
||||
key: ${{ env.BASE_BUILD_NAME }}-${{ matrix.arch }}-${{ github.run_id }}
|
||||
|
||||
build_base_database:
|
||||
timeout-minutes: 180
|
||||
needs: [ "build_base", "init_build"]
|
||||
name: Build ${{ matrix.build }} base on RHEL
|
||||
name: Build ${{ matrix.build }} base (${{ matrix.arch }})
|
||||
strategy:
|
||||
fail-fast: false
|
||||
matrix:
|
||||
build: ["mysql", "sqlite3"]
|
||||
|
||||
runs-on: self-hosted
|
||||
build: [build-mysql, build-sqlite3]
|
||||
arch: [X64, ARM64]
|
||||
runs-on: [self-hosted, linux, "${{ matrix.arch }}"]
|
||||
permissions:
|
||||
contents: read
|
||||
id-token: write
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v4
|
||||
with:
|
||||
fetch-depth: 1
|
||||
|
||||
- name: Fix string case
|
||||
id: lc
|
||||
env:
|
||||
ARCH: ${{ matrix.arch }}
|
||||
run: |
|
||||
echo "arch=${ARCH,,}" >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Generate tags
|
||||
id: meta
|
||||
uses: docker/metadata-action@v5
|
||||
with:
|
||||
images: zabbix-build-${{ matrix.build }}
|
||||
images: ${{ env.IMAGES_PREFIX }}${{ matrix.build }}
|
||||
tags: |
|
||||
type=sha
|
||||
type=sha,suffix=-${{ steps.lc.outputs.arch }}
|
||||
|
||||
- name: Build ${{ matrix.build }} image
|
||||
- name: Download SHA256 tag of ${{ env.BASE_BUILD_NAME }}:${{ matrix.arch }}
|
||||
uses: actions/cache@v4
|
||||
with:
|
||||
path: ${{ env.BASE_BUILD_NAME }}_${{ matrix.arch }}
|
||||
key: ${{ env.BASE_BUILD_NAME }}-${{ matrix.arch }}-${{ github.run_id }}
|
||||
|
||||
- name: Retrieve ${{ env.BASE_BUILD_NAME }}:${{ matrix.arch }} SHA256 tag
|
||||
id: base_build
|
||||
env:
|
||||
MATRIX_ARCH: ${{ matrix.arch }}
|
||||
BASE_IMAGE: ${{ env.BASE_BUILD_NAME }}
|
||||
IMAGES_PREFIX: ${{ env.IMAGES_PREFIX }}
|
||||
run: |
|
||||
BASE_TAG=$(cat "${BASE_IMAGE}_${MATRIX_ARCH}")
|
||||
BUILD_BASE_IMAGE="${IMAGES_PREFIX}${BASE_IMAGE}@${BASE_TAG}"
|
||||
|
||||
echo "::group::Base build image information"
|
||||
echo "base_tag=${BASE_TAG}"
|
||||
echo "base_build_image=${BUILD_BASE_IMAGE}"
|
||||
echo "::endgroup::"
|
||||
|
||||
echo "base_tag=${BASE_TAG}" >> $GITHUB_OUTPUT
|
||||
echo "base_build_image=${BUILD_BASE_IMAGE}" >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Build Zabbix Build Base
|
||||
id: build_image
|
||||
uses: redhat-actions/buildah-build@v2
|
||||
with:
|
||||
context: ./Dockerfiles/build-${{ matrix.build }}/rhel
|
||||
context: ${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/rhel
|
||||
layers: false
|
||||
tags: ${{ steps.meta.outputs.tags }}
|
||||
containerfiles: |
|
||||
./Dockerfiles/build-${{ matrix.build }}/rhel/Dockerfile
|
||||
build-args: BUILD_BASE_IMAGE=${{ needs.build_base.outputs.image }}
|
||||
${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/rhel/Dockerfile
|
||||
build-args: BUILD_BASE_IMAGE=${{ steps.base_build.outputs.base_build_image }}
|
||||
|
||||
- name: Image digest
|
||||
env:
|
||||
IMAGE_TAG: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
|
||||
CACHE_FILE_NAME: ${{ matrix.build }}_${{ matrix.arch }}
|
||||
run: |
|
||||
DIGEST=$(podman inspect ${IMAGE_TAG} --format "{{ index .RepoDigests 0}}" | cut -d '@' -f2)
|
||||
echo "::group::Image digest"
|
||||
echo "$DIGEST"
|
||||
echo "::endgroup::"
|
||||
echo "::group::Cache file name"
|
||||
echo "$CACHE_FILE_NAME"
|
||||
echo "::endgroup::"
|
||||
|
||||
echo "$DIGEST" > "$CACHE_FILE_NAME"
|
||||
|
||||
- name: Cache image digest
|
||||
uses: actions/cache@v4
|
||||
with:
|
||||
path: ${{ matrix.build }}_${{ matrix.arch }}
|
||||
key: ${{ matrix.build }}-${{ matrix.arch }}-${{ github.run_id }}
|
||||
|
||||
build_images:
|
||||
timeout-minutes: 90
|
||||
needs: [ "build_base_database", "init_build"]
|
||||
name: Build ${{ matrix.build }} image
|
||||
name: Build ${{ matrix.build }} image (${{ matrix.arch }})
|
||||
strategy:
|
||||
fail-fast: false
|
||||
matrix:
|
||||
build: ${{ fromJson(needs.init_build.outputs.components) }}
|
||||
|
||||
runs-on: self-hosted
|
||||
arch: [X64, ARM64]
|
||||
runs-on: [self-hosted, linux, "${{ matrix.arch }}"]
|
||||
permissions:
|
||||
contents: read
|
||||
id-token: write
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v4
|
||||
with:
|
||||
fetch-depth: 1
|
||||
|
||||
- name: Fix string case
|
||||
id: lc
|
||||
env:
|
||||
ARCH: ${{ matrix.arch }}
|
||||
run: |
|
||||
echo "arch=${ARCH,,}" >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Detect Build Base Image
|
||||
id: build_base_image
|
||||
env:
|
||||
REDHAT_CERTIFY_CREDENTIALS: ${{ secrets.REDHAT_CERTIFY_CREDENTIALS }}
|
||||
MATRIX_BUILD: ${{ matrix.build }}
|
||||
CURRENT_BRANCH: ${{ needs.init_build.outputs.current_branch }}
|
||||
run: |
|
||||
BUILD_BASE=$(jq --raw-output --argjson data "$REDHAT_CERTIFY_CREDENTIALS" -n '$data."${{ needs.init_build.outputs.current_branch }}".components."${{ matrix.build }}".build_base')
|
||||
BUILD_BASE=$(jq --raw-output --argjson data "$REDHAT_CERTIFY_CREDENTIALS" -n "\$data.\"$CURRENT_BRANCH\".components.\"$MATRIX_BUILD\".build_base")
|
||||
|
||||
echo "::group::Build base image"
|
||||
echo "build_base=$BUILD_BASE"
|
||||
echo "::endgroup::"
|
||||
|
||||
echo "build_base=$BUILD_BASE" >> $GITHUB_OUTPUT
|
||||
|
||||
@ -161,8 +308,10 @@ jobs:
|
||||
id: image_name
|
||||
env:
|
||||
REDHAT_CERTIFY_CREDENTIALS: ${{ secrets.REDHAT_CERTIFY_CREDENTIALS }}
|
||||
MATRIX_BUILD: ${{ matrix.build }}
|
||||
CURRENT_BRANCH: ${{ needs.init_build.outputs.current_branch }}
|
||||
run: |
|
||||
IMAGE_NAME=$(jq --raw-output --argjson data "$REDHAT_CERTIFY_CREDENTIALS" -n '$data."${{ needs.init_build.outputs.current_branch }}".components."${{ matrix.build }}".login')
|
||||
IMAGE_NAME=$(jq --raw-output --argjson data "$REDHAT_CERTIFY_CREDENTIALS" -n "\$data.\"$CURRENT_BRANCH\".components.\"$MATRIX_BUILD\".login")
|
||||
|
||||
echo "::add-mask::$IMAGE_NAME"
|
||||
echo "image_name=$IMAGE_NAME" >> $GITHUB_OUTPUT
|
||||
@ -171,9 +320,11 @@ jobs:
|
||||
id: login_credentials
|
||||
env:
|
||||
REDHAT_CERTIFY_CREDENTIALS: ${{ secrets.REDHAT_CERTIFY_CREDENTIALS }}
|
||||
MATRIX_BUILD: ${{ matrix.build }}
|
||||
CURRENT_BRANCH: ${{ needs.init_build.outputs.current_branch }}
|
||||
run: |
|
||||
IMAGE_NAME=$(jq --raw-output --argjson data "$REDHAT_CERTIFY_CREDENTIALS" -n '$data."${{ needs.init_build.outputs.current_branch }}".components."${{ matrix.build }}".login')
|
||||
REGISTRY_PASSWORD=$(jq --raw-output --argjson data "$REDHAT_CERTIFY_CREDENTIALS" -n '$data."${{ needs.init_build.outputs.current_branch }}".components."${{ matrix.build }}".secret')
|
||||
IMAGE_NAME=$(jq --raw-output --argjson data "$REDHAT_CERTIFY_CREDENTIALS" -n "\$data.\"$CURRENT_BRANCH\".components.\"$MATRIX_BUILD\".login")
|
||||
REGISTRY_PASSWORD=$(jq --raw-output --argjson data "$REDHAT_CERTIFY_CREDENTIALS" -n "\$data.\"$CURRENT_BRANCH\".components.\"$MATRIX_BUILD\".secret")
|
||||
|
||||
echo "::add-mask::$IMAGE_NAME"
|
||||
echo "::add-mask::redhat-isv-containers+$IMAGE_NAME-robot"
|
||||
@ -184,6 +335,7 @@ jobs:
|
||||
|
||||
- name: Log in to Quay.io
|
||||
uses: redhat-actions/podman-login@v1.6
|
||||
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
|
||||
env:
|
||||
LOGIN: ${{ steps.login_credentials.outputs.username }}
|
||||
PASSWORD: ${{ steps.login_credentials.outputs.password }}
|
||||
@ -191,12 +343,14 @@ jobs:
|
||||
username: redhat-isv-containers+${{ env.LOGIN }}-robot
|
||||
password: ${{ env.PASSWORD }}
|
||||
registry: ${{ env.REGISTRY }}
|
||||
auth_file_path: /tmp/.docker_${{ matrix.build }}_${{ needs.init_build.outputs.sha_short }}
|
||||
auth_file_path: /tmp/.docker_${{ matrix.build }}_${{ matrix.arch }}_${{ needs.init_build.outputs.sha_short }}
|
||||
|
||||
- name: Remove smartmontools
|
||||
if: ${{ matrix.build == 'agent2' }}
|
||||
env:
|
||||
DOCKERFILES_DIRECTORY: ${{ env.DOCKERFILES_DIRECTORY }}
|
||||
run: |
|
||||
sed -i '/smartmontools/d' Dockerfiles/agent2/rhel/Dockerfile
|
||||
sed -i '/smartmontools/d' "$DOCKERFILES_DIRECTORY/agent2/rhel/Dockerfile"
|
||||
|
||||
- name: Generate tags
|
||||
id: meta
|
||||
@ -207,37 +361,71 @@ jobs:
|
||||
type=semver,pattern={{version}}
|
||||
type=sha
|
||||
flavor: |
|
||||
latest=${{ ( github.event_name == 'release' ) }}
|
||||
latest=${{ github.event_name == 'release' }}
|
||||
suffix=${{ matrix.arch == 'ARM64' && '-arm64' || '' }},onlatest=true
|
||||
|
||||
- name: Build ${{ matrix.build }} and push
|
||||
- name: Download SHA256 tag of ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.arch }}
|
||||
uses: actions/cache@v4
|
||||
with:
|
||||
path: ${{ steps.build_base_image.outputs.build_base }}_${{ matrix.arch }}
|
||||
key: ${{ steps.build_base_image.outputs.build_base }}-${{ matrix.arch }}-${{ github.run_id }}
|
||||
|
||||
- name: Retrieve ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.arch }} SHA256 tag
|
||||
id: base_build
|
||||
env:
|
||||
MATRIX_ARCH: ${{ matrix.arch }}
|
||||
BASE_IMAGE: ${{ steps.build_base_image.outputs.build_base }}
|
||||
IMAGES_PREFIX: ${{ env.IMAGES_PREFIX }}
|
||||
run: |
|
||||
BASE_TAG=$(cat "${BASE_IMAGE}_${MATRIX_ARCH}")
|
||||
BUILD_BASE_IMAGE="${IMAGES_PREFIX}${BASE_IMAGE}@${BASE_TAG}"
|
||||
|
||||
echo "::group::Base build image information"
|
||||
echo "base_tag=${BASE_TAG}"
|
||||
echo "base_build_image=${BUILD_BASE_IMAGE}"
|
||||
echo "::endgroup::"
|
||||
|
||||
echo "base_tag=${BASE_TAG}" >> $GITHUB_OUTPUT
|
||||
echo "base_build_image=${BUILD_BASE_IMAGE}" >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Build ${{ matrix.build }}
|
||||
id: build_image
|
||||
uses: redhat-actions/buildah-build@v2
|
||||
with:
|
||||
context: ./Dockerfiles/${{ matrix.build }}/rhel
|
||||
context: ${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/rhel
|
||||
layers: false
|
||||
tags: ${{ steps.meta.outputs.tags }}
|
||||
labels: |
|
||||
org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
|
||||
org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
|
||||
containerfiles: |
|
||||
./Dockerfiles/${{ matrix.build }}/rhel/Dockerfile
|
||||
build-args: BUILD_BASE_IMAGE=zabbix-${{ steps.build_base_image.outputs.build_base }}:sha-${{ needs.init_build.outputs.sha_short }}
|
||||
${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/rhel/Dockerfile
|
||||
build-args: BUILD_BASE_IMAGE=${{ steps.base_build.outputs.base_build_image }}
|
||||
|
||||
- name: Push to RedHat certification procedure
|
||||
id: push_to_registry
|
||||
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
|
||||
uses: redhat-actions/push-to-registry@v2
|
||||
with:
|
||||
tags: ${{ steps.meta.outputs.tags }}
|
||||
|
||||
- name: Preflight
|
||||
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
|
||||
env:
|
||||
PFLT_DOCKERCONFIG: /tmp/.docker_${{ matrix.build }}_${{ needs.init_build.outputs.sha_short }}
|
||||
PFLT_DOCKERCONFIG: /tmp/.docker_${{ matrix.build }}_${{ matrix.arch }}_${{ needs.init_build.outputs.sha_short }}
|
||||
PFLT_CERTIFICATION_PROJECT_ID: ${{ steps.login_credentials.outputs.username }}
|
||||
PFLT_PYXIS_API_TOKEN: ${{ secrets.REDHAT_API_TOKEN }}
|
||||
PFLT_ARTIFACTS: ${{ env.PFLT_ARTIFACTS }}
|
||||
PFLT_LOGLEVEL: ${{ env.PFLT_LOGLEVEL }}
|
||||
IMAGE_TAG: ${{ steps.build_image.outputs.image-with-tag }}
|
||||
PREFLIGHT_IMAGE: ${{ env.PREFLIGHT_IMAGE }}
|
||||
run: |
|
||||
mkdir -p $PFLT_ARTIFACTS
|
||||
echo "::group::Pull preflight image"
|
||||
podman pull "$PREFLIGHT_IMAGE"
|
||||
echo "::endgroup::"
|
||||
|
||||
echo "::group::Perform certification tests"
|
||||
podman run \
|
||||
-it \
|
||||
--rm \
|
||||
@ -250,15 +438,74 @@ jobs:
|
||||
--env PFLT_DOCKERCONFIG=/temp-authfile.json \
|
||||
-v $PFLT_ARTIFACTS:/artifacts \
|
||||
-v $PFLT_DOCKERCONFIG:/temp-authfile.json:ro \
|
||||
quay.io/opdev/preflight:1.5.1 check container ${{ steps.build_image.outputs.image-with-tag }} --submit
|
||||
"$PREFLIGHT_IMAGE" check container $IMAGE_TAG --submit
|
||||
podman rmi -i -f "$PREFLIGHT_IMAGE"
|
||||
echo "::endgroup::"
|
||||
|
||||
- name: Push to RedHat certification procedure
|
||||
id: push_to_registry_all_tags
|
||||
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
|
||||
uses: redhat-actions/push-to-registry@v2
|
||||
with:
|
||||
tags: ${{ steps.meta.outputs.tags }}
|
||||
|
||||
- name: Cleanup
|
||||
- name: Cleanup artifacts
|
||||
if: ${{ always() }}
|
||||
env:
|
||||
PREFLIGHT_IMAGE: ${{ env.PREFLIGHT_IMAGE }}
|
||||
PFLT_ARTIFACTS: ${{ env.PFLT_ARTIFACTS }}
|
||||
TAGS: ${{ steps.meta.outputs.tags }}
|
||||
run: |
|
||||
echo "${{ steps.meta.outputs.tags }}" | while IFS= read -r image_name ; do podman rmi -i -f $image_name; done
|
||||
rm -rf ${{ env.PFLT_ARTIFACTS }}
|
||||
echo "::group::Post build actions"
|
||||
echo "$TAGS" | while IFS= read -r image_name ; do podman rmi -i -f "$image_name"; done
|
||||
rm -rf "$PFLT_ARTIFACTS"
|
||||
podman rmi -i -f "$PREFLIGHT_IMAGE"
|
||||
echo "::endgroup::"
|
||||
|
||||
clean_artifacts:
|
||||
timeout-minutes: 90
|
||||
needs: [ "build_images", "init_build"]
|
||||
name: Build ${{ matrix.build }} image (${{ matrix.arch }})
|
||||
strategy:
|
||||
fail-fast: false
|
||||
matrix:
|
||||
build: [build-mysql, build-sqlite3]
|
||||
arch: [X64, ARM64]
|
||||
runs-on: [self-hosted, linux, "${{ matrix.arch }}"]
|
||||
if: ${{ always() && needs.build_base_database.result == 'success' }}
|
||||
permissions: {}
|
||||
steps:
|
||||
- name: Download SHA256 tag of ${{ matrix.build }}:${{ matrix.arch }}
|
||||
uses: actions/cache@v4
|
||||
with:
|
||||
path: ${{ matrix.build }}_${{ matrix.arch }}
|
||||
key: ${{ matrix.build }}-${{ matrix.arch }}-${{ github.run_id }}
|
||||
|
||||
- name: Remove ${{ matrix.build }}:${{ matrix.arch }} SHA256 tag
|
||||
env:
|
||||
MATRIX_ARCH: ${{ matrix.arch }}
|
||||
BASE_IMAGE: ${{ matrix.build }}
|
||||
IMAGES_PREFIX: ${{ env.IMAGES_PREFIX }}
|
||||
run: |
|
||||
BASE_TAG=$(cat "${BASE_IMAGE}_${MATRIX_ARCH}")
|
||||
BUILD_BASE_IMAGE="${IMAGES_PREFIX}${BASE_IMAGE}@${BASE_TAG}"
|
||||
|
||||
podman rmi -i -f "$BUILD_BASE_IMAGE"
|
||||
|
||||
- name: Download SHA256 tag of ${{ env.BASE_BUILD_NAME }}:${{ matrix.arch }}
|
||||
uses: actions/cache@v4
|
||||
with:
|
||||
path: ${{ env.BASE_BUILD_NAME }}_${{ matrix.arch }}
|
||||
key: ${{ env.BASE_BUILD_NAME }}-${{ matrix.arch }}-${{ github.run_id }}
|
||||
|
||||
|
||||
- name: Remove ${{ env.BASE_BUILD_NAME }}:${{ matrix.arch }} SHA256 tag
|
||||
env:
|
||||
MATRIX_ARCH: ${{ matrix.arch }}
|
||||
BASE_IMAGE: ${{ env.BASE_BUILD_NAME }}
|
||||
IMAGES_PREFIX: ${{ env.IMAGES_PREFIX }}
|
||||
run: |
|
||||
BASE_TAG=$(cat "${BASE_IMAGE}_${MATRIX_ARCH}")
|
||||
BUILD_BASE_IMAGE="${IMAGES_PREFIX}${BASE_IMAGE}@${BASE_TAG}"
|
||||
|
||||
podman rmi -i -f "$BUILD_BASE_IMAGE"
|
||||
|
723
.github/workflows/images_build_windows.yml
vendored
723
.github/workflows/images_build_windows.yml
vendored
@ -6,55 +6,92 @@ on:
|
||||
- published
|
||||
push:
|
||||
branches:
|
||||
- '5.0'
|
||||
- '6.0'
|
||||
- '6.4'
|
||||
- '[0-9]+.[0-9]+'
|
||||
- 'trunk'
|
||||
paths:
|
||||
- 'Dockerfiles/*/windows/*'
|
||||
- '!**/README.md'
|
||||
- '.github/workflows/images_build_windows.yml'
|
||||
schedule:
|
||||
- cron: '05 02 * * *'
|
||||
workflow_dispatch:
|
||||
|
||||
defaults:
|
||||
run:
|
||||
shell: pwsh
|
||||
|
||||
env:
|
||||
DOCKER_REPOSITORY: "zabbix"
|
||||
TRUNK_ONLY_EVENT: ${{ contains(fromJSON('["schedule"]'), github.event_name) }}
|
||||
AUTO_PUSH_IMAGES: ${{ vars.AUTO_PUSH_IMAGES }}
|
||||
|
||||
DOCKER_REPOSITORY: ${{ vars.DOCKER_REPOSITORY }}
|
||||
LATEST_BRANCH: ${{ github.event.repository.default_branch }}
|
||||
IMAGE_PREFIX: "zabbix-"
|
||||
BASE_BUILD_NAME: "build-base"
|
||||
COMPONENT_BASE_BUILD_NAME: "build-mysql"
|
||||
AUTO_PUSH_IMAGES: ${{ secrets.AUTO_PUSH_IMAGES }}
|
||||
TRUNK_GIT_BRANCH: "refs/heads/trunk"
|
||||
IMAGES_PREFIX: "zabbix-"
|
||||
|
||||
MSFT_BASE_BUILD_IMAGE: "mcr.microsoft.com/windows/servercore"
|
||||
PWSH_BASE_IMAGE_NAME: "mcr.microsoft.com/powershell"
|
||||
PWSH_BASE_IMAGE_PREFIX: "lts-nanoserver-"
|
||||
|
||||
BASE_IMAGE_NAME: "build-base"
|
||||
BASE_BUILD_IMAGE_NAME: "build-mysql"
|
||||
|
||||
MATRIX_FILE: "build.json"
|
||||
DOCKERFILES_DIRECTORY: "Dockerfiles"
|
||||
|
||||
OIDC_ISSUER: "https://token.actions.githubusercontent.com"
|
||||
IDENITY_REGEX: "https://github.com/zabbix/zabbix-docker/.github/"
|
||||
|
||||
jobs:
|
||||
init_build:
|
||||
name: Initialize build
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: read
|
||||
outputs:
|
||||
os: ${{ steps.os.outputs.list }}
|
||||
components: ${{ steps.components.outputs.list }}
|
||||
is_default_branch: ${{ steps.branch_info.outputs.is_default_branch }}
|
||||
current_branch: ${{ steps.branch_info.outputs.current_branch }}
|
||||
sha_short: ${{ steps.branch_info.outputs.sha_short }}
|
||||
steps:
|
||||
- name: Block egress traffic
|
||||
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
|
||||
with:
|
||||
disable-sudo: true
|
||||
egress-policy: block
|
||||
allowed-endpoints: >
|
||||
github.com:443
|
||||
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v4
|
||||
with:
|
||||
ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }}
|
||||
fetch-depth: 1
|
||||
sparse-checkout: ${{ env.MATRIX_FILE }}
|
||||
|
||||
- name: Check build.json file
|
||||
- name: Check ${{ env.MATRIX_FILE }} file
|
||||
id: build_exists
|
||||
shell: bash
|
||||
env:
|
||||
MATRIX_FILE: ${{ env.MATRIX_FILE }}
|
||||
run: |
|
||||
if [[ ! -f "./build.json" ]]; then
|
||||
echo "::error::File build.json is missing"
|
||||
if [[ ! -f "$MATRIX_FILE" ]]; then
|
||||
echo "::error::File $MATRIX_FILE is missing"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
- name: Prepare Operating System list
|
||||
id: os
|
||||
shell: bash
|
||||
env:
|
||||
MATRIX_FILE: ${{ env.MATRIX_FILE }}
|
||||
run: |
|
||||
os_list=$(jq -r '.["os-windows"] | keys | [ .[] | tostring ] | @json' "./build.json")
|
||||
os_list=$(jq -r '.["os-windows"] | keys | [ .[] | tostring ] | @json' "$MATRIX_FILE")
|
||||
|
||||
echo "::group::Operating System List"
|
||||
echo "$os_list"
|
||||
echo "::endgroup::"
|
||||
|
||||
echo "list=$os_list" >> $GITHUB_OUTPUT
|
||||
|
||||
@ -64,14 +101,21 @@ jobs:
|
||||
run: |
|
||||
component_list='["agent","agent2"]'
|
||||
|
||||
echo "::group::Zabbix Component List"
|
||||
echo "$component_list"
|
||||
echo "::endgroup::"
|
||||
|
||||
echo "list=$component_list" >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Get branch info
|
||||
id: branch_info
|
||||
shell: bash
|
||||
env:
|
||||
LATEST_BRANCH: ${{ env.LATEST_BRANCH }}
|
||||
github_ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || github.ref }}
|
||||
run: |
|
||||
github_ref="${{ github.ref }}"
|
||||
result=false
|
||||
sha_short=$(git rev-parse --short HEAD)
|
||||
|
||||
if [[ "$github_ref" == "refs/tags/"* ]]; then
|
||||
github_ref=${github_ref%.*}
|
||||
@ -79,324 +123,659 @@ jobs:
|
||||
|
||||
github_ref=${github_ref##*/}
|
||||
|
||||
if [[ "$github_ref" == "${{ env.LATEST_BRANCH }}" ]]; then
|
||||
if [[ "$github_ref" == "$LATEST_BRANCH" ]]; then
|
||||
result=true
|
||||
fi
|
||||
|
||||
echo "::group::Branch data"
|
||||
echo "is_default_branch - $result"
|
||||
echo "current_branch - $github_ref"
|
||||
echo "sha_short - $sha_short"
|
||||
echo "::endgroup::"
|
||||
|
||||
echo "is_default_branch=$result" >> $GITHUB_OUTPUT
|
||||
echo "current_branch=$github_ref" >> $GITHUB_OUTPUT
|
||||
echo "sha_short=$sha_short" >> $GITHUB_OUTPUT
|
||||
|
||||
build_base:
|
||||
timeout-minutes: 70
|
||||
name: Build ${{ matrix.component }} base on ${{ matrix.os }}
|
||||
needs: init_build
|
||||
env:
|
||||
BASE_BUILD_ARTIFACT_FILE_SUFFIX: "_${{ matrix.os }}_${{ matrix.component }}"
|
||||
runs-on: ${{ matrix.os }}
|
||||
timeout-minutes: 70
|
||||
permissions:
|
||||
contents: read
|
||||
id-token: write
|
||||
strategy:
|
||||
fail-fast: false
|
||||
matrix:
|
||||
os: ${{ fromJson(needs.init_build.outputs.os) }}
|
||||
component: ${{ fromJson(needs.init_build.outputs.components) }}
|
||||
|
||||
runs-on: ${{ matrix.os }}
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v4
|
||||
with:
|
||||
ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }}
|
||||
fetch-depth: 1
|
||||
|
||||
- name: Login to DockerHub
|
||||
run: |
|
||||
docker login -u ${{ secrets.DOCKER_USERNAME }} -p ${{ secrets.DOCKER_PASSWORD }}
|
||||
if (-not $?) {throw "Failed"}
|
||||
- name: Install cosign
|
||||
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
|
||||
with:
|
||||
cosign-release: 'v2.2.3'
|
||||
|
||||
- name: Base OS tag
|
||||
- name: Check cosign version
|
||||
run: cosign version
|
||||
|
||||
- name: Login to DockerHub
|
||||
uses: docker/login-action@v3
|
||||
with:
|
||||
username: ${{ secrets.DOCKER_USERNAME }}
|
||||
password: ${{ secrets.DOCKER_PASSWORD }}
|
||||
|
||||
- name: Base Windows OS tag
|
||||
id: base_os_tag
|
||||
env:
|
||||
MATRIX_OS: ${{ matrix.os }}
|
||||
MATRIX_FILE: ${{ env.MATRIX_FILE }}
|
||||
run: |
|
||||
$os_tag=$(Get-Content -Path .\build.json | ConvertFrom-Json).'os-windows'.'${{ matrix.os }}'
|
||||
$os_tag=$(Get-Content -Path $Env:MATRIX_FILE | ConvertFrom-Json).'os-windows'."$Env:MATRIX_OS"
|
||||
|
||||
echo "::group::Base Microsoft Windows OS tag"
|
||||
echo "$os_tag"
|
||||
echo "::endgroup::"
|
||||
|
||||
echo "os_tag=$os_tag" >> $Env:GITHUB_OUTPUT
|
||||
|
||||
- name: Generate tags
|
||||
id: meta
|
||||
uses: docker/metadata-action@v5
|
||||
with:
|
||||
images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGE_PREFIX }}${{ env.BASE_BUILD_NAME }}
|
||||
images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ env.BASE_IMAGE_NAME }}
|
||||
context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }}
|
||||
tags: |
|
||||
type=semver,pattern={{version}},prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-
|
||||
type=semver,pattern={{version}},suffix=-${{ steps.base_os_tag.outputs.os_tag }},prefix=${{ matrix.component }}-
|
||||
type=ref,event=branch,prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-,suffix=-latest
|
||||
type=ref,event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }}-latest,prefix=${{ matrix.component }}-
|
||||
type=raw,enable=${{ ( needs.init_build.outputs.is_default_branch == 'true' ) && ( github.event_name == 'push' ) }},value=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-latest
|
||||
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-
|
||||
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ steps.base_os_tag.outputs.os_tag }},prefix=${{ matrix.component }}-
|
||||
type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-,suffix=-latest
|
||||
type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }}-latest,prefix=${{ matrix.component }}-
|
||||
type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-latest
|
||||
type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-
|
||||
type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }},prefix=${{ matrix.component }}-
|
||||
flavor: |
|
||||
latest=false
|
||||
|
||||
- name: Build image
|
||||
- name: Build and push image
|
||||
id: docker_build
|
||||
env:
|
||||
DOCKERFILES_DIRECTORY: ${{ env.DOCKERFILES_DIRECTORY }}
|
||||
BASE_BUILD_IMAGE: ${{ env.MSFT_BASE_BUILD_IMAGE }}
|
||||
BASE_IMAGE_NAME: ${{ env.BASE_IMAGE_NAME }}
|
||||
MATRIX_COMPONENT: ${{ matrix.component }}
|
||||
TAGS: ${{ steps.meta.outputs.tags }}
|
||||
BASE_OS_TAG: ${{ steps.base_os_tag.outputs.os_tag }}
|
||||
LABEL_REVISION: ${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
|
||||
LABEL_CREATED: ${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
|
||||
AUTO_PUSH_IMAGES: ${{ env.AUTO_PUSH_IMAGES }}
|
||||
run: |
|
||||
$context='.\Dockerfiles\${{ env.BASE_BUILD_NAME }}\windows\'
|
||||
$dockerfile= $context + 'Dockerfile.${{ matrix.component }}'
|
||||
echo "::group::Docker version"
|
||||
docker version
|
||||
echo "::endgroup::"
|
||||
echo "::group::Docker info"
|
||||
docker info
|
||||
echo "::endgroup::"
|
||||
|
||||
$context="$Env:DOCKERFILES_DIRECTORY\$Env:BASE_IMAGE_NAME\windows\"
|
||||
$dockerfile= $context + 'Dockerfile.' + $Env:MATRIX_COMPONENT
|
||||
$base_os_image= $Env:BASE_BUILD_IMAGE + ':' + $Env:BASE_OS_TAG
|
||||
# Can not build on GitHub due existing symlink. Must be removed before build process
|
||||
Remove-Item -ErrorAction Ignore -Force -Path $context\README.md
|
||||
|
||||
$tags_array=$( "${{ steps.meta.outputs.tags }}".Split("`r`n") )
|
||||
$tags_array=$( "$Env:TAGS".Split("`n") )
|
||||
$tags=$( $tags_array | Foreach-Object { "--tag=$_" } )
|
||||
|
||||
echo "docker build --file=$dockerfile $tags $context"
|
||||
docker build --label org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} `
|
||||
--label org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} `
|
||||
--build-arg=BUILD_BASE_IMAGE=mcr.microsoft.com/windows/servercore:${{ steps.base_os_tag.outputs.os_tag }} `
|
||||
echo "::group::Image tags"
|
||||
echo "$Env:TAGS"
|
||||
echo "::endgroup::"
|
||||
echo "::group::Pull base image"
|
||||
docker pull $base_os_image
|
||||
if (-not $?) {throw "Failed"}
|
||||
echo "::endgroup::"
|
||||
|
||||
echo "::group::Build Image"
|
||||
Write-Host @"
|
||||
docker build --label org.opencontainers.image.revision=$Env:LABEL_REVISION
|
||||
--label org.opencontainers.image.created=$Env:LABEL_CREATED
|
||||
--build-arg=BUILD_BASE_IMAGE=$base_os_image
|
||||
--file=$dockerfile
|
||||
$tags
|
||||
$context
|
||||
"@
|
||||
|
||||
docker build --label org.opencontainers.image.revision=$Env:LABEL_REVISION `
|
||||
--label org.opencontainers.image.created=$Env:LABEL_CREATED `
|
||||
--build-arg=BUILD_BASE_IMAGE=$base_os_image `
|
||||
--file=$dockerfile `
|
||||
$tags `
|
||||
$context
|
||||
if (-not $?) {throw "Failed"}
|
||||
echo "::endgroup::"
|
||||
|
||||
- name: Push image
|
||||
if: ${{ env.AUTO_PUSH_IMAGES }}
|
||||
run: |
|
||||
$tags_array=$( "${{ steps.meta.outputs.tags }}".Split("`r`n") )
|
||||
|
||||
echo "::group::Publish Image"
|
||||
if ( $Env:AUTO_PUSH_IMAGES -eq 'true' ) {
|
||||
Foreach ($tag in $tags_array) {
|
||||
echo "docker image push $tag"
|
||||
docker image push $tag
|
||||
if (-not $?) {throw "Failed"}
|
||||
}
|
||||
|
||||
- name: Image digest
|
||||
if: ${{ env.AUTO_PUSH_IMAGES }}
|
||||
run: |
|
||||
$tags_array=$( "${{ steps.meta.outputs.tags }}".Split("`r`n") )
|
||||
|
||||
$digest=$(docker inspect $tags_array[0] --format "{{ index .RepoDigests 0}}").Split('@')[-1]
|
||||
if (-not $?) {throw "Failed"}
|
||||
|
||||
echo $digest
|
||||
$digest | Set-Content -Path ${{ env.BASE_BUILD_NAME }}${{ env.BASE_BUILD_ARTIFACT_FILE_SUFFIX }}
|
||||
|
||||
- name: Upload SHA256 tag
|
||||
if: ${{ env.AUTO_PUSH_IMAGES }}
|
||||
uses: actions/upload-artifact@v4
|
||||
with:
|
||||
name: ${{ env.BASE_BUILD_NAME }}${{ env.BASE_BUILD_ARTIFACT_FILE_SUFFIX }}
|
||||
path: ${{ env.BASE_BUILD_NAME }}${{ env.BASE_BUILD_ARTIFACT_FILE_SUFFIX }}
|
||||
if-no-files-found: error
|
||||
|
||||
- name: Logout from DockerHub
|
||||
run: |
|
||||
docker logout
|
||||
echo "Image digest got from RepoDigests"
|
||||
}
|
||||
else {
|
||||
$digest=$(docker inspect $tags_array[0] --format "{{ index .Id}}")
|
||||
if (-not $?) {throw "Failed"}
|
||||
echo "Image digest got from Id"
|
||||
}
|
||||
echo "::endgroup::"
|
||||
|
||||
echo "::group::Digest"
|
||||
echo "$digest"
|
||||
echo "::endgroup::"
|
||||
echo "digest=$digest" >> $Env:GITHUB_OUTPUT
|
||||
|
||||
- name: Sign the images with GitHub OIDC Token
|
||||
env:
|
||||
DIGEST: ${{ steps.docker_build.outputs.digest }}
|
||||
TAGS: ${{ steps.meta.outputs.tags }}
|
||||
run: |
|
||||
$tags_array=$( "$Env:TAGS".Split("`n") )
|
||||
$tag_list=@()
|
||||
|
||||
|
||||
foreach ($tag in $tags_array) {
|
||||
$tag_name=$tag.Split(":")[0]
|
||||
$tag_list+="$tag_name@$Env:DIGEST"
|
||||
}
|
||||
echo "::group::Images to sign"
|
||||
echo "$tag_list"
|
||||
echo "::endgroup::"
|
||||
|
||||
echo "::group::Signing"
|
||||
echo "cosign sign --yes $tag_list"
|
||||
cosign sign --yes $tag_list
|
||||
echo "::endgroup::"
|
||||
|
||||
- name: Image digest
|
||||
if: ${{ env.AUTO_PUSH_IMAGES }}
|
||||
env:
|
||||
DIGEST: ${{ steps.docker_build.outputs.digest }}
|
||||
CACHE_FILE_NAME: ${{ env.BASE_IMAGE_NAME }}_${{ matrix.os }}_${{ matrix.component }}
|
||||
run: |
|
||||
echo "::group::Image digest"
|
||||
echo "$Env:DIGEST"
|
||||
echo "::endgroup::"
|
||||
|
||||
echo "::group::Cache file name"
|
||||
echo "$Env:CACHE_FILE_NAME"
|
||||
echo "::endgroup::"
|
||||
|
||||
$Env:DIGEST | Set-Content -Path $Env:CACHE_FILE_NAME
|
||||
|
||||
- name: Cache image digest
|
||||
uses: actions/cache@v4
|
||||
with:
|
||||
path: ${{ env.BASE_IMAGE_NAME }}_${{ matrix.os }}_${{ matrix.component }}
|
||||
key: ${{ env.BASE_IMAGE_NAME }}-${{ matrix.os }}-${{ github.run_id }}
|
||||
|
||||
build_components:
|
||||
timeout-minutes: 70
|
||||
needs: [ "build_base", "init_build"]
|
||||
name: Build ${{ matrix.component }} sources on ${{ matrix.os }}
|
||||
env:
|
||||
BASE_BUILD_ARTIFACT_FILE_SUFFIX: "_${{ matrix.os }}_${{ matrix.component }}"
|
||||
COMPONENT_BASE_BUILD_ARTIFACT_FILE_SUFFIX: "_${{ matrix.os }}_${{ matrix.component }}"
|
||||
needs: [ "build_base", "init_build"]
|
||||
runs-on: ${{ matrix.os }}
|
||||
timeout-minutes: 70
|
||||
permissions:
|
||||
contents: read
|
||||
id-token: write
|
||||
strategy:
|
||||
fail-fast: false
|
||||
matrix:
|
||||
os: ${{ fromJson(needs.init_build.outputs.os) }}
|
||||
component: ${{ fromJson(needs.init_build.outputs.components) }}
|
||||
|
||||
runs-on: ${{ matrix.os }}
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v4
|
||||
with:
|
||||
ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }}
|
||||
fetch-depth: 1
|
||||
|
||||
- name: Install cosign
|
||||
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
|
||||
with:
|
||||
cosign-release: 'v2.2.3'
|
||||
|
||||
- name: Check cosign version
|
||||
run: cosign version
|
||||
|
||||
- name: Login to DockerHub
|
||||
run: |
|
||||
docker login -u ${{ secrets.DOCKER_USERNAME }} -p ${{ secrets.DOCKER_PASSWORD }}
|
||||
if (-not $?) {throw "Failed"}
|
||||
uses: docker/login-action@v3
|
||||
with:
|
||||
username: ${{ secrets.DOCKER_USERNAME }}
|
||||
password: ${{ secrets.DOCKER_PASSWORD }}
|
||||
|
||||
- name: Base OS tag
|
||||
id: base_os_tag
|
||||
env:
|
||||
MATRIX_OS: ${{ matrix.os }}
|
||||
MATRIX_FILE: ${{ env.MATRIX_FILE }}
|
||||
run: |
|
||||
$os_tag=$(Get-Content -Path .\build.json | ConvertFrom-Json).'os-windows'.'${{ matrix.os }}'
|
||||
$os_tag=$(Get-Content -Path $Env:MATRIX_FILE | ConvertFrom-Json).'os-windows'."$Env:MATRIX_OS"
|
||||
|
||||
echo "::group::Base Windows OS tag"
|
||||
echo "$os_tag"
|
||||
echo "::endgroup::"
|
||||
|
||||
echo "os_tag=$os_tag" >> $Env:GITHUB_OUTPUT
|
||||
|
||||
- name: Generate tags
|
||||
id: meta
|
||||
uses: docker/metadata-action@v5
|
||||
with:
|
||||
images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGE_PREFIX }}${{ env.COMPONENT_BASE_BUILD_NAME }}
|
||||
images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ env.BASE_BUILD_IMAGE_NAME }}
|
||||
context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }}
|
||||
tags: |
|
||||
type=semver,pattern={{version}},prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-
|
||||
type=semver,pattern={{version}},suffix=-${{ steps.base_os_tag.outputs.os_tag }},prefix=${{ matrix.component }}-
|
||||
type=ref,event=branch,prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-,suffix=-latest
|
||||
type=ref,event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }}-latest,prefix=${{ matrix.component }}-
|
||||
type=raw,enable=${{ ( needs.init_build.outputs.is_default_branch == 'true' ) && ( github.event_name == 'push' ) }},value=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-latest
|
||||
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-
|
||||
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ steps.base_os_tag.outputs.os_tag }},prefix=${{ matrix.component }}-
|
||||
type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-,suffix=-latest
|
||||
type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }}-latest,prefix=${{ matrix.component }}-
|
||||
type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-latest
|
||||
type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-
|
||||
type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }},prefix=${{ matrix.component }}-
|
||||
flavor: |
|
||||
latest=false
|
||||
|
||||
- name: Download SHA256 tag build-base:${{ matrix.os }}
|
||||
uses: actions/download-artifact@v4
|
||||
- name: Download SHA256 tag of ${{ env.BASE_IMAGE_NAME }}:${{ matrix.os }}
|
||||
uses: actions/cache@v4
|
||||
with:
|
||||
name: ${{ env.BASE_BUILD_NAME }}${{ env.BASE_BUILD_ARTIFACT_FILE_SUFFIX }}
|
||||
path: ${{ env.BASE_IMAGE_NAME }}_${{ matrix.os }}_${{ matrix.component }}
|
||||
key: ${{ env.BASE_IMAGE_NAME }}-${{ matrix.os }}-${{ github.run_id }}
|
||||
|
||||
- name: Retrieve ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }} SHA256 tag
|
||||
- name: Retrieve ${{ env.BASE_IMAGE_NAME }}:${{ matrix.os }} SHA256 tag
|
||||
id: base_build
|
||||
env:
|
||||
BASE_IMAGE_NAME: ${{ env.BASE_IMAGE_NAME }}
|
||||
MATRIX_OS: ${{ matrix.os }}
|
||||
MATRIX_COMPONENT: ${{ matrix.component }}
|
||||
DOCKER_REPOSITORY: ${{ env.DOCKER_REPOSITORY }}
|
||||
IMAGES_PREFIX: ${{ env.IMAGES_PREFIX }}
|
||||
run: |
|
||||
$base_tag = Get-Content ${{ env.BASE_BUILD_NAME }}${{ env.BASE_BUILD_ARTIFACT_FILE_SUFFIX }} -Raw
|
||||
$build_base_image="${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGE_PREFIX }}${{ env.BASE_BUILD_NAME }}@" + $base_tag
|
||||
$base_image_file=$Env:BASE_IMAGE_NAME + '_' + $Env:MATRIX_OS + '_' + $Env:MATRIX_COMPONENT
|
||||
$base_tag = Get-Content $base_image_file -Raw
|
||||
$build_base_image="$Env:DOCKER_REPOSITORY/$Env:IMAGES_PREFIX$Env:BASE_IMAGE_NAME@" + $base_tag
|
||||
|
||||
echo "::group::Base image Info"
|
||||
echo "base_tag=$base_tag"
|
||||
echo "base_build_image=$build_base_image"
|
||||
echo "::endgroup::"
|
||||
|
||||
echo "base_tag=$base_tag" >> $Env:GITHUB_OUTPUT
|
||||
echo "base_build_image=$build_base_image" >> $Env:GITHUB_OUTPUT
|
||||
|
||||
- name: Build image
|
||||
id: docker_build
|
||||
- name: Verify ${{ env.BASE_IMAGE_NAME }}:${{ matrix.os }} cosign
|
||||
env:
|
||||
BASE_IMAGE: ${{ steps.base_build.outputs.base_build_image }}
|
||||
OIDC_ISSUER: ${{ env.OIDC_ISSUER }}
|
||||
IDENITY_REGEX: ${{ env.IDENITY_REGEX }}
|
||||
run: |
|
||||
$context='.\Dockerfiles\${{ env.COMPONENT_BASE_BUILD_NAME }}\windows\'
|
||||
$dockerfile= $context + 'Dockerfile.${{ matrix.component }}'
|
||||
cosign verify `
|
||||
--certificate-oidc-issuer-regexp "$Env:OIDC_ISSUER" `
|
||||
--certificate-identity-regexp "$Env:IDENITY_REGEX" `
|
||||
"$Env:BASE_IMAGE"
|
||||
|
||||
- name: Build and push image
|
||||
id: docker_build
|
||||
env:
|
||||
DOCKERFILES_DIRECTORY: ${{ env.DOCKERFILES_DIRECTORY }}
|
||||
BASE_BUILD_IMAGE: ${{ steps.base_build.outputs.base_build_image }}
|
||||
BASE_BUILD_IMAGE_NAME: ${{ env.BASE_BUILD_IMAGE_NAME }}
|
||||
BASE_BUILD_OS_TAG: ${{ steps.base_os_tag.outputs.os_tag }}
|
||||
MATRIX_COMPONENT: ${{ matrix.component }}
|
||||
TAGS: ${{ steps.meta.outputs.tags }}
|
||||
LABEL_REVISION: ${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
|
||||
LABEL_CREATED: ${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
|
||||
AUTO_PUSH_IMAGES: ${{ env.AUTO_PUSH_IMAGES }}
|
||||
run: |
|
||||
echo "::group::Docker version"
|
||||
docker version
|
||||
echo "::endgroup::"
|
||||
echo "::group::Docker info"
|
||||
docker info
|
||||
echo "::endgroup::"
|
||||
|
||||
$context="$Env:DOCKERFILES_DIRECTORY\$Env:BASE_BUILD_IMAGE_NAME\windows\"
|
||||
$dockerfile= $context + 'Dockerfile.' + $Env:MATRIX_COMPONENT
|
||||
$base_build_image= $Env:BASE_BUILD_IMAGE
|
||||
# Can not build on GitHub due existing symlink. Must be removed before build process
|
||||
Remove-Item -ErrorAction Ignore -Force -Path $context\README.md
|
||||
|
||||
$tags_array=$( "${{ steps.meta.outputs.tags }}".Split("`r`n") )
|
||||
$tags=$($tags_array | Foreach-Object { "--tag=$_" })
|
||||
$tags_array=$( "$Env:TAGS".Split("`n") )
|
||||
$tags=$( $tags_array | Foreach-Object { "--tag=$_" } )
|
||||
|
||||
echo "docker build --file=$dockerfile $tags $context"
|
||||
docker build --label org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} `
|
||||
--label org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} `
|
||||
echo "::group::Image tags"
|
||||
echo "$Env:TAGS"
|
||||
echo "::endgroup::"
|
||||
echo "::group::Pull base image"
|
||||
docker pull $base_build_image
|
||||
if (-not $?) {throw "Failed"}
|
||||
echo "::endgroup::"
|
||||
|
||||
echo "::group::Build Image"
|
||||
Write-Host @"
|
||||
docker build --label org.opencontainers.image.revision=$Env:LABEL_REVISION
|
||||
--label org.opencontainers.image.created=$Env:LABEL_CREATED
|
||||
--build-arg=BUILD_BASE_IMAGE=$base_build_image
|
||||
--file=$dockerfile
|
||||
$tags
|
||||
$context
|
||||
"@
|
||||
|
||||
docker build --label org.opencontainers.image.revision=$Env:LABEL_REVISION `
|
||||
--label org.opencontainers.image.created=$Env:LABEL_CREATED `
|
||||
--build-arg=BUILD_BASE_IMAGE=$base_build_image `
|
||||
--file=$dockerfile `
|
||||
--build-arg=BUILD_BASE_IMAGE=${{ steps.base_build.outputs.base_build_image }} `
|
||||
$tags `
|
||||
$context
|
||||
if (-not $?) {throw "Failed"}
|
||||
echo "::endgroup::"
|
||||
|
||||
- name: Push image
|
||||
if: ${{ env.AUTO_PUSH_IMAGES }}
|
||||
run: |
|
||||
$tags_array=$( "${{ steps.meta.outputs.tags }}".Split("`r`n") )
|
||||
|
||||
echo "::group::Publish Image"
|
||||
if ( $Env:AUTO_PUSH_IMAGES -eq 'true' ) {
|
||||
Foreach ($tag in $tags_array) {
|
||||
echo "docker image push $tag"
|
||||
docker image push $tag
|
||||
if (-not $?) {throw "Failed"}
|
||||
}
|
||||
|
||||
- name: Image digest
|
||||
if: ${{ env.AUTO_PUSH_IMAGES }}
|
||||
run: |
|
||||
$tags_array=$( "${{ steps.meta.outputs.tags }}".Split("`r`n") )
|
||||
|
||||
$digest=$(docker inspect $tags_array[0] --format "{{ index .RepoDigests 0}}").Split('@')[-1]
|
||||
if (-not $?) {throw "Failed"}
|
||||
|
||||
echo $digest
|
||||
$digest | Set-Content -Path ${{ env.COMPONENT_BASE_BUILD_NAME }}${{ env.COMPONENT_BASE_BUILD_ARTIFACT_FILE_SUFFIX }}
|
||||
|
||||
- name: Upload SHA256 tag
|
||||
if: ${{ env.AUTO_PUSH_IMAGES }}
|
||||
uses: actions/upload-artifact@v4
|
||||
with:
|
||||
name: ${{ env.COMPONENT_BASE_BUILD_NAME }}${{ env.COMPONENT_BASE_BUILD_ARTIFACT_FILE_SUFFIX }}
|
||||
path: ${{ env.COMPONENT_BASE_BUILD_NAME }}${{ env.COMPONENT_BASE_BUILD_ARTIFACT_FILE_SUFFIX }}
|
||||
if-no-files-found: error
|
||||
|
||||
- name: Logout from DockerHub
|
||||
run: |
|
||||
docker logout
|
||||
echo "Image digest got from RepoDigests"
|
||||
}
|
||||
else {
|
||||
$digest=$(docker inspect $tags_array[0] --format "{{ index .Id}}")
|
||||
if (-not $?) {throw "Failed"}
|
||||
echo "Image digest got from Id"
|
||||
}
|
||||
echo "::endgroup::"
|
||||
|
||||
echo "::group::Digest"
|
||||
echo "$digest"
|
||||
echo "::endgroup::"
|
||||
echo "digest=$digest" >> $Env:GITHUB_OUTPUT
|
||||
|
||||
- name: Sign the images with GitHub OIDC Token
|
||||
env:
|
||||
DIGEST: ${{ steps.docker_build.outputs.digest }}
|
||||
TAGS: ${{ steps.meta.outputs.tags }}
|
||||
run: |
|
||||
$tags_array=$( "$Env:TAGS".Split("`n") )
|
||||
$tag_list=@()
|
||||
|
||||
|
||||
foreach ($tag in $tags_array) {
|
||||
$tag_name=$tag.Split(":")[0]
|
||||
$tag_list+="$tag_name@$Env:DIGEST"
|
||||
}
|
||||
echo "::group::Images to sign"
|
||||
echo "$tag_list"
|
||||
echo "::endgroup::"
|
||||
|
||||
echo "::group::Signing"
|
||||
echo "cosign sign --yes $tag_list"
|
||||
cosign sign --yes $tag_list
|
||||
echo "::endgroup::"
|
||||
|
||||
- name: Image digest
|
||||
if: ${{ env.AUTO_PUSH_IMAGES }}
|
||||
env:
|
||||
DIGEST: ${{ steps.docker_build.outputs.digest }}
|
||||
CACHE_FILE_NAME: ${{ env.BASE_BUILD_IMAGE_NAME }}_${{ matrix.os }}_${{ matrix.component }}
|
||||
run: |
|
||||
echo "::group::Image digest"
|
||||
echo "$Env:DIGEST"
|
||||
echo "::endgroup::"
|
||||
|
||||
echo "::group::Cache file name"
|
||||
echo "$Env:CACHE_FILE_NAME"
|
||||
echo "::endgroup::"
|
||||
|
||||
$Env:DIGEST | Set-Content -Path $Env:CACHE_FILE_NAME
|
||||
|
||||
- name: Cache image digest
|
||||
uses: actions/cache@v4
|
||||
with:
|
||||
path: ${{ env.BASE_BUILD_IMAGE_NAME }}_${{ matrix.os }}_${{ matrix.component }}
|
||||
key: ${{ env.BASE_BUILD_IMAGE_NAME }}-${{ matrix.os }}-${{ github.run_id }}
|
||||
|
||||
build_images:
|
||||
timeout-minutes: 70
|
||||
needs: [ "build_components", "init_build"]
|
||||
name: Build ${{ matrix.component }} on ${{ matrix.os }}
|
||||
env:
|
||||
COMPONENT_BASE_BUILD_ARTIFACT_FILE_SUFFIX: "_${{ matrix.os }}_${{ matrix.component }}"
|
||||
needs: [ "build_components", "init_build"]
|
||||
runs-on: ${{ matrix.os }}
|
||||
timeout-minutes: 70
|
||||
permissions:
|
||||
contents: read
|
||||
id-token: write
|
||||
strategy:
|
||||
fail-fast: false
|
||||
matrix:
|
||||
os: ${{ fromJson(needs.init_build.outputs.os) }}
|
||||
component: ${{ fromJson(needs.init_build.outputs.components) }}
|
||||
|
||||
runs-on: ${{ matrix.os }}
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v4
|
||||
with:
|
||||
ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }}
|
||||
fetch-depth: 1
|
||||
|
||||
- name: Install cosign
|
||||
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
|
||||
with:
|
||||
cosign-release: 'v2.2.3'
|
||||
|
||||
- name: Check cosign version
|
||||
run: cosign version
|
||||
|
||||
- name: Login to DockerHub
|
||||
run: |
|
||||
docker login -u ${{ secrets.DOCKER_USERNAME }} -p ${{ secrets.DOCKER_PASSWORD }}
|
||||
if (-not $?) {throw "Failed"}
|
||||
uses: docker/login-action@v3
|
||||
with:
|
||||
username: ${{ secrets.DOCKER_USERNAME }}
|
||||
password: ${{ secrets.DOCKER_PASSWORD }}
|
||||
|
||||
- name: Base OS tag
|
||||
id: base_os_tag
|
||||
env:
|
||||
MATRIX_OS: ${{ matrix.os }}
|
||||
MATRIX_FILE: ${{ env.MATRIX_FILE }}
|
||||
run: |
|
||||
$os_tag=$(Get-Content -Path .\build.json | ConvertFrom-Json).'os-windows'.'${{ matrix.os }}'
|
||||
$os_tag=$(Get-Content -Path $Env:MATRIX_FILE | ConvertFrom-Json).'os-windows'."$Env:MATRIX_OS"
|
||||
|
||||
echo "::group::Base OS tag"
|
||||
echo "$os_tag"
|
||||
echo "::endgroup::"
|
||||
|
||||
echo "os_tag=$os_tag" >> $Env:GITHUB_OUTPUT
|
||||
|
||||
- name: Generate tags
|
||||
id: meta
|
||||
uses: docker/metadata-action@v5
|
||||
with:
|
||||
images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGE_PREFIX }}${{ matrix.component }}
|
||||
images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ matrix.component }}
|
||||
context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }}
|
||||
tags: |
|
||||
type=semver,pattern={{version}},prefix=${{ steps.base_os_tag.outputs.os_tag }}-
|
||||
type=semver,pattern={{version}},suffix=-${{ steps.base_os_tag.outputs.os_tag }}
|
||||
type=ref,event=branch,prefix=${{ steps.base_os_tag.outputs.os_tag }}-,suffix=-latest
|
||||
type=ref,event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }}-latest
|
||||
type=raw,enable=${{ ( needs.init_build.outputs.is_default_branch == 'true' ) && ( github.event_name == 'push' ) }},value=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-latest
|
||||
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ steps.base_os_tag.outputs.os_tag }}-
|
||||
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ steps.base_os_tag.outputs.os_tag }}
|
||||
type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,prefix=${{ steps.base_os_tag.outputs.os_tag }}-,suffix=-latest
|
||||
type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }}-latest
|
||||
type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{ steps.base_os_tag.outputs.os_tag }}-latest
|
||||
type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ steps.base_os_tag.outputs.os_tag }}-
|
||||
type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }}
|
||||
flavor: |
|
||||
latest=false
|
||||
|
||||
- name: Download SHA256 tag for ${{ env.COMPONENT_BASE_BUILD_NAME }}:${{ matrix.os }}
|
||||
uses: actions/download-artifact@v4
|
||||
- name: Download SHA256 tag of ${{ env.BASE_BUILD_IMAGE_NAME }}:${{ matrix.os }}
|
||||
uses: actions/cache@v4
|
||||
with:
|
||||
name: ${{ env.COMPONENT_BASE_BUILD_NAME }}${{ env.COMPONENT_BASE_BUILD_ARTIFACT_FILE_SUFFIX }}
|
||||
path: ${{ env.BASE_BUILD_IMAGE_NAME }}_${{ matrix.os }}_${{ matrix.component }}
|
||||
key: ${{ env.BASE_BUILD_IMAGE_NAME }}-${{ matrix.os }}-${{ github.run_id }}
|
||||
|
||||
- name: ${{ env.COMPONENT_BASE_BUILD_NAME }}:${{ matrix.os }} SHA256 tag
|
||||
- name: Retrieve ${{ env.BASE_BUILD_IMAGE_NAME }}:${{ matrix.os }} SHA256 tag
|
||||
id: base_build
|
||||
env:
|
||||
BASE_BUILD_IMAGE_NAME: ${{ env.BASE_BUILD_IMAGE_NAME }}
|
||||
MATRIX_OS: ${{ matrix.os }}
|
||||
MATRIX_COMPONENT: ${{ matrix.component }}
|
||||
DOCKER_REPOSITORY: ${{ env.DOCKER_REPOSITORY }}
|
||||
IMAGES_PREFIX: ${{ env.IMAGES_PREFIX }}
|
||||
run: |
|
||||
$base_tag = Get-Content ${{ env.COMPONENT_BASE_BUILD_NAME }}${{ env.COMPONENT_BASE_BUILD_ARTIFACT_FILE_SUFFIX }} -Raw
|
||||
$build_base_image="${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGE_PREFIX }}${{ env.COMPONENT_BASE_BUILD_NAME }}@" + $base_tag
|
||||
$base_image_file=$Env:BASE_BUILD_IMAGE_NAME + '_' + $Env:MATRIX_OS + '_' + $Env:MATRIX_COMPONENT
|
||||
$base_tag = Get-Content $base_image_file -Raw
|
||||
$build_base_image="$Env:DOCKER_REPOSITORY/$Env:IMAGES_PREFIX$Env:BASE_BUILD_IMAGE_NAME@" + $base_tag
|
||||
|
||||
echo "::group::Base image Info"
|
||||
echo "base_tag=$base_tag"
|
||||
echo "base_build_image=$build_base_image"
|
||||
echo "::endgroup::"
|
||||
|
||||
echo "base_tag=$base_tag" >> $Env:GITHUB_OUTPUT
|
||||
echo "base_build_image=$build_base_image" >> $Env:GITHUB_OUTPUT
|
||||
|
||||
- name: Build image
|
||||
id: docker_build
|
||||
- name: Verify ${{ env.BASE_BUILD_IMAGE_NAME }}:${{ matrix.os }} cosign
|
||||
env:
|
||||
BASE_IMAGE: ${{ steps.base_build.outputs.base_build_image }}
|
||||
OIDC_ISSUER: ${{ env.OIDC_ISSUER }}
|
||||
IDENITY_REGEX: ${{ env.IDENITY_REGEX }}
|
||||
run: |
|
||||
$context='.\Dockerfiles\${{ matrix.component }}\windows\'
|
||||
cosign verify `
|
||||
--certificate-oidc-issuer-regexp "$Env:OIDC_ISSUER" `
|
||||
--certificate-identity-regexp "$Env:IDENITY_REGEX" `
|
||||
"$Env:BASE_IMAGE"
|
||||
|
||||
- name: Build and push image
|
||||
id: docker_build
|
||||
env:
|
||||
DOCKERFILES_DIRECTORY: ${{ env.DOCKERFILES_DIRECTORY }}
|
||||
BASE_BUILD_IMAGE: ${{ steps.base_build.outputs.base_build_image }}
|
||||
BASE_BUILD_IMAGE_NAME: ${{ env.BASE_BUILD_IMAGE_NAME }}
|
||||
MATRIX_COMPONENT: ${{ matrix.component }}
|
||||
TAGS: ${{ steps.meta.outputs.tags }}
|
||||
BASE_BUILD_OS_TAG: ${{ steps.base_os_tag.outputs.os_tag }}
|
||||
LABEL_REVISION: ${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
|
||||
LABEL_CREATED: ${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
|
||||
PWSH_BASE_IMAGE_NAME: ${{ env.PWSH_BASE_IMAGE_NAME }}
|
||||
PWSH_BASE_IMAGE_PREFIX: ${{ env.PWSH_BASE_IMAGE_PREFIX }}
|
||||
AUTO_PUSH_IMAGES: ${{ env.AUTO_PUSH_IMAGES }}
|
||||
run: |
|
||||
echo "::group::Docker version"
|
||||
docker version
|
||||
echo "::endgroup::"
|
||||
echo "::group::Docker info"
|
||||
docker info
|
||||
echo "::endgroup::"
|
||||
|
||||
$context="$Env:DOCKERFILES_DIRECTORY\$Env:MATRIX_COMPONENT\windows\"
|
||||
$dockerfile= $context + 'Dockerfile'
|
||||
$base_build_image= $Env:BASE_BUILD_IMAGE
|
||||
# Can not build on GitHub due existing symlink. Must be removed before build process
|
||||
Remove-Item -ErrorAction Ignore -Force -Path $context\README.md
|
||||
|
||||
$tags_array=$( "${{ steps.meta.outputs.tags }}".Split("`r`n") )
|
||||
$tags=$($tags_array | Foreach-Object { "--tag=$_" })
|
||||
$tags_array=$( "$Env:TAGS".Split("`n") )
|
||||
$tags=$( $tags_array | Foreach-Object { "--tag=$_" } )
|
||||
|
||||
# PowerShell images based on LTSC 2019 and LTSC 2016 do not have "ltsc" prefix
|
||||
$os_tag_suffix='${{ steps.base_os_tag.outputs.os_tag }}'
|
||||
$os_tag_suffix=$Env:BASE_BUILD_OS_TAG
|
||||
$os_tag_suffix=$os_tag_suffix -replace "ltsc2019",'1809'
|
||||
$base_image=$Env:PWSH_BASE_IMAGE_NAME + ':' + $Env:PWSH_BASE_IMAGE_PREFIX + $os_tag_suffix
|
||||
|
||||
echo "docker build --file=$dockerfile $tags $context"
|
||||
docker build --label org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} `
|
||||
--label org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} `
|
||||
echo "::group::Image tags"
|
||||
echo "$Env:TAGS"
|
||||
echo "::endgroup::"
|
||||
echo "::group::Pull build base image"
|
||||
docker pull $base_build_image
|
||||
if (-not $?) {throw "Failed"}
|
||||
echo "::endgroup::"
|
||||
echo "::group::Pull Powershell base image"
|
||||
docker pull $base_image
|
||||
if (-not $?) {throw "Failed"}
|
||||
echo "::endgroup::"
|
||||
|
||||
echo "::group::Build Image"
|
||||
Write-Host @"
|
||||
docker build --label org.opencontainers.image.revision=$Env:LABEL_REVISION
|
||||
--label org.opencontainers.image.created=$Env:LABEL_CREATED
|
||||
--build-arg=BUILD_BASE_IMAGE=$base_build_image
|
||||
--build-arg=BASE_IMAGE=$base_image
|
||||
--file=$dockerfile
|
||||
$tags
|
||||
$context
|
||||
"@
|
||||
|
||||
docker build --label org.opencontainers.image.revision=$Env:LABEL_REVISION `
|
||||
--label org.opencontainers.image.created=$Env:LABEL_CREATED `
|
||||
--build-arg=BUILD_BASE_IMAGE=$base_build_image `
|
||||
--build-arg=BASE_IMAGE=$base_image `
|
||||
--file=$dockerfile `
|
||||
--build-arg=BUILD_BASE_IMAGE=${{ steps.base_build.outputs.base_build_image }} `
|
||||
--build-arg=BASE_IMAGE=mcr.microsoft.com/powershell:lts-nanoserver-$os_tag_suffix `
|
||||
$tags `
|
||||
$context
|
||||
if (-not $?) {throw "Failed"}
|
||||
echo "::endgroup::"
|
||||
|
||||
- name: Push image
|
||||
if: ${{ env.AUTO_PUSH_IMAGES }}
|
||||
run: |
|
||||
$tags_array=$( "${{ steps.meta.outputs.tags }}".Split("`r`n") )
|
||||
|
||||
echo "::group::Publish Image"
|
||||
if ( $Env:AUTO_PUSH_IMAGES -eq 'true' ) {
|
||||
Foreach ($tag in $tags_array) {
|
||||
echo "docker image push $tag"
|
||||
docker image push $tag
|
||||
if (-not $?) {throw "Failed"}
|
||||
}
|
||||
|
||||
- name: Image digest
|
||||
if: ${{ env.AUTO_PUSH_IMAGES }}
|
||||
run: |
|
||||
$tags_array=$( "${{ steps.meta.outputs.tags }}".Split("`r`n") )
|
||||
|
||||
$digest=$(docker inspect $tags_array[0] --format "{{ index .RepoDigests 0}}").Split('@')[-1]
|
||||
if (-not $?) {throw "Failed"}
|
||||
|
||||
echo $digest
|
||||
|
||||
- name: Logout from DockerHub
|
||||
run: |
|
||||
docker logout
|
||||
echo "Image digest got from RepoDigests"
|
||||
}
|
||||
else {
|
||||
$digest=$(docker inspect $tags_array[0] --format "{{ index .Id}}")
|
||||
if (-not $?) {throw "Failed"}
|
||||
echo "Image digest got from Id"
|
||||
}
|
||||
echo "::endgroup::"
|
||||
|
||||
echo "::group::Digest"
|
||||
echo "$digest"
|
||||
echo "::endgroup::"
|
||||
echo "digest=$digest" >> $Env:GITHUB_OUTPUT
|
||||
|
||||
- name: Sign the images with GitHub OIDC Token
|
||||
env:
|
||||
DIGEST: ${{ steps.docker_build.outputs.digest }}
|
||||
TAGS: ${{ steps.meta.outputs.tags }}
|
||||
run: |
|
||||
$tags_array=$( "$Env:TAGS".Split("`n") )
|
||||
$tag_list=@()
|
||||
|
||||
|
||||
foreach ($tag in $tags_array) {
|
||||
$tag_name=$tag.Split(":")[0]
|
||||
$tag_list+="$tag_name@$Env:DIGEST"
|
||||
}
|
||||
echo "::group::Images to sign"
|
||||
echo "$tag_list"
|
||||
echo "::endgroup::"
|
||||
|
||||
echo "::group::Signing"
|
||||
echo "cosign sign --yes $tag_list"
|
||||
cosign sign --yes $tag_list
|
||||
echo "::endgroup::"
|
||||
|
||||
- name: Image digest
|
||||
if: ${{ env.AUTO_PUSH_IMAGES }}
|
||||
env:
|
||||
DIGEST: ${{ steps.docker_build.outputs.digest }}
|
||||
run: |
|
||||
echo "::group::Image digest"
|
||||
echo "$Env:DIGEST"
|
||||
echo "::endgroup::"
|
||||
|
Loading…
Reference in New Issue
Block a user