extern/zabbix-docker
1
0
Fork 0
mirror of https://github.com/zabbix/zabbix-docker.git synced 2024-11-22 07:43:47 +01:00
Code Issues Packages Projects Releases Wiki Activity

Updated

Browse Source
This commit is contained in:
Alexey Pustovalov 2024-03-05 13:47:19 +09:00
parent 6f44f78dca
commit 39bff12835
1 changed files with 49 additions and 255 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

304
.github/workflows/images_build_test.yml vendored
View File

@ -1,4 +1,4 @@
name: Build images (DockerHub, rhel)
name: Build images (RedHat registry)
on:
release:
@ -8,7 +8,6 @@ on:
branches:
- '[0-9]+.[0-9]+'
- 'trunk'
- 'trunk_rhel'
paths:
- 'Dockerfiles/*/rhel/*'
- 'build.json'
@ -27,8 +26,7 @@ permissions:
env:
TRUNK_ONLY_EVENT: ${{ contains(fromJSON('["schedule"]'), github.event_name) }}
# AUTO_PUSH_IMAGES: ${{ ! contains(fromJSON('["workflow_dispatch"]'), github.event_name) && vars.AUTO_PUSH_IMAGES }}
AUTO_PUSH_IMAGES: false
AUTO_PUSH_IMAGES: ${{ ! contains(fromJSON('["workflow_dispatch"]'), github.event_name) && vars.AUTO_PUSH_IMAGES }}
DOCKER_REPOSITORY: ${{ vars.DOCKER_REPOSITORY }}
LATEST_BRANCH: ${{ github.event.repository.default_branch }}
@ -177,99 +175,8 @@ jobs:
runs-on: [self-hosted, linux, ubuntu]
permissions:
contents: read
id-token: write
packages: write
steps:
- name: Block egress traffic
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
disable-sudo: true
egress-policy: audit
allowed-endpoints: >
api.github.com:443
archive.ubuntu.com:80
atl.mirrors.knownhost.com:443
atl.mirrors.knownhost.com:80
auth.docker.io:443
cdn03.quay.io:443
centos-stream-distro.1gservers.com:443
centos-stream-distro.1gservers.com:80
dfw.mirror.rackspace.com:443
dfw.mirror.rackspace.com:80
dl-cdn.alpinelinux.org:443
download.cf.centos.org:443
download.cf.centos.org:80
epel.mirror.constant.com:443
ftp-nyc.osuosl.org:443
ftp-nyc.osuosl.org:80
ftp-osl.osuosl.org:443
ftp-osl.osuosl.org:80
ftp.plusline.net:443
ftp.plusline.net:80
ftpmirror.your.org:80
fulcio.sigstore.dev:443
github.com:443
ghcr.io:443
iad.mirror.rackspace.com:443
iad.mirror.rackspace.com:80
index.docker.io:443
lesnet.mm.fcix.net:443
mirror-mci.yuki.net.uk:443
mirror-mci.yuki.net.uk:80
mirror.arizona.edu:443
mirror.arizona.edu:80
mirror.dogado.de:443
mirror.dogado.de:80
mirror.facebook.net:443
mirror.facebook.net:80
mirror.fcix.net:443
mirror.hoobly.com:443
mirror.math.princeton.edu:443
mirror.netzwerge.de:443
mirror.pilotfiber.com:443
mirror.pilotfiber.com:80
mirror.rackspace.com:443
mirror.rackspace.com:80
mirror.scaleuptech.com:443
mirror.scaleuptech.com:80
mirror.servaxnet.com:443
mirror.servaxnet.com:80
mirror.siena.edu:80
mirror.stream.centos.org:443
mirror.stream.centos.org:80
mirror.team-cymru.com:443
mirror.team-cymru.com:80
mirror1.hs-esslingen.de:443
mirrors.centos.org:443
mirrors.fedoraproject.org:443
mirrors.fedoraproject.org:80
mirrors.iu13.net:80
mirrors.mit.edu:443
mirrors.ocf.berkeley.edu:443
mirrors.ocf.berkeley.edu:80
mirrors.sonic.net:443
mirrors.wcupa.edu:443
mirrors.wcupa.edu:80
mirrors.xtom.de:80
na.edge.kernel.org:443
nocix.mm.fcix.net:443
oauth2.sigstore.dev:443
objects.githubusercontent.com:443
ports.ubuntu.com:80
production.cloudflare.docker.com:443
quay.io:443
registry-1.docker.io:443
rekor.sigstore.dev:443
repo.ialab.dsu.edu:443
repos.eggycrew.com:443
repos.eggycrew.com:80
security.ubuntu.com:80
tuf-repo-cdn.sigstore.dev:443
uvermont.mm.fcix.net:443
yum.oracle.com:443
ziply.mm.fcix.net:443
pkg-containers.githubusercontent.com:443
- name: Checkout repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
@ -277,15 +184,22 @@ jobs:
fetch-depth: 1
- name: Install cosign
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
if: ${{ env.AUTO_PUSH_IMAGES == 'true' && matrix.os != 'rhel' }}
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
with:
cosign-release: 'v2.2.3'
- name: Check cosign version
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
if: ${{ env.AUTO_PUSH_IMAGES == 'true' && matrix.os != 'rhel' }}
run: cosign version
- name: Set up QEMU
if: ${{ matrix.os != 'rhel' }}
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
with:
image: tonistiigi/binfmt:latest
platforms: all
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
with:
@ -312,8 +226,8 @@ jobs:
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
with:
images: |
${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }}
${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }}
${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' || matrix.os == 'rhel' }}
${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' && matrix.os != 'rhel' }}
context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }}
tags: |
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}-
@ -359,26 +273,26 @@ jobs:
echo 'EOF' >> "$GITHUB_OUTPUT"
- name: Login to DockerHub
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
if: ${{ env.AUTO_PUSH_IMAGES == 'true' && matrix.os != 'rhel' }}
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Login to ${{ env.DOCKER_REGISTRY_TEST }}
if: ${{ env.AUTO_PUSH_IMAGES != 'true' }}
if: ${{ env.AUTO_PUSH_IMAGES != 'true' || matrix.os == 'rhel' }}
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
registry: ${{ env.DOCKER_REGISTRY_TEST }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Copy RedHat subscription
- name: Prepare RedHat subscription
if: ${{ matrix.os == 'rhel' }}
env:
CONTEXT: ${{ format('{0}/{1}/{2}', env.DOCKERFILES_DIRECTORY, env.BASE_BUILD_NAME, matrix.os) }}
run: |
cp -R /tmp/secrets/ $CONTEXT/
cp -R "/tmp/secrets/" "$CONTEXT/"
- name: Build and publish image
id: docker_build
@ -388,7 +302,7 @@ jobs:
file: ${{ format('{0}/{1}/{2}/Dockerfile', env.DOCKERFILES_DIRECTORY, env.BASE_BUILD_NAME, matrix.os) }}
platforms: ${{ steps.platform.outputs.list }}
push: true
provenance: mode=max
provenance: ${{ env.AUTO_PUSH_IMAGES == 'true' && 'mode=max' || '' }}
sbom: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
tags: ${{ steps.meta.outputs.tags }}
labels: |
@ -398,7 +312,7 @@ jobs:
cache-to: ${{ steps.cache_data.outputs.cache_to }}
- name: Sign the images with GitHub OIDC Token
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
if: ${{ env.AUTO_PUSH_IMAGES == 'true' && matrix.os != 'rhel' }}
env:
DIGEST: ${{ steps.docker_build.outputs.digest }}
TAGS: ${{ steps.meta.outputs.tags }}
@ -491,13 +405,13 @@ jobs:
fetch-depth: 1
- name: Install cosign
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
if: ${{ env.AUTO_PUSH_IMAGES == 'true' && matrix.os != 'rhel' }}
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
with:
cosign-release: 'v2.2.3'
- name: Check cosign version
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
if: ${{ env.AUTO_PUSH_IMAGES == 'true' && matrix.os != 'rhel' }}
run: cosign version
- name: Set up QEMU
@ -531,15 +445,15 @@ jobs:
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
with:
images: |
${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }}
${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }}
${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' || matrix.os == 'rhel' }}
${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' && matrix.os != 'rhel' }}
context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }}
tags: |
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}-
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ matrix.os }}
type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' && (!contains(fromJSON('["workflow_dispatch"]'), github.event_name)) }},event=branch,prefix=${{ matrix.os }}-,suffix=-latest
type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' && (!contains(fromJSON('["workflow_dispatch"]'), github.event_name)) }},event=branch,suffix=-${{ matrix.os }}-latest
type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{matrix.os}}-latest
type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') && matrix.os != 'rhel' }},value=${{matrix.os}}-latest
type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.os }}-
type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' || contains(fromJSON('["workflow_dispatch"]'), github.event_name) }},event=branch,suffix=-${{ matrix.os }}
flavor: |
@ -566,7 +480,7 @@ jobs:
echo "base_build_image=${IMAGE_NAME}@${IMAGE_DIGEST}" >> $GITHUB_OUTPUT
- name: Verify ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }} cosign
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
if: ${{ env.AUTO_PUSH_IMAGES == 'true' && matrix.os != 'rhel' }}
env:
BASE_IMAGE: ${{ steps.base_build.outputs.base_build_image }}
OIDC_ISSUER: ${{ env.OIDC_ISSUER }}
@ -621,14 +535,14 @@ jobs:
echo 'EOF' >> "$GITHUB_OUTPUT"
- name: Login to DockerHub
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
if: ${{ env.AUTO_PUSH_IMAGES == 'true' && matrix.os != 'rhel' }}
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Login to ${{ env.DOCKER_REGISTRY_TEST }}
if: ${{ env.AUTO_PUSH_IMAGES != 'true' }}
if: ${{ env.AUTO_PUSH_IMAGES != 'true' || matrix.os == 'rhel' }}
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
registry: ${{ env.DOCKER_REGISTRY_TEST }}
@ -643,8 +557,8 @@ jobs:
file: ${{ format('{0}/{1}/{2}/Dockerfile', env.DOCKERFILES_DIRECTORY, matrix.build, matrix.os) }}
platforms: ${{ steps.platform.outputs.list }}
push: true
provenance: mode=max
sbom: true
provenance: ${{ env.AUTO_PUSH_IMAGES == 'true' && 'mode=max' || '' }}
sbom: ${{ env.AUTO_PUSH_IMAGES == 'true' && matrix.os != 'rhel' }}
tags: ${{ steps.meta.outputs.tags }}
build-args: BUILD_BASE_IMAGE=${{ steps.base_build.outputs.base_build_image }}
labels: |
@ -652,7 +566,7 @@ jobs:
org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
- name: Sign the images with GitHub OIDC Token
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
if: ${{ env.AUTO_PUSH_IMAGES == 'true' && matrix.os != 'rhel' }}
env:
DIGEST: ${{ steps.docker_build.outputs.digest }}
TAGS: ${{ steps.meta.outputs.tags }}
@ -698,7 +612,7 @@ jobs:
strategy:
fail-fast: false
matrix:
build: ["agent"]
build: ${{ fromJson(needs.init_build.outputs.components) }}
os: ${{ fromJson(needs.init_build.outputs.os) }}
runs-on: [self-hosted, linux, ubuntu]
@ -707,126 +621,6 @@ jobs:
id-token: write
packages: write
steps:
- name: Block egress traffic
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
disable-sudo: true
egress-policy: audit
allowed-endpoints: >
api.github.com:443
auth.docker.io:443
dl-cdn.alpinelinux.org:443
github.com:443
index.docker.io:443
production.cloudflare.docker.com:443
registry-1.docker.io:443
fulcio.sigstore.dev:443
objects.githubusercontent.com:443
tuf-repo-cdn.sigstore.dev:443
rekor.sigstore.dev:443
api.github.com:443
atl.mirrors.knownhost.com:443
atl.mirrors.knownhost.com:80
auth.docker.io:443
cdn03.quay.io:443
centos-stream-distro.1gservers.com:443
centos-stream-distro.1gservers.com:80
d2lzkl7pfhq30w.cloudfront.net:443
epel.mirror.constant.com:80
forksystems.mm.fcix.net:80
ftp-nyc.osuosl.org:443
ftp-nyc.osuosl.org:80
ftp-osl.osuosl.org:443
ftp-osl.osuosl.org:80
ftp.plusline.net:80
ftpmirror.your.org:80
github.com:443
iad.mirror.rackspace.com:443
index.docker.io:443
ix-denver.mm.fcix.net:443
mirror-mci.yuki.net.uk:443
mirror.23m.com:80
mirror.arizona.edu:80
mirror.dal.nexril.net:80
mirror.de.leaseweb.net:80
mirror.dogado.de:80
mirror.facebook.net:80
mirror.hoobly.com:80
mirror.math.princeton.edu:80
mirror.netcologne.de:443
mirror.netzwerge.de:443
mirror.pilotfiber.com:443
mirror.pilotfiber.com:80
mirror.rackspace.com:443
mirror.rackspace.com:80
mirror.scaleuptech.com:443
mirror.servaxnet.com:443
mirror.servaxnet.com:80
mirror.sfo12.us.leaseweb.net:80
mirror.siena.edu:80
mirror.steadfastnet.com:80
mirror.team-cymru.com:443
mirror.team-cymru.com:80
mirror.umd.edu:443
mirror1.hs-esslingen.de:443
mirrors.centos.org:443
mirrors.fedoraproject.org:443
mirrors.iu13.net:443
mirrors.iu13.net:80
mirrors.ocf.berkeley.edu:443
mirrors.sonic.net:80
mirrors.syringanetworks.net:80
mirrors.vcea.wsu.edu:80
mirrors.wcupa.edu:80
mirrors.xtom.de:80
na.edge.kernel.org:443
nnenix.mm.fcix.net:80
ohioix.mm.fcix.net:80
production.cloudflare.docker.com:443
pubmirror1.math.uh.edu:443
pubmirror3.math.uh.edu:80
quay.io:443
ghcr.io:443
registry-1.docker.io:443
repo.ialab.dsu.edu:80
repos.eggycrew.com:80
uvermont.mm.fcix.net:80
ziply.mm.fcix.net:443
fulcio.sigstore.dev:443
objects.githubusercontent.com:443
tuf-repo-cdn.sigstore.dev:443
rekor.sigstore.dev:443
oauth2.sigstore.dev:443
api.github.com:443
auth.docker.io:443
github.com:443
index.docker.io:443
production.cloudflare.docker.com:443
registry-1.docker.io:443
yum.oracle.com:443
fulcio.sigstore.dev:443
objects.githubusercontent.com:443
tuf-repo-cdn.sigstore.dev:443
rekor.sigstore.dev:443
api.github.com:443
archive.ubuntu.com:80
auth.docker.io:443
deb.debian.org:80
github.com:443
index.docker.io:443
keyserver.ubuntu.com:11371
nginx.org:443
nginx.org:80
ports.ubuntu.com:80
production.cloudflare.docker.com:443
registry-1.docker.io:443
security.ubuntu.com:80
fulcio.sigstore.dev:443
objects.githubusercontent.com:443
tuf-repo-cdn.sigstore.dev:443
rekor.sigstore.dev:443
pkg-containers.githubusercontent.com:443
- name: Checkout repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
@ -834,13 +628,13 @@ jobs:
fetch-depth: 1
- name: Install cosign
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
if: ${{ env.AUTO_PUSH_IMAGES == 'true' && matrix.os != 'rhel' }}
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
with:
cosign-release: 'v2.2.3'
- name: Check cosign version
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
if: ${{ env.AUTO_PUSH_IMAGES == 'true' && matrix.os != 'rhel' }}
run: cosign version
- name: Set up QEMU
@ -857,6 +651,7 @@ jobs:
- name: Variables formating
id: var_format
if: ${{ matrix.os == 'rhel' }}
env:
MATRIX_BUILD: ${{ matrix.build }}
run: |
@ -920,9 +715,9 @@ jobs:
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
with:
images: |
${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }}
${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }}
${{ env.REGISTRY }}/${{ env.REGISTRY_NAMESPACE }}/${{ secrets[format('{0}_{1}_PROJECT', needs.init_build.outputs.secret_prefix, steps.var_format.outputs.matrix_build)] || matrix.build }}
${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' && matrix.os != 'rhel' }}
${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' && matrix.os != 'rhel' }}
${{ env.REGISTRY }}/${{ env.REGISTRY_NAMESPACE }}/${{ secrets[format('{0}_{1}_PROJECT', needs.init_build.outputs.secret_prefix, steps.var_format.outputs.matrix_build)] || matrix.build }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' && matrix.os == 'rhel' }}
context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }}
tags: |
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}-
@ -933,7 +728,7 @@ jobs:
type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.os }}-
type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' || contains(fromJSON('["workflow_dispatch"]'), github.event_name) }},event=branch,suffix=-${{ matrix.os }}
flavor: |
latest=${{ (matrix.os == 'alpine') && (!contains(fromJSON('["workflow_dispatch"]'), github.event_name)) && ( needs.init_build.outputs.is_default_branch == 'true' ) }}
latest=${{ ((matrix.os == 'alpine' && needs.init_build.outputs.is_default_branch == 'true') || matrix.os == 'rhel') && (!contains(fromJSON('["workflow_dispatch"]'), github.event_name)) }}
- name: Download metadata of ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.os }}
uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0
@ -958,7 +753,7 @@ jobs:
echo "base_build_image=${IMAGE_NAME}@${IMAGE_DIGEST}" >> $GITHUB_OUTPUT
- name: Verify ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.os }} cosign
if: ${{ matrix.build != 'snmptraps' && env.AUTO_PUSH_IMAGES == 'true' }}
if: ${{ matrix.build != 'snmptraps' && env.AUTO_PUSH_IMAGES == 'true' && matrix.os != 'rhel' }}
env:
BASE_IMAGE: ${{ steps.base_build.outputs.base_build_image }}
OIDC_ISSUER: ${{ env.OIDC_ISSUER }}
@ -1013,14 +808,14 @@ jobs:
sed -i '/smartmontools/d' "$DOCKERFILES_DIRECTORY/agent2/rhel/Dockerfile"
- name: Login to DockerHub
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
if: ${{ env.AUTO_PUSH_IMAGES == 'true' && matrix.os != 'rhel' }}
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Login to ${{ env.DOCKER_REGISTRY_TEST }}
if: ${{ env.AUTO_PUSH_IMAGES != 'true' }}
if: ${{ env.AUTO_PUSH_IMAGES != 'true' || matrix.os == 'rhel' }}
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
registry: ${{ env.DOCKER_REGISTRY_TEST }}
@ -1029,7 +824,7 @@ jobs:
- name: Log in to ${{ env.REGISTRY }}
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
if: ${{ env.AUTO_PUSH_IMAGES != 'true' }}
if: ${{ env.AUTO_PUSH_IMAGES == 'true' && matrix.os == 'rhel' }}
with:
username: ${{ format('redhat-isv-containers+{0}-robot', secrets[format('{0}_{1}_PROJECT', needs.init_build.outputs.secret_prefix, steps.var_format.outputs.matrix_build)]) }}
password: ${{ secrets[format('{0}_{1}_SECRET', needs.init_build.outputs.secret_prefix, steps.var_format.outputs.matrix_build)] }}
@ -1042,8 +837,9 @@ jobs:
context: ${{ format('{0}/{1}/{2}', env.DOCKERFILES_DIRECTORY, matrix.build, matrix.os) }}
file: ${{ format('{0}/{1}/{2}/Dockerfile', env.DOCKERFILES_DIRECTORY, matrix.build, matrix.os) }}
platforms: ${{ steps.platform.outputs.list }}
push: ${{ env.AUTO_PUSH_IMAGES != 'true' }}
sbom: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
provenance: ${{ env.AUTO_PUSH_IMAGES == 'true' && 'mode=max' || '' }}
push: ${{ env.AUTO_PUSH_IMAGES != 'true' || matrix.os == 'rhel' }}
sbom: ${{ env.AUTO_PUSH_IMAGES == 'true' && matrix.os != 'rhel' }}
tags: ${{ steps.meta.outputs.tags }}
build-args: BUILD_BASE_IMAGE=${{ steps.base_build.outputs.base_build_image }}
labels: |
@ -1051,6 +847,7 @@ jobs:
org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
- name: Preflight certification
if: ${{ matrix.os == 'rhel' }}
env:
PFLT_CERTIFICATION_PROJECT_ID: ${{ secrets[format('{0}_{1}_PROJECT', needs.init_build.outputs.secret_prefix, steps.var_format.outputs.matrix_build)] }}
PFLT_PYXIS_API_TOKEN: ${{ secrets.REDHAT_API_TOKEN }}
@ -1062,16 +859,13 @@ jobs:
SUBMIT_IMAGE: ${{ env.AUTO_PUSH_IMAGES != 'true' && '--submit' || '' }}
run: |
mkdir -p $PFLT_ARTIFACTS
echo "::group::Pull preflight \"$PREFLIGHT_IMAGE\" image"
echo "::endgroup::"
echo "::group::Perform certification tests"
echo "::group::Perform certification tests (${SUBMIT_IMAGE})"
export PFLT_DOCKERCONFIG="$HOME/.docker/config.json"
preflight check container $IMAGE_TAG --submit
preflight check container "${IMAGE_TAG}" ${SUBMIT_IMAGE}
echo "::endgroup::"
- name: Sign the images with GitHub OIDC Token
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
if: ${{ env.AUTO_PUSH_IMAGES == 'true' && matrix.os != 'rhel' }}
env:
DIGEST: ${{ steps.docker_build.outputs.digest }}
TAGS: ${{ steps.meta.outputs.tags }}