This commit is contained in:
Alexey Pustovalov 2024-03-04 11:24:33 +09:00
parent f5dc322eef
commit 54d7550917

View File

@ -10,9 +10,9 @@ on:
- 'trunk'
- 'trunk_rhel'
paths:
- 'Dockerfiles/*/rhel/*'
- 'build.json'
- '!**/README.md'
- 'Dockerfiles/*/rhel/*'
- '.github/workflows/images_build_test.yml'
schedule:
- cron: '50 02 * * *'
@ -48,6 +48,12 @@ env:
DOCKER_REGISTRY_TEST: "ghcr.io"
DOCKER_REPOSITORY_TEST: "zabbix"
REGISTRY: "quay.io"
REGISTRY_NAMESPACE: "redhat-isv-containers"
PREFLIGHT_IMAGE: "quay.io/opdev/preflight:stable"
PFLT_LOGLEVEL: "warn"
PFLT_ARTIFACTS: "/tmp/artifacts"
jobs:
init_build:
name: Initialize build
@ -61,6 +67,7 @@ jobs:
is_default_branch: ${{ steps.branch_info.outputs.is_default_branch }}
current_branch: ${{ steps.branch_info.outputs.current_branch }}
sha_short: ${{ steps.branch_info.outputs.sha_short }}
secret_prefix: ${{ steps.branch_info.outputs.secret_prefix }}
steps:
- name: Block egress traffic
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
@ -155,6 +162,7 @@ jobs:
echo "is_default_branch=$result" >> $GITHUB_OUTPUT
echo "current_branch=$github_ref" >> $GITHUB_OUTPUT
echo "secret_prefix=RHEL_64" >> $GITHUB_OUTPUT
echo "sha_short=$sha_short" >> $GITHUB_OUTPUT
build_base:
@ -847,6 +855,19 @@ jobs:
with:
driver-opts: image=moby/buildkit:master
- name: Variables formating
id: var_format
env:
MATRIX_BUILD: ${{ matrix.build }}
run: |
MATRIX_BUILD=${MATRIX_BUILD^^}
MATRIX_BUILD=${MATRIX_BUILD//-/_}
echo "::group::Result"
echo "matrix_build=${MATRIX_BUILD}"
echo "::endgroup::"
echo "matrix_build=${MATRIX_BUILD}" >> $GITHUB_OUTPUT
- name: Prepare Platform list
id: platform
env:
@ -899,8 +920,9 @@ jobs:
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
with:
images: |
${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }}
${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }}
${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }}
${{ env.REGISTRY }}/${{ env.REGISTRY_NAMESPACE }}/${{ secrets[format('{0}_{1}_PROJECT', needs.init_build.outputs.secret_prefix, steps.var_format.outputs.matrix_build)] || matrix.build }}
context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }}
tags: |
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}-
@ -982,7 +1004,6 @@ jobs:
CONTEXT: ${{ format('{0}/{1}/{2}', env.DOCKERFILES_DIRECTORY, matrix.build, matrix.os) }}
run: |
cp -R "/tmp/secrets/" "$CONTEXT/"
ls -lah "$CONTEXT/"
- name: Remove smartmontools
if: ${{ matrix.build == 'agent2' && matrix.os == 'rhel' }}
@ -999,13 +1020,21 @@ jobs:
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Login to ${{ env.DOCKER_REGISTRY_TEST }}
if: ${{ env.AUTO_PUSH_IMAGES != 'true' }}
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
registry: ${{ env.DOCKER_REGISTRY_TEST }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Log in to ${{ env.REGISTRY }}
uses: redhat-actions/podman-login@9184318aae1ee5034fbfbacc0388acf12669171f # v1.6
if: ${{ env.AUTO_PUSH_IMAGES != 'true' }}
with:
username: ${{ format('redhat-isv-containers+{0}-robot', secrets[format('{0}_{1}_PROJECT', needs.init_build.outputs.secret_prefix, steps.var_format.outputs.matrix_build)]) }}
password: ${{ secrets[format('{0}_{1}_SECRET', needs.init_build.outputs.secret_prefix, steps.var_format.outputs.matrix_build)] }}
registry: ${{ env.REGISTRY }}
- name: Build and push image
id: docker_build
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
@ -1022,6 +1051,38 @@ jobs:
org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
- name: Preflight certification
if: ${{ env.AUTO_PUSH_IMAGES != 'true' }}
env:
PFLT_CERTIFICATION_PROJECT_ID: ${{ secrets[format('{0}_{1}_PROJECT', needs.init_build.outputs.secret_prefix, steps.var_format.outputs.matrix_build)] }}
PFLT_PYXIS_API_TOKEN: ${{ secrets.REDHAT_API_TOKEN }}
PFLT_ARTIFACTS: ${{ env.PFLT_ARTIFACTS }}
PFLT_LOGLEVEL: ${{ env.PFLT_LOGLEVEL }}
IMAGE_TAG: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
PREFLIGHT_IMAGE: ${{ env.PREFLIGHT_IMAGE }}
run: |
mkdir -p $PFLT_ARTIFACTS
echo "::group::Pull preflight \"$PREFLIGHT_IMAGE\" image"
docker pull "$PREFLIGHT_IMAGE"
echo "::endgroup::"
echo "::group::Perform certification tests"
docker run \
-it \
--rm \
--security-opt=label=disable \
--env PFLT_LOGLEVEL=$PFLT_LOGLEVEL \
--env PFLT_ARTIFACTS=/artifacts \
--env PFLT_LOGFILE=/artifacts/preflight.log \
--env PFLT_CERTIFICATION_PROJECT_ID=$PFLT_CERTIFICATION_PROJECT_ID \
--env PFLT_PYXIS_API_TOKEN=$PFLT_PYXIS_API_TOKEN \
--env PFLT_DOCKERCONFIG=/temp-authfile.json \
-v $PFLT_ARTIFACTS:/artifacts \
-v $HOME/.docker/config.json:/temp-authfile.json:ro \
"$PREFLIGHT_IMAGE" check container $IMAGE_TAG --submit
docker rmi -i -f "$PREFLIGHT_IMAGE"
echo "::endgroup::"
- name: Sign the images with GitHub OIDC Token
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
env: