From 54d75509179b6421d51317bfe65e1537056c3cf7 Mon Sep 17 00:00:00 2001
From: Alexey Pustovalov
Date: Mon, 4 Mar 2024 11:24:33 +0900
Subject: [PATCH] Updated

---
 .github/workflows/images_build_test.yml | 69 +++++++++++++++++++++++--
 1 file changed, 65 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/images_build_test.yml b/.github/workflows/images_build_test.yml
index 0462dfdab..6144daac6 100644
--- a/.github/workflows/images_build_test.yml
+++ b/.github/workflows/images_build_test.yml
@@ -10,9 +10,9 @@ on:
 - 'trunk'
 - 'trunk_rhel'
 paths:
+ - 'Dockerfiles/*/rhel/*'
 - 'build.json'
 - '!**/README.md'
- - 'Dockerfiles/*/rhel/*'
 - '.github/workflows/images_build_test.yml'
 schedule:
 - cron: '50 02 * * *'
@@ -48,6 +48,12 @@ env:
 DOCKER_REGISTRY_TEST: "ghcr.io"
 DOCKER_REPOSITORY_TEST: "zabbix"
 
+ REGISTRY: "quay.io"
+ REGISTRY_NAMESPACE: "redhat-isv-containers"
+ PREFLIGHT_IMAGE: "quay.io/opdev/preflight:stable"
+ PFLT_LOGLEVEL: "warn"
+ PFLT_ARTIFACTS: "/tmp/artifacts"
+
 jobs:
 init_build:
 name: Initialize build
@@ -61,6 +67,7 @@ jobs:
 is_default_branch: ${{ steps.branch_info.outputs.is_default_branch }}
 current_branch: ${{ steps.branch_info.outputs.current_branch }}
 sha_short: ${{ steps.branch_info.outputs.sha_short }}
+ secret_prefix: ${{ steps.branch_info.outputs.secret_prefix }}
 steps:
 - name: Block egress traffic
 uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
@@ -155,6 +162,7 @@ jobs:
 echo "is_default_branch=$result" >> $GITHUB_OUTPUT
 echo "current_branch=$github_ref" >> $GITHUB_OUTPUT
 
+ echo "secret_prefix=RHEL_64" >> $GITHUB_OUTPUT
 echo "sha_short=$sha_short" >> $GITHUB_OUTPUT
 
 build_base:
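Review bot: `secret_prefix` is emitted as the fixed string `RHEL_64` from the branch_info step, whose other outputs are derived from the ref, so routing a constant through a step output hides the value that later drives every secret lookup (`secrets[format('{0}_{1}_PROJECT', needs.init_build.outputs.secret_prefix, ...)]`) in the hunks at @@ -899, @@ -999 and @@ -1022. If it is meant to vary by branch or architecture, derive it here next to `current_branch`; if it is a constant, a top-level `env:` entry beside `REGISTRY` would make it visible at a glance. The branch_info `run` block starts outside the hunk.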
@@ -847,6 +855,19 @@ jobs:
 with:
 driver-opts: image=moby/buildkit:master
 
+ - name: Variables formating
+ id: var_format
+ env:
+ MATRIX_BUILD: ${{ matrix.build }}
+ run: |
+ MATRIX_BUILD=${MATRIX_BUILD^^}
+ MATRIX_BUILD=${MATRIX_BUILD//-/_}
+
+ echo "::group::Result"
+ echo "matrix_build=${MATRIX_BUILD}"
+ echo "::endgroup::"
+ echo "matrix_build=${MATRIX_BUILD}" >> $GITHUB_OUTPUT
+
 - name: Prepare Platform list
 id: platform
 env:
@@ -899,8 +920,9 @@ jobs:
 uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
 with:
 images: |
- ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }}
+ ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }}
 ${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }}
+ ${{ env.REGISTRY }}/${{ env.REGISTRY_NAMESPACE }}/${{ secrets[format('{0}_{1}_PROJECT', needs.init_build.outputs.secret_prefix, steps.var_format.outputs.matrix_build)] || matrix.build }}
 context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }}
 tags: |
 type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}-
@@ -982,7 +1004,6 @@ jobs:
 CONTEXT: ${{ format('{0}/{1}/{2}', env.DOCKERFILES_DIRECTORY, matrix.build, matrix.os) }}
 run: |
 cp -R "/tmp/secrets/" "$CONTEXT/"
- ls -lah "$CONTEXT/"
 
 - name: Remove smartmontools
 if: ${{ matrix.build == 'agent2' && matrix.os == 'rhel' }}
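Review bot: The new step's name `Variables formating` is misspelled (`Variables formatting`), and the step is undocumented although its output is the key for every later secret lookup; a comment above it such as `# matrix_build = matrix.build upper-cased with '-' -> '_', used as the <secret_prefix>_<matrix_build>_PROJECT/_SECRET name suffix` would tell a maintainer why the uppercasing matters. `${MATRIX_BUILD^^}` and `${MATRIX_BUILD//-/_}` are bash-only expansions, which is fine under the runner's default bash shell but will break silently if a different `shell:` is ever set on this job.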
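Review bot: The new quay.io image line has no `enable=` guard, so the reference is generated on every run, including when `AUTO_PUSH_IMAGES == 'true'`, where the only quay.io login in this change (podman-login in the hunk at @@ -999) is skipped; unless the push is gated elsewhere, buildx will try to push that tag without credentials. Guard it like its siblings by appending `,enable=${{ env.AUTO_PUSH_IMAGES != 'true' }}`. Separately, the `|| matrix.build` fallback means a missing `<PREFIX>_<BUILD>_PROJECT` secret silently yields `quay.io/redhat-isv-containers/<build>` instead of failing, so a misnamed secret targets the wrong repository rather than stopping the job; dropping the fallback, or asserting the secret is non-empty in the var_format step, makes that misconfiguration loud.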
@@ -999,13 +1020,21 @@ jobs:
 password: ${{ secrets.DOCKER_PASSWORD }}
 
 - name: Login to ${{ env.DOCKER_REGISTRY_TEST }}
- if: ${{ env.AUTO_PUSH_IMAGES != 'true' }}
+ if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
 uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
 with:
 registry: ${{ env.DOCKER_REGISTRY_TEST }}
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
 
+ - name: Log in to ${{ env.REGISTRY }}
+ uses: redhat-actions/podman-login@9184318aae1ee5034fbfbacc0388acf12669171f # v1.6
+ if: ${{ env.AUTO_PUSH_IMAGES != 'true' }}
+ with:
+ username: ${{ format('redhat-isv-containers+{0}-robot', secrets[format('{0}_{1}_PROJECT', needs.init_build.outputs.secret_prefix, steps.var_format.outputs.matrix_build)]) }}
+ password: ${{ secrets[format('{0}_{1}_SECRET', needs.init_build.outputs.secret_prefix, steps.var_format.outputs.matrix_build)] }}
+ registry: ${{ env.REGISTRY }}
+
 - name: Build and push image
 id: docker_build
 uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
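Review bot: The quay.io login uses `redhat-actions/podman-login` while the two logins above it use `docker/login-action`; as far as I can tell podman-login writes podman's `containers/auth.json`, not `$HOME/.docker/config.json`, which is what the `docker/build-push-action` push that follows and the `-v $HOME/.docker/config.json:/temp-authfile.json:ro` mount in the preflight hunk at @@ -1022 read. Unless a separate docker login to quay.io happens outside these hunks, the push and the preflight check would run without the robot credentials; using the same action as the siblings, `uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0`, with the same `registry`/`username`/`password` inputs keeps one credential store for the whole job. Placing `if:` before `uses:` as the adjacent step does would also keep the step layout consistent.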
@@ -1022,6 +1051,38 @@ jobs:
 org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
 org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
 
+ - name: Preflight certification
+ if: ${{ env.AUTO_PUSH_IMAGES != 'true' }}
+ env:
+ PFLT_CERTIFICATION_PROJECT_ID: ${{ secrets[format('{0}_{1}_PROJECT', needs.init_build.outputs.secret_prefix, steps.var_format.outputs.matrix_build)] }}
+ PFLT_PYXIS_API_TOKEN: ${{ secrets.REDHAT_API_TOKEN }}
+ PFLT_ARTIFACTS: ${{ env.PFLT_ARTIFACTS }}
+ PFLT_LOGLEVEL: ${{ env.PFLT_LOGLEVEL }}
+ IMAGE_TAG: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
+ PREFLIGHT_IMAGE: ${{ env.PREFLIGHT_IMAGE }}
+ run: |
+ mkdir -p $PFLT_ARTIFACTS
+ echo "::group::Pull preflight \"$PREFLIGHT_IMAGE\" image"
+ docker pull "$PREFLIGHT_IMAGE"
+ echo "::endgroup::"
+
+ echo "::group::Perform certification tests"
+ docker run \
+ -it \
+ --rm \
+ --security-opt=label=disable \
+ --env PFLT_LOGLEVEL=$PFLT_LOGLEVEL \
+ --env PFLT_ARTIFACTS=/artifacts \
+ --env PFLT_LOGFILE=/artifacts/preflight.log \
+ --env PFLT_CERTIFICATION_PROJECT_ID=$PFLT_CERTIFICATION_PROJECT_ID \
+ --env PFLT_PYXIS_API_TOKEN=$PFLT_PYXIS_API_TOKEN \
+ --env PFLT_DOCKERCONFIG=/temp-authfile.json \
+ -v $PFLT_ARTIFACTS:/artifacts \
+ -v $HOME/.docker/config.json:/temp-authfile.json:ro \
+ "$PREFLIGHT_IMAGE" check container $IMAGE_TAG --submit
+ docker rmi -i -f "$PREFLIGHT_IMAGE"
+ echo "::endgroup::"
+
 - name: Sign the images with GitHub OIDC Token
 if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
 env:
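Review bot: `docker rmi -i -f "$PREFLIGHT_IMAGE"` passes a flag `docker rmi` does not have (`-i`), so under the step's default `bash -e` the step fails after the check has already run and submitted; it should read `docker rmi -f "$PREFLIGHT_IMAGE"`. `docker run -it` on a runner whose stdin is not a terminal is rejected by the docker CLI ("the input device is not a TTY"), so `-it \` should become `-i \` or be dropped. The Pyxis token is expanded on the command line via `--env PFLT_PYXIS_API_TOKEN=$PFLT_PYXIS_API_TOKEN`, which places the secret in the `docker run` argument list readable by any process on the runner; the value-less form `--env PFLT_PYXIS_API_TOKEN \` forwards it from the step environment without that exposure, and the same applies to `PFLT_CERTIFICATION_PROJECT_ID`. `$IMAGE_TAG`, `$PFLT_ARTIFACTS` and `$HOME` are unquoted, and nothing in the hunk uploads `$PFLT_ARTIFACTS/preflight.log`, so on a failed check the log is lost unless an artifact upload exists outside the hunk.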