extern/zabbix-docker
1
0
Fork 0
mirror of https://github.com/zabbix/zabbix-docker.git synced 2025-05-31 15:16:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

Prepare universal workflow

Browse Source
This commit is contained in:
Alexey Pustovalov 2024-02-10 01:18:00 +09:00
parent ffcff7fe6b
commit 5ced8d392c
1 changed files with 314 additions and 103 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

417
.github/workflows/images_build_windows.yml vendored
View File

@ -137,8 +137,6 @@ jobs:
permissions: permissions:
contents: read contents: read
id-token: write id-token: write
env:
BASE_BUILD_ARTIFACT_FILE_SUFFIX: "_${{ matrix.os }}_${{ matrix.component }}"
strategy: strategy:
fail-fast: false fail-fast: false
matrix: matrix:
@ -281,30 +279,43 @@ jobs:
DIGEST: ${{ steps.docker_build.outputs.digest }} DIGEST: ${{ steps.docker_build.outputs.digest }}
TAGS: ${{ steps.meta.outputs.tags }} TAGS: ${{ steps.meta.outputs.tags }}
run: | run: |
$images="" $tags_array=$( "$Env:TAGS".Split("`n") )
$tags_array=$( "$Env:TAGS".Split("`n") ) $tag_list=@()
$tags_final=@()
foreach ($tag in $tags_array) {
$tag_name=$tag.Split(":")[0] foreach ($tag in $tags_array) {
$images=$images + "$tag_name@$Env:DIGEST " $tag_name=$tag.Split(":")[0]
$tags_final+="$tag_name@$Env:DIGEST" $tag_list+="$tag_name@$Env:DIGEST"
} }
echo "$tags_final" echo "::group::Images to sign"
cosign sign --yes $tags_final echo "$tag_list"
echo "::endgroup::"
echo "::group::Signing"
echo "cosign sign --yes $tag_list"
cosign sign --yes $tag_list
echo "::endgroup::"
- name: Image digest - name: Image digest
if: ${{ env.AUTO_PUSH_IMAGES }} if: ${{ env.AUTO_PUSH_IMAGES }}
env: env:
DIGEST: ${{ steps.docker_build.outputs.digest }} DIGEST: ${{ steps.docker_build.outputs.digest }}
CACHE_FILE_NAME: ${{ env.BASE_BUILD_NAME }}${{ env.BASE_BUILD_ARTIFACT_FILE_SUFFIX }} CACHE_FILE_NAME: ${{ env.BASE_BUILD_NAME }}_${{ matrix.os }}_${{ matrix.component }}
run: | run: |
echo "::group::Image digest"
echo "$Env:DIGEST" echo "$Env:DIGEST"
echo "::endgroup::"
echo "::group::Cache file name"
echo "$Env:CACHE_FILE_NAME"
echo "::endgroup::"
$Env:DIGEST | Set-Content -Path $Env:CACHE_FILE_NAME $Env:DIGEST | Set-Content -Path $Env:CACHE_FILE_NAME
- name: Cache image digest - name: Cache image digest
uses: actions/cache@v4 uses: actions/cache@v4
with: with:
path: ${{ env.BASE_BUILD_NAME }}${{ env.BASE_BUILD_ARTIFACT_FILE_SUFFIX }} path: ${{ env.BASE_BUILD_NAME }}_${{ matrix.os }}_${{ matrix.component }}
key: ${{ env.BASE_BUILD_NAME }}-${{ matrix.os }}-${{ github.run_id }} key: ${{ env.BASE_BUILD_NAME }}-${{ matrix.os }}-${{ github.run_id }}
build_components: build_components:
@ -314,9 +325,6 @@ jobs:
permissions: permissions:
contents: read contents: read
id-token: write id-token: write
env:
BASE_BUILD_ARTIFACT_FILE_SUFFIX: "_${{ matrix.os }}_${{ matrix.component }}"
COMPONENT_BASE_BUILD_ARTIFACT_FILE_SUFFIX: "_${{ matrix.os }}_${{ matrix.component }}"
strategy: strategy:
fail-fast: false fail-fast: false
matrix: matrix:
@ -339,14 +347,23 @@ jobs:
run: cosign version run: cosign version
- name: Login to DockerHub - name: Login to DockerHub
run: | uses: docker/login-action@v3
docker login -u ${{ secrets.DOCKER_USERNAME }} -p ${{ secrets.DOCKER_PASSWORD }} with:
if (-not $?) {throw "Failed"} username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Base OS tag - name: Base OS tag
id: base_os_tag id: base_os_tag
env:
MATRIX_OS: ${{ matrix.os }}
MATRIX_FILE: ${{ env.MATRIX_FILE }}
run: | run: |
$os_tag=$(Get-Content -Path .\build.json | ConvertFrom-Json).'os-windows'.'${{ matrix.os }}' $os_tag=$(Get-Content -Path $Env:MATRIX_FILE | ConvertFrom-Json).'os-windows'."$Env:MATRIX_OS"
echo "::group::Base Windows OS tag"
echo "$os_tag"
echo "::endgroup::"
echo "os_tag=$os_tag" >> $Env:GITHUB_OUTPUT echo "os_tag=$os_tag" >> $Env:GITHUB_OUTPUT
- name: Generate tags - name: Generate tags
@ -365,74 +382,167 @@ jobs:
flavor: | flavor: |
latest=false latest=false
- name: Download SHA256 tag build-base:${{ matrix.os }} - name: Download SHA256 tag of build-base:${{ matrix.os }}
uses: actions/download-artifact@v4 uses: actions/cache@v4
with: with:
name: ${{ env.BASE_BUILD_NAME }}${{ env.BASE_BUILD_ARTIFACT_FILE_SUFFIX }} path: ${{ env.BASE_BUILD_NAME }}_${{ matrix.os }}_${{ matrix.component }}
key: ${{ env.BASE_BUILD_NAME }}-${{ matrix.os }}-${{ github.run_id }}
- name: Retrieve ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }} SHA256 tag - name: Retrieve ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }} SHA256 tag
id: base_build id: base_build
env:
BASE_BUILD_NAME: ${{ env.BASE_BUILD_NAME }}
MATRIX_OS: ${{ matrix.os }}
MATRIX_COMPONENT: ${{ matrix.component }}
DOCKER_REPOSITORY: ${{ env.DOCKER_REPOSITORY }}
IMAGE_PREFIX: ${{ env.IMAGE_PREFIX }}
run: | run: |
$base_tag = Get-Content ${{ env.BASE_BUILD_NAME }}${{ env.BASE_BUILD_ARTIFACT_FILE_SUFFIX }} -Raw $base_image_file=$Env:BASE_BUILD_NAME + '_' + $Env:MATRIX_OS + '_' + $Env:MATRIX_COMPONENT
$build_base_image="${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGE_PREFIX }}${{ env.BASE_BUILD_NAME }}@" + $base_tag $base_tag = Get-Content $base_image_file -Raw
$build_base_image="$Env:MATRIX_COMPONENT/$Env:IMAGE_PREFIX$Env:BASE_BUILD_NAME@" + $base_tag
echo "base_tag=$base_tag" >> $Env:GITHUB_OUTPUT echo "::group::Base image Info"
echo "base_build_image=$build_base_image" >> $Env:GITHUB_OUTPUT echo "base_tag=$base_tag"
echo "base_build_image=$build_base_image"
echo "::endgroup::"
- name: Build image echo "base_tag=$base_tag" >> $Env:GITHUB_OUTPUT
echo "base_build_image=$build_base_image" >> $Env:GITHUB_OUTPUT
- name: Verify build-base:${{ matrix.os }} cosign
env:
BASE_IMAGE: ${{ steps.base_build.outputs.base_build_image }}
OIDC_ISSUER: ${{ env.OIDC_ISSUER }}
IDENITY_REGEX: ${{ env.IDENITY_REGEX }}
run: |
cosign verify \
--certificate-oidc-issuer-regexp "$Env:OIDC_ISSUER" \
--certificate-identity-regexp "$Env:IDENITY_REGEX" \
"$Env:BASE_IMAGE"
- name: Build and push image
id: docker_build id: docker_build
env:
DOCKERFILES_DIRECTORY: ${{ env.DOCKERFILES_DIRECTORY }}
COMPONENT_BASE_BUILD_IMAGE: ${{ steps.base_build.outputs.base_build_image }}
COMPONENT_BASE_BUILD_NAME: ${{ env.COMPONENT_BASE_BUILD_NAME }}
MATRIX_COMPONENT: ${{ matrix.component }}
TAGS: ${{ steps.meta.outputs.tags }}
COMPONENT_BASE_OS_TAG: ${{ steps.base_os_tag.outputs.os_tag }}
LABEL_REVISION: ${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
LABEL_CREATED: ${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
AUTO_PUSH_IMAGES: ${{ env.AUTO_PUSH_IMAGES }}
SHA_SHORT: ${{ needs.init_build.outputs.sha_short }}
run: | run: |
$context='.\Dockerfiles\${{ env.COMPONENT_BASE_BUILD_NAME }}\windows\' echo "::group::Docker version"
$dockerfile= $context + 'Dockerfile.${{ matrix.component }}' docker version
echo "::endgroup::"
echo "::group::Docker info"
docker info
echo "::endgroup::"
$context="$Env:DOCKERFILES_DIRECTORY\$Env:COMPONENT_BASE_BUILD_NAME\windows\"
$dockerfile= $context + 'Dockerfile.' + $Env:MATRIX_COMPONENT
$base_build_image= $Env:COMPONENT_BASE_BUILD_IMAGE + ':' + $Env:COMPONENT_BASE_OS_TAG
# Can not build on GitHub due existing symlink. Must be removed before build process # Can not build on GitHub due existing symlink. Must be removed before build process
Remove-Item -ErrorAction Ignore -Force -Path $context\README.md Remove-Item -ErrorAction Ignore -Force -Path $context\README.md
$tags_array=$( "${{ steps.meta.outputs.tags }}".Split("`r`n") ) $tags_array=$( "$Env:TAGS".Split("`n") )
$tags=$($tags_array | Foreach-Object { "--tag=$_" }) $tags=$( $tags_array | Foreach-Object { "--tag=$_" } )
echo "docker build --file=$dockerfile $tags $context" echo "::group::Image tags"
docker build --label org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} ` echo "$Env:TAGS"
--label org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} ` echo "::endgroup::"
echo "::group::Pull base image"
docker pull $base_os_image
echo "::endgroup::"
echo "::group::Build Image"
Write-Host @"
docker build --label org.opencontainers.image.revision=$Env:LABEL_REVISION
--label org.opencontainers.image.created=$Env:LABEL_CREATED
--build-arg=BUILD_BASE_IMAGE=$base_build_image
--file=$dockerfile
$tags
$context
"@
docker build --label org.opencontainers.image.revision=$Env:LABEL_REVISION `
--label org.opencontainers.image.created=$Env:LABEL_CREATED `
--build-arg=BUILD_BASE_IMAGE=$base_build_image `
--file=$dockerfile ` --file=$dockerfile `
--build-arg=BUILD_BASE_IMAGE=${{ steps.base_build.outputs.base_build_image }} `
$tags ` $tags `
$context $context
if (-not $?) {throw "Failed"} if (-not $?) {throw "Failed"}
echo "::endgroup::"
- name: Push image echo "::group::Publish Image"
if: ${{ env.AUTO_PUSH_IMAGES }} if ( $Env:AUTO_PUSH_IMAGES -eq 'true' ) {
run: | Foreach ($tag in $tags_array) {
$tags_array=$( "${{ steps.meta.outputs.tags }}".Split("`r`n") ) echo "docker image push $tag"
docker image push $tag
if (-not $?) {throw "Failed"}
}
Foreach ($tag in $tags_array) { $digest=$(docker inspect $tags_array[0] --format "{{ index .RepoDigests 0}}").Split('@')[-1]
echo "docker image push $tag"
docker image push $tag
if (-not $?) {throw "Failed"} if (-not $?) {throw "Failed"}
echo "Image digest got from RepoDigests"
} }
else {
$digest=$(docker inspect $tags_array[0] --format "{{ index .Id}}")
if (-not $?) {throw "Failed"}
echo "Image digest got from Id"
}
echo "::endgroup::"
echo "::group::Digest"
echo "$digest"
echo "::endgroup::"
echo "digest=$digest" >> $Env:GITHUB_OUTPUT
- name: Sign the images with GitHub OIDC Token
env:
DIGEST: ${{ steps.docker_build.outputs.digest }}
TAGS: ${{ steps.meta.outputs.tags }}
run: |
$tags_array=$( "$Env:TAGS".Split("`n") )
$tag_list=@()
foreach ($tag in $tags_array) {
$tag_name=$tag.Split(":")[0]
$tag_list+="$tag_name@$Env:DIGEST"
}
echo "::group::Images to sign"
echo "$tag_list"
echo "::endgroup::"
echo "::group::Signing"
echo "cosign sign --yes $tag_list"
cosign sign --yes $tag_list
echo "::endgroup::"
- name: Image digest - name: Image digest
if: ${{ env.AUTO_PUSH_IMAGES }} if: ${{ env.AUTO_PUSH_IMAGES }}
env:
DIGEST: ${{ steps.docker_build.outputs.digest }}
CACHE_FILE_NAME: ${{ env.COMPONENT_BASE_BUILD_NAME }}_${{ matrix.os }}_${{ matrix.component }}
run: | run: |
$tags_array=$( "${{ steps.meta.outputs.tags }}".Split("`r`n") ) echo "::group::Image digest"
echo "$Env:DIGEST"
echo "::endgroup::"
$digest=$(docker inspect $tags_array[0] --format "{{ index .RepoDigests 0}}").Split('@')[-1] echo "::group::Cache file name"
if (-not $?) {throw "Failed"} echo "$Env:CACHE_FILE_NAME"
echo "::endgroup::"
echo $digest $Env:DIGEST | Set-Content -Path $Env:CACHE_FILE_NAME
$digest | Set-Content -Path ${{ env.COMPONENT_BASE_BUILD_NAME }}${{ env.COMPONENT_BASE_BUILD_ARTIFACT_FILE_SUFFIX }}
- name: Upload SHA256 tag - name: Cache image digest
if: ${{ env.AUTO_PUSH_IMAGES }} uses: actions/cache@v4
uses: actions/upload-artifact@v4
with: with:
name: ${{ env.COMPONENT_BASE_BUILD_NAME }}${{ env.COMPONENT_BASE_BUILD_ARTIFACT_FILE_SUFFIX }} path: ${{ env.COMPONENT_BASE_BUILD_NAME }}_${{ matrix.os }}_${{ matrix.component }}
path: ${{ env.COMPONENT_BASE_BUILD_NAME }}${{ env.COMPONENT_BASE_BUILD_ARTIFACT_FILE_SUFFIX }} key: ${{ env.COMPONENT_BASE_BUILD_NAME }}-${{ matrix.os }}-${{ github.run_id }}
if-no-files-found: error
- name: Logout from DockerHub
run: |
docker logout
if (-not $?) {throw "Failed"}
build_images: build_images:
timeout-minutes: 70 timeout-minutes: 70
@ -451,11 +561,6 @@ jobs:
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:
- name: Block egress traffic
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@v4 uses: actions/checkout@v4
with: with:
@ -470,14 +575,23 @@ jobs:
run: cosign version run: cosign version
- name: Login to DockerHub - name: Login to DockerHub
run: | uses: docker/login-action@v3
docker login -u ${{ secrets.DOCKER_USERNAME }} -p ${{ secrets.DOCKER_PASSWORD }} with:
if (-not $?) {throw "Failed"} username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Base OS tag - name: Base OS tag
id: base_os_tag id: base_os_tag
env:
MATRIX_OS: ${{ matrix.os }}
MATRIX_FILE: ${{ env.MATRIX_FILE }}
run: | run: |
$os_tag=$(Get-Content -Path .\build.json | ConvertFrom-Json).'os-windows'.'${{ matrix.os }}' $os_tag=$(Get-Content -Path $Env:MATRIX_FILE | ConvertFrom-Json).'os-windows'."$Env:MATRIX_OS"
echo "::group::Base Windows OS tag"
echo "$os_tag"
echo "::endgroup::"
echo "os_tag=$os_tag" >> $Env:GITHUB_OUTPUT echo "os_tag=$os_tag" >> $Env:GITHUB_OUTPUT
- name: Generate tags - name: Generate tags
@ -496,67 +610,164 @@ jobs:
flavor: | flavor: |
latest=false latest=false
- name: Download SHA256 tag for ${{ env.COMPONENT_BASE_BUILD_NAME }}:${{ matrix.os }} - name: Download SHA256 tag of ${{ env.COMPONENT_BASE_BUILD_NAME }}:${{ matrix.os }}
uses: actions/download-artifact@v4 uses: actions/cache@v4
with: with:
name: ${{ env.COMPONENT_BASE_BUILD_NAME }}${{ env.COMPONENT_BASE_BUILD_ARTIFACT_FILE_SUFFIX }} path: ${{ env.COMPONENT_BASE_BUILD_NAME }}_${{ matrix.os }}_${{ matrix.component }}
key: ${{ env.COMPONENT_BASE_BUILD_NAME }}-${{ matrix.os }}-${{ github.run_id }}
- name: ${{ env.COMPONENT_BASE_BUILD_NAME }}:${{ matrix.os }} SHA256 tag - name: Retrieve ${{ env.COMPONENT_BASE_BUILD_NAME }}:${{ matrix.os }} SHA256 tag
id: base_build id: base_build
env:
COMPONENT_BASE_BUILD_NAME: ${{ env.COMPONENT_BASE_BUILD_NAME }}
MATRIX_OS: ${{ matrix.os }}
MATRIX_COMPONENT: ${{ matrix.component }}
DOCKER_REPOSITORY: ${{ env.DOCKER_REPOSITORY }}
IMAGE_PREFIX: ${{ env.IMAGE_PREFIX }}
run: | run: |
$base_tag = Get-Content ${{ env.COMPONENT_BASE_BUILD_NAME }}${{ env.COMPONENT_BASE_BUILD_ARTIFACT_FILE_SUFFIX }} -Raw $base_image_file=$Env:COMPONENT_BASE_BUILD_NAME + '_' + $Env:MATRIX_OS + '_' + $Env:MATRIX_COMPONENT
$build_base_image="${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGE_PREFIX }}${{ env.COMPONENT_BASE_BUILD_NAME }}@" + $base_tag $base_tag = Get-Content $base_image_file -Raw
$build_base_image="$Env:MATRIX_COMPONENT/$Env:IMAGE_PREFIX$Env:COMPONENT_BASE_BUILD_NAME@" + $base_tag
echo "base_tag=$base_tag" >> $Env:GITHUB_OUTPUT echo "::group::Base image Info"
echo "base_build_image=$build_base_image" >> $Env:GITHUB_OUTPUT echo "base_tag=$base_tag"
echo "base_build_image=$build_base_image"
echo "::endgroup::"
- name: Build image echo "base_tag=$base_tag" >> $Env:GITHUB_OUTPUT
echo "base_build_image=$build_base_image" >> $Env:GITHUB_OUTPUT
- name: Verify ${{ env.COMPONENT_BASE_BUILD_NAME }}:${{ matrix.os }} cosign
env:
BASE_IMAGE: ${{ steps.base_build.outputs.base_build_image }}
OIDC_ISSUER: ${{ env.OIDC_ISSUER }}
IDENITY_REGEX: ${{ env.IDENITY_REGEX }}
run: |
cosign verify \
--certificate-oidc-issuer-regexp "$Env:OIDC_ISSUER" \
--certificate-identity-regexp "$Env:IDENITY_REGEX" \
"$Env:BASE_IMAGE"
- name: Build and push image
id: docker_build id: docker_build
env:
DOCKERFILES_DIRECTORY: ${{ env.DOCKERFILES_DIRECTORY }}
COMPONENT_BASE_BUILD_IMAGE: ${{ steps.base_build.outputs.base_build_image }}
COMPONENT_BASE_BUILD_NAME: ${{ env.COMPONENT_BASE_BUILD_NAME }}
MATRIX_COMPONENT: ${{ matrix.component }}
TAGS: ${{ steps.meta.outputs.tags }}
COMPONENT_BASE_OS_TAG: ${{ steps.base_os_tag.outputs.os_tag }}
LABEL_REVISION: ${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
LABEL_CREATED: ${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
AUTO_PUSH_IMAGES: ${{ env.AUTO_PUSH_IMAGES }}
SHA_SHORT: ${{ needs.init_build.outputs.sha_short }}
run: | run: |
$context='.\Dockerfiles\${{ matrix.component }}\windows\' echo "::group::Docker version"
docker version
echo "::endgroup::"
echo "::group::Docker info"
docker info
echo "::endgroup::"
$context="$Env:DOCKERFILES_DIRECTORY\$Env:MATRIX_COMPONENT\windows\"
$dockerfile= $context + 'Dockerfile' $dockerfile= $context + 'Dockerfile'
$base_build_image= $Env:COMPONENT_BASE_BUILD_IMAGE + ':' + $Env:COMPONENT_BASE_BUILD_IMAGE
# Can not build on GitHub due existing symlink. Must be removed before build process # Can not build on GitHub due existing symlink. Must be removed before build process
Remove-Item -ErrorAction Ignore -Force -Path $context\README.md Remove-Item -ErrorAction Ignore -Force -Path $context\README.md
$tags_array=$( "${{ steps.meta.outputs.tags }}".Split("`r`n") ) $tags_array=$( "$Env:TAGS".Split("`n") )
$tags=$($tags_array | Foreach-Object { "--tag=$_" }) $tags=$( $tags_array | Foreach-Object { "--tag=$_" } )
# PowerShell images based on LTSC 2019 and LTSC 2016 do not have "ltsc" prefix # PowerShell images based on LTSC 2019 and LTSC 2016 do not have "ltsc" prefix
$os_tag_suffix='${{ steps.base_os_tag.outputs.os_tag }}' $os_tag_suffix=$Env:COMPONENT_BASE_OS_TAG
$os_tag_suffix=$os_tag_suffix -replace "ltsc2019",'1809' $os_tag_suffix=$os_tag_suffix -replace "ltsc2019",'1809'
echo "docker build --file=$dockerfile $tags $context" echo "::group::Image tags"
docker build --label org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} ` echo "$Env:TAGS"
--label org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} ` echo "::endgroup::"
--file=$dockerfile ` echo "::group::Pull base image"
--build-arg=BUILD_BASE_IMAGE=${{ steps.base_build.outputs.base_build_image }} ` docker pull $base_os_image
echo "::endgroup::"
echo "::group::Build Image"
Write-Host @"
docker build --label org.opencontainers.image.revision=$Env:LABEL_REVISION
--label org.opencontainers.image.created=$Env:LABEL_CREATED
--build-arg=BUILD_BASE_IMAGE=$base_build_image
--build-arg=BASE_IMAGE=mcr.microsoft.com/powershell:lts-nanoserver-$os_tag_suffix
--file=$dockerfile
$tags
$context
"@
docker build --label org.opencontainers.image.revision=$Env:LABEL_REVISION `
--label org.opencontainers.image.created=$Env:LABEL_CREATED `
--build-arg=BUILD_BASE_IMAGE=$base_build_image `
--build-arg=BASE_IMAGE=mcr.microsoft.com/powershell:lts-nanoserver-$os_tag_suffix ` --build-arg=BASE_IMAGE=mcr.microsoft.com/powershell:lts-nanoserver-$os_tag_suffix `
--file=$dockerfile `
$tags ` $tags `
$context $context
if (-not $?) {throw "Failed"} if (-not $?) {throw "Failed"}
echo "::endgroup::"
- name: Push image echo "::group::Publish Image"
if: ${{ env.AUTO_PUSH_IMAGES }} if ( $Env:AUTO_PUSH_IMAGES -eq 'true' ) {
run: | Foreach ($tag in $tags_array) {
$tags_array=$( "${{ steps.meta.outputs.tags }}".Split("`r`n") ) echo "docker image push $tag"
docker image push $tag
if (-not $?) {throw "Failed"}
}
Foreach ($tag in $tags_array) { $digest=$(docker inspect $tags_array[0] --format "{{ index .RepoDigests 0}}").Split('@')[-1]
echo "docker image push $tag"
docker image push $tag
if (-not $?) {throw "Failed"} if (-not $?) {throw "Failed"}
echo "Image digest got from RepoDigests"
} }
else {
$digest=$(docker inspect $tags_array[0] --format "{{ index .Id}}")
if (-not $?) {throw "Failed"}
echo "Image digest got from Id"
}
echo "::endgroup::"
echo "::group::Digest"
echo "$digest"
echo "::endgroup::"
echo "digest=$digest" >> $Env:GITHUB_OUTPUT
- name: Sign the images with GitHub OIDC Token
env:
DIGEST: ${{ steps.docker_build.outputs.digest }}
TAGS: ${{ steps.meta.outputs.tags }}
run: |
$tags_array=$( "$Env:TAGS".Split("`n") )
$tag_list=@()
foreach ($tag in $tags_array) {
$tag_name=$tag.Split(":")[0]
$tag_list+="$tag_name@$Env:DIGEST"
}
echo "::group::Images to sign"
echo "$tag_list"
echo "::endgroup::"
echo "::group::Signing"
echo "cosign sign --yes $tag_list"
cosign sign --yes $tag_list
echo "::endgroup::"
- name: Image digest - name: Image digest
if: ${{ env.AUTO_PUSH_IMAGES }} if: ${{ env.AUTO_PUSH_IMAGES }}
env:
DIGEST: ${{ steps.docker_build.outputs.digest }}
CACHE_FILE_NAME: ${{ env.COMPONENT_BASE_BUILD_NAME }}_${{ matrix.os }}_${{ matrix.component }}
run: | run: |
$tags_array=$( "${{ steps.meta.outputs.tags }}".Split("`r`n") ) echo "::group::Image digest"
echo "$Env:DIGEST"
echo "::endgroup::"
$digest=$(docker inspect $tags_array[0] --format "{{ index .RepoDigests 0}}").Split('@')[-1] echo "::group::Cache file name"
if (-not $?) {throw "Failed"} echo "$Env:CACHE_FILE_NAME"
echo "::endgroup::"
echo $digest $Env:DIGEST | Set-Content -Path $Env:CACHE_FILE_NAME
- name: Logout from DockerHub
run: |
docker logout
if (-not $?) {throw "Failed"}