From 70ce39b4724e39639c76936ba5180e5c1e71ed59 Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Sun, 18 Feb 2024 01:07:11 +0900 Subject: [PATCH 01/35] Updated building images workflow --- .github/workflows/images_build.yml | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/.github/workflows/images_build.yml b/.github/workflows/images_build.yml index 6b623e771..97e63cb5e 100644 --- a/.github/workflows/images_build.yml +++ b/.github/workflows/images_build.yml @@ -316,7 +316,7 @@ jobs: type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.os }}- type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,suffix=-${{ matrix.os }} flavor: | - latest=${{ (needs.init_build.outputs.current_branch != 'trunk') && (matrix.os == 'alpine') && ( needs.init_build.outputs.is_default_branch == 'true' ) }} + latest=${{ (needs.init_build.outputs.current_branch != 'trunk') && (matrix.os == 'alpine') && (!contains(fromJSON('["workflow_dispatch"]'), github.event_name)) && ( needs.init_build.outputs.is_default_branch == 'true' ) }} - name: Prepare cache data id: cache_data @@ -511,7 +511,7 @@ jobs: type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.os }}- type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,suffix=-${{ matrix.os }} flavor: | - latest=${{ (needs.init_build.outputs.current_branch != 'trunk') && (matrix.os == 'alpine') && ( needs.init_build.outputs.is_default_branch == 'true' ) }} + latest=${{ (needs.init_build.outputs.current_branch != 'trunk') && (matrix.os == 'alpine') && (!contains(fromJSON('["workflow_dispatch"]'), github.event_name)) && ( needs.init_build.outputs.is_default_branch == 'true' ) }} - name: Download SHA256 tag of ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }} uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 
@@ -610,10 +610,8 @@ jobs: labels: | org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} - cache-from: | - type=gha,scope=${{ steps.base_build.outputs.base_build_image }} - type=registry,ref=${{ steps.base_build.outputs.base_build_image }} - cache-to: type=gha,mode=max,scope=${{ fromJSON(steps.meta.outputs.json).tags[0] }} + cache-from: ${{ steps.cache_data.outputs.cache_from }} + cache-to: ${{ steps.cache_data.outputs.cache_to }} - name: Sign the images with GitHub OIDC Token if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} @@ -878,7 +876,7 @@ jobs: type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.os }}- type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,suffix=-${{ matrix.os }} flavor: | - latest=${{ (needs.init_build.outputs.current_branch != 'trunk') && (matrix.os == 'alpine') && ( needs.init_build.outputs.is_default_branch == 'true' ) }} + latest=${{ (needs.init_build.outputs.current_branch != 'trunk') && (matrix.os == 'alpine') && (!contains(fromJSON('["workflow_dispatch"]'), github.event_name)) && ( needs.init_build.outputs.is_default_branch == 'true' ) }} - name: Download SHA256 tag of ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.os }} uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 From 621cf8e8a214b7557ce5075d0150356b57f135fa Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Sun, 18 Feb 2024 01:10:57 +0900 Subject: [PATCH 02/35] Updated building images workflow --- .github/workflows/images_build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/images_build.yml b/.github/workflows/images_build.yml index 97e63cb5e..0bb95ec6c 100644 --- a/.github/workflows/images_build.yml 
+++ b/.github/workflows/images_build.yml @@ -573,9 +573,9 @@ jobs: cache_to=() cache_from+=("type=gha,scope=${BASE_IMAGE_TAG}") - cache_from+=("type=registry,ref=${BASE_IMAGE_TAG}") + #cache_from+=("type=registry,ref=${BASE_IMAGE_TAG}") cache_from+=("type=gha,scope=${IMAGE_TAG}") - cache_from+=("type=registry,ref=${IMAGE_TAG}") + #cache_from+=("type=registry,ref=${IMAGE_TAG}") cache_to+=("type=gha,mode=max,scope=${IMAGE_TAG}") From 23cde80e68e7bfc5ef001667f5d96d8bfde7f18a Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Sun, 18 Feb 2024 02:00:53 +0900 Subject: [PATCH 03/35] Updated building images workflow --- .github/workflows/images_build.yml | 59 +++++++++++++++++++----------- 1 file changed, 38 insertions(+), 21 deletions(-) diff --git a/.github/workflows/images_build.yml b/.github/workflows/images_build.yml index 0bb95ec6c..36b7ec56d 100644 --- a/.github/workflows/images_build.yml +++ b/.github/workflows/images_build.yml @@ -316,7 +316,7 @@ jobs: type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.os }}- type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,suffix=-${{ matrix.os }} flavor: | - latest=${{ (needs.init_build.outputs.current_branch != 'trunk') && (matrix.os == 'alpine') && (!contains(fromJSON('["workflow_dispatch"]'), github.event_name)) && ( needs.init_build.outputs.is_default_branch == 'true' ) }} + latest=${{ (matrix.os == 'alpine') && (!contains(fromJSON('["workflow_dispatch"]'), github.event_name)) && ( needs.init_build.outputs.is_default_branch == 'true' ) }} - name: Prepare cache data id: cache_data 
@@ -362,8 +362,14 @@ jobs: labels: | org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} - cache-from: ${{ steps.cache_data.outputs.cache_from }} - cache-to: ${{ steps.cache_data.outputs.cache_to }} + cache-from: type=local,src=/tmp/.buildx-base-cache + cache-to: type=local,src=/tmp/.buildx-base-cache + + - name: Cache image + uses: actions/cache/save@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 + with: + path: /tmp/.buildx-base-cache + key: ${{ env.BASE_BUILD_NAME }}-${{ matrix.os }}-${{ github.run_id }} - name: Sign the images with GitHub OIDC Token if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} @@ -371,10 +377,7 @@ jobs: DIGEST: ${{ steps.docker_build.outputs.digest }} TAGS: ${{ steps.meta.outputs.tags }} run: | - images="" - for tag in ${TAGS}; do - images+="${tag}@${DIGEST} " - done + images=$(printf "%s@${DIGEST}" "${TAGS[@]}") echo "::group::Images to sign" echo "$images" @@ -511,7 +514,7 @@ jobs: type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.os }}- type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,suffix=-${{ matrix.os }} flavor: | - latest=${{ (needs.init_build.outputs.current_branch != 'trunk') && (matrix.os == 'alpine') && (!contains(fromJSON('["workflow_dispatch"]'), github.event_name)) && ( needs.init_build.outputs.is_default_branch == 'true' ) }} + latest=${{ (matrix.os == 'alpine') && (!contains(fromJSON('["workflow_dispatch"]'), github.event_name)) && ( needs.init_build.outputs.is_default_branch == 'true' ) }} - name: Download SHA256 tag of ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }} uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 
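Review bot: The replacement `images=$(printf "%s@${DIGEST}" "${TAGS[@]}")` in the `-371,10 +377,7` hunk is a regression: TAGS is a plain newline-separated environment string from `steps.meta.outputs.tags`, not a bash array, so `"${TAGS[@]}"` expands to the single whole string and the digest is appended once, after the last tag, while the format string also has no separator between entries. The signing step then receives one malformed multi-line reference instead of one `tag@digest` per tag, which the removed loop produced correctly. Either keep the loop or split first: `mapfile -t tag_list <<< "${TAGS}"` followed by `images=$(printf "%s@${DIGEST} " "${tag_list[@]}")`. The same change is made in the `-619,10 +642,7` and `-967,10 +987,7` hunks of this commit.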
@@ -573,9 +576,9 @@ jobs: cache_to=() cache_from+=("type=gha,scope=${BASE_IMAGE_TAG}") - #cache_from+=("type=registry,ref=${BASE_IMAGE_TAG}") + cache_from+=("type=registry,ref=${BASE_IMAGE_TAG}") cache_from+=("type=gha,scope=${IMAGE_TAG}") - #cache_from+=("type=registry,ref=${IMAGE_TAG}") + cache_from+=("type=registry,ref=${IMAGE_TAG}") cache_to+=("type=gha,mode=max,scope=${IMAGE_TAG}") @@ -597,6 +600,18 @@ jobs: echo "$cache_to" >> "$GITHUB_OUTPUT" echo 'EOF' >> "$GITHUB_OUTPUT" + - name: Download metadata of ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }} + uses: actions/cache/restore@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 + with: + path: /tmp/.buildx-base-cache + key: ${{ env.BASE_BUILD_NAME }}-${{ matrix.os }}-${{ github.run_id }} + + - name: Download metadata of ${{ matrix.build }}:${{ matrix.os }} + uses: actions/cache/restore@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 + with: + path: /tmp/.buildx-build-cache + key: ${{ matrix.build }}-${{ matrix.os }}-${{ github.run_id }} + - name: Build ${{ matrix.build }}/${{ matrix.os }} and push id: docker_build uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 @@ -610,8 +625,16 @@ jobs: labels: | org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} - cache-from: ${{ steps.cache_data.outputs.cache_from }} - cache-to: ${{ steps.cache_data.outputs.cache_to }} + cache-from: | + type=local,src=/tmp/.buildx-base-cache + type=local,src=/tmp/.buildx-build-cache + cache-to: type=local,src=/tmp/.buildx-build-cache + + - name: Cache image + uses: actions/cache/save@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 + with: + path: /tmp/.buildx-build-cache + key: ${{ matrix.build }}-${{ matrix.os }}-${{ github.run_id }} - name: Sign the images with GitHub OIDC Token if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} 
@@ -619,10 +642,7 @@ jobs: DIGEST: ${{ steps.docker_build.outputs.digest }} TAGS: ${{ steps.meta.outputs.tags }} run: | - images="" - for tag in ${TAGS}; do - images+="${tag}@${DIGEST} " - done + images=$(printf "%s@${DIGEST}" "${TAGS[@]}") echo "::group::Images to sign" echo "$images" @@ -876,7 +896,7 @@ jobs: type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.os }}- type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,suffix=-${{ matrix.os }} flavor: | - latest=${{ (needs.init_build.outputs.current_branch != 'trunk') && (matrix.os == 'alpine') && (!contains(fromJSON('["workflow_dispatch"]'), github.event_name)) && ( needs.init_build.outputs.is_default_branch == 'true' ) }} + latest=${{ (matrix.os == 'alpine') && (!contains(fromJSON('["workflow_dispatch"]'), github.event_name)) && ( needs.init_build.outputs.is_default_branch == 'true' ) }} - name: Download SHA256 tag of ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.os }} uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 @@ -967,10 +987,7 @@ jobs: DIGEST: ${{ steps.docker_build.outputs.digest }} TAGS: ${{ steps.meta.outputs.tags }} run: | - images="" - for tag in ${TAGS}; do - images+="${tag}@${DIGEST} " - done + images=$(printf "%s@${DIGEST}" "${TAGS[@]}") echo "::group::Images to sign" echo "$images" From 5794f784ad448263b99d3f1abaf30c7658038bf8 Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Sun, 18 Feb 2024 02:06:32 +0900 Subject: [PATCH 04/35] Updated building images workflow --- .github/workflows/images_build.yml | 31 ++++++++++++++++++------------ 1 file changed, 19 insertions(+), 12 deletions(-) diff --git a/.github/workflows/images_build.yml b/.github/workflows/images_build.yml index 36b7ec56d..92146e77a 100644 --- a/.github/workflows/images_build.yml +++ b/.github/workflows/images_build.yml 
@@ -342,6 +342,7 @@ jobs: cache_from=$(printf '%s\n' "${cache_from[@]}") cache_to=$(printf '%s\n' "${cache_to[@]}") + mkdir -p /tmp/.buildx-base-cache echo 'cache_from<> "$GITHUB_OUTPUT" echo "$cache_from" >> "$GITHUB_OUTPUT" @@ -350,6 +351,12 @@ jobs: echo "$cache_to" >> "$GITHUB_OUTPUT" echo 'EOF' >> "$GITHUB_OUTPUT" + - name: Download metadata of ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }} + uses: actions/cache/restore@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 + with: + path: /tmp/.buildx-base-cache + key: ${{ env.BASE_BUILD_NAME }}-${{ matrix.os }}-${{ github.run_id }} + - name: Build and publish image id: docker_build uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 @@ -565,6 +572,18 @@ jobs: "$BASE_IMAGE" echo "::endgroup::" + - name: Download metadata of ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }} + uses: actions/cache/restore@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 + with: + path: /tmp/.buildx-base-cache + key: ${{ env.BASE_BUILD_NAME }}-${{ matrix.os }}-${{ github.run_id }} + + - name: Download metadata of ${{ matrix.build }}:${{ matrix.os }} + uses: actions/cache/restore@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 + with: + path: /tmp/.buildx-build-cache + key: ${{ matrix.build }}-${{ matrix.os }}-${{ github.run_id }} + - name: Prepare cache data id: cache_data env: 
@@ -600,18 +619,6 @@ jobs: echo "$cache_to" >> "$GITHUB_OUTPUT" echo 'EOF' >> "$GITHUB_OUTPUT" - - name: Download metadata of ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }} - uses: actions/cache/restore@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 - with: - path: /tmp/.buildx-base-cache - key: ${{ env.BASE_BUILD_NAME }}-${{ matrix.os }}-${{ github.run_id }} - - - name: Download metadata of ${{ matrix.build }}:${{ matrix.os }} - uses: actions/cache/restore@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 - with: - path: /tmp/.buildx-build-cache - key: ${{ matrix.build }}-${{ matrix.os }}-${{ github.run_id }} - - name: Build ${{ matrix.build }}/${{ matrix.os }} and push id: docker_build uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 From 17854452e33f40547f6ebaf9239f20f34e84a7a1 Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Sun, 18 Feb 2024 02:08:43 +0900 Subject: [PATCH 05/35] Updated building images workflow --- .github/workflows/images_build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/images_build.yml b/.github/workflows/images_build.yml index 92146e77a..bf40ad594 100644 --- a/.github/workflows/images_build.yml +++ b/.github/workflows/images_build.yml @@ -370,7 +370,7 @@ jobs: org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} cache-from: type=local,src=/tmp/.buildx-base-cache - cache-to: type=local,src=/tmp/.buildx-base-cache + cache-to: type=local,dest=/tmp/.buildx-base-cache - name: Cache image uses: actions/cache/save@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 
@@ -635,7 +635,7 @@ jobs: cache-from: | type=local,src=/tmp/.buildx-base-cache type=local,src=/tmp/.buildx-build-cache - cache-to: type=local,src=/tmp/.buildx-build-cache + cache-to: type=local,dest=/tmp/.buildx-build-cache - name: Cache image uses: actions/cache/save@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 From 2ca0e27b65c33310822a0c6269ed675deaed8f7e Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Sun, 18 Feb 2024 02:21:22 +0900 Subject: [PATCH 06/35] Updated building images workflow --- .github/workflows/images_build.yml | 33 +++++++++++++++++++++++++----- 1 file changed, 28 insertions(+), 5 deletions(-) diff --git a/.github/workflows/images_build.yml b/.github/workflows/images_build.yml index bf40ad594..6de19e2ce 100644 --- a/.github/workflows/images_build.yml +++ b/.github/workflows/images_build.yml @@ -49,6 +49,7 @@ jobs: runs-on: ubuntu-latest permissions: contents: read + actions: write outputs: os: ${{ steps.os.outputs.list }} database: ${{ steps.database.outputs.list }} @@ -150,6 +151,28 @@ jobs: echo "current_branch=$github_ref" >> $GITHUB_OUTPUT echo "sha_short=$sha_short" >> $GITHUB_OUTPUT + - name: Cleanup cache + shell: bash + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + REPO: ${{ github.repository }} + BRANCH: ${{ steps.branch_info.outputs.current_branch }} + GH_RUN_ID: ${{ github.run_id }} + run: | + gh extension install actions/gh-actions-cache + + cache_keys=$(gh actions-cache list -R "${REPO}" -B "${BRANCH}" -L 100 --sort created-at --order desc | cut -f 1) + + ## Setting this to not fail the workflow while deleting cache keys + set +e + echo "Deleting caches..." + for cache_key in $cache_keys + do + if [[ "$cache_key" == *"${GH_RUN_ID}" ]] && [[ "$cache_key" != *"${GH_RUN_ID}-image" ]]; then + gh actions-cache delete $cache_key -R "${REPO}" -B "${BRANCH}" --confirm + fi + done + build_base: timeout-minutes: 30 name: Build base on ${{ matrix.os }} 
@@ -355,7 +378,7 @@ jobs: uses: actions/cache/restore@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 with: path: /tmp/.buildx-base-cache - key: ${{ env.BASE_BUILD_NAME }}-${{ matrix.os }}-${{ github.run_id }} + key: ${{ env.BASE_BUILD_NAME }}-${{ matrix.os }}-${{ github.run_id }}-image - name: Build and publish image id: docker_build @@ -376,7 +399,7 @@ jobs: uses: actions/cache/save@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 with: path: /tmp/.buildx-base-cache - key: ${{ env.BASE_BUILD_NAME }}-${{ matrix.os }}-${{ github.run_id }} + key: ${{ env.BASE_BUILD_NAME }}-${{ matrix.os }}-${{ github.run_id }}-image - name: Sign the images with GitHub OIDC Token if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} @@ -576,13 +599,13 @@ jobs: uses: actions/cache/restore@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 with: path: /tmp/.buildx-base-cache - key: ${{ env.BASE_BUILD_NAME }}-${{ matrix.os }}-${{ github.run_id }} + key: ${{ env.BASE_BUILD_NAME }}-${{ matrix.os }}-${{ github.run_id }}-image - name: Download metadata of ${{ matrix.build }}:${{ matrix.os }} uses: actions/cache/restore@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 with: path: /tmp/.buildx-build-cache - key: ${{ matrix.build }}-${{ matrix.os }}-${{ github.run_id }} + key: ${{ matrix.build }}-${{ matrix.os }}-${{ github.run_id }}-image - name: Prepare cache data id: cache_data @@ -641,7 +664,7 @@ jobs: uses: actions/cache/save@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 with: path: /tmp/.buildx-build-cache - key: ${{ matrix.build }}-${{ matrix.os }}-${{ github.run_id }} + key: ${{ matrix.build }}-${{ matrix.os }}-${{ github.run_id }}-image - name: Sign the images with GitHub OIDC Token if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} From cc572d67fa41c73827ccb5c75e07219a28fa31b2 Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Sun, 18 Feb 2024 02:22:59 +0900 Subject: [PATCH 07/35] Updated building images workflow --- .github/workflows/images_build.yml | 1 + 1 file changed, 1 insertion(+) 
diff --git a/.github/workflows/images_build.yml b/.github/workflows/images_build.yml index 6de19e2ce..fdf61dc47 100644 --- a/.github/workflows/images_build.yml +++ b/.github/workflows/images_build.yml @@ -64,6 +64,7 @@ jobs: disable-sudo: true egress-policy: block allowed-endpoints: > + api.github.com:443 github.com:443 - name: Checkout repository From 8b342243ffa1e07a0af6b1ce1cee4ea7ab03c198 Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Sun, 18 Feb 2024 02:24:04 +0900 Subject: [PATCH 08/35] Updated building images workflow --- .github/workflows/images_build.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/images_build.yml b/.github/workflows/images_build.yml index fdf61dc47..c50b6e643 100644 --- a/.github/workflows/images_build.yml +++ b/.github/workflows/images_build.yml @@ -66,6 +66,7 @@ jobs: allowed-endpoints: > api.github.com:443 github.com:443 + objects.githubusercontent.com:443 - name: Checkout repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 From 50b0adbcb0d72b25e6df3dd158320cf390f6ee4c Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Sun, 18 Feb 2024 02:37:12 +0900 Subject: [PATCH 09/35] Updated building images workflow --- .github/workflows/images_build.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/images_build.yml b/.github/workflows/images_build.yml index c50b6e643..0560fcf8b 100644 --- a/.github/workflows/images_build.yml +++ b/.github/workflows/images_build.yml @@ -636,6 +636,7 @@ jobs: cache_from=$(printf '%s\n' "${cache_from[@]}") cache_to=$(printf '%s\n' "${cache_to[@]}") + mkdir -p /tmp/.buildx-build-cache/ echo 'cache_from<> "$GITHUB_OUTPUT" echo "$cache_from" >> "$GITHUB_OUTPUT" From 4d90c392435da55a4cc996e962b68149ab9816d5 Mon Sep 17 00:00:00 2001 
From: Alexey Pustovalov Date: Sun, 18 Feb 2024 12:04:17 +0900 Subject: [PATCH 10/35] Updated building images workflow --- .github/workflows/images_build.yml | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/.github/workflows/images_build.yml b/.github/workflows/images_build.yml index 0560fcf8b..f43d98c5e 100644 --- a/.github/workflows/images_build.yml +++ b/.github/workflows/images_build.yml @@ -31,6 +31,7 @@ env: AUTO_PUSH_IMAGES: ${{ ! contains(fromJSON('["workflow_dispatch"]'), github.event_name) && vars.AUTO_PUSH_IMAGES }} DOCKER_REPOSITORY: ${{ vars.DOCKER_REPOSITORY }} + DOCKER_REGISTRY_TEST: "zabbix-docker" LATEST_BRANCH: ${{ github.event.repository.default_branch }} TRUNK_GIT_BRANCH: "refs/heads/trunk" IMAGES_PREFIX: "zabbix-" @@ -311,6 +312,14 @@ jobs: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} + - name: Login to DockerHub + if: ${{ env.AUTO_PUSH_IMAGES != 'true' }} + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Prepare Platform list id: platform env: @@ -330,7 +339,7 @@ jobs: id: meta uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 with: - images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ env.BASE_BUILD_NAME }} + images: ${{ env.AUTO_PUSH_IMAGES == 'true' && env.DOCKER_REPOSITORY || env.DOCKER_REGISTRY_TEST }}/${{ env.IMAGES_PREFIX }}${{ env.BASE_BUILD_NAME }} context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} tags: | type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}- 
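Review bot: The step added in the `-311,6 +312,14` hunk is named "Login to DockerHub" but logs in to `registry: ghcr.io` with the workflow's `GITHUB_TOKEN`, so the name misleads anyone reading the run log or auditing which credential goes to which registry; rename it, e.g. `- name: Login to GitHub Container Registry`. The same mis-named step is added twice more in patch 18 (hunks `-527,6 +527,14` and `-878,6 +886,14`).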
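Review bot: The `images:` expression in the `-330,7 +339,7` hunk uses the `cond && a || b` idiom, which falls through to `env.DOCKER_REGISTRY_TEST` whenever `env.DOCKER_REPOSITORY` is empty, so a release run with the repository variable unset would silently target the test name rather than fail. A comment above the line documenting that fallback, `# falls back to DOCKER_REGISTRY_TEST when DOCKER_REPOSITORY is unset`, or an explicit check of the variable in an earlier step, would make the behaviour deliberate rather than accidental.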
@@ -394,8 +403,6 @@ jobs: labels: | org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} - cache-from: type=local,src=/tmp/.buildx-base-cache - cache-to: type=local,dest=/tmp/.buildx-base-cache - name: Cache image uses: actions/cache/save@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 From 1e2435cd6c8305bf0450f4a534bb72874b8a19c6 Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Sun, 18 Feb 2024 12:08:08 +0900 Subject: [PATCH 11/35] Updated building images workflow --- .github/workflows/images_build.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/images_build.yml b/.github/workflows/images_build.yml index f43d98c5e..bc8640990 100644 --- a/.github/workflows/images_build.yml +++ b/.github/workflows/images_build.yml @@ -219,6 +219,7 @@ jobs: ftpmirror.your.org:80 fulcio.sigstore.dev:443 github.com:443 + ghcr.io:443 iad.mirror.rackspace.com:443 iad.mirror.rackspace.com:80 index.docker.io:443 @@ -477,6 +478,7 @@ jobs: golang.org:443 google.golang.org:443 gopkg.in:443 + ghcr.io:443 index.docker.io:443 noto-website.storage.googleapis.com:443 production.cloudflare.docker.com:443 From b29bfaef34da1dc2b154ddc718ccf4d6293e27d0 Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Sun, 18 Feb 2024 12:12:27 +0900 Subject: [PATCH 12/35] Updated building images workflow --- .github/workflows/images_build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/images_build.yml b/.github/workflows/images_build.yml index bc8640990..b0bc6e1de 100644 --- a/.github/workflows/images_build.yml +++ b/.github/workflows/images_build.yml 
@@ -340,7 +340,7 @@ jobs: id: meta uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 with: - images: ${{ env.AUTO_PUSH_IMAGES == 'true' && env.DOCKER_REPOSITORY || env.DOCKER_REGISTRY_TEST }}/${{ env.IMAGES_PREFIX }}${{ env.BASE_BUILD_NAME }} + images: ${{ env.AUTO_PUSH_IMAGES != 'true' && 'ghcr.io/' }}${{ env.AUTO_PUSH_IMAGES == 'true' && env.DOCKER_REPOSITORY || env.DOCKER_REGISTRY_TEST }}/${{ env.IMAGES_PREFIX }}${{ env.BASE_BUILD_NAME }} context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} tags: | type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}- @@ -399,7 +399,7 @@ jobs: context: ${{ env.DOCKERFILES_DIRECTORY }}/${{ env.BASE_BUILD_NAME }}/${{ matrix.os }} file: ${{ env.DOCKERFILES_DIRECTORY }}/${{ env.BASE_BUILD_NAME }}/${{ matrix.os }}/Dockerfile platforms: ${{ steps.platform.outputs.list }} - push: ${{ env.AUTO_PUSH_IMAGES == 'true' }} + push: true tags: ${{ steps.meta.outputs.tags }} labels: | org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} From 677a48f9c79dcd7fef6166635945f824b1d18f92 Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Sun, 18 Feb 2024 12:18:35 +0900 Subject: [PATCH 13/35] Updated building images workflow --- .github/workflows/images_build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/images_build.yml b/.github/workflows/images_build.yml index b0bc6e1de..c4f817cfa 100644 --- a/.github/workflows/images_build.yml +++ b/.github/workflows/images_build.yml 
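Review bot: `${{ env.AUTO_PUSH_IMAGES != 'true' && 'ghcr.io/' }}` at the start of the `images:` line has no `|| ''` branch, so on a release run (AUTO_PUSH_IMAGES equal to `'true'`) the expression evaluates to boolean false, which the expression engine renders as the string `false` when concatenated into the input; the production image name would then begin with `false`. Test runs take the other branch and never exercise this, so the breakage would first appear on a real push — a quick `run: echo` of the evaluated name in a test job would confirm it. Use `${{ env.AUTO_PUSH_IMAGES != 'true' && 'ghcr.io/' || '' }}` here and in the same construct in patch 15 (hunks `-545,7 +545,7` and `-568,7 +568,7`) and patch 16 (hunks `-928,7 +924,7` and `-954,7 +950,7`).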
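Review bot: `push: true` in the `-399,7 +399,7` hunk removes the `AUTO_PUSH_IMAGES` gate on the base image push, so every run, including workflow_dispatch test runs, now publishes to a registry, while the following "Sign the images with GitHub OIDC Token" step (visible as context in patch 03) stays conditional on `AUTO_PUSH_IMAGES == 'true'`. The ghcr.io test images are therefore pushed unsigned, without the verification the production path gets. If that is intended, a comment on the line such as `# non-release runs push unsigned test images to ghcr.io` would save the next reader the question; otherwise the sign step's condition should be relaxed to match. The same change is made for the component images in patch 15 (hunk `-659,10 +659,10`).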
@@ -31,7 +31,7 @@ env: AUTO_PUSH_IMAGES: ${{ ! contains(fromJSON('["workflow_dispatch"]'), github.event_name) && vars.AUTO_PUSH_IMAGES }} DOCKER_REPOSITORY: ${{ vars.DOCKER_REPOSITORY }} - DOCKER_REGISTRY_TEST: "zabbix-docker" + DOCKER_REGISTRY_TEST: "zabbix" LATEST_BRANCH: ${{ github.event.repository.default_branch }} TRUNK_GIT_BRANCH: "refs/heads/trunk" IMAGES_PREFIX: "zabbix-" From be99dddfef4d0f08d9e7b21a9eafab08d72c516d Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Sun, 18 Feb 2024 12:19:37 +0900 Subject: [PATCH 14/35] Updated building images workflow --- .github/workflows/images_build.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/images_build.yml b/.github/workflows/images_build.yml index c4f817cfa..4429bb5e6 100644 --- a/.github/workflows/images_build.yml +++ b/.github/workflows/images_build.yml @@ -189,6 +189,7 @@ jobs: permissions: contents: read id-token: write + packages: write steps: - name: Block egress traffic uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 From 787f76d1189c74203af45a3430c40cc2c1ebb633 Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Sun, 18 Feb 2024 12:59:27 +0900 Subject: [PATCH 15/35] Updated building images workflow --- .github/workflows/images_build.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/images_build.yml b/.github/workflows/images_build.yml index 4429bb5e6..a655534aa 100644 --- a/.github/workflows/images_build.yml +++ b/.github/workflows/images_build.yml 
@@ -545,7 +545,7 @@ jobs: id: meta uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 with: - images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ matrix.build }} + images: ${{ env.AUTO_PUSH_IMAGES != 'true' && 'ghcr.io/' }}${{ env.AUTO_PUSH_IMAGES == 'true' && env.DOCKER_REPOSITORY || env.DOCKER_REGISTRY_TEST }}/${{ env.IMAGES_PREFIX }}${{ matrix.build }} context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} tags: | type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}- @@ -568,7 +568,7 @@ jobs: id: base_build env: MATRIX_OS: ${{ matrix.os }} - DOCKER_REPOSITORY: ${{ env.DOCKER_REPOSITORY }} + DOCKER_REPOSITORY: ${{ env.AUTO_PUSH_IMAGES != 'true' && 'ghcr.io/' }}${{ env.AUTO_PUSH_IMAGES == 'true' && env.DOCKER_REPOSITORY || env.DOCKER_REGISTRY_TEST }} BASE_IMAGE: ${{ env.BASE_BUILD_NAME }} IMAGES_PREFIX: ${{ env.IMAGES_PREFIX }} run: | @@ -659,10 +659,10 @@ jobs: id: docker_build uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 with: - context: ${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/${{ matrix.os }} + context: ${{ env.AUTO_PUSH_IMAGES != 'true' && 'ghcr.io/' }}${{ env.AUTO_PUSH_IMAGES == 'true' && env.DOCKER_REPOSITORY || env.DOCKER_REGISTRY_TEST }}/${{ matrix.build }}/${{ matrix.os }} file: ${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/${{ matrix.os }}/Dockerfile platforms: ${{ steps.platform.outputs.list }} - push: ${{ env.AUTO_PUSH_IMAGES == 'true' }} + push: true tags: ${{ steps.meta.outputs.tags }} build-args: BUILD_BASE_IMAGE=${{ steps.base_build.outputs.base_build_image }} labels: | From db8bc6b51ad047be48e0e1b6d677e6d144ca8ea9 Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Sun, 18 Feb 2024 13:12:32 +0900 Subject: [PATCH 16/35] Updated building images workflow --- .github/workflows/images_build.yml | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) 
diff --git a/.github/workflows/images_build.yml b/.github/workflows/images_build.yml index a655534aa..758053534 100644 --- a/.github/workflows/images_build.yml +++ b/.github/workflows/images_build.yml @@ -659,7 +659,7 @@ jobs: id: docker_build uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 with: - context: ${{ env.AUTO_PUSH_IMAGES != 'true' && 'ghcr.io/' }}${{ env.AUTO_PUSH_IMAGES == 'true' && env.DOCKER_REPOSITORY || env.DOCKER_REGISTRY_TEST }}/${{ matrix.build }}/${{ matrix.os }} + context: ${{ env.DOCKERFILES_DIRECTORY }}/${{ env.BASE_BUILD_NAME }}/${{ matrix.os }} file: ${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/${{ matrix.os }}/Dockerfile platforms: ${{ steps.platform.outputs.list }} push: true @@ -668,10 +668,6 @@ jobs: labels: | org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} - cache-from: | - type=local,src=/tmp/.buildx-base-cache - type=local,src=/tmp/.buildx-build-cache - cache-to: type=local,dest=/tmp/.buildx-build-cache - name: Cache image uses: actions/cache/save@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 @@ -928,7 +924,7 @@ jobs: id: meta uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 with: - images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX}}${{ matrix.build }} + images: ${{ env.AUTO_PUSH_IMAGES != 'true' && 'ghcr.io/' }}${{ env.AUTO_PUSH_IMAGES == 'true' && env.DOCKER_REPOSITORY || env.DOCKER_REGISTRY_TEST }}/${{ env.IMAGES_PREFIX}}${{ matrix.build }} context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} tags: | type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}- 
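Review bot: The new `context:` value `${{ env.DOCKERFILES_DIRECTORY }}/${{ env.BASE_BUILD_NAME }}/${{ matrix.os }}` in the `-659,7 +659,7` hunk points the build context at the base image's directory while `file:` on the next line still selects `${{ matrix.build }}/${{ matrix.os }}/Dockerfile`; the value patch 15 removed was `${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/${{ matrix.os }}`, so this looks like a copy from the base-build job rather than a restore of the original. Unless the component Dockerfiles deliberately copy only from the base directory, this changes what lands in each component image, possibly silently. Suggest `context: ${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/${{ matrix.os }}`.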
@@ -954,7 +950,7 @@ jobs: env: BUILD_BASE: ${{ steps.build_base_image.outputs.build_base }} MATRIX_OS: ${{ matrix.os }} - DOCKER_REPOSITORY: ${{ env.DOCKER_REPOSITORY }} + DOCKER_REPOSITORY: ${{ env.AUTO_PUSH_IMAGES != 'true' && 'ghcr.io/' }}${{ env.AUTO_PUSH_IMAGES == 'true' && env.DOCKER_REPOSITORY || env.DOCKER_REGISTRY_TEST }} IMAGES_PREFIX: ${{ env.IMAGES_PREFIX }} run: | BASE_TAG=$(cat "${BUILD_BASE}_${MATRIX_OS}") @@ -1022,7 +1018,6 @@ jobs: labels: | org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} - cache-from: ${{ steps.cache_data.outputs.cache_from }} - name: Sign the images with GitHub OIDC Token if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} From 8a84b83c6962c78e6120ca2d46d44da207036ee5 Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Sun, 18 Feb 2024 13:24:47 +0900 Subject: [PATCH 17/35] Updated building images workflow --- .github/workflows/images_build.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/images_build.yml b/.github/workflows/images_build.yml index 758053534..6203a636f 100644 --- a/.github/workflows/images_build.yml +++ b/.github/workflows/images_build.yml @@ -463,6 +463,7 @@ jobs: permissions: contents: read id-token: write + packages: write steps: - name: Block egress traffic uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 @@ -725,6 +726,7 @@ jobs: permissions: contents: read id-token: write + packages: write steps: - name: Block egress traffic uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 From d49452e3376463658d951ee6f211e2ed068819bd Mon Sep 17 00:00:00 2001 
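Review bot: `packages: write` is granted to the two jobs at lines 463 and 725, but the job that builds the base image (around line 300) also logs in to ghcr.io and builds with `push: true` in this series, and its `permissions:` block is not in this patch. If that job lacks the grant, its push with `GITHUB_TOKEN` is denied; please confirm every job that pushes to ghcr.io carries `packages: write`, and that jobs which only pull keep `packages: read` or nothing.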
From: Alexey Pustovalov Date: Sun, 18 Feb 2024 13:39:39 +0900 Subject: [PATCH 18/35] Updated building images workflow --- .github/workflows/images_build.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/.github/workflows/images_build.yml b/.github/workflows/images_build.yml index 6203a636f..2d9b8e9ca 100644 --- a/.github/workflows/images_build.yml +++ b/.github/workflows/images_build.yml @@ -527,6 +527,14 @@ jobs: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} + - name: Login to DockerHub + if: ${{ env.AUTO_PUSH_IMAGES != 'true' }} + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Prepare Platform list id: platform env: @@ -878,6 +886,14 @@ jobs: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} + - name: Login to DockerHub + if: ${{ env.AUTO_PUSH_IMAGES != 'true' }} + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Prepare Platform list id: platform env: From f7b248bf5ab108c87ee95e7287a413eaf9ee94a5 Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Sun, 18 Feb 2024 13:50:35 +0900 Subject: [PATCH 19/35] Updated building images workflow --- .github/workflows/images_build.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/images_build.yml b/.github/workflows/images_build.yml index 2d9b8e9ca..dbd302973 100644 --- a/.github/workflows/images_build.yml +++ b/.github/workflows/images_build.yml @@ -279,6 +279,7 @@ jobs: uvermont.mm.fcix.net:443 yum.oracle.com:443 ziply.mm.fcix.net:443 + pkg-containers.githubusercontent.com:443 - name: Checkout repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 
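Review bot: Both added steps are named `Login to DockerHub` although `registry: ghcr.io` logs in to GitHub Container Registry, which misleads anyone reading the job log after a failed push. Rename them, `- name: Login to ghcr.io`, or derive the name from the same variable as the registry. Hard-coding `ghcr.io` here while the image names elsewhere are assembled from env values also lets the two drift; consider a single env entry for the test registry host used by both the login and the `images:` lines.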
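Review bot: The egress allow-list gains `pkg-containers.githubusercontent.com:443`, which is where GHCR blobs are served, but the login and manifest push themselves go to `ghcr.io:443`, and that host is not added in this hunk nor in the matching hunks at @@ -492 and @@ -853. Unless `ghcr.io:443` is already present in these lists outside the hunk, harden-runner in block mode will drop the login/push. Add `ghcr.io:443` next to the new entry in all three lists.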
@@ -492,6 +493,7 @@ jobs: objects.githubusercontent.com:443 tuf-repo-cdn.sigstore.dev:443 rekor.sigstore.dev:443 + pkg-containers.githubusercontent.com:443 - name: Checkout repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 @@ -853,6 +855,7 @@ jobs: objects.githubusercontent.com:443 tuf-repo-cdn.sigstore.dev:443 rekor.sigstore.dev:443 + pkg-containers.githubusercontent.com:443 - name: Checkout repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 From 5f2bd523097f114698d1810376c55f931a1f2613 Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Sun, 18 Feb 2024 14:04:05 +0900 Subject: [PATCH 20/35] Updated building images workflow --- .github/workflows/images_build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/images_build.yml b/.github/workflows/images_build.yml index dbd302973..afb21797a 100644 --- a/.github/workflows/images_build.yml +++ b/.github/workflows/images_build.yml @@ -670,7 +670,7 @@ jobs: id: docker_build uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 with: - context: ${{ env.DOCKERFILES_DIRECTORY }}/${{ env.BASE_BUILD_NAME }}/${{ matrix.os }} + context: ${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/${{ matrix.os }} file: ${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/${{ matrix.os }}/Dockerfile platforms: ${{ steps.platform.outputs.list }} push: true From 3a2cdbe44d1db6da54ea4dae74b21bf423ede886 Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Sun, 18 Feb 2024 15:11:56 +0900 Subject: [PATCH 21/35] Updated building images workflow --- .github/workflows/images_build.yml | 41 +++++++++++++----------------- 1 file changed, 18 insertions(+), 23 deletions(-) diff --git a/.github/workflows/images_build.yml b/.github/workflows/images_build.yml index afb21797a..c26cdccca 100644 --- a/.github/workflows/images_build.yml +++ b/.github/workflows/images_build.yml 
@@ -31,7 +31,6 @@ env: AUTO_PUSH_IMAGES: ${{ ! contains(fromJSON('["workflow_dispatch"]'), github.event_name) && vars.AUTO_PUSH_IMAGES }} DOCKER_REPOSITORY: ${{ vars.DOCKER_REPOSITORY }} - DOCKER_REGISTRY_TEST: "zabbix" LATEST_BRANCH: ${{ github.event.repository.default_branch }} TRUNK_GIT_BRANCH: "refs/heads/trunk" IMAGES_PREFIX: "zabbix-" @@ -44,6 +43,9 @@ env: OIDC_ISSUER: "https://token.actions.githubusercontent.com" IDENITY_REGEX: "https://github.com/zabbix/zabbix-docker/.github/" + DOCKER_REGISTRY_TEST: "ghcr.io" + DOCKER_REPOSITORY_TEST: "zabbix" + jobs: init_build: name: Initialize build @@ -315,11 +317,11 @@ jobs: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} - - name: Login to DockerHub + - name: Login to ${{ env.DOCKER_REGISTRY_TEST }} if: ${{ env.AUTO_PUSH_IMAGES != 'true' }} uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 with: - registry: ghcr.io + registry: ${{ env.DOCKER_REGISTRY_TEST }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} @@ -342,7 +344,9 @@ jobs: id: meta uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 with: - images: ${{ env.AUTO_PUSH_IMAGES != 'true' && 'ghcr.io/' }}${{ env.AUTO_PUSH_IMAGES == 'true' && env.DOCKER_REPOSITORY || env.DOCKER_REGISTRY_TEST }}/${{ env.IMAGES_PREFIX }}${{ env.BASE_BUILD_NAME }} + images: | + ${{ format('{0}{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }} + ${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }} context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} tags: | type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}- 
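Review bot: The first `images:` entry in hunk @@ -342 is built with `format('{0}{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, ...)`, which has no separator between registry and repository and yields `ghcr.iozabbix/zabbix-...`. It should be `format('{0}/{1}/{2}{3}', ...)` so it has the same shape as the second entry. Replacing the inline `&&` ternary with two `enable=` entries is the right fix for the `false` rendering on the release path; the other `images:` lines in this workflow would benefit from the same two-entry form.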
@@ -388,18 +392,12 @@ jobs: echo "$cache_to" >> "$GITHUB_OUTPUT" echo 'EOF' >> "$GITHUB_OUTPUT" - - name: Download metadata of ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }} - uses: actions/cache/restore@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 - with: - path: /tmp/.buildx-base-cache - key: ${{ env.BASE_BUILD_NAME }}-${{ matrix.os }}-${{ github.run_id }}-image - - name: Build and publish image id: docker_build uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 with: - context: ${{ env.DOCKERFILES_DIRECTORY }}/${{ env.BASE_BUILD_NAME }}/${{ matrix.os }} - file: ${{ env.DOCKERFILES_DIRECTORY }}/${{ env.BASE_BUILD_NAME }}/${{ matrix.os }}/Dockerfile + context: ${{ format("{0}/{1}/{2}", env.DOCKERFILES_DIRECTORY, env.BASE_BUILD_NAME, matrix.os) }} + file: ${{ format("{0}/{1}/{2}/Dockerfile", env.DOCKERFILES_DIRECTORY, env.BASE_BUILD_NAME, matrix.os) }} platforms: ${{ steps.platform.outputs.list }} push: true tags: ${{ steps.meta.outputs.tags }} @@ -407,12 +405,6 @@ jobs: org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} - - name: Cache image - uses: actions/cache/save@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 - with: - path: /tmp/.buildx-base-cache - key: ${{ env.BASE_BUILD_NAME }}-${{ matrix.os }}-${{ github.run_id }}-image - - name: Sign the images with GitHub OIDC Token if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} env: @@ -432,8 +424,9 @@ jobs: - name: Image digest env: - DIGEST: ${{ steps.docker_build.outputs.digest || fromJSON(steps.meta.outputs.json).tags[0] }} - CACHE_FILE_NAME: ${{ env.BASE_BUILD_NAME }}_${{ matrix.os }} + DIGEST: ${{ steps.docker_build.outputs.digest }} + CACHE_FILE_NAME: "base_image_metadata" + METADATA: ${{ steps.docker_build.outputs }} run: | echo "::group::Image digest" echo "$DIGEST" 
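Review bot: The new `context:` and `file:` values use double-quoted literals inside `format("{0}/{1}/{2}", ...)`, but GitHub Actions expressions accept only single-quoted strings, so the workflow fails to parse. Use `format('{0}/{1}/{2}', env.DOCKERFILES_DIRECTORY, env.BASE_BUILD_NAME, matrix.os)` and `format('{0}/{1}/{2}/Dockerfile', env.DOCKERFILES_DIRECTORY, env.BASE_BUILD_NAME, matrix.os)`.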
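Review bot: `METADATA: ${{ steps.docker_build.outputs }}` in hunk @@ -432 interpolates the whole outputs object rather than a string; the build description the later `cat`/`jq` steps expect lives in `steps.docker_build.outputs.metadata`, and an object in an env value is unlikely to serialize to that JSON. Use `METADATA: ${{ steps.docker_build.outputs.metadata }}`. The literal `base_image_metadata` is now spelled in three places (this `CACHE_FILE_NAME`, the cache `path:` and the consumer's `cat`); a single env entry would keep them from drifting.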
@@ -441,13 +434,16 @@ jobs: echo "::group::Cache file name" echo "$CACHE_FILE_NAME" echo "::endgroup::" + echo "$METADATA" > test_file + + cat test_file echo "$DIGEST" > "$CACHE_FILE_NAME" - name: Cache image digest uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 with: - path: ${{ env.BASE_BUILD_NAME }}_${{ matrix.os }} + path: "base_image_metadata" key: ${{ env.BASE_BUILD_NAME }}-${{ matrix.os }}-${{ github.run_id }} build_base_database: @@ -459,7 +455,6 @@ jobs: matrix: build: ${{ fromJson(needs.init_build.outputs.database) }} os: ${{ fromJson(needs.init_build.outputs.os) }} - runs-on: ubuntu-latest permissions: contents: read @@ -583,7 +578,7 @@ jobs: BASE_IMAGE: ${{ env.BASE_BUILD_NAME }} IMAGES_PREFIX: ${{ env.IMAGES_PREFIX }} run: | - BASE_TAG=$(cat "${BASE_IMAGE}_${MATRIX_OS}") + BASE_TAG=$(cat "base_image_metadata") if [[ "${BASE_TAG}" == "sha256"* ]]; then BUILD_BASE_IMAGE="${DOCKER_REPOSITORY}/${IMAGES_PREFIX}${BASE_IMAGE}@${BASE_TAG}" else From 79e2dbac25220903dc04a7df036eb4145305aa98 Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Sun, 18 Feb 2024 15:14:50 +0900 Subject: [PATCH 22/35] Updated building images workflow --- .github/workflows/images_build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/images_build.yml b/.github/workflows/images_build.yml index c26cdccca..b3b3a92d4 100644 --- a/.github/workflows/images_build.yml +++ b/.github/workflows/images_build.yml 
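Review bot: The added `echo "$METADATA" > test_file` and `cat test_file` lines in hunk @@ -441 look like debugging leftovers: they write the build metadata to an unrelated file in the workspace and print it again, while the value the next job consumes is still the digest written to `$CACHE_FILE_NAME`. Drop the two lines, or if the metadata is what should be cached, write it there directly, `echo "${METADATA}" > "$CACHE_FILE_NAME"`. The `run:` block begins outside the hunk.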
@@ -396,8 +396,8 @@ jobs: id: docker_build uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 with: - context: ${{ format("{0}/{1}/{2}", env.DOCKERFILES_DIRECTORY, env.BASE_BUILD_NAME, matrix.os) }} - file: ${{ format("{0}/{1}/{2}/Dockerfile", env.DOCKERFILES_DIRECTORY, env.BASE_BUILD_NAME, matrix.os) }} + context: ${{ format('{0}/{1}/{2}', env.DOCKERFILES_DIRECTORY, env.BASE_BUILD_NAME, matrix.os) }} + file: ${{ format('{0}/{1}/{2}/Dockerfile', env.DOCKERFILES_DIRECTORY, env.BASE_BUILD_NAME, matrix.os) }} platforms: ${{ steps.platform.outputs.list }} push: true tags: ${{ steps.meta.outputs.tags }} From b2d05d99a3c30180e38469f6561967dfe7280166 Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Sun, 18 Feb 2024 15:19:51 +0900 Subject: [PATCH 23/35] Updated building images workflow --- .github/workflows/images_build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/images_build.yml b/.github/workflows/images_build.yml index b3b3a92d4..0fc680b8f 100644 --- a/.github/workflows/images_build.yml +++ b/.github/workflows/images_build.yml @@ -345,7 +345,7 @@ jobs: uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 with: images: | - ${{ format('{0}{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }} + ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }} ${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }} context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} tags: | From c823a7a3c1989f7ce66daf2c0f4486a4d309df68 Mon Sep 17 00:00:00 2001 
From: Alexey Pustovalov Date: Sun, 18 Feb 2024 15:28:59 +0900 Subject: [PATCH 24/35] Updated building images workflow --- .github/workflows/images_build.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/images_build.yml b/.github/workflows/images_build.yml index 0fc680b8f..cce50f49b 100644 --- a/.github/workflows/images_build.yml +++ b/.github/workflows/images_build.yml 
@@ -351,11 +351,11 @@ jobs: tags: | type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}- type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ matrix.os }} - type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,prefix=${{ matrix.os }}-,suffix=-latest - type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,suffix=-${{ matrix.os }}-latest + type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' && !contains(fromJSON('["workflow_dispatch"]'), github.event_name) }},event=branch,prefix=${{ matrix.os }}-,suffix=-latest + type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' && !contains(fromJSON('["workflow_dispatch"]'), github.event_name) }},event=branch,suffix=-${{ matrix.os }}-latest type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{matrix.os}}-latest type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.os }}- - type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,suffix=-${{ matrix.os }} + type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' || contains(fromJSON('["workflow_dispatch"]'), github.event_name) }},event=branch,suffix=-${{ matrix.os }} flavor: | latest=${{ (matrix.os == 'alpine') && (!contains(fromJSON('["workflow_dispatch"]'), github.event_name)) && ( needs.init_build.outputs.is_default_branch == 'true' ) }} @@ -426,7 +426,7 @@ jobs: env: DIGEST: ${{ steps.docker_build.outputs.digest }} CACHE_FILE_NAME: "base_image_metadata" - METADATA: ${{ steps.docker_build.outputs }} + METADATA: ${{ steps.docker_build.outputs.metadata }} run: | echo "::group::Image digest" echo "$DIGEST" 
From cc796dbe398a6aae2d1d4b32ac75ab176818cc8b Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Sun, 18 Feb 2024 15:49:20 +0900 Subject: [PATCH 25/35] Updated building images workflow --- .github/workflows/images_build.yml | 49 +++++++++++------------------- 1 file changed, 17 insertions(+), 32 deletions(-) diff --git a/.github/workflows/images_build.yml b/.github/workflows/images_build.yml index cce50f49b..5cefc6483 100644 --- a/.github/workflows/images_build.yml +++ b/.github/workflows/images_build.yml @@ -424,26 +424,22 @@ jobs: - name: Image digest env: - DIGEST: ${{ steps.docker_build.outputs.digest }} - CACHE_FILE_NAME: "base_image_metadata" + CACHE_FILE_NAME: "base_image_metadata.json" METADATA: ${{ steps.docker_build.outputs.metadata }} run: | - echo "::group::Image digest" - echo "$DIGEST" + echo "::group::Image metadata" + echo "${METADATA}" echo "::endgroup::" echo "::group::Cache file name" - echo "$CACHE_FILE_NAME" + echo "${CACHE_FILE_NAME}" echo "::endgroup::" - echo "$METADATA" > test_file - cat test_file - - echo "$DIGEST" > "$CACHE_FILE_NAME" + echo "${METADATA}" > "$CACHE_FILE_NAME" - name: Cache image digest uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 with: - path: "base_image_metadata" + path: "base_image_metadata.json" key: ${{ env.BASE_BUILD_NAME }}-${{ matrix.os }}-${{ github.run_id }} build_base_database: 
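Review bot: The step still named `Image digest`, and the `Cache image digest` step below it, now log and cache the full buildx metadata JSON rather than a digest, so the names no longer describe what they do. Rename them `Image metadata` and `Cache image metadata` to match the new `CACHE_FILE_NAME: "base_image_metadata.json"`. The step's `env:`/`run:` rewrite is otherwise consistent with what the consumer job reads.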
@@ -556,42 +552,31 @@ jobs: tags: | type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}- type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ matrix.os }} - type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,prefix=${{ matrix.os }}-,suffix=-latest - type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,suffix=-${{ matrix.os }}-latest + type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' && (!contains(fromJSON('["workflow_dispatch"]'), github.event_name)) }},event=branch,prefix=${{ matrix.os }}-,suffix=-latest + type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' && (!contains(fromJSON('["workflow_dispatch"]'), github.event_name)) }},event=branch,suffix=-${{ matrix.os }}-latest type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{matrix.os}}-latest type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.os }}- - type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,suffix=-${{ matrix.os }} + type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' || contains(fromJSON('["workflow_dispatch"]'), github.event_name) }},event=branch,suffix=-${{ matrix.os }} flavor: | latest=${{ (matrix.os == 'alpine') && (!contains(fromJSON('["workflow_dispatch"]'), github.event_name)) && ( needs.init_build.outputs.is_default_branch == 'true' ) }} - name: Download SHA256 tag of ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }} uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 with: - path: ${{ env.BASE_BUILD_NAME }}_${{ matrix.os }} + path: "base_image_metadata.json" key: ${{ env.BASE_BUILD_NAME }}-${{ matrix.os }}-${{ github.run_id }} - - name: Retrieve ${{ 
env.BASE_BUILD_NAME }}:${{ matrix.os }} SHA256 tag + - name: Process ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }} image metadata id: base_build - env: - MATRIX_OS: ${{ matrix.os }} - DOCKER_REPOSITORY: ${{ env.AUTO_PUSH_IMAGES != 'true' && 'ghcr.io/' }}${{ env.AUTO_PUSH_IMAGES == 'true' && env.DOCKER_REPOSITORY || env.DOCKER_REGISTRY_TEST }} - BASE_IMAGE: ${{ env.BASE_BUILD_NAME }} - IMAGES_PREFIX: ${{ env.IMAGES_PREFIX }} run: | - BASE_TAG=$(cat "base_image_metadata") - if [[ "${BASE_TAG}" == "sha256"* ]]; then - BUILD_BASE_IMAGE="${DOCKER_REPOSITORY}/${IMAGES_PREFIX}${BASE_IMAGE}@${BASE_TAG}" - else - BUILD_BASE_IMAGE=${BASE_TAG} - fi - - echo "::group::Base build image information" - echo "base_tag=${BASE_TAG}" - echo "base_build_image=${BUILD_BASE_IMAGE}" + echo "::group::Base image metadata" + cat "base_image_metadata.json" echo "::endgroup::" - echo "base_tag=${BASE_TAG}" >> $GITHUB_OUTPUT - echo "base_build_image=${BUILD_BASE_IMAGE}" >> $GITHUB_OUTPUT + IMAGE_DIGEST=$(jq -r '."containerimage.digest"' "base_image_metadata.json") + IMAGE_NAME=$(jq -r '."image.name"' "base_image_metadata.json" | cut -d: -f1) + + echo "base_build_image=${IMAGE_NAME}@IMAGE_DIGEST" >> $GITHUB_OUTPUT - name: Verify ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }} cosign if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} From 594adfc8897810e80acc777f40c0f545697cdb24 Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Sun, 18 Feb 2024 15:59:40 +0900 Subject: [PATCH 26/35] Updated building images workflow --- .github/workflows/images_build.yml | 72 ++++++++++++++---------------- 1 file changed, 33 insertions(+), 39 deletions(-) diff --git a/.github/workflows/images_build.yml b/.github/workflows/images_build.yml index 5cefc6483..bbe30bfd8 100644 --- a/.github/workflows/images_build.yml +++ b/.github/workflows/images_build.yml 
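Review bot: The final output line writes `${IMAGE_NAME}@IMAGE_DIGEST` without `${...}` around the digest, so `base_build_image` becomes a literal `...@IMAGE_DIGEST` and the dependent build cannot resolve its base image. It should read `echo "base_build_image=${IMAGE_NAME}@${IMAGE_DIGEST}" >> $GITHUB_OUTPUT`. The two `jq -r` lookups also return the string `null` when a key is absent, which would silently yield `null@null`; since this value is what pins the base image by digest, fail fast with a check such as `[[ "${IMAGE_DIGEST}" == sha256:* ]] || exit 1` before writing the output. The step's `if:` and the surrounding job are outside the hunk.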
@@ -310,21 +310,6 @@ jobs: with: driver-opts: image=moby/buildkit:master - - name: Login to DockerHub - if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 - with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} - - - name: Login to ${{ env.DOCKER_REGISTRY_TEST }} - if: ${{ env.AUTO_PUSH_IMAGES != 'true' }} - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 - with: - registry: ${{ env.DOCKER_REGISTRY_TEST }} - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - name: Prepare Platform list id: platform env: @@ -392,6 +377,21 @@ jobs: echo "$cache_to" >> "$GITHUB_OUTPUT" echo 'EOF' >> "$GITHUB_OUTPUT" + - name: Login to DockerHub + if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} + + - name: Login to ${{ env.DOCKER_REGISTRY_TEST }} + if: ${{ env.AUTO_PUSH_IMAGES != 'true' }} + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + with: + registry: ${{ env.DOCKER_REGISTRY_TEST }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Build and publish image id: docker_build uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 
@@ -513,21 +513,6 @@ jobs: with: driver-opts: image=moby/buildkit:master - - name: Login to DockerHub - if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 - with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} - - - name: Login to DockerHub - if: ${{ env.AUTO_PUSH_IMAGES != 'true' }} - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - name: Prepare Platform list id: platform env: @@ -576,7 +561,7 @@ jobs: IMAGE_DIGEST=$(jq -r '."containerimage.digest"' "base_image_metadata.json") IMAGE_NAME=$(jq -r '."image.name"' "base_image_metadata.json" | cut -d: -f1) - echo "base_build_image=${IMAGE_NAME}@IMAGE_DIGEST" >> $GITHUB_OUTPUT + echo "base_build_image=${IMAGE_NAME}@${IMAGE_DIGEST}" >> $GITHUB_OUTPUT - name: Verify ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }} cosign if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} 
@@ -646,12 +631,27 @@ jobs: echo "$cache_to" >> "$GITHUB_OUTPUT" echo 'EOF' >> "$GITHUB_OUTPUT" + - name: Login to DockerHub + if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} + + - name: Login to DockerHub + if: ${{ env.AUTO_PUSH_IMAGES != 'true' }} + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Build ${{ matrix.build }}/${{ matrix.os }} and push id: docker_build uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 with: - context: ${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/${{ matrix.os }} - file: ${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/${{ matrix.os }}/Dockerfile + context: ${{ format('{0}/{1}/{2}/', env.DOCKERFILES_DIRECTORY, matrix.build, matrix.os }} + file: ${{ format('{0}/{1}/{2}/Dockerfile', env.DOCKERFILES_DIRECTORY, matrix.build, matrix.os }} platforms: ${{ steps.platform.outputs.list }} push: true tags: ${{ steps.meta.outputs.tags }} @@ -660,12 +660,6 @@ jobs: org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} - - name: Cache image - uses: actions/cache/save@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 - with: - path: /tmp/.buildx-build-cache - key: ${{ matrix.build }}-${{ matrix.os }}-${{ github.run_id }}-image - - name: Sign the images with GitHub OIDC Token if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} env: From 03da059ae26a6bb145b6c6f712b08f8f0026595d Mon Sep 17 00:00:00 2001 
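Review bot: Both `format(...)` calls in the new `context:`/`file:` lines are missing the closing parenthesis before `}}`, so the expressions do not parse; write `format('{0}/{1}/{2}/', env.DOCKERFILES_DIRECTORY, matrix.build, matrix.os)` and `format('{0}/{1}/{2}/Dockerfile', env.DOCKERFILES_DIRECTORY, matrix.build, matrix.os)`. The second login step moved into this hunk is still named `Login to DockerHub` with a hard-coded `registry: ghcr.io`, whereas the equivalent step in hunk @@ -392 of this patch uses `Login to ${{ env.DOCKER_REGISTRY_TEST }}` and `registry: ${{ env.DOCKER_REGISTRY_TEST }}`; make this one match so the test registry is defined in one place.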
From: Alexey Pustovalov Date: Sun, 18 Feb 2024 16:00:20 +0900 Subject: [PATCH 27/35] Updated building images workflow --- .github/workflows/images_build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/images_build.yml b/.github/workflows/images_build.yml index bbe30bfd8..45ca501de 100644 --- a/.github/workflows/images_build.yml +++ b/.github/workflows/images_build.yml @@ -650,8 +650,8 @@ jobs: id: docker_build uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 with: - context: ${{ format('{0}/{1}/{2}/', env.DOCKERFILES_DIRECTORY, matrix.build, matrix.os }} - file: ${{ format('{0}/{1}/{2}/Dockerfile', env.DOCKERFILES_DIRECTORY, matrix.build, matrix.os }} + context: ${{ format('{0}/{1}/{2}/', env.DOCKERFILES_DIRECTORY, matrix.build, matrix.os) }} + file: ${{ format('{0}/{1}/{2}/Dockerfile', env.DOCKERFILES_DIRECTORY, matrix.build, matrix.os) }} platforms: ${{ steps.platform.outputs.list }} push: true tags: ${{ steps.meta.outputs.tags }} From 970aaa2e57407f3bafeb95d191eaf51c33c44211 Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Sun, 18 Feb 2024 16:20:22 +0900 Subject: [PATCH 28/35] Updated building images workflow --- .github/workflows/images_build.yml | 57 ++++++++++-------------------- 1 file changed, 19 insertions(+), 38 deletions(-) diff --git a/.github/workflows/images_build.yml b/.github/workflows/images_build.yml index 45ca501de..0b6ea06f5 100644 --- a/.github/workflows/images_build.yml +++ b/.github/workflows/images_build.yml 
@@ -583,18 +583,6 @@ jobs: "$BASE_IMAGE" echo "::endgroup::" - - name: Download metadata of ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }} - uses: actions/cache/restore@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 - with: - path: /tmp/.buildx-base-cache - key: ${{ env.BASE_BUILD_NAME }}-${{ matrix.os }}-${{ github.run_id }}-image - - - name: Download metadata of ${{ matrix.build }}:${{ matrix.os }} - uses: actions/cache/restore@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 - with: - path: /tmp/.buildx-build-cache - key: ${{ matrix.build }}-${{ matrix.os }}-${{ github.run_id }}-image - - name: Prepare cache data id: cache_data env: @@ -679,21 +667,21 @@ jobs: - name: Image digest env: - DIGEST: ${{ steps.docker_build.outputs.digest }} - CACHE_FILE_NAME: ${{ matrix.build }}_${{ matrix.os }} + CACHE_FILE_NAME: "base_build_image_metadata.json" run: | - echo "::group::Image digest" - echo "$DIGEST" + echo "::group::Image metadata" + echo "${METADATA}" echo "::endgroup::" echo "::group::Cache file name" - echo "$CACHE_FILE_NAME" + echo "${CACHE_FILE_NAME}" echo "::endgroup::" - echo "$DIGEST" > $CACHE_FILE_NAME + + echo "${METADATA}" > "$CACHE_FILE_NAME" - name: Caching SHA256 tag of the image uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 with: - path: ${{ matrix.build }}_${{ matrix.os }} + path: "base_build_image_metadata.json" key: ${{ matrix.build }}-${{ matrix.os }}-${{ github.run_id }} build_images: 
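Review bot: The rewritten `Image digest` step in hunk @@ -679 echoes and saves `${METADATA}`, but its `env:` block now defines only `CACHE_FILE_NAME`: the `DIGEST` entry was removed and no `METADATA` entry was added, so the cached `base_build_image_metadata.json` contains an empty line and the consumer's `jq` lookups fail. Add `METADATA: ${{ steps.docker_build.outputs.metadata }}` under `env:`. The step name should also follow the content change (`Image metadata`), as the matching step in hunk @@ -1031 of this patch does.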
@@ -928,7 +916,7 @@ jobs: type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,suffix=-${{ matrix.os }}-latest type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{matrix.os}}-latest type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.os }}- - type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,suffix=-${{ matrix.os }} + type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' || contains(fromJSON('["workflow_dispatch"]'), github.event_name) }},event=branch,suffix=-${{ matrix.os }} flavor: | latest=${{ (matrix.os == 'alpine') && (!contains(fromJSON('["workflow_dispatch"]'), github.event_name)) && ( needs.init_build.outputs.is_default_branch == 'true' ) }} 
@@ -936,28 +924,21 @@ jobs: uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 if: ${{ matrix.build != 'snmptraps' }} with: - path: ${{ steps.build_base_image.outputs.build_base }}_${{ matrix.os }} + path: "base_build_image_metadata.json" key: ${{ steps.build_base_image.outputs.build_base }}-${{ matrix.os }}-${{ github.run_id }} - name: Retrieve ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.os }} SHA256 tag id: base_build if: ${{ matrix.build != 'snmptraps' }} - env: - BUILD_BASE: ${{ steps.build_base_image.outputs.build_base }} - MATRIX_OS: ${{ matrix.os }} - DOCKER_REPOSITORY: ${{ env.AUTO_PUSH_IMAGES != 'true' && 'ghcr.io/' }}${{ env.AUTO_PUSH_IMAGES == 'true' && env.DOCKER_REPOSITORY || env.DOCKER_REGISTRY_TEST }} - IMAGES_PREFIX: ${{ env.IMAGES_PREFIX }} run: | - BASE_TAG=$(cat "${BUILD_BASE}_${MATRIX_OS}") - BUILD_BASE_IMAGE=${DOCKER_REPOSITORY}/${IMAGES_PREFIX}${BUILD_BASE}@${BASE_TAG} - - echo "::group::Base build image information" - echo "base_tag=${BASE_TAG}" - echo "base_build_image=${BUILD_BASE_IMAGE}" + echo "::group::Base build image metadata" + cat "base_build_image_metadata.json" echo "::endgroup::" - echo "base_tag=${BASE_TAG}" >> $GITHUB_OUTPUT - echo "base_build_image=${BUILD_BASE_IMAGE}" >> $GITHUB_OUTPUT + IMAGE_DIGEST=$(jq -r '."containerimage.digest"' "base_image_metadata.json") + IMAGE_NAME=$(jq -r '."image.name"' "base_image_metadata.json" | cut -d: -f1) + + echo "base_build_image=${IMAGE_NAME}@${IMAGE_DIGEST}" >> $GITHUB_OUTPUT - name: Verify ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.os }} cosign if: ${{ matrix.build != 'snmptraps' && env.AUTO_PUSH_IMAGES == 'true' }} 
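Review bot: The restore step above now uses `path: "base_build_image_metadata.json"`, but the two `jq` lines in the rewritten `run:` read `"base_image_metadata.json"`, a file this job never restores, so `IMAGE_NAME` and `IMAGE_DIGEST` come back as `null`. Point both at the restored file, `jq -r '."containerimage.digest"' "base_build_image_metadata.json"` and likewise for `image.name`. As in the base-image job, guard the result (`[[ "${IMAGE_DIGEST}" == sha256:* ]] || exit 1`) so a missing or malformed file cannot produce an unpinned `null@null` base reference.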
@@ -1031,10 +1012,10 @@ jobs: cosign sign --yes ${images} echo "::endgroup::" - - name: Image digest + - name: Image metadata env: - DIGEST: ${{ steps.docker_build.outputs.digest }} + METADATA: ${{ steps.docker_build.outputs.metadata }} run: | - echo "::group::Image digest" - echo "$DIGEST" + echo "::group::Image metadata" + echo "${METADATA}" echo "::endgroup::" From d77ef59f9deabfe4201f78934e6010d4913e001c Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Sun, 18 Feb 2024 17:18:22 +0900 Subject: [PATCH 29/35] Updated building images workflow --- .github/workflows/images_build.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/images_build.yml b/.github/workflows/images_build.yml index 0b6ea06f5..8fc1261c7 100644 --- a/.github/workflows/images_build.yml +++ b/.github/workflows/images_build.yml @@ -532,7 +532,9 @@ jobs: id: meta uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 with: - images: ${{ env.AUTO_PUSH_IMAGES != 'true' && 'ghcr.io/' }}${{ env.AUTO_PUSH_IMAGES == 'true' && env.DOCKER_REPOSITORY || env.DOCKER_REGISTRY_TEST }}/${{ env.IMAGES_PREFIX }}${{ matrix.build }} + images: | + ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }} + ${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }} context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} tags: | type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}- 
@@ -907,7 +909,9 @@ jobs: id: meta uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 with: - images: ${{ env.AUTO_PUSH_IMAGES != 'true' && 'ghcr.io/' }}${{ env.AUTO_PUSH_IMAGES == 'true' && env.DOCKER_REPOSITORY || env.DOCKER_REGISTRY_TEST }}/${{ env.IMAGES_PREFIX}}${{ matrix.build }} + images: | + ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }} + ${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }} context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} tags: | type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}- From bf6472036e0f5e3e9dae746d5a5da1ca2aa8a60f Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Sun, 18 Feb 2024 19:09:50 +0900 Subject: [PATCH 30/35] Updated building images workflow --- .github/workflows/images_build.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/images_build.yml b/.github/workflows/images_build.yml index 8fc1261c7..cd002cc68 100644 --- a/.github/workflows/images_build.yml +++ b/.github/workflows/images_build.yml @@ -670,6 +670,7 @@ jobs: - name: Image digest env: CACHE_FILE_NAME: "base_build_image_metadata.json" + METADATA: ${{ steps.docker_build.outputs.metadata }} run: | echo "::group::Image metadata" echo "${METADATA}" From d3d07ceb7c7c84b2b2c5fe4966434394b6060984 Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Sun, 18 Feb 2024 20:56:30 +0900 Subject: [PATCH 31/35] Updated building images workflow --- .github/workflows/images_build.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/images_build.yml b/.github/workflows/images_build.yml index cd002cc68..d7d8762b9 100644 --- a/.github/workflows/images_build.yml +++ b/.github/workflows/images_build.yml 
@@ -368,7 +368,6 @@ jobs: cache_from=$(printf '%s\n' "${cache_from[@]}") cache_to=$(printf '%s\n' "${cache_to[@]}") - mkdir -p /tmp/.buildx-base-cache echo 'cache_from<> "$GITHUB_OUTPUT" echo "$cache_from" >> "$GITHUB_OUTPUT" @@ -404,6 +403,7 @@ jobs: labels: | org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} + cache-from: ${{ steps.cache_data.outputs.cache_from }} - name: Sign the images with GitHub OIDC Token if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} @@ -649,6 +649,7 @@ jobs: labels: | org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} + cache-from: ${{ steps.cache_data.outputs.cache_from }} - name: Sign the images with GitHub OIDC Token if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} @@ -782,6 +783,7 @@ jobs: pubmirror1.math.uh.edu:443 pubmirror3.math.uh.edu:80 quay.io:443 + ghcr.io:443 registry-1.docker.io:443 repo.ialab.dsu.edu:80 repos.eggycrew.com:80 From 5f53fffcafc76b87d36144fdf7bc5c205b790c7b Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Sun, 18 Feb 2024 22:42:23 +0900 Subject: [PATCH 32/35] Updated building images workflow --- .github/workflows/images_build.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/images_build.yml b/.github/workflows/images_build.yml index d7d8762b9..b49b3817d 100644 --- a/.github/workflows/images_build.yml +++ b/.github/workflows/images_build.yml 
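Review bot: In the hunks at `@@ -404,6 +403,7 @@` and `@@ -649,6 +649,7 @@` only `cache-from` is wired to the build step, while the `cache_data` step visible in the first hunk still computes and exports `cache_to`, which nothing consumes. Either add `cache-to: ${{ steps.cache_data.outputs.cache_to }}` next to the new line in both build steps or drop the unused `cache_to` computation, so the step outputs match what the build actually uses. The `ghcr.io:443` allow-list entry in the last hunk is consistent with the new test-registry pulls.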
@@ -937,13 +937,15 @@ jobs: - name: Retrieve ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.os }} SHA256 tag id: base_build if: ${{ matrix.build != 'snmptraps' }} + env: + CACHE_FILE_NAME: "base_build_image_metadata.json" run: | echo "::group::Base build image metadata" - cat "base_build_image_metadata.json" + cat "${CACHE_FILE_NAME}" echo "::endgroup::" - IMAGE_DIGEST=$(jq -r '."containerimage.digest"' "base_image_metadata.json") - IMAGE_NAME=$(jq -r '."image.name"' "base_image_metadata.json" | cut -d: -f1) + IMAGE_DIGEST=$(jq -r '."containerimage.digest"' "${CACHE_FILE_NAME}") + IMAGE_NAME=$(jq -r '."image.name"' "${CACHE_FILE_NAME}" | cut -d: -f1) echo "base_build_image=${IMAGE_NAME}@${IMAGE_DIGEST}" >> $GITHUB_OUTPUT From a8397414f444d1849eca7f027c90bfd6a1284814 Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Sun, 18 Feb 2024 22:45:18 +0900 Subject: [PATCH 33/35] Updated building images workflow --- .github/workflows/images_build.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/images_build.yml b/.github/workflows/images_build.yml index b49b3817d..aa8cc73de 100644 --- a/.github/workflows/images_build.yml +++ b/.github/workflows/images_build.yml @@ -353,7 +353,7 @@ jobs: cache_from=() cache_to=() - cache_from+=("type=gha,scope=${IMAGE_TAG}") + #cache_from+=("type=gha,scope=${IMAGE_TAG}") cache_from+=("type=registry,ref=${IMAGE_TAG}") cache_to+=("type=gha,mode=max,scope=${IMAGE_TAG}") @@ -595,9 +595,9 @@ jobs: cache_from=() cache_to=() - cache_from+=("type=gha,scope=${BASE_IMAGE_TAG}") - cache_from+=("type=registry,ref=${BASE_IMAGE_TAG}") - cache_from+=("type=gha,scope=${IMAGE_TAG}") + #cache_from+=("type=gha,scope=${BASE_IMAGE_TAG}") + #cache_from+=("type=registry,ref=${BASE_IMAGE_TAG}") + #cache_from+=("type=gha,scope=${IMAGE_TAG}") cache_from+=("type=registry,ref=${IMAGE_TAG}") cache_to+=("type=gha,mode=max,scope=${IMAGE_TAG}") 
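Review bot: `IMAGE_DIGEST` and `IMAGE_NAME` are written to `base_build_image` without any validation; `jq -r` prints the literal `null` for a missing key and `cut -d: -f1` silently truncates, so a malformed or empty metadata file yields an output such as `…@null` and the step still succeeds. Since this value is the digest-pinned reference that later steps verify and build from, fail fast here: `[[ "${IMAGE_DIGEST}" == sha256:* && -n "${IMAGE_NAME}" ]] || { echo "::error::invalid base image metadata"; exit 1; }` before the `echo … >> $GITHUB_OUTPUT`. Quoting `"$GITHUB_OUTPUT"` would also match the other steps in this file. The same pattern recurs in the `Process … image metadata` steps of PATCH 35 (`@@ -547,21 +527,23 @@` and `@@ -954,22 +921,23 @@`).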
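Review bot: The hunks at `@@ -353,7 +353,7 @@` and `@@ -595,9 +595,9 @@` disable cache sources by commenting them out rather than removing them, leaving four `#cache_from+=(…)` lines in the workflow with no explanation of why the GHA and base-image caches are switched off. PATCH 35 then flips the same lines back (`@@ -353,8 +332,8 @@` and `@@ -595,9 +577,9 @@`), so the comment markers act as a toggle. Either delete the lines (history is in git) or keep a single `# registry cache disabled: <reason>` comment above the active line so the next reader knows which source is intended.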
From 386720bff3bb257f94d28d8fc47926cd90ea844f Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Mon, 19 Feb 2024 00:04:01 +0900 Subject: [PATCH 34/35] Updated building images workflow --- .github/workflows/images_build_rhel.yml | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/.github/workflows/images_build_rhel.yml b/.github/workflows/images_build_rhel.yml index fa803125f..95beaca32 100644 --- a/.github/workflows/images_build_rhel.yml +++ b/.github/workflows/images_build_rhel.yml @@ -29,7 +29,7 @@ permissions: contents: read env: - AUTO_PUSH_IMAGES: ${{ contains(fromJSON('["workflow_dispatch", "push"]'), github.event_name) && 'false' || vars.AUTO_PUSH_IMAGES }} + AUTO_PUSH_IMAGES: ${{ ! contains(fromJSON('["workflow_dispatch", "push"]'), github.event_name) && vars.AUTO_PUSH_IMAGES }} LATEST_BRANCH: ${{ github.event.repository.default_branch }} TRUNK_GIT_BRANCH: "refs/heads/trunk" @@ -588,6 +588,9 @@ jobs: org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} containerfiles: | ${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/rhel/Dockerfile + extra-args: | + --pull + --iidfile=${{ github.workspace }}/iidfile build-args: BUILD_BASE_IMAGE=${{ steps.base_build.outputs.base_build_image }} - name: Log in to ${{ env.REGISTRY }} @@ -657,6 +660,15 @@ jobs: podman rmi -i -f "$PREFLIGHT_IMAGE" echo "::endgroup::" + - name: Image digest + env: + GITHUB_WORKSPACE: ${{ github.workspace }} + run: | + TAG_ID=$(cat $GITHUB_WORKSPACE/iidfile) + echo "::group::Image digest" + echo "$TAG_ID" + echo "::endgroup::" + - name: Post build image if: ${{ success() || failure() }} run: | From 833baae46d38398f8644a4ca641714c8f9da6a95 Mon Sep 17 00:00:00 2001 
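Review bot: In the new `Image digest` step (`@@ -657,6 +660,15 @@`) `TAG_ID=$(cat $GITHUB_WORKSPACE/iidfile)` expands the path unquoted, and the step redefines `GITHUB_WORKSPACE` in `env:` although it is already a default runner variable with the same value; `TAG_ID=$(cat "${GITHUB_WORKSPACE}/iidfile")` with the `env:` block dropped is enough. The `--iidfile` added in the `extra-args` hunk is written into the workspace but nothing in this patch removes it, so on a persistent runner it can survive into the next run; the `Post build image` cleanup step that follows is outside the hunk and would be the place for `rm -f "${GITHUB_WORKSPACE}/iidfile"`.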
From: Alexey Pustovalov Date: Mon, 19 Feb 2024 14:57:53 +0900 Subject: [PATCH 35/35] Updated building images workflow --- .github/workflows/images_build.yml | 133 ++++++++++-------------- .github/workflows/images_build_rhel.yml | 31 +++--- 2 files changed, 73 insertions(+), 91 deletions(-) diff --git a/.github/workflows/images_build.yml b/.github/workflows/images_build.yml index aa8cc73de..3cee093c6 100644 --- a/.github/workflows/images_build.yml +++ b/.github/workflows/images_build.yml @@ -36,12 +36,14 @@ env: IMAGES_PREFIX: "zabbix-" BASE_BUILD_NAME: "build-base" + BASE_CACHE_FILE_NAME: "base_image_metadata.json" + BUILD_CACHE_FILE_NAME: "base_build_image_metadata.json" MATRIX_FILE: "build.json" DOCKERFILES_DIRECTORY: "./Dockerfiles" OIDC_ISSUER: "https://token.actions.githubusercontent.com" - IDENITY_REGEX: "https://github.com/zabbix/zabbix-docker/.github/" + IDENTITY_REGEX: "https://github.com/zabbix/zabbix-docker/.github/" DOCKER_REGISTRY_TEST: "ghcr.io" DOCKER_REPOSITORY_TEST: "zabbix" @@ -52,7 +54,6 @@ jobs: runs-on: ubuntu-latest permissions: contents: read - actions: write outputs: os: ${{ steps.os.outputs.list }} database: ${{ steps.database.outputs.list }} 
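Review bot: The renamed `IDENTITY_REGEX` value `https://github.com/zabbix/zabbix-docker/.github/` is passed to `cosign verify --certificate-identity-regexp` (visible in later hunks), but as a regular expression it is unanchored and its dots are unescaped, and it accepts a signature from any workflow file in the repository, not only the one that builds these images. A tighter form such as `IDENTITY_REGEX: "^https://github\\.com/zabbix/zabbix-docker/\\.github/workflows/images_build\\.yml@"` limits accepted signers to this workflow; if other workflows legitimately sign the base images, keep the path prefix but still anchor and escape it. Dropping `actions: write` from `init_build` in the second hunk is the right least-privilege follow-up to removing the cache-cleanup step.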
@@ -156,28 +157,6 @@ jobs: echo "current_branch=$github_ref" >> $GITHUB_OUTPUT echo "sha_short=$sha_short" >> $GITHUB_OUTPUT - - name: Cleanup cache - shell: bash - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - REPO: ${{ github.repository }} - BRANCH: ${{ steps.branch_info.outputs.current_branch }} - GH_RUN_ID: ${{ github.run_id }} - run: | - gh extension install actions/gh-actions-cache - - cache_keys=$(gh actions-cache list -R "${REPO}" -B "${BRANCH}" -L 100 --sort created-at --order desc | cut -f 1) - - ## Setting this to not fail the workflow while deleting cache keys - set +e - echo "Deleting caches..." - for cache_key in $cache_keys - do - if [[ "$cache_key" == *"${GH_RUN_ID}" ]] && [[ "$cache_key" != *"${GH_RUN_ID}-image" ]]; then - gh actions-cache delete $cache_key -R "${REPO}" -B "${BRANCH}" --confirm - fi - done - build_base: timeout-minutes: 30 name: Build base on ${{ matrix.os }} @@ -353,8 +332,8 @@ jobs: cache_from=() cache_to=() - #cache_from+=("type=gha,scope=${IMAGE_TAG}") - cache_from+=("type=registry,ref=${IMAGE_TAG}") + cache_from+=("type=gha,scope=${IMAGE_TAG}") + #cache_from+=("type=registry,ref=${IMAGE_TAG}") cache_to+=("type=gha,mode=max,scope=${IMAGE_TAG}") @@ -404,6 +383,7 @@ jobs: org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} cache-from: ${{ steps.cache_data.outputs.cache_from }} + cache-to: ${{ steps.cache_data.outputs.cache_to }} - name: Sign the images with GitHub OIDC Token if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} @@ -422,9 +402,9 @@ jobs: cosign sign --yes ${images} echo "::endgroup::" - - name: Image digest + - name: Image metadata env: - CACHE_FILE_NAME: "base_image_metadata.json" + CACHE_FILE_NAME: ${{ env.BASE_CACHE_FILE_NAME }} METADATA: ${{ steps.docker_build.outputs.metadata }} run: | echo "::group::Image metadata" 
@@ -436,10 +416,10 @@ jobs: echo "${METADATA}" > "$CACHE_FILE_NAME" - - name: Cache image digest + - name: Cache image metadata uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 with: - path: "base_image_metadata.json" + path: ${{ env.BASE_CACHE_FILE_NAME }} key: ${{ env.BASE_BUILD_NAME }}-${{ matrix.os }}-${{ github.run_id }} build_base_database: @@ -547,21 +527,23 @@ jobs: flavor: | latest=${{ (matrix.os == 'alpine') && (!contains(fromJSON('["workflow_dispatch"]'), github.event_name)) && ( needs.init_build.outputs.is_default_branch == 'true' ) }} - - name: Download SHA256 tag of ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }} + - name: Download metadata of ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }} uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 with: - path: "base_image_metadata.json" + path: ${{ env.BASE_CACHE_FILE_NAME }} key: ${{ env.BASE_BUILD_NAME }}-${{ matrix.os }}-${{ github.run_id }} - name: Process ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }} image metadata id: base_build + env: + CACHE_FILE_NAME: ${{ env.BASE_CACHE_FILE_NAME }} run: | echo "::group::Base image metadata" - cat "base_image_metadata.json" + cat "${CACHE_FILE_NAME}" echo "::endgroup::" - IMAGE_DIGEST=$(jq -r '."containerimage.digest"' "base_image_metadata.json") - IMAGE_NAME=$(jq -r '."image.name"' "base_image_metadata.json" | cut -d: -f1) + IMAGE_DIGEST=$(jq -r '."containerimage.digest"' "${CACHE_FILE_NAME}") + IMAGE_NAME=$(jq -r '."image.name"' "${CACHE_FILE_NAME}" | cut -d: -f1) echo "base_build_image=${IMAGE_NAME}@${IMAGE_DIGEST}" >> $GITHUB_OUTPUT 
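Review bot: The `Download metadata` step (`@@ -547,21 +527,23 @@`) uses `actions/cache` with an exact `run_id` key and no `restore-keys`, so a miss leaves the file absent and the failure only surfaces when the next step's `cat` fails under `bash -e`, while the cache action still attempts to save the missing path at job end. Making the dependency explicit is clearer: `uses: actions/cache/restore@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0` with `fail-on-cache-miss: true` in `with:`, matching the `actions/cache/save` split already used in `images_build_rhel.yml`. The same applies to the corresponding download step in `build_images` (`@@ -919,26 +886,26 @@`).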
@@ -570,18 +552,18 @@ jobs: env: BASE_IMAGE: ${{ steps.base_build.outputs.base_build_image }} OIDC_ISSUER: ${{ env.OIDC_ISSUER }} - IDENITY_REGEX: ${{ env.IDENITY_REGEX }} + IDENTITY_REGEX: ${{ env.IDENTITY_REGEX }} run: | echo "::group::Image sign data" echo "OIDC issuer=$OIDC_ISSUER" - echo "Identity=$IDENITY_REGEX" + echo "Identity=$IDENTITY_REGEX" echo "Image to verify=$BASE_IMAGE" echo "::endgroup::" echo "::group::Verify signature" cosign verify \ --certificate-oidc-issuer-regexp "$OIDC_ISSUER" \ - --certificate-identity-regexp "$IDENITY_REGEX" \ + --certificate-identity-regexp "$IDENTITY_REGEX" \ "$BASE_IMAGE" echo "::endgroup::" @@ -595,9 +577,9 @@ jobs: cache_from=() cache_to=() - #cache_from+=("type=gha,scope=${BASE_IMAGE_TAG}") - #cache_from+=("type=registry,ref=${BASE_IMAGE_TAG}") - #cache_from+=("type=gha,scope=${IMAGE_TAG}") + cache_from+=("type=gha,scope=${BASE_IMAGE_TAG}") + cache_from+=("type=registry,ref=${BASE_IMAGE_TAG}") + cache_from+=("type=gha,scope=${IMAGE_TAG}") cache_from+=("type=registry,ref=${IMAGE_TAG}") cache_to+=("type=gha,mode=max,scope=${IMAGE_TAG}") @@ -612,7 +594,6 @@ jobs: cache_from=$(printf '%s\n' "${cache_from[@]}") cache_to=$(printf '%s\n' "${cache_to[@]}") - mkdir -p /tmp/.buildx-build-cache/ echo 'cache_from<> "$GITHUB_OUTPUT" echo "$cache_from" >> "$GITHUB_OUTPUT" @@ -649,7 +630,6 @@ jobs: labels: | org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} - cache-from: ${{ steps.cache_data.outputs.cache_from }} - name: Sign the images with GitHub OIDC Token if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} 
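Review bot: The hunk at `@@ -649,7 +630,6 @@` removes `cache-from` from the `build_base_database` build step, yet the `cache_data` step in the same job (hunks `@@ -595,9 +577,9 @@` and `@@ -612,7 +594,6 @@`) still assembles four `cache_from` entries and a `cache_to` value and writes them to `$GITHUB_OUTPUT`. Unless another step outside these hunks reads `steps.cache_data.outputs.*`, that work is now dead; either re-add `cache-from: ${{ steps.cache_data.outputs.cache_from }}` and `cache-to: ${{ steps.cache_data.outputs.cache_to }}` to the build step or remove the `cache_data` step. A one-line comment on the build step saying why layer caching is intentionally off would settle it for the next reader.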
@@ -668,9 +648,9 @@ jobs: cosign sign --yes ${images} echo "::endgroup::" - - name: Image digest + - name: Image metadata env: - CACHE_FILE_NAME: "base_build_image_metadata.json" + CACHE_FILE_NAME: ${{ env.BUILD_CACHE_FILE_NAME }} METADATA: ${{ steps.docker_build.outputs.metadata }} run: | echo "::group::Image metadata" @@ -682,10 +662,10 @@ jobs: echo "${METADATA}" > "$CACHE_FILE_NAME" - - name: Caching SHA256 tag of the image + - name: Cache image metadata uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 with: - path: "base_build_image_metadata.json" + path: ${{ env.BUILD_CACHE_FILE_NAME }} key: ${{ matrix.build }}-${{ matrix.os }}-${{ github.run_id }} build_images: @@ -702,7 +682,7 @@ jobs: permissions: contents: read id-token: write - packages: write + packages: read steps: - name: Block egress traffic uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 @@ -831,11 +811,13 @@ jobs: fetch-depth: 1 - name: Install cosign + if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 with: cosign-release: 'v2.2.3' - name: Check cosign version + if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} run: cosign version - name: Set up QEMU @@ -849,21 +831,6 @@ jobs: with: driver-opts: image=moby/buildkit:master - - name: Login to DockerHub - if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 - with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} - - - name: Login to DockerHub - if: ${{ env.AUTO_PUSH_IMAGES != 'true' }} - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - name: Prepare Platform list id: platform env: 
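Review bot: The hunk at `@@ -849,21 +831,6 @@` deletes both `Login to DockerHub` steps and `@@ -702,7 +682,7 @@` drops `packages` to `read`; the Docker Hub login reappears later in the same patch (`@@ -990,12 +957,19 @@`) but the `ghcr.io` login does not. Any pull from `DOCKER_REGISTRY_TEST` in this job is therefore anonymous, which works only while those packages are public; if a private package is ever used, a read-only `docker/login-action` with `registry: ghcr.io` and `${{ secrets.GITHUB_TOKEN }}` is exactly what `packages: read` permits. Gating `Install cosign` and `Check cosign version` on `AUTO_PUSH_IMAGES` is consistent with the condition on the `Verify … cosign` step.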
@@ -919,26 +886,26 @@ jobs: tags: | type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}- type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ matrix.os }} - type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,prefix=${{ matrix.os }}-,suffix=-latest - type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,suffix=-${{ matrix.os }}-latest + type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' && !contains(fromJSON('["workflow_dispatch"]'), github.event_name) }},event=branch,prefix=${{ matrix.os }}-,suffix=-latest + type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' && !contains(fromJSON('["workflow_dispatch"]'), github.event_name) }},event=branch,suffix=-${{ matrix.os }}-latest type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{matrix.os}}-latest type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.os }}- type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' || contains(fromJSON('["workflow_dispatch"]'), github.event_name) }},event=branch,suffix=-${{ matrix.os }} flavor: | latest=${{ (matrix.os == 'alpine') && (!contains(fromJSON('["workflow_dispatch"]'), github.event_name)) && ( needs.init_build.outputs.is_default_branch == 'true' ) }} - - name: Download SHA256 tag of ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.os }} + - name: Download metadata of ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.os }} uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 if: ${{ matrix.build != 'snmptraps' }} with: - path: "base_build_image_metadata.json" + path: ${{ env.BUILD_CACHE_FILE_NAME }} key: ${{ steps.build_base_image.outputs.build_base }}-${{ 
matrix.os }}-${{ github.run_id }} - - name: Retrieve ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.os }} SHA256 tag + - name: Process ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.os }} image metadata id: base_build if: ${{ matrix.build != 'snmptraps' }} env: - CACHE_FILE_NAME: "base_build_image_metadata.json" + CACHE_FILE_NAME: ${{ env.BUILD_CACHE_FILE_NAME }} run: | echo "::group::Base build image metadata" cat "${CACHE_FILE_NAME}" @@ -954,22 +921,23 @@ jobs: env: BASE_IMAGE: ${{ steps.base_build.outputs.base_build_image }} OIDC_ISSUER: ${{ env.OIDC_ISSUER }} - IDENITY_REGEX: ${{ env.IDENITY_REGEX }} + IDENTITY_REGEX: ${{ env.IDENTITY_REGEX }} run: | echo "::group::Image sign data" - echo "OIDC issuer=$OIDC_ISSUER" - echo "Identity=$IDENITY_REGEX" - echo "Image to verify=$BASE_IMAGE" + echo "OIDC issuer=${OIDC_ISSUER}" + echo "Identity=${IDENTITY_REGEX}" + echo "Image to verify=${BASE_IMAGE}" echo "::endgroup::" echo "::group::Verify signature" cosign verify \ - --certificate-oidc-issuer-regexp "$OIDC_ISSUER" \ - --certificate-identity-regexp "$IDENITY_REGEX" \ - "$BASE_IMAGE" + --certificate-oidc-issuer-regexp "${OIDC_ISSUER}" \ + --certificate-identity-regexp "${IDENTITY_REGEX}" \ + "${BASE_IMAGE}" echo "::endgroup::" - name: Prepare cache data + if: ${{ matrix.build != 'snmptraps' }} id: cache_data env: BASE_IMAGE_TAG: ${{ steps.base_build.outputs.base_build_image }} @@ -977,7 +945,6 @@ jobs: cache_from=() cache_to=() - cache_from+=("type=gha,scope=${BASE_IMAGE_TAG}") cache_from+=("type=registry,ref=${BASE_IMAGE_TAG}") echo "::group::Cache from data" 
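Review bot: In the `tags:` hunk that starts on the previous line the predicate `!contains(fromJSON('["workflow_dispatch"]'), github.event_name)` is now repeated in three places (two `type=ref` lines and `flavor: latest=`), with its positive form in the last `type=ref` line. `contains(fromJSON('["x"]'), v)` is just `v == 'x'`; a workflow-level `env` entry such as `MANUAL_EVENT: ${{ github.event_name == 'workflow_dispatch' }}` (constructed name) referenced as `env.MANUAL_EVENT == 'true'` would make the tagging rules readable and changeable in one place, mirroring how `TRUNK_ONLY_EVENT` already drives `context:`. Separately, the `if: ${{ matrix.build != 'snmptraps' }}` added to `Prepare cache data` in `@@ -954,22 +921,23 @@` correctly matches the guard on the steps whose outputs it consumes.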
@@ -990,12 +957,19 @@ jobs: echo "$cache_from" >> "$GITHUB_OUTPUT" echo 'EOF' >> "$GITHUB_OUTPUT" + - name: Login to DockerHub + if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} + - name: Build and push image id: docker_build uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 with: - context: ${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/${{ matrix.os }} - file: ${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/${{ matrix.os }}/Dockerfile + context: ${{ format('{0}/{1}/{2}', env.DOCKERFILES_DIRECTORY, matrix.build, matrix.os) }} + file: ${{ format('{0}/{1}/{2}/Dockerfile', env.DOCKERFILES_DIRECTORY, matrix.build, matrix.os) }} platforms: ${{ steps.platform.outputs.list }} push: ${{ env.AUTO_PUSH_IMAGES == 'true' }} tags: ${{ steps.meta.outputs.tags }} @@ -1022,6 +996,7 @@ jobs: echo "::endgroup::" - name: Image metadata + if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} env: METADATA: ${{ steps.docker_build.outputs.metadata }} run: | diff --git a/.github/workflows/images_build_rhel.yml b/.github/workflows/images_build_rhel.yml index 95beaca32..6f84de1e1 100644 --- a/.github/workflows/images_build_rhel.yml +++ b/.github/workflows/images_build_rhel.yml @@ -29,6 +29,7 @@ permissions: contents: read env: + TRUNK_ONLY_EVENT: ${{ contains(fromJSON('["schedule"]'), github.event_name) }} AUTO_PUSH_IMAGES: ${{ ! contains(fromJSON('["workflow_dispatch", "push"]'), github.event_name) && vars.AUTO_PUSH_IMAGES }} LATEST_BRANCH: ${{ github.event.repository.default_branch }} @@ -164,7 +165,7 @@ jobs: echo "secret_prefix=RHEL_${github_ref//.}" >> $GITHUB_OUTPUT echo "sha_short=$sha_short" >> $GITHUB_OUTPUT - - name: Cleanup cache + - name: Cleanup existing cache shell: bash env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
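Review bot: `TRUNK_ONLY_EVENT` is added to the `env:` of `images_build_rhel.yml` (`@@ -29,6 +29,7 @@`) but no step in this patch reads it, unlike `images_build.yml` where it selects `context: git`; if nothing in the RHEL workflow consumes it, drop it, otherwise a one-line comment naming the consumer would explain why a schedule-only flag exists here. In the `Login to DockerHub` hunk the login is placed after base-image verification and runs only when `AUTO_PUSH_IMAGES == 'true'`, so registry credentials are not present during verification or in test builds, which is the right ordering.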
@@ -205,11 +206,13 @@ jobs: fetch-depth: 1 - name: Install cosign + if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 with: cosign-release: 'v2.2.3' - name: Check cosign version + if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} run: cosign version - name: Fix string case @@ -231,7 +234,7 @@ jobs: id: build_image uses: redhat-actions/buildah-build@b4dc19b4ba891854660ab1f88a097d45aa158f76 # v2.12 with: - context: ${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/rhel + context: ${{ format('{0}/{1}/rhel', env.DOCKERFILES_DIRECTORY, matrix.build) }} layers: false tags: ${{ steps.meta.outputs.tags }} containerfiles: | @@ -240,7 +243,7 @@ jobs: --pull --iidfile=${{ github.workspace }}/iidfile - - name: Prepare image metadata + - name: Image metadata id: image_metadata env: IMAGE_TAG: ${{ steps.build_image.outputs.image-with-tag }} @@ -279,7 +282,6 @@ jobs: IMAGE_TAG: ${{ steps.image_metadata.outputs.image_tag }} IMAGE_TAG_ID: ${{ steps.image_metadata.outputs.image_tag_id }} IMAGE_DIR: ${{ env.IMAGE_DIR }} - GITHUB_WORKSPACE: ${{ github.workspace }} run: | echo "::group::Result" echo "Image ${IMAGE_TAG} location: \"${IMAGE_DIR}/${IMAGE_TAG_ID}\"" @@ -310,13 +312,14 @@ jobs: if: ${{ (cancelled() || failure()) && ( steps.push_image.outcome == 'failure' || steps.push_image.outcome == 'cancelled') }} env: IMAGE_TAG_ID: ${{ steps.image_metadata.outputs.image_tag_id }} + IMAGE_DIR: ${{ env.IMAGE_DIR }} run: | echo "::group::Removing orphaned image" rm -rf "${IMAGE_DIR}/${IMAGE_TAG_ID}" echo "::endgroup::" build_base_database: - timeout-minutes: 180 + timeout-minutes: 90 needs: [ "build_base", "init_build"] name: Build ${{ matrix.build }} base (${{ matrix.arch }}) strategy: 
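Review bot: The orphan cleanup step in `@@ -310,13 +312,14 @@` runs `rm -rf "${IMAGE_DIR}/${IMAGE_TAG_ID}"`; adding `IMAGE_DIR` to `env:` fixes the previously unset variable, but the command still has no guard, so an empty `IMAGE_DIR` would target `/<id>` and an empty `IMAGE_TAG_ID` would remove the whole image directory. Use the `:?` expansion so an unset or empty value aborts the step instead: `rm -rf "${IMAGE_DIR:?}/${IMAGE_TAG_ID:?}"`. The same step and the same fix recur in `build_base_database` (`@@ -468,13 +470,14 @@`, next line).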
@@ -348,7 +351,7 @@ jobs: ${{ env.BASE_BUILD_NAME }}_${{ matrix.arch }}_tag key: ${{ env.BASE_BUILD_NAME }}-${{ matrix.arch }}-${{ github.run_id }} - - name: Pull ${{ env.BASE_BUILD_NAME }}:${{ matrix.arch }} image + - name: Pull ${{ env.BASE_BUILD_NAME }}:${{ matrix.arch }} image from local storage id: base_build env: MATRIX_ARCH: ${{ matrix.arch }} @@ -389,7 +392,7 @@ jobs: id: build_image uses: redhat-actions/buildah-build@b4dc19b4ba891854660ab1f88a097d45aa158f76 # v2.12 with: - context: ${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/rhel + context: ${{ format('{0}/{1}/rhel', env.DOCKERFILES_DIRECTORY, matrix.build) }} layers: false tags: ${{ steps.meta.outputs.tags }} containerfiles: | @@ -423,7 +426,7 @@ jobs: echo "image_tag_id=${TAG_ID}" >> $GITHUB_OUTPUT echo "image_tag=${IMAGE_TAG}" >> $GITHUB_OUTPUT - - name: Cache image digest + - name: Cache image metadata uses: actions/cache/save@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 with: path: | @@ -437,7 +440,6 @@ jobs: IMAGE_TAG: ${{ steps.image_metadata.outputs.image_tag }} IMAGE_TAG_ID: ${{ steps.image_metadata.outputs.image_tag_id }} IMAGE_DIR: ${{ env.IMAGE_DIR }} - GITHUB_WORKSPACE: ${{ github.workspace }} run: | echo "::group::Result" echo "podman push \"${IMAGE_TAG}\" dir:\"${IMAGE_DIR}/${IMAGE_TAG_ID}\"" @@ -468,13 +470,14 @@ jobs: if: ${{ (cancelled() || failure()) && ( steps.push_image.outcome == 'failure' || steps.push_image.outcome == 'cancelled') }} env: IMAGE_TAG_ID: ${{ steps.image_metadata.outputs.image_tag_id }} + IMAGE_DIR: ${{ env.IMAGE_DIR }} run: | echo "::group::Removing orphaned image" rm -rf "${IMAGE_DIR}/${IMAGE_TAG_ID}" echo "::endgroup::" build_images: - timeout-minutes: 90 + timeout-minutes: 30 needs: [ "build_base_database", "init_build"] name: Build ${{ matrix.build }} image (${{ matrix.arch }}) strategy: 
@@ -580,7 +583,7 @@ jobs: id: build_image uses: redhat-actions/buildah-build@b4dc19b4ba891854660ab1f88a097d45aa158f76 # v2.12 with: - context: ${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/rhel + context: ${{ format('{0}/{1}/rhel', env.DOCKERFILES_DIRECTORY, matrix.build) }} layers: false tags: ${{ steps.meta.outputs.tags }} labels: | @@ -671,9 +674,13 @@ jobs: - name: Post build image if: ${{ success() || failure() }} + env: + GITHUB_WORKSPACE: ${{ github.workspace }} run: | echo "::group::Result" + rm -rf "$GITHUB_WORKSPACE/iidfile" + echo "Removing working containers" buildah rm -a 2>/dev/null || true echo "Removing container data in storage not controlled by podman" @@ -686,7 +693,7 @@ jobs: echo "::endgroup::" clear_artifacts: - timeout-minutes: 90 + timeout-minutes: 10 needs: [ "build_images", "init_build"] name: Clear ${{ matrix.build }} image cache (${{ matrix.arch }}) strategy:
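Review bot: The `Post build image` hunk (`@@ -671,9 +674,13 @@`) reintroduces `GITHUB_WORKSPACE: ${{ github.workspace }}` in `env:` while the same patch removes that redefinition from two other steps in this file (`@@ -279,7 +282,6 @@`, `@@ -437,7 +440,6 @@`) because the runner already provides it; drop the `env:` block here too for consistency. `iidfile` is a single file, so `rm -f "${GITHUB_WORKSPACE}/iidfile"` is sufficient and avoids `-r` on a workspace path. Sharing the path with the `--iidfile` producer in the build step (outside this hunk) through one env name would keep the two from drifting.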