extern/zabbix-docker
1
0
Fork 0
mirror of https://github.com/zabbix/zabbix-docker.git synced 2024-11-29 19:23:09 +01:00
Code Issues Packages Projects Releases Wiki Activity

Prepare universal workflow

Browse Source
This commit is contained in:
Alexey Pustovalov 2024-02-10 23:07:52 +09:00
parent d7ad94890d
commit d6bcfb9e73
5 changed files with 680 additions and 1219 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

67
.github/workflows/dockerhub_description.yml vendored Normal file
View File

@ -0,0 +1,67 @@
name: DockerHub Description
on:
push:
branches:
- 'trunk'
paths:
- 'Dockerfiles/*/README.md'
- '.github/workflows/dockerhub_description.yml'
workflow_dispatch:
env:
DOCKER_REPOSITORY: "zabbix"
IMAGES_PREFIX: "zabbix-"
DOCKERFILES_DIRECTORY: "./Dockerfiles"
jobs:
main:
name: Update description
runs-on: ubuntu-latest
env:
DOCKER_REPOSITORY: "zabbix"
permissions:
contents: read
strategy:
fail-fast: false
matrix:
component:
- build-base
- build-mysql
- build-pgsql
- build-sqlite3
- agent
- agent2
- java-gateway
- proxy-mysql
- proxy-sqlite3
- server-mysql
- server-pgsql
- snmptraps
- web-apache-mysql
- web-apache-pgsql
- web-nginx-mysql
- web-nginx-pgsql
- web-service
steps:
- name: Block egress traffic
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
github.com:443
hub.docker.com:443
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 1
- name: Update DockerHub repo description (zabbix-${{ matrix.component }})
uses: peter-evans/dockerhub-description@v4
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
repository: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ matrix.component }}
readme-filepath: ${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.component }}/README.md

679
.github/workflows/images_build.yml vendored
View File

@ -6,9 +6,7 @@ on:
- published - published
push: push:
branches: branches:
- '5.0' - '[0-9]+.[0-9]+'
- '6.0'
- '6.4'
- 'trunk' - 'trunk'
paths: paths:
- 'Dockerfiles/**' - 'Dockerfiles/**'
@ -17,72 +15,130 @@ on:
- '!Dockerfiles/*/rhel/*' - '!Dockerfiles/*/rhel/*'
- '!Dockerfiles/*/windows/*' - '!Dockerfiles/*/windows/*'
- '.github/workflows/images_build.yml' - '.github/workflows/images_build.yml'
schedule:
- cron: '10 14 * * *'
workflow_dispatch:
defaults: defaults:
run: run:
shell: bash shell: bash
env: env:
DOCKER_REPOSITORY: "zabbix" TRUNK_ONLY_EVENT: ${{ contains(fromJSON('["schedule"]'), github.event_name) }}
AUTO_PUSH_IMAGES: ${{ vars.AUTO_PUSH_IMAGES }}
DOCKER_REPOSITORY: ${{ vars.DOCKER_REPOSITORY }}
LATEST_BRANCH: ${{ github.event.repository.default_branch }} LATEST_BRANCH: ${{ github.event.repository.default_branch }}
TRUNK_GIT_BRANCH: "refs/heads/trunk"
IMAGES_PREFIX: "zabbix-"
BASE_BUILD_NAME: "build-base" BASE_BUILD_NAME: "build-base"
MATRIX_FILE: "build.json"
DOCKERFILES_DIRECTORY: "./Dockerfiles"
OIDC_ISSUER: "https://token.actions.githubusercontent.com"
IDENITY_REGEX: "https://github.com/zabbix/zabbix-docker/.github/"
jobs: jobs:
init_build: init_build:
name: Initialize build name: Initialize build
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: read
outputs: outputs:
os: ${{ steps.os.outputs.list }} os: ${{ steps.os.outputs.list }}
database: ${{ steps.database.outputs.list }} database: ${{ steps.database.outputs.list }}
components: ${{ steps.components.outputs.list }} components: ${{ steps.components.outputs.list }}
is_default_branch: ${{ steps.branch_info.outputs.is_default_branch }} is_default_branch: ${{ steps.branch_info.outputs.is_default_branch }}
current_branch: ${{ steps.branch_info.outputs.current_branch }}
sha_short: ${{ steps.branch_info.outputs.sha_short }}
steps: steps:
- name: Block egress traffic
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
github.com:443
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@v4 uses: actions/checkout@v4
with: with:
ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }}
fetch-depth: 1 fetch-depth: 1
sparse-checkout: ${{ env.MATRIX_FILE }}
- name: Check build.json file - name: Check ${{ env.MATRIX_FILE }} file
id: build_exists id: build_exists
env:
MATRIX_FILE: ${{ env.MATRIX_FILE }}
run: | run: |
if [[ ! -f "./build.json" ]]; then if [[ ! -f "$MATRIX_FILE" ]]; then
echo "::error::File build.json is missing" echo "::error::File $MATRIX_FILE is missing"
exit 1 exit 1
fi fi
- name: Prepare Operating System list - name: Prepare Operating System list
id: os id: os
env:
MATRIX_FILE: ${{ env.MATRIX_FILE }}
run: | run: |
os_list=$(jq -r '.["os-linux"] | keys | [ .[] | tostring ] | @json' "./build.json") os_list=$(jq -r '.["os-linux"] | keys | [ .[] | tostring ] | @json' "$MATRIX_FILE")
echo "::group::Operating System List"
echo "$os_list"
echo "::endgroup::"
echo "list=$os_list" >> $GITHUB_OUTPUT echo "list=$os_list" >> $GITHUB_OUTPUT
- name: Prepare Platform list - name: Prepare Platform list
id: platform_list id: platform_list
env:
MATRIX_FILE: ${{ env.MATRIX_FILE }}
run: | run: |
platform_list=$(jq -r '.["os-linux"] | tostring | @json' "./build.json") platform_list=$(jq -r '.["os-linux"] | tostring | @json' "$MATRIX_FILE")
echo "::group::Platform List"
echo "$platform_list"
echo "::endgroup::"
echo "list=$platform_list" >> $GITHUB_OUTPUT echo "list=$platform_list" >> $GITHUB_OUTPUT
- name: Prepare Database engine list - name: Prepare Database engine list
id: database id: database
env:
MATRIX_FILE: ${{ env.MATRIX_FILE }}
run: | run: |
database_list=$(jq -r '[.components | values[] ] | sort | unique | del(.. | select ( . == "" ) ) | [ .[] | tostring ] | @json' "./build.json") database_list=$(jq -r '[.components | values[] ] | sort | unique | del(.. | select ( . == "" ) ) | [ .[] | tostring ] | @json' "$MATRIX_FILE")
echo "::group::Database List"
echo "$database_list"
echo "::endgroup::"
echo "list=$database_list" >> $GITHUB_OUTPUT echo "list=$database_list" >> $GITHUB_OUTPUT
- name: Prepare Zabbix component list - name: Prepare Zabbix component list
id: components id: components
env:
MATRIX_FILE: ${{ env.MATRIX_FILE }}
run: | run: |
component_list=$(jq -r '.components | keys | [ .[] | tostring ] | @json' "./build.json") component_list=$(jq -r '.components | keys | [ .[] | tostring ] | @json' "$MATRIX_FILE")
echo "::group::Zabbix Component List"
echo "$component_list"
echo "::endgroup::"
echo "list=$component_list" >> $GITHUB_OUTPUT echo "list=$component_list" >> $GITHUB_OUTPUT
- name: Get branch info - name: Get branch info
id: branch_info id: branch_info
env:
LATEST_BRANCH: ${{ env.LATEST_BRANCH }}
github_ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || github.ref }}
run: | run: |
github_ref="${{ github.ref }}"
result=false result=false
sha_short=$(git rev-parse --short HEAD)
if [[ "$github_ref" == "refs/tags/"* ]]; then if [[ "$github_ref" == "refs/tags/"* ]]; then
github_ref=${github_ref%.*} github_ref=${github_ref%.*}
@ -90,10 +146,19 @@ jobs:
github_ref=${github_ref##*/} github_ref=${github_ref##*/}
if [[ "$github_ref" == "${{ env.LATEST_BRANCH }}" ]]; then if [[ "$github_ref" == "$LATEST_BRANCH" ]]; then
result=true result=true
fi fi
echo "::group::Branch data"
echo "is_default_branch - $result"
echo "current_branch - $github_ref"
echo "sha_short - $sha_short"
echo "::endgroup::"
echo "is_default_branch=$result" >> $GITHUB_OUTPUT echo "is_default_branch=$result" >> $GITHUB_OUTPUT
echo "current_branch=$github_ref" >> $GITHUB_OUTPUT
echo "sha_short=$sha_short" >> $GITHUB_OUTPUT
build_base: build_base:
timeout-minutes: 30 timeout-minutes: 30
@ -105,12 +170,112 @@ jobs:
os: ${{ fromJson(needs.init_build.outputs.os) }} os: ${{ fromJson(needs.init_build.outputs.os) }}
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
steps: steps:
- name: Block egress traffic
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
archive.ubuntu.com:80
atl.mirrors.knownhost.com:443
atl.mirrors.knownhost.com:80
auth.docker.io:443
cdn03.quay.io:443
centos-stream-distro.1gservers.com:443
centos-stream-distro.1gservers.com:80
dfw.mirror.rackspace.com:443
dfw.mirror.rackspace.com:80
dl-cdn.alpinelinux.org:443
download.cf.centos.org:443
download.cf.centos.org:80
epel.mirror.constant.com:443
ftp-nyc.osuosl.org:443
ftp-nyc.osuosl.org:80
ftp-osl.osuosl.org:443
ftp-osl.osuosl.org:80
ftp.plusline.net:443
ftp.plusline.net:80
ftpmirror.your.org:80
fulcio.sigstore.dev:443
github.com:443
iad.mirror.rackspace.com:443
iad.mirror.rackspace.com:80
index.docker.io:443
lesnet.mm.fcix.net:443
mirror-mci.yuki.net.uk:443
mirror-mci.yuki.net.uk:80
mirror.arizona.edu:443
mirror.arizona.edu:80
mirror.dogado.de:443
mirror.dogado.de:80
mirror.facebook.net:443
mirror.facebook.net:80
mirror.fcix.net:443
mirror.hoobly.com:443
mirror.math.princeton.edu:443
mirror.netzwerge.de:443
mirror.pilotfiber.com:443
mirror.pilotfiber.com:80
mirror.rackspace.com:443
mirror.rackspace.com:80
mirror.scaleuptech.com:443
mirror.scaleuptech.com:80
mirror.servaxnet.com:443
mirror.servaxnet.com:80
mirror.siena.edu:80
mirror.stream.centos.org:443
mirror.stream.centos.org:80
mirror.team-cymru.com:443
mirror.team-cymru.com:80
mirror1.hs-esslingen.de:443
mirrors.centos.org:443
mirrors.fedoraproject.org:443
mirrors.fedoraproject.org:80
mirrors.iu13.net:80
mirrors.mit.edu:443
mirrors.ocf.berkeley.edu:443
mirrors.ocf.berkeley.edu:80
mirrors.sonic.net:443
mirrors.wcupa.edu:443
mirrors.wcupa.edu:80
mirrors.xtom.de:80
na.edge.kernel.org:443
nocix.mm.fcix.net:443
oauth2.sigstore.dev:443
objects.githubusercontent.com:443
ports.ubuntu.com:80
production.cloudflare.docker.com:443
quay.io:443
registry-1.docker.io:443
rekor.sigstore.dev:443
repo.ialab.dsu.edu:443
repos.eggycrew.com:443
repos.eggycrew.com:80
security.ubuntu.com:80
tuf-repo-cdn.sigstore.dev:443
uvermont.mm.fcix.net:443
yum.oracle.com:443
ziply.mm.fcix.net:443
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@v4 uses: actions/checkout@v4
with: with:
ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }}
fetch-depth: 1 fetch-depth: 1
- name: Install cosign
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
with:
cosign-release: 'v2.2.3'
- name: Check cosign version
run: cosign version
- name: Set up QEMU - name: Set up QEMU
uses: docker/setup-qemu-action@v3 uses: docker/setup-qemu-action@v3
with: with:
@ -130,50 +295,91 @@ jobs:
- name: Prepare Platform list - name: Prepare Platform list
id: platform id: platform
env:
MATRIX_OS: ${{ matrix.os }}
MATRIX_FILE: ${{ env.MATRIX_FILE }}
run: | run: |
platform_list=$(jq -r '.["os-linux"].${{ matrix.os }} | join(",")' "./build.json") platform_list=$(jq -r ".[\"os-linux\"].$MATRIX_OS | join(\",\")" "$MATRIX_FILE")
platform_list="${platform_list%,}" platform_list="${platform_list%,}"
echo "::group::Platform List"
echo "$platform_list"
echo "::endgroup::"
echo "list=$platform_list" >> $GITHUB_OUTPUT echo "list=$platform_list" >> $GITHUB_OUTPUT
- name: Generate tags - name: Generate tags
id: meta id: meta
uses: docker/metadata-action@v5 uses: docker/metadata-action@v5
with: with:
images: ${{ env.DOCKER_REPOSITORY }}/zabbix-${{ env.BASE_BUILD_NAME }} images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ env.BASE_BUILD_NAME }}
context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }}
tags: | tags: |
type=semver,pattern={{version}},prefix=${{ matrix.os }}- type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}-
type=semver,pattern={{version}},suffix=-${{ matrix.os }} type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ matrix.os }}
type=ref,event=branch,prefix=${{ matrix.os }}-,suffix=-latest type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,prefix=${{ matrix.os }}-,suffix=-latest
type=ref,event=branch,suffix=-${{ matrix.os }}-latest type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,suffix=-${{ matrix.os }}-latest
type=raw,enable=${{ needs.init_build.outputs.is_default_branch == 'true' }},value=${{matrix.os}}-latest type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{matrix.os}}-latest
type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.os }}-
type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,suffix=-${{ matrix.os }}
flavor: | flavor: |
latest=${{ (matrix.os == 'alpine') && ( needs.init_build.outputs.is_default_branch == 'true' ) }} latest=${{ (needs.init_build.outputs.current_branch != 'trunk') && (matrix.os == 'alpine') && ( needs.init_build.outputs.is_default_branch == 'true' ) }}
- name: Build ${{ env.BASE_BUILD_NAME }}/${{ matrix.os }} and push - name: Build and publish image
id: docker_build id: docker_build
uses: docker/build-push-action@v5 uses: docker/build-push-action@v5
with: with:
context: ./Dockerfiles/${{ env.BASE_BUILD_NAME }}/${{ matrix.os }} context: ${{ env.DOCKERFILES_DIRECTORY }}/${{ env.BASE_BUILD_NAME }}/${{ matrix.os }}
file: ./Dockerfiles/${{ env.BASE_BUILD_NAME }}/${{ matrix.os }}/Dockerfile file: ${{ env.DOCKERFILES_DIRECTORY }}/${{ env.BASE_BUILD_NAME }}/${{ matrix.os }}/Dockerfile
platforms: ${{ steps.platform.outputs.list }} platforms: ${{ steps.platform.outputs.list }}
push: ${{ secrets.AUTO_PUSH_IMAGES }} push: ${{ env.AUTO_PUSH_IMAGES }}
tags: ${{ steps.meta.outputs.tags }} tags: ${{ steps.meta.outputs.tags }}
labels: | labels: |
org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
cache-from: |
type=gha,scope=${{ fromJSON(steps.meta.outputs.json).tags[0] }}
type=registry,ref=docker.io/${{ fromJSON(steps.meta.outputs.json).tags[0] }}
cache-to: type=gha,mode=max,scope=${{ fromJSON(steps.meta.outputs.json).tags[0] }}
- name: Sign the images with GitHub OIDC Token
env:
DIGEST: ${{ steps.docker_build.outputs.digest }}
TAGS: ${{ steps.meta.outputs.tags }}
run: |
images=""
for tag in ${TAGS}; do
images+="${tag}@${DIGEST} "
done
echo "::group::Images to sign"
echo "$images"
echo "::endgroup::"
echo "::group::Signing"
echo "cosign sign --yes $images"
cosign sign --yes ${images}
echo "::endgroup::"
- name: Image digest - name: Image digest
env:
DIGEST: ${{ steps.docker_build.outputs.digest }}
CACHE_FILE_NAME: ${{ env.BASE_BUILD_NAME }}_${{ matrix.os }}
run: | run: |
echo ${{ steps.docker_build.outputs.digest }} echo "::group::Image digest"
echo "${{ steps.docker_build.outputs.digest }}" > ${{ env.BASE_BUILD_NAME }}_${{ matrix.os }} echo "$DIGEST"
echo "::endgroup::"
echo "::group::Cache file name"
echo "$CACHE_FILE_NAME"
echo "::endgroup::"
- name: Upload SHA256 tag echo "$DIGEST" > "$CACHE_FILE_NAME"
uses: actions/upload-artifact@v4
- name: Cache image digest
uses: actions/cache@v4
with: with:
name: ${{ env.BASE_BUILD_NAME }}_${{ matrix.os }}
path: ${{ env.BASE_BUILD_NAME }}_${{ matrix.os }} path: ${{ env.BASE_BUILD_NAME }}_${{ matrix.os }}
if-no-files-found: error key: ${{ env.BASE_BUILD_NAME }}-${{ matrix.os }}-${{ github.run_id }}
build_base_database: build_base_database:
timeout-minutes: 180 timeout-minutes: 180
@ -186,9 +392,50 @@ jobs:
os: ${{ fromJson(needs.init_build.outputs.os) }} os: ${{ fromJson(needs.init_build.outputs.os) }}
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
steps: steps:
- name: Block egress traffic
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
auth.docker.io:443
git.zabbix.com:443
github.com:443
go.googlesource.com:443
go.mongodb.org:443
golang.org:443
google.golang.org:443
gopkg.in:443
index.docker.io:443
noto-website.storage.googleapis.com:443
production.cloudflare.docker.com:443
proxy.golang.org:443
registry-1.docker.io:443
storage.googleapis.com:443
fulcio.sigstore.dev:443
oauth2.sigstore.dev:443
objects.githubusercontent.com:443
tuf-repo-cdn.sigstore.dev:443
rekor.sigstore.dev:443
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@v4 uses: actions/checkout@v4
with:
ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }}
fetch-depth: 1
- name: Install cosign
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
with:
cosign-release: 'v2.2.3'
- name: Check cosign version
run: cosign version
- name: Set up QEMU - name: Set up QEMU
uses: docker/setup-qemu-action@v3 uses: docker/setup-qemu-action@v3
@ -209,65 +456,135 @@ jobs:
- name: Prepare Platform list - name: Prepare Platform list
id: platform id: platform
env:
MATRIX_OS: ${{ matrix.os }}
MATRIX_FILE: ${{ env.MATRIX_FILE }}
run: | run: |
platform_list=$(jq -r '.["os-linux"].${{ matrix.os }} | join(",")' "./build.json") platform_list=$(jq -r ".[\"os-linux\"].$MATRIX_OS | join(\",\")" "$MATRIX_FILE")
platform_list="${platform_list%,}" platform_list="${platform_list%,}"
echo "::group::Platform List"
echo "$platform_list"
echo "::endgroup::"
echo "list=$platform_list" >> $GITHUB_OUTPUT echo "list=$platform_list" >> $GITHUB_OUTPUT
- name: Generate tags - name: Generate tags
id: meta id: meta
uses: docker/metadata-action@v5 uses: docker/metadata-action@v5
with: with:
images: ${{ env.DOCKER_REPOSITORY }}/zabbix-${{ matrix.build }} images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ matrix.build }}
context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }}
tags: | tags: |
type=semver,pattern={{version}},prefix=${{ matrix.os }}- type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}-
type=semver,pattern={{version}},suffix=-${{ matrix.os }} type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ matrix.os }}
type=ref,event=branch,prefix=${{ matrix.os }}-,suffix=-latest type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,prefix=${{ matrix.os }}-,suffix=-latest
type=ref,event=branch,suffix=-${{ matrix.os }}-latest type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,suffix=-${{ matrix.os }}-latest
type=raw,enable=${{ needs.init_build.outputs.is_default_branch == 'true' }},value=${{matrix.os}}-latest type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{matrix.os}}-latest
type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.os }}-
type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,suffix=-${{ matrix.os }}
flavor: | flavor: |
latest=${{ (matrix.os == 'alpine') && ( needs.init_build.outputs.is_default_branch == 'true' ) }} latest=${{ (needs.init_build.outputs.current_branch != 'trunk') && (matrix.os == 'alpine') && ( needs.init_build.outputs.is_default_branch == 'true' ) }}
- name: Download SHA256 tag build-base:${{ matrix.os }} - name: Download SHA256 tag of ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }}
uses: actions/download-artifact@v4 uses: actions/cache@v4
with: with:
name: build-base_${{ matrix.os }} path: ${{ env.BASE_BUILD_NAME }}_${{ matrix.os }}
key: ${{ env.BASE_BUILD_NAME }}-${{ matrix.os }}-${{ github.run_id }}
- name: Retrieve build-base:${{ matrix.os }} SHA256 tag - name: Retrieve ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }} SHA256 tag
id: base_build id: base_build
env:
MATRIX_OS: ${{ matrix.os }}
DOCKER_REPOSITORY: ${{ env.DOCKER_REPOSITORY }}
BASE_IMAGE: ${{ env.BASE_BUILD_NAME }}
IMAGES_PREFIX: ${{ env.IMAGES_PREFIX }}
run: | run: |
BASE_TAG=$(cat build-base_${{ matrix.os }}) BASE_TAG=$(cat "${BASE_IMAGE}_${MATRIX_OS}")
BUILD_BASE_IMAGE=${{ env.DOCKER_REPOSITORY }}/zabbix-build-base@${BASE_TAG} BUILD_BASE_IMAGE="${DOCKER_REPOSITORY}/${IMAGES_PREFIX}${BASE_IMAGE}@${BASE_TAG}"
echo "::group::Base build image information"
echo "base_tag=${BASE_TAG}"
echo "base_build_image=${BUILD_BASE_IMAGE}"
echo "::endgroup::"
echo "base_tag=${BASE_TAG}" >> $GITHUB_OUTPUT echo "base_tag=${BASE_TAG}" >> $GITHUB_OUTPUT
echo "base_build_image=${BUILD_BASE_IMAGE}" >> $GITHUB_OUTPUT echo "base_build_image=${BUILD_BASE_IMAGE}" >> $GITHUB_OUTPUT
- name: Verify ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }} cosign
env:
BASE_IMAGE: ${{ steps.base_build.outputs.base_build_image }}
OIDC_ISSUER: ${{ env.OIDC_ISSUER }}
IDENITY_REGEX: ${{ env.IDENITY_REGEX }}
run: |
echo "::group::Image sign data"
echo "OIDC issuer=$OIDC_ISSUER"
echo "Identity=$IDENITY_REGEX"
echo "Image to verify=$BASE_IMAGE"
echo "::endgroup::"
echo "::group::Verify signature"
cosign verify \
--certificate-oidc-issuer-regexp "$OIDC_ISSUER" \
--certificate-identity-regexp "$IDENITY_REGEX" \
"$BASE_IMAGE"
echo "::endgroup::"
- name: Build ${{ matrix.build }}/${{ matrix.os }} and push - name: Build ${{ matrix.build }}/${{ matrix.os }} and push
id: docker_build id: docker_build
uses: docker/build-push-action@v5 uses: docker/build-push-action@v5
with: with:
context: ./Dockerfiles/${{ matrix.build }}/${{ matrix.os }} context: ${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/${{ matrix.os }}
file: ./Dockerfiles/${{ matrix.build }}/${{ matrix.os }}/Dockerfile file: ${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/${{ matrix.os }}/Dockerfile
platforms: ${{ steps.platform.outputs.list }} platforms: ${{ steps.platform.outputs.list }}
push: ${{ secrets.AUTO_PUSH_IMAGES }} push: ${{ env.AUTO_PUSH_IMAGES }}
tags: ${{ steps.meta.outputs.tags }} tags: ${{ steps.meta.outputs.tags }}
build-args: BUILD_BASE_IMAGE=${{ steps.base_build.outputs.base_build_image }} build-args: BUILD_BASE_IMAGE=${{ steps.base_build.outputs.base_build_image }}
labels: | labels: |
org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
cache-from: |
type=gha,scope=${{ fromJSON(steps.meta.outputs.json).tags[0] }}
type=registry,ref=docker.io/${{ fromJSON(steps.meta.outputs.json).tags[0] }}
cache-to: type=gha,mode=max,scope=${{ fromJSON(steps.meta.outputs.json).tags[0] }}
- name: Sign the images with GitHub OIDC Token
env:
DIGEST: ${{ steps.docker_build.outputs.digest }}
TAGS: ${{ steps.meta.outputs.tags }}
run: |
images=""
for tag in ${TAGS}; do
images+="${tag}@${DIGEST} "
done
echo "::group::Images to sign"
echo "$images"
echo "::endgroup::"
echo "::group::Signing"
echo "cosign sign --yes $images"
cosign sign --yes ${images}
echo "::endgroup::"
- name: Image digest - name: Image digest
env:
DIGEST: ${{ steps.docker_build.outputs.digest }}
CACHE_FILE_NAME: ${{ matrix.build }}_${{ matrix.os }}
run: | run: |
echo ${{ steps.docker_build.outputs.digest }} echo "::group::Image digest"
echo "${{ steps.docker_build.outputs.digest }}" > ${{ matrix.build }}_${{ matrix.os }} echo "$DIGEST"
echo "::endgroup::"
echo "::group::Cache file name"
echo "$CACHE_FILE_NAME"
echo "::endgroup::"
echo "$DIGEST" > $CACHE_FILE_NAME
- name: Upload SHA256 tag - name: Caching SHA256 tag of the image
uses: actions/upload-artifact@v4 uses: actions/cache@v4
with: with:
name: ${{ matrix.build }}_${{ matrix.os }}
path: ${{ matrix.build }}_${{ matrix.os }} path: ${{ matrix.build }}_${{ matrix.os }}
if-no-files-found: error key: ${{ matrix.build }}-${{ matrix.os }}-${{ github.run_id }}
build_images: build_images:
timeout-minutes: 90 timeout-minutes: 90
@ -280,8 +597,141 @@ jobs:
os: ${{ fromJson(needs.init_build.outputs.os) }} os: ${{ fromJson(needs.init_build.outputs.os) }}
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
steps: steps:
- uses: actions/checkout@v4 - name: Block egress traffic
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
auth.docker.io:443
dl-cdn.alpinelinux.org:443
github.com:443
index.docker.io:443
production.cloudflare.docker.com:443
registry-1.docker.io:443
fulcio.sigstore.dev:443
objects.githubusercontent.com:443
tuf-repo-cdn.sigstore.dev:443
rekor.sigstore.dev:443
api.github.com:443
atl.mirrors.knownhost.com:443
atl.mirrors.knownhost.com:80
auth.docker.io:443
cdn03.quay.io:443
centos-stream-distro.1gservers.com:443
centos-stream-distro.1gservers.com:80
d2lzkl7pfhq30w.cloudfront.net:443
epel.mirror.constant.com:80
forksystems.mm.fcix.net:80
ftp-nyc.osuosl.org:443
ftp-nyc.osuosl.org:80
ftp-osl.osuosl.org:443
ftp-osl.osuosl.org:80
ftp.plusline.net:80
ftpmirror.your.org:80
github.com:443
iad.mirror.rackspace.com:443
index.docker.io:443
ix-denver.mm.fcix.net:443
mirror-mci.yuki.net.uk:443
mirror.23m.com:80
mirror.arizona.edu:80
mirror.dal.nexril.net:80
mirror.de.leaseweb.net:80
mirror.dogado.de:80
mirror.facebook.net:80
mirror.hoobly.com:80
mirror.math.princeton.edu:80
mirror.netcologne.de:443
mirror.netzwerge.de:443
mirror.pilotfiber.com:443
mirror.pilotfiber.com:80
mirror.rackspace.com:443
mirror.rackspace.com:80
mirror.scaleuptech.com:443
mirror.servaxnet.com:443
mirror.servaxnet.com:80
mirror.sfo12.us.leaseweb.net:80
mirror.siena.edu:80
mirror.steadfastnet.com:80
mirror.team-cymru.com:443
mirror.team-cymru.com:80
mirror.umd.edu:443
mirror1.hs-esslingen.de:443
mirrors.centos.org:443
mirrors.fedoraproject.org:443
mirrors.iu13.net:443
mirrors.iu13.net:80
mirrors.ocf.berkeley.edu:443
mirrors.sonic.net:80
mirrors.syringanetworks.net:80
mirrors.vcea.wsu.edu:80
mirrors.wcupa.edu:80
mirrors.xtom.de:80
na.edge.kernel.org:443
nnenix.mm.fcix.net:80
ohioix.mm.fcix.net:80
production.cloudflare.docker.com:443
pubmirror1.math.uh.edu:443
pubmirror3.math.uh.edu:80
quay.io:443
registry-1.docker.io:443
repo.ialab.dsu.edu:80
repos.eggycrew.com:80
uvermont.mm.fcix.net:80
ziply.mm.fcix.net:443
fulcio.sigstore.dev:443
objects.githubusercontent.com:443
tuf-repo-cdn.sigstore.dev:443
rekor.sigstore.dev:443
oauth2.sigstore.dev:443
api.github.com:443
auth.docker.io:443
github.com:443
index.docker.io:443
production.cloudflare.docker.com:443
registry-1.docker.io:443
yum.oracle.com:443
fulcio.sigstore.dev:443
objects.githubusercontent.com:443
tuf-repo-cdn.sigstore.dev:443
rekor.sigstore.dev:443
api.github.com:443
archive.ubuntu.com:80
auth.docker.io:443
deb.debian.org:80
github.com:443
index.docker.io:443
keyserver.ubuntu.com:11371
nginx.org:443
nginx.org:80
ports.ubuntu.com:80
production.cloudflare.docker.com:443
registry-1.docker.io:443
security.ubuntu.com:80
fulcio.sigstore.dev:443
objects.githubusercontent.com:443
tuf-repo-cdn.sigstore.dev:443
rekor.sigstore.dev:443
- name: Checkout repository
uses: actions/checkout@v4
with:
ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }}
fetch-depth: 1
- name: Install cosign
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
with:
cosign-release: 'v2.2.3'
- name: Check cosign version
run: cosign version
- name: Set up QEMU - name: Set up QEMU
uses: docker/setup-qemu-action@v3 uses: docker/setup-qemu-action@v3
@ -302,30 +752,45 @@ jobs:
- name: Prepare Platform list - name: Prepare Platform list
id: platform id: platform
env:
MATRIX_OS: ${{ matrix.os }}
MATRIX_BUILD: ${{ matrix.build }}
MATRIX_FILE: ${{ env.MATRIX_FILE }}
run: | run: |
# Chromium on Alpine is available only on linux/amd64, linux/arm64 platforms # Chromium on Alpine is available only on linux/amd64, linux/arm64 platforms
if ([ "${{ matrix.os }}" == "alpine" ] || [ "${{ matrix.os }}" == "centos" ]) && [ "${{ matrix.build }}" == "web-service" ]; then if ([ "$MATRIX_OS" == "alpine" ] || [ "$MATRIX_OS" == "centos" ]) && [ "$MATRIX_BUILD" == "web-service" ]; then
platform_list="linux/amd64,linux/arm64" platform_list="linux/amd64,linux/arm64"
# Chromium on Ubuntu is not available on s390x platform # Chromium on Ubuntu is not available on s390x platform
elif [ "${{ matrix.os }}" == "ubuntu" ] && [ "${{ matrix.build }}" == "web-service" ]; then elif [ "$MATRIX_OS" == "ubuntu" ] && [ "$MATRIX_BUILD" == "web-service" ]; then
platform_list="linux/amd64,linux/arm/v7,linux/arm64" platform_list="linux/amd64,linux/arm/v7,linux/arm64"
else else
platform_list=$(jq -r '.["os-linux"].${{ matrix.os }} | join(",")' "./build.json") platform_list=$(jq -r ".[\"os-linux\"].\"$MATRIX_OS\" | join(\",\")" "$MATRIX_FILE")
fi fi
# Build only Agent and Agent2 on 386 # Build only Agent and Agent2 on 386
if [ "${{ matrix.build }}" != "agent"* ]; then if [ "$MATRIX_BUILD" != "agent"* ]; then
platform_list="${platform_list#linux/386,}" platform_list="${platform_list#linux/386,}"
fi fi
platform_list="${platform_list%,}" platform_list="${platform_list%,}"
echo "::group::Platform List"
echo "$platform_list"
echo "::endgroup::"
echo "list=$platform_list" >> $GITHUB_OUTPUT echo "list=$platform_list" >> $GITHUB_OUTPUT
- name: Detect Build Base Image - name: Detect Build Base Image
id: build_base_image id: build_base_image
env:
MATRIX_BUILD: ${{ matrix.build }}
MATRIX_FILE: ${{ env.MATRIX_FILE }}
run: | run: |
BUILD_BASE=$(jq -r '.components."${{ matrix.build }}"' "./build.json") BUILD_BASE=$(jq -r ".components.\"$MATRIX_BUILD\"" "$MATRIX_FILE")
echo "::group::Base Build Image"
echo "$BUILD_BASE"
echo "::endgroup::"
echo "build_base=${BUILD_BASE}" >> $GITHUB_OUTPUT echo "build_base=${BUILD_BASE}" >> $GITHUB_OUTPUT
@ -333,45 +798,105 @@ jobs:
id: meta id: meta
uses: docker/metadata-action@v5 uses: docker/metadata-action@v5
with: with:
images: ${{ env.DOCKER_REPOSITORY }}/zabbix-${{ matrix.build }} images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX}}${{ matrix.build }}
context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }}
tags: | tags: |
type=semver,pattern={{version}},prefix=${{ matrix.os }}- type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}-
type=semver,pattern={{version}},suffix=-${{ matrix.os }} type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ matrix.os }}
type=ref,event=branch,prefix=${{ matrix.os }}-,suffix=-latest type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,prefix=${{ matrix.os }}-,suffix=-latest
type=ref,event=branch,suffix=-${{ matrix.os }}-latest type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,suffix=-${{ matrix.os }}-latest
type=raw,enable=${{ needs.init_build.outputs.is_default_branch == 'true' }},value=${{matrix.os}}-latest type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{matrix.os}}-latest
type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.os }}-
type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,suffix=-${{ matrix.os }}
flavor: | flavor: |
latest=${{ (matrix.os == 'alpine') && ( needs.init_build.outputs.is_default_branch == 'true' ) }} latest=${{ (needs.init_build.outputs.current_branch != 'trunk') && (matrix.os == 'alpine') && ( needs.init_build.outputs.is_default_branch == 'true' ) }}
- name: Download SHA256 tag for ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.os }} - name: Download SHA256 tag of ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.os }}
uses: actions/download-artifact@v4 uses: actions/cache@v4
if: ${{ matrix.build != 'snmptraps' }} if: ${{ matrix.build != 'snmptraps' }}
with: with:
name: ${{ steps.build_base_image.outputs.build_base }}_${{ matrix.os }} path: ${{ steps.build_base_image.outputs.build_base }}_${{ matrix.os }}
key: ${{ steps.build_base_image.outputs.build_base }}-${{ matrix.os }}-${{ github.run_id }}
- name: Retrieve ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.os }} SHA256 tag - name: Retrieve ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.os }} SHA256 tag
id: base_build id: base_build
if: ${{ matrix.build != 'snmptraps' }} if: ${{ matrix.build != 'snmptraps' }}
env:
BUILD_BASE: ${{ steps.build_base_image.outputs.build_base }}
MATRIX_OS: ${{ matrix.os }}
DOCKER_REPOSITORY: ${{ env.DOCKER_REPOSITORY }}
IMAGES_PREFIX: ${{ env.IMAGES_PREFIX }}
run: | run: |
BASE_TAG=$(cat ${{ steps.build_base_image.outputs.build_base }}_${{ matrix.os }}) BASE_TAG=$(cat "${BUILD_BASE}_${MATRIX_OS}")
BUILD_BASE_IMAGE=${{ env.DOCKER_REPOSITORY }}/zabbix-${{ steps.build_base_image.outputs.build_base }}@${BASE_TAG} BUILD_BASE_IMAGE=${DOCKER_REPOSITORY}/${IMAGES_PREFIX}${BUILD_BASE}@${BASE_TAG}
echo "::group::Base build image information"
echo "base_tag=${BASE_TAG}"
echo "base_build_image=${BUILD_BASE_IMAGE}"
echo "::endgroup::"
echo "base_tag=${BASE_TAG}" >> $GITHUB_OUTPUT echo "base_tag=${BASE_TAG}" >> $GITHUB_OUTPUT
echo "base_build_image=${BUILD_BASE_IMAGE}" >> $GITHUB_OUTPUT echo "base_build_image=${BUILD_BASE_IMAGE}" >> $GITHUB_OUTPUT
- name: Build ${{ matrix.build }}/${{ matrix.os }} and push - name: Verify ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.os }} cosign
if: ${{ matrix.build != 'snmptraps' }}
env:
BASE_IMAGE: ${{ steps.base_build.outputs.base_build_image }}
OIDC_ISSUER: ${{ env.OIDC_ISSUER }}
IDENITY_REGEX: ${{ env.IDENITY_REGEX }}
run: |
echo "::group::Image sign data"
echo "OIDC issuer=$OIDC_ISSUER"
echo "Identity=$IDENITY_REGEX"
echo "Image to verify=$BASE_IMAGE"
echo "::endgroup::"
echo "::group::Verify signature"
cosign verify \
--certificate-oidc-issuer-regexp "$OIDC_ISSUER" \
--certificate-identity-regexp "$IDENITY_REGEX" \
"$BASE_IMAGE"
echo "::endgroup::"
- name: Build and push image
id: docker_build id: docker_build
uses: docker/build-push-action@v5 uses: docker/build-push-action@v5
with: with:
context: ./Dockerfiles/${{ matrix.build }}/${{ matrix.os }} context: ${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/${{ matrix.os }}
file: ./Dockerfiles/${{ matrix.build }}/${{ matrix.os }}/Dockerfile file: ${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/${{ matrix.os }}/Dockerfile
platforms: ${{ steps.platform.outputs.list }} platforms: ${{ steps.platform.outputs.list }}
push: ${{ secrets.AUTO_PUSH_IMAGES }} push: ${{ env.AUTO_PUSH_IMAGES }}
tags: ${{ steps.meta.outputs.tags }} tags: ${{ steps.meta.outputs.tags }}
build-args: BUILD_BASE_IMAGE=${{ steps.base_build.outputs.base_build_image }} build-args: BUILD_BASE_IMAGE=${{ steps.base_build.outputs.base_build_image }}
labels: | labels: |
org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
cache-from: type=gha,scope=${{ fromJSON(steps.meta.outputs.json).tags[0] }}
cache-to: type=gha,mode=max,scope=${{ fromJSON(steps.meta.outputs.json).tags[0] }}
- name: Sign the images with GitHub OIDC Token
env:
DIGEST: ${{ steps.docker_build.outputs.digest }}
TAGS: ${{ steps.meta.outputs.tags }}
run: |
images=""
for tag in ${TAGS}; do
images+="${tag}@${DIGEST} "
done
echo "::group::Images to sign"
echo "$images"
echo "::endgroup::"
echo "::group::Signing"
echo "cosign sign --yes $images"
cosign sign --yes ${images}
echo "::endgroup::"
- name: Image digest - name: Image digest
run: echo ${{ steps.docker_build.outputs.digest }} env:
DIGEST: ${{ steps.docker_build.outputs.digest }}
run: |
echo "::group::Image digest"
echo "$DIGEST"
echo "::endgroup::"

15
.github/workflows/images_build_windows.yml vendored
View File

@ -13,7 +13,7 @@ on:
- '!**/README.md' - '!**/README.md'
- '.github/workflows/images_build_windows.yml' - '.github/workflows/images_build_windows.yml'
schedule: schedule:
- cron: '49 12 * * *' - cron: '05 02 * * *'
workflow_dispatch: workflow_dispatch:
defaults: defaults:
@ -21,7 +21,7 @@ defaults:
shell: pwsh shell: pwsh
env: env:
TRUNK_ONLY_EVENT: ${{ contains(fromJSON('["schedule", "workflow_dispatch"]'), github.event_name) }} TRUNK_ONLY_EVENT: ${{ contains(fromJSON('["schedule"]'), github.event_name) }}
AUTO_PUSH_IMAGES: ${{ vars.AUTO_PUSH_IMAGES }} AUTO_PUSH_IMAGES: ${{ vars.AUTO_PUSH_IMAGES }}
DOCKER_REPOSITORY: ${{ vars.DOCKER_REPOSITORY }} DOCKER_REPOSITORY: ${{ vars.DOCKER_REPOSITORY }}
@ -63,17 +63,6 @@ jobs:
allowed-endpoints: > allowed-endpoints: >
github.com:443 github.com:443
- name: Test
shell: bash
env:
GIT_REF_TEST: ${{ env.TRUNK_ONLY_EVENT == true && env.TRUNK_GIT_BRANCH || '' }}
GIT_REF_TEST2: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }}
run: |
echo $GIT_REF_TEST
echo $GIT_REF_TEST2
echo "${{ env.TRUNK_ONLY_EVENT }}"
echo "${{ env.TRUNK_GIT_BRANCH }}"
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@v4 uses: actions/checkout@v4
with: with:

350
.github/workflows/nightly_build.yml vendored
View File

@ -1,350 +0,0 @@
name: Nightly build images (DockerHub)
on:
schedule:
- cron: '5 2 * * *'
workflow_dispatch:
defaults:
run:
shell: bash
env:
DOCKER_REPOSITORY: "zabbix"
LATEST_BRANCH: ${{ github.event.repository.default_branch }}
BASE_BUILD_NAME: "build-base"
jobs:
init_build:
name: Initialize build
runs-on: ubuntu-latest
outputs:
os: ${{ steps.os.outputs.list }}
database: ${{ steps.database.outputs.list }}
components: ${{ steps.components.outputs.list }}
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
ref: "refs/heads/trunk"
fetch-depth: 1
- name: Check build.json file
id: build_exists
run: |
if [[ ! -f "./build.json" ]]; then
echo "::error::File build.json is missing"
exit 1
fi
- name: Prepare Operating System list
id: os
run: |
os_list=$(jq -r '.["os-linux"] | keys | [ .[] | tostring ] | @json' "./build.json")
echo "list=$os_list" >> $GITHUB_OUTPUT
- name: Prepare Platform list
id: platform_list
run: |
platform_list=$(jq -r '.["os-linux"] | tostring | @json' "./build.json")
echo "list=$platform_list" >> $GITHUB_OUTPUT
- name: Prepare Database engine list
id: database
run: |
database_list=$(jq -r '[.components | values[] ] | sort | unique | del(.. | select ( . == "" ) ) | [ .[] | tostring ] | @json' "./build.json")
echo "list=$database_list" >> $GITHUB_OUTPUT
- name: Prepare Zabbix component list
id: components
run: |
component_list=$(jq -r '.components | keys | [ .[] | tostring ] | @json' "./build.json")
echo "list=$component_list" >> $GITHUB_OUTPUT
build_base:
timeout-minutes: 30
name: Build base on ${{ matrix.os }}
needs: init_build
strategy:
fail-fast: false
matrix:
os: ${{ fromJson(needs.init_build.outputs.os) }}
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
ref: "refs/heads/trunk"
fetch-depth: 1
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
with:
image: tonistiigi/binfmt:latest
platforms: all
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
driver-opts: image=moby/buildkit:master
- name: Login to DockerHub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Prepare Platform list
id: platform
run: |
platform_list=$(jq -r '.["os-linux"].${{ matrix.os }} | join(",")' "./build.json")
platform_list="${platform_list%,}"
echo "list=$platform_list" >> $GITHUB_OUTPUT
- name: Generate tags
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.DOCKER_REPOSITORY }}/zabbix-${{ env.BASE_BUILD_NAME }}
tags: |
type=raw,value=${{ matrix.os }}-trunk
type=raw,value=trunk-${{ matrix.os }}
flavor: |
latest=false
- name: Build ${{ env.BASE_BUILD_NAME }}/${{ matrix.os }} and push
id: docker_build
uses: docker/build-push-action@v5
with:
context: ./Dockerfiles/${{ env.BASE_BUILD_NAME }}/${{ matrix.os }}
file: ./Dockerfiles/${{ env.BASE_BUILD_NAME }}/${{ matrix.os }}/Dockerfile
platforms: ${{ steps.platform.outputs.list }}
push: ${{ secrets.AUTO_PUSH_IMAGES }}
tags: ${{ steps.meta.outputs.tags }}
labels: |
org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
- name: Image digest
run: |
echo ${{ steps.docker_build.outputs.digest }}
echo "${{ steps.docker_build.outputs.digest }}" > ${{ env.BASE_BUILD_NAME }}_${{ matrix.os }}
- name: Upload SHA256 tag
uses: actions/upload-artifact@v4
with:
name: ${{ env.BASE_BUILD_NAME }}_${{ matrix.os }}
path: ${{ env.BASE_BUILD_NAME }}_${{ matrix.os }}
if-no-files-found: error
build_base_database:
timeout-minutes: 180
needs: [ "build_base", "init_build"]
name: Build ${{ matrix.build }} base on ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
build: ${{ fromJson(needs.init_build.outputs.database) }}
os: ${{ fromJson(needs.init_build.outputs.os) }}
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
ref: "refs/heads/trunk"
fetch-depth: 1
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
with:
image: tonistiigi/binfmt:latest
platforms: all
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
driver-opts: image=moby/buildkit:master
- name: Login to DockerHub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Prepare Platform list
id: platform
run: |
platform_list=$(jq -r '.["os-linux"].${{ matrix.os }} | join(",")' "./build.json")
platform_list="${platform_list%,}"
echo "list=$platform_list" >> $GITHUB_OUTPUT
- name: Generate tags
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.DOCKER_REPOSITORY }}/zabbix-${{ matrix.build }}
tags: |
type=raw,value=${{ matrix.os }}-trunk
type=raw,value=trunk-${{ matrix.os }}
flavor: |
latest=false
- name: Download SHA256 tag build-base:${{ matrix.os }}
uses: actions/download-artifact@v4
with:
name: build-base_${{ matrix.os }}
- name: Retrieve build-base:${{ matrix.os }} SHA256 tag
id: base_build
run: |
BASE_TAG=$(cat build-base_${{ matrix.os }})
BUILD_BASE_IMAGE=${{ env.DOCKER_REPOSITORY }}/zabbix-build-base@${BASE_TAG}
echo "base_tag=${BASE_TAG}" >> $GITHUB_OUTPUT
echo "base_build_image=${BUILD_BASE_IMAGE}" >> $GITHUB_OUTPUT
- name: Build ${{ matrix.build }}/${{ matrix.os }} and push
id: docker_build
uses: docker/build-push-action@v5
with:
context: ./Dockerfiles/${{ matrix.build }}/${{ matrix.os }}
file: ./Dockerfiles/${{ matrix.build }}/${{ matrix.os }}/Dockerfile
platforms: ${{ steps.platform.outputs.list }}
push: ${{ secrets.AUTO_PUSH_IMAGES }}
tags: ${{ steps.meta.outputs.tags }}
build-args: BUILD_BASE_IMAGE=${{ steps.base_build.outputs.base_build_image }}
labels: |
org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
- name: Image digest
run: |
echo ${{ steps.docker_build.outputs.digest }}
echo "${{ steps.docker_build.outputs.digest }}" > ${{ matrix.build }}_${{ matrix.os }}
- name: Upload SHA256 tag
uses: actions/upload-artifact@v4
with:
name: ${{ matrix.build }}_${{ matrix.os }}
path: ${{ matrix.build }}_${{ matrix.os }}
if-no-files-found: error
build_images:
timeout-minutes: 90
needs: [ "build_base_database", "init_build"]
name: Build ${{ matrix.build }} on ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
build: ${{ fromJson(needs.init_build.outputs.components) }}
os: ${{ fromJson(needs.init_build.outputs.os) }}
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
ref: "refs/heads/trunk"
fetch-depth: 1
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
with:
image: tonistiigi/binfmt:latest
platforms: all
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
driver-opts: image=moby/buildkit:master
- name: Login to DockerHub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Prepare Platform list
id: platform
run: |
# Chromium on Alpine is available only on linux/amd64, linux/arm64 platforms
if ([ "${{ matrix.os }}" == "alpine" ] || [ "${{ matrix.os }}" == "centos" ]) && [ "${{ matrix.build }}" == "web-service" ]; then
platform_list="linux/amd64,linux/arm64"
# Chromium on Ubuntu is not available on s390x platform
elif [ "${{ matrix.os }}" == "ubuntu" ] && [ "${{ matrix.build }}" == "web-service" ]; then
platform_list="linux/amd64,linux/arm/v7,linux/arm64"
else
platform_list=$(jq -r '.["os-linux"].${{ matrix.os }} | join(",")' "./build.json")
fi
# Build only Agent and Agent2 on 386
if [ "${{ matrix.build }}" != "agent"* ]; then
platform_list="${platform_list#linux/386,}"
fi
# Can not compile Java applications on ppc64le
if [ "${{ matrix.build }}" == "java-gateway" ]; then
platform_list="${platform_list%linux/ppc64le}"
fi
platform_list="${platform_list%,}"
echo "list=$platform_list" >> $GITHUB_OUTPUT
- name: Detect Build Base Image
id: build_base_image
run: |
BUILD_BASE=$(jq -r '.components."${{ matrix.build }}"' "./build.json")
echo "build_base=${BUILD_BASE}" >> $GITHUB_OUTPUT
- name: Generate tags
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.DOCKER_REPOSITORY }}/zabbix-${{ matrix.build }}
tags: |
type=raw,value=${{ matrix.os }}-trunk
type=raw,value=trunk-${{ matrix.os }}
flavor: |
latest=false
- name: Download SHA256 tag for ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.os }}
uses: actions/download-artifact@v4
if: ${{ matrix.build != 'snmptraps' }}
with:
name: ${{ steps.build_base_image.outputs.build_base }}_${{ matrix.os }}
- name: Retrieve ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.os }} SHA256 tag
id: base_build
if: ${{ matrix.build != 'snmptraps' }}
run: |
BASE_TAG=$(cat ${{ steps.build_base_image.outputs.build_base }}_${{ matrix.os }})
BUILD_BASE_IMAGE=${{ env.DOCKER_REPOSITORY }}/zabbix-${{ steps.build_base_image.outputs.build_base }}@${BASE_TAG}
echo "base_tag=${BASE_TAG}" >> $GITHUB_OUTPUT
echo "base_build_image=${BUILD_BASE_IMAGE}" >> $GITHUB_OUTPUT
- name: Build ${{ matrix.build }}/${{ matrix.os }} and push
id: docker_build
uses: docker/build-push-action@v5
with:
context: ./Dockerfiles/${{ matrix.build }}/${{ matrix.os }}
file: ./Dockerfiles/${{ matrix.build }}/${{ matrix.os }}/Dockerfile
platforms: ${{ steps.platform.outputs.list }}
push: ${{ secrets.AUTO_PUSH_IMAGES }}
tags: ${{ steps.meta.outputs.tags }}
build-args: BUILD_BASE_IMAGE=${{ steps.base_build.outputs.base_build_image }}
labels: |
org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
- name: Image digest
run: echo ${{ steps.docker_build.outputs.digest }}

770
.github/workflows/nightly_build_windows.yml vendored
View File

@ -1,770 +0,0 @@
name: Nightly build images (DockerHub, Windows)
on:
schedule:
- cron: '49 12 * * *'
workflow_dispatch:
defaults:
run:
shell: pwsh
env:
TRUNK_ONLY_EVENT: ${{ contains(fromJSON('["schedule", "workflow_dispatch"]'), github.event_name) }}
AUTO_PUSH_IMAGES: ${{ vars.AUTO_PUSH_IMAGES }}
DOCKER_REPOSITORY: ${{ vars.DOCKER_REPOSITORY }}
LATEST_BRANCH: ${{ github.event.repository.default_branch }}
TRUNK_GIT_BRANCH: "refs/heads/trunk"
IMAGES_PREFIX: "zabbix-"
MSFT_BASE_BUILD_IMAGE: "mcr.microsoft.com/windows/servercore"
PWSH_BASE_IMAGE_NAME: "mcr.microsoft.com/powershell"
PWSH_BASE_IMAGE_PREFIX: "lts-nanoserver-"
BASE_IMAGE_NAME: "build-base"
BASE_BUILD_IMAGE_NAME: "build-mysql"
MATRIX_FILE: "build.json"
DOCKERFILES_DIRECTORY: "Dockerfiles"
OIDC_ISSUER: "https://token.actions.githubusercontent.com"
IDENITY_REGEX: "https://github.com/zabbix/zabbix-docker/.github/"
jobs:
init_build:
name: Initialize build
runs-on: ubuntu-latest
permissions:
contents: read
outputs:
os: ${{ steps.os.outputs.list }}
components: ${{ steps.components.outputs.list }}
is_default_branch: ${{ steps.branch_info.outputs.is_default_branch }}
current_branch: ${{ steps.branch_info.outputs.current_branch }}
sha_short: ${{ steps.branch_info.outputs.sha_short }}
steps:
- name: Block egress traffic
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
github.com:443
- name: Checkout repository
uses: actions/checkout@v4
with:
ref: ${{ env.TRUNK_ONLY_EVENT && env.TRUNK_GIT_BRANCH || '' }}
fetch-depth: 1
sparse-checkout: ${{ env.MATRIX_FILE }}
- name: Check ${{ env.MATRIX_FILE }} file
id: build_exists
shell: bash
env:
MATRIX_FILE: ${{ env.MATRIX_FILE }}
run: |
if [[ ! -f "$MATRIX_FILE" ]]; then
echo "::error::File $MATRIX_FILE is missing"
exit 1
fi
- name: Prepare Operating System list
id: os
shell: bash
env:
MATRIX_FILE: ${{ env.MATRIX_FILE }}
run: |
os_list=$(jq -r '.["os-windows"] | keys | [ .[] | tostring ] | @json' "$MATRIX_FILE")
echo "::group::Operating System List"
echo "$os_list"
echo "::endgroup::"
echo "list=$os_list" >> $GITHUB_OUTPUT
- name: Prepare Zabbix component list
id: components
shell: bash
run: |
component_list='["agent","agent2"]'
echo "::group::Zabbix Component List"
echo "$component_list"
echo "::endgroup::"
echo "list=$component_list" >> $GITHUB_OUTPUT
- name: Get branch info
id: branch_info
shell: bash
env:
LATEST_BRANCH: ${{ env.LATEST_BRANCH }}
github_ref: ${{ env.TRUNK_ONLY_EVENT && env.TRUNK_GIT_BRANCH || github.ref }}
run: |
result=false
sha_short=$(git rev-parse --short HEAD)
if [[ "$github_ref" == "refs/tags/"* ]]; then
github_ref=${github_ref%.*}
fi
github_ref=${github_ref##*/}
if [[ "$github_ref" == "$LATEST_BRANCH" ]]; then
result=true
fi
echo "::group::Branch data"
echo "is_default_branch - $result"
echo "current_branch - $github_ref"
echo "sha_short - $sha_short"
echo "::endgroup::"
echo "is_default_branch=$result" >> $GITHUB_OUTPUT
echo "current_branch=$github_ref" >> $GITHUB_OUTPUT
echo "sha_short=$sha_short" >> $GITHUB_OUTPUT
build_base:
name: Build ${{ matrix.component }} base on ${{ matrix.os }}
needs: init_build
runs-on: ${{ matrix.os }}
timeout-minutes: 70
permissions:
contents: read
id-token: write
strategy:
fail-fast: false
matrix:
os: ${{ fromJson(needs.init_build.outputs.os) }}
component: ${{ fromJson(needs.init_build.outputs.components) }}
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
ref: ${{ env.TRUNK_ONLY_EVENT && env.TRUNK_GIT_BRANCH || '' }}
fetch-depth: 1
- name: Install cosign
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
with:
cosign-release: 'v2.2.3'
- name: Check cosign version
run: cosign version
- name: Login to DockerHub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Base Windows OS tag
id: base_os_tag
env:
MATRIX_OS: ${{ matrix.os }}
MATRIX_FILE: ${{ env.MATRIX_FILE }}
run: |
$os_tag=$(Get-Content -Path $Env:MATRIX_FILE | ConvertFrom-Json).'os-windows'."$Env:MATRIX_OS"
echo "::group::Base Microsoft Windows OS tag"
echo "$os_tag"
echo "::endgroup::"
echo "os_tag=$os_tag" >> $Env:GITHUB_OUTPUT
- name: Generate tags
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ env.BASE_IMAGE_NAME }}
context: ${{ env.TRUNK_ONLY_EVENT && 'git' || 'github' }}
tags: |
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ steps.base_os_tag.outputs.os_tag }},prefix=${{ matrix.component }}-
type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-,suffix=-latest
type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }}-latest,prefix=${{ matrix.component }}-
type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-latest
type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-
type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }},prefix=${{ matrix.component }}-
flavor: |
latest=false
- name: Build and push image
id: docker_build
env:
DOCKERFILES_DIRECTORY: ${{ env.DOCKERFILES_DIRECTORY }}
BASE_BUILD_IMAGE: ${{ env.MSFT_BASE_BUILD_IMAGE }}
BASE_IMAGE_NAME: ${{ env.BASE_IMAGE_NAME }}
MATRIX_COMPONENT: ${{ matrix.component }}
TAGS: ${{ steps.meta.outputs.tags }}
BASE_OS_TAG: ${{ steps.base_os_tag.outputs.os_tag }}
LABEL_REVISION: ${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
LABEL_CREATED: ${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
AUTO_PUSH_IMAGES: ${{ env.AUTO_PUSH_IMAGES }}
run: |
echo "::group::Docker version"
docker version
echo "::endgroup::"
echo "::group::Docker info"
docker info
echo "::endgroup::"
$context="$Env:DOCKERFILES_DIRECTORY\$Env:BASE_IMAGE_NAME\windows\"
$dockerfile= $context + 'Dockerfile.' + $Env:MATRIX_COMPONENT
$base_os_image= $Env:BASE_BUILD_IMAGE + ':' + $Env:BASE_OS_TAG
# Can not build on GitHub due existing symlink. Must be removed before build process
Remove-Item -ErrorAction Ignore -Force -Path $context\README.md
$tags_array=$( "$Env:TAGS".Split("`n") )
$tags=$( $tags_array | Foreach-Object { "--tag=$_" } )
echo "::group::Image tags"
echo "$Env:TAGS"
echo "::endgroup::"
echo "::group::Pull base image"
docker pull $base_os_image
if (-not $?) {throw "Failed"}
echo "::endgroup::"
echo "::group::Build Image"
Write-Host @"
docker build --label org.opencontainers.image.revision=$Env:LABEL_REVISION
--label org.opencontainers.image.created=$Env:LABEL_CREATED
--build-arg=BUILD_BASE_IMAGE=$base_os_image
--file=$dockerfile
$tags
$context
"@
docker build --label org.opencontainers.image.revision=$Env:LABEL_REVISION `
--label org.opencontainers.image.created=$Env:LABEL_CREATED `
--build-arg=BUILD_BASE_IMAGE=$base_os_image `
--file=$dockerfile `
$tags `
$context
if (-not $?) {throw "Failed"}
echo "::endgroup::"
echo "::group::Publish Image"
if ( $Env:AUTO_PUSH_IMAGES -eq 'true' ) {
Foreach ($tag in $tags_array) {
echo "docker image push $tag"
docker image push $tag
if (-not $?) {throw "Failed"}
}
$digest=$(docker inspect $tags_array[0] --format "{{ index .RepoDigests 0}}").Split('@')[-1]
if (-not $?) {throw "Failed"}
echo "Image digest got from RepoDigests"
}
else {
$digest=$(docker inspect $tags_array[0] --format "{{ index .Id}}")
if (-not $?) {throw "Failed"}
echo "Image digest got from Id"
}
echo "::endgroup::"
echo "::group::Digest"
echo "$digest"
echo "::endgroup::"
echo "digest=$digest" >> $Env:GITHUB_OUTPUT
- name: Sign the images with GitHub OIDC Token
env:
DIGEST: ${{ steps.docker_build.outputs.digest }}
TAGS: ${{ steps.meta.outputs.tags }}
run: |
$tags_array=$( "$Env:TAGS".Split("`n") )
$tag_list=@()
foreach ($tag in $tags_array) {
$tag_name=$tag.Split(":")[0]
$tag_list+="$tag_name@$Env:DIGEST"
}
echo "::group::Images to sign"
echo "$tag_list"
echo "::endgroup::"
echo "::group::Signing"
echo "cosign sign --yes $tag_list"
cosign sign --yes $tag_list
echo "::endgroup::"
- name: Image digest
if: ${{ env.AUTO_PUSH_IMAGES }}
env:
DIGEST: ${{ steps.docker_build.outputs.digest }}
CACHE_FILE_NAME: ${{ env.BASE_IMAGE_NAME }}_${{ matrix.os }}_${{ matrix.component }}
run: |
echo "::group::Image digest"
echo "$Env:DIGEST"
echo "::endgroup::"
echo "::group::Cache file name"
echo "$Env:CACHE_FILE_NAME"
echo "::endgroup::"
$Env:DIGEST | Set-Content -Path $Env:CACHE_FILE_NAME
- name: Cache image digest
uses: actions/cache@v4
with:
path: ${{ env.BASE_IMAGE_NAME }}_${{ matrix.os }}_${{ matrix.component }}
key: ${{ env.BASE_IMAGE_NAME }}-${{ matrix.os }}-${{ github.run_id }}
build_components:
name: Build ${{ matrix.component }} sources on ${{ matrix.os }}
needs: [ "build_base", "init_build"]
runs-on: ${{ matrix.os }}
timeout-minutes: 70
permissions:
contents: read
id-token: write
strategy:
fail-fast: false
matrix:
os: ${{ fromJson(needs.init_build.outputs.os) }}
component: ${{ fromJson(needs.init_build.outputs.components) }}
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
ref: ${{ env.TRUNK_ONLY_EVENT && env.TRUNK_GIT_BRANCH || '' }}
fetch-depth: 1
- name: Install cosign
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
with:
cosign-release: 'v2.2.3'
- name: Check cosign version
run: cosign version
- name: Login to DockerHub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Base OS tag
id: base_os_tag
env:
MATRIX_OS: ${{ matrix.os }}
MATRIX_FILE: ${{ env.MATRIX_FILE }}
run: |
$os_tag=$(Get-Content -Path $Env:MATRIX_FILE | ConvertFrom-Json).'os-windows'."$Env:MATRIX_OS"
echo "::group::Base Windows OS tag"
echo "$os_tag"
echo "::endgroup::"
echo "os_tag=$os_tag" >> $Env:GITHUB_OUTPUT
- name: Generate tags
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ env.BASE_BUILD_IMAGE_NAME }}
context: ${{ env.TRUNK_ONLY_EVENT && 'git' || 'github' }}
tags: |
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ steps.base_os_tag.outputs.os_tag }},prefix=${{ matrix.component }}-
type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-,suffix=-latest
type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }}-latest,prefix=${{ matrix.component }}-
type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-latest
type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-
type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }},prefix=${{ matrix.component }}-
flavor: |
latest=false
- name: Download SHA256 tag of ${{ env.BASE_IMAGE_NAME }}:${{ matrix.os }}
uses: actions/cache@v4
with:
path: ${{ env.BASE_IMAGE_NAME }}_${{ matrix.os }}_${{ matrix.component }}
key: ${{ env.BASE_IMAGE_NAME }}-${{ matrix.os }}-${{ github.run_id }}
- name: Retrieve ${{ env.BASE_IMAGE_NAME }}:${{ matrix.os }} SHA256 tag
id: base_build
env:
BASE_IMAGE_NAME: ${{ env.BASE_IMAGE_NAME }}
MATRIX_OS: ${{ matrix.os }}
MATRIX_COMPONENT: ${{ matrix.component }}
DOCKER_REPOSITORY: ${{ env.DOCKER_REPOSITORY }}
IMAGES_PREFIX: ${{ env.IMAGES_PREFIX }}
run: |
$base_image_file=$Env:BASE_IMAGE_NAME + '_' + $Env:MATRIX_OS + '_' + $Env:MATRIX_COMPONENT
$base_tag = Get-Content $base_image_file -Raw
$build_base_image="$Env:DOCKER_REPOSITORY/$Env:IMAGES_PREFIX$Env:BASE_IMAGE_NAME@" + $base_tag
echo "::group::Base image Info"
echo "base_tag=$base_tag"
echo "base_build_image=$build_base_image"
echo "::endgroup::"
echo "base_tag=$base_tag" >> $Env:GITHUB_OUTPUT
echo "base_build_image=$build_base_image" >> $Env:GITHUB_OUTPUT
- name: Verify ${{ env.BASE_IMAGE_NAME }}:${{ matrix.os }} cosign
env:
BASE_IMAGE: ${{ steps.base_build.outputs.base_build_image }}
OIDC_ISSUER: ${{ env.OIDC_ISSUER }}
IDENITY_REGEX: ${{ env.IDENITY_REGEX }}
run: |
cosign verify `
--certificate-oidc-issuer-regexp "$Env:OIDC_ISSUER" `
--certificate-identity-regexp "$Env:IDENITY_REGEX" `
"$Env:BASE_IMAGE"
- name: Build and push image
id: docker_build
env:
DOCKERFILES_DIRECTORY: ${{ env.DOCKERFILES_DIRECTORY }}
BASE_BUILD_IMAGE: ${{ steps.base_build.outputs.base_build_image }}
BASE_BUILD_IMAGE_NAME: ${{ env.BASE_BUILD_IMAGE_NAME }}
BASE_BUILD_OS_TAG: ${{ steps.base_os_tag.outputs.os_tag }}
MATRIX_COMPONENT: ${{ matrix.component }}
TAGS: ${{ steps.meta.outputs.tags }}
LABEL_REVISION: ${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
LABEL_CREATED: ${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
AUTO_PUSH_IMAGES: ${{ env.AUTO_PUSH_IMAGES }}
run: |
echo "::group::Docker version"
docker version
echo "::endgroup::"
echo "::group::Docker info"
docker info
echo "::endgroup::"
$context="$Env:DOCKERFILES_DIRECTORY\$Env:BASE_BUILD_IMAGE_NAME\windows\"
$dockerfile= $context + 'Dockerfile.' + $Env:MATRIX_COMPONENT
$base_build_image= $Env:BASE_BUILD_IMAGE
# Can not build on GitHub due existing symlink. Must be removed before build process
Remove-Item -ErrorAction Ignore -Force -Path $context\README.md
$tags_array=$( "$Env:TAGS".Split("`n") )
$tags=$( $tags_array | Foreach-Object { "--tag=$_" } )
echo "::group::Image tags"
echo "$Env:TAGS"
echo "::endgroup::"
echo "::group::Pull base image"
docker pull $base_build_image
if (-not $?) {throw "Failed"}
echo "::endgroup::"
echo "::group::Build Image"
Write-Host @"
docker build --label org.opencontainers.image.revision=$Env:LABEL_REVISION
--label org.opencontainers.image.created=$Env:LABEL_CREATED
--build-arg=BUILD_BASE_IMAGE=$base_build_image
--file=$dockerfile
$tags
$context
"@
docker build --label org.opencontainers.image.revision=$Env:LABEL_REVISION `
--label org.opencontainers.image.created=$Env:LABEL_CREATED `
--build-arg=BUILD_BASE_IMAGE=$base_build_image `
--file=$dockerfile `
$tags `
$context
if (-not $?) {throw "Failed"}
echo "::endgroup::"
echo "::group::Publish Image"
if ( $Env:AUTO_PUSH_IMAGES -eq 'true' ) {
Foreach ($tag in $tags_array) {
echo "docker image push $tag"
docker image push $tag
if (-not $?) {throw "Failed"}
}
$digest=$(docker inspect $tags_array[0] --format "{{ index .RepoDigests 0}}").Split('@')[-1]
if (-not $?) {throw "Failed"}
echo "Image digest got from RepoDigests"
}
else {
$digest=$(docker inspect $tags_array[0] --format "{{ index .Id}}")
if (-not $?) {throw "Failed"}
echo "Image digest got from Id"
}
echo "::endgroup::"
echo "::group::Digest"
echo "$digest"
echo "::endgroup::"
echo "digest=$digest" >> $Env:GITHUB_OUTPUT
- name: Sign the images with GitHub OIDC Token
env:
DIGEST: ${{ steps.docker_build.outputs.digest }}
TAGS: ${{ steps.meta.outputs.tags }}
run: |
$tags_array=$( "$Env:TAGS".Split("`n") )
$tag_list=@()
foreach ($tag in $tags_array) {
$tag_name=$tag.Split(":")[0]
$tag_list+="$tag_name@$Env:DIGEST"
}
echo "::group::Images to sign"
echo "$tag_list"
echo "::endgroup::"
echo "::group::Signing"
echo "cosign sign --yes $tag_list"
cosign sign --yes $tag_list
echo "::endgroup::"
- name: Image digest
if: ${{ env.AUTO_PUSH_IMAGES }}
env:
DIGEST: ${{ steps.docker_build.outputs.digest }}
CACHE_FILE_NAME: ${{ env.BASE_BUILD_IMAGE_NAME }}_${{ matrix.os }}_${{ matrix.component }}
run: |
echo "::group::Image digest"
echo "$Env:DIGEST"
echo "::endgroup::"
echo "::group::Cache file name"
echo "$Env:CACHE_FILE_NAME"
echo "::endgroup::"
$Env:DIGEST | Set-Content -Path $Env:CACHE_FILE_NAME
- name: Cache image digest
uses: actions/cache@v4
with:
path: ${{ env.BASE_BUILD_IMAGE_NAME }}_${{ matrix.os }}_${{ matrix.component }}
key: ${{ env.BASE_BUILD_IMAGE_NAME }}-${{ matrix.os }}-${{ github.run_id }}
build_images:
name: Build ${{ matrix.component }} on ${{ matrix.os }}
needs: [ "build_components", "init_build"]
runs-on: ${{ matrix.os }}
timeout-minutes: 70
permissions:
contents: read
id-token: write
strategy:
fail-fast: false
matrix:
os: ${{ fromJson(needs.init_build.outputs.os) }}
component: ${{ fromJson(needs.init_build.outputs.components) }}
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
ref: ${{ env.TRUNK_ONLY_EVENT && env.TRUNK_GIT_BRANCH || '' }}
fetch-depth: 1
- name: Install cosign
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
with:
cosign-release: 'v2.2.3'
- name: Check cosign version
run: cosign version
- name: Login to DockerHub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Base OS tag
id: base_os_tag
env:
MATRIX_OS: ${{ matrix.os }}
MATRIX_FILE: ${{ env.MATRIX_FILE }}
run: |
$os_tag=$(Get-Content -Path $Env:MATRIX_FILE | ConvertFrom-Json).'os-windows'."$Env:MATRIX_OS"
echo "::group::Base OS tag"
echo "$os_tag"
echo "::endgroup::"
echo "os_tag=$os_tag" >> $Env:GITHUB_OUTPUT
- name: Generate tags
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ matrix.component }}
context: ${{ env.TRUNK_ONLY_EVENT && 'git' || 'github' }}
tags: |
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ steps.base_os_tag.outputs.os_tag }}-
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ steps.base_os_tag.outputs.os_tag }}
type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,prefix=${{ steps.base_os_tag.outputs.os_tag }}-,suffix=-latest
type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }}-latest
type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{ steps.base_os_tag.outputs.os_tag }}-latest
type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ steps.base_os_tag.outputs.os_tag }}-
type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }}
flavor: |
latest=false
- name: Download SHA256 tag of ${{ env.BASE_BUILD_IMAGE_NAME }}:${{ matrix.os }}
uses: actions/cache@v4
with:
path: ${{ env.BASE_BUILD_IMAGE_NAME }}_${{ matrix.os }}_${{ matrix.component }}
key: ${{ env.BASE_BUILD_IMAGE_NAME }}-${{ matrix.os }}-${{ github.run_id }}
- name: Retrieve ${{ env.BASE_BUILD_IMAGE_NAME }}:${{ matrix.os }} SHA256 tag
id: base_build
env:
BASE_BUILD_IMAGE_NAME: ${{ env.BASE_BUILD_IMAGE_NAME }}
MATRIX_OS: ${{ matrix.os }}
MATRIX_COMPONENT: ${{ matrix.component }}
DOCKER_REPOSITORY: ${{ env.DOCKER_REPOSITORY }}
IMAGES_PREFIX: ${{ env.IMAGES_PREFIX }}
run: |
$base_image_file=$Env:BASE_BUILD_IMAGE_NAME + '_' + $Env:MATRIX_OS + '_' + $Env:MATRIX_COMPONENT
$base_tag = Get-Content $base_image_file -Raw
$build_base_image="$Env:DOCKER_REPOSITORY/$Env:IMAGES_PREFIX$Env:BASE_BUILD_IMAGE_NAME@" + $base_tag
echo "::group::Base image Info"
echo "base_tag=$base_tag"
echo "base_build_image=$build_base_image"
echo "::endgroup::"
echo "base_tag=$base_tag" >> $Env:GITHUB_OUTPUT
echo "base_build_image=$build_base_image" >> $Env:GITHUB_OUTPUT
- name: Verify ${{ env.BASE_BUILD_IMAGE_NAME }}:${{ matrix.os }} cosign
env:
BASE_IMAGE: ${{ steps.base_build.outputs.base_build_image }}
OIDC_ISSUER: ${{ env.OIDC_ISSUER }}
IDENITY_REGEX: ${{ env.IDENITY_REGEX }}
run: |
cosign verify `
--certificate-oidc-issuer-regexp "$Env:OIDC_ISSUER" `
--certificate-identity-regexp "$Env:IDENITY_REGEX" `
"$Env:BASE_IMAGE"
- name: Build and push image
id: docker_build
env:
DOCKERFILES_DIRECTORY: ${{ env.DOCKERFILES_DIRECTORY }}
BASE_BUILD_IMAGE: ${{ steps.base_build.outputs.base_build_image }}
BASE_BUILD_IMAGE_NAME: ${{ env.BASE_BUILD_IMAGE_NAME }}
MATRIX_COMPONENT: ${{ matrix.component }}
TAGS: ${{ steps.meta.outputs.tags }}
BASE_BUILD_OS_TAG: ${{ steps.base_os_tag.outputs.os_tag }}
LABEL_REVISION: ${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
LABEL_CREATED: ${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
PWSH_BASE_IMAGE_NAME: ${{ env.PWSH_BASE_IMAGE_NAME }}
PWSH_BASE_IMAGE_PREFIX: ${{ env.PWSH_BASE_IMAGE_PREFIX }}
AUTO_PUSH_IMAGES: ${{ env.AUTO_PUSH_IMAGES }}
run: |
echo "::group::Docker version"
docker version
echo "::endgroup::"
echo "::group::Docker info"
docker info
echo "::endgroup::"
$context="$Env:DOCKERFILES_DIRECTORY\$Env:MATRIX_COMPONENT\windows\"
$dockerfile= $context + 'Dockerfile'
$base_build_image= $Env:BASE_BUILD_IMAGE
# Can not build on GitHub due existing symlink. Must be removed before build process
Remove-Item -ErrorAction Ignore -Force -Path $context\README.md
$tags_array=$( "$Env:TAGS".Split("`n") )
$tags=$( $tags_array | Foreach-Object { "--tag=$_" } )
# PowerShell images based on LTSC 2019 and LTSC 2016 do not have "ltsc" prefix
$os_tag_suffix=$Env:BASE_BUILD_OS_TAG
$os_tag_suffix=$os_tag_suffix -replace "ltsc2019",'1809'
$base_image=$Env:PWSH_BASE_IMAGE_NAME + ':' + $Env:PWSH_BASE_IMAGE_PREFIX + $os_tag_suffix
echo "::group::Image tags"
echo "$Env:TAGS"
echo "::endgroup::"
echo "::group::Pull build base image"
docker pull $base_build_image
if (-not $?) {throw "Failed"}
echo "::endgroup::"
echo "::group::Pull Powershell base image"
docker pull $base_image
if (-not $?) {throw "Failed"}
echo "::endgroup::"
echo "::group::Build Image"
Write-Host @"
docker build --label org.opencontainers.image.revision=$Env:LABEL_REVISION
--label org.opencontainers.image.created=$Env:LABEL_CREATED
--build-arg=BUILD_BASE_IMAGE=$base_build_image
--build-arg=BASE_IMAGE=$base_image
--file=$dockerfile
$tags
$context
"@
docker build --label org.opencontainers.image.revision=$Env:LABEL_REVISION `
--label org.opencontainers.image.created=$Env:LABEL_CREATED `
--build-arg=BUILD_BASE_IMAGE=$base_build_image `
--build-arg=BASE_IMAGE=$base_image `
--file=$dockerfile `
$tags `
$context
if (-not $?) {throw "Failed"}
echo "::endgroup::"
echo "::group::Publish Image"
if ( $Env:AUTO_PUSH_IMAGES -eq 'true' ) {
Foreach ($tag in $tags_array) {
echo "docker image push $tag"
docker image push $tag
if (-not $?) {throw "Failed"}
}
$digest=$(docker inspect $tags_array[0] --format "{{ index .RepoDigests 0}}").Split('@')[-1]
if (-not $?) {throw "Failed"}
echo "Image digest got from RepoDigests"
}
else {
$digest=$(docker inspect $tags_array[0] --format "{{ index .Id}}")
if (-not $?) {throw "Failed"}
echo "Image digest got from Id"
}
echo "::endgroup::"
echo "::group::Digest"
echo "$digest"
echo "::endgroup::"
echo "digest=$digest" >> $Env:GITHUB_OUTPUT
- name: Sign the images with GitHub OIDC Token
env:
DIGEST: ${{ steps.docker_build.outputs.digest }}
TAGS: ${{ steps.meta.outputs.tags }}
run: |
$tags_array=$( "$Env:TAGS".Split("`n") )
$tag_list=@()
foreach ($tag in $tags_array) {
$tag_name=$tag.Split(":")[0]
$tag_list+="$tag_name@$Env:DIGEST"
}
echo "::group::Images to sign"
echo "$tag_list"
echo "::endgroup::"
echo "::group::Signing"
echo "cosign sign --yes $tag_list"
cosign sign --yes $tag_list
echo "::endgroup::"
- name: Image digest
if: ${{ env.AUTO_PUSH_IMAGES }}
env:
DIGEST: ${{ steps.docker_build.outputs.digest }}
run: |
echo "::group::Image digest"
echo "$Env:DIGEST"
echo "::endgroup::"