From e7366fb0a55e799e2bc632bacf115a0176adb3d9 Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Sat, 10 Feb 2024 23:04:06 +0900 Subject: [PATCH] Prepare universal workflow --- .github/workflows/images_build.yml | 14 +- .github/workflows/images_build_windows.yml | 20 +- .github/workflows/nightly_build.yml | 884 -------------------- .github/workflows/nightly_build_windows.yml | 766 ----------------- 4 files changed, 23 insertions(+), 1661 deletions(-) delete mode 100644 .github/workflows/nightly_build.yml delete mode 100644 .github/workflows/nightly_build_windows.yml diff --git a/.github/workflows/images_build.yml b/.github/workflows/images_build.yml index 9c9bbcb39..f122802ce 100644 --- a/.github/workflows/images_build.yml +++ b/.github/workflows/images_build.yml @@ -15,16 +15,21 @@ on: - '!Dockerfiles/*/rhel/*' - '!Dockerfiles/*/windows/*' - '.github/workflows/images_build.yml' + schedule: + - cron: '10 14 * * *' + workflow_dispatch: defaults: run: shell: bash env: + TRUNK_ONLY_EVENT: ${{ contains(fromJSON('["schedule"]'), github.event_name) }} AUTO_PUSH_IMAGES: ${{ vars.AUTO_PUSH_IMAGES }} DOCKER_REPOSITORY: ${{ vars.DOCKER_REPOSITORY }} LATEST_BRANCH: ${{ github.event.repository.default_branch }} + TRUNK_GIT_BRANCH: "refs/heads/trunk" IMAGES_PREFIX: "zabbix-" BASE_BUILD_NAME: "build-base" @@ -60,6 +65,7 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 with: + ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }} fetch-depth: 1 sparse-checkout: ${{ env.MATRIX_FILE }} @@ -129,7 +135,7 @@ jobs: id: branch_info env: LATEST_BRANCH: ${{ env.LATEST_BRANCH }} - github_ref: ${{ github.ref }} + github_ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || github.ref }} run: | result=false sha_short=$(git rev-parse --short HEAD) @@ -259,6 +265,7 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 with: + ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }} fetch-depth: 1 - name: Install cosign @@ -306,6 +313,7 @@ jobs: uses: docker/metadata-action@v5 with: images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ env.BASE_BUILD_NAME }} + context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} tags: | type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}- type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ matrix.os }} @@ -418,6 +426,7 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 with: + ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }} fetch-depth: 1 - name: Install cosign @@ -465,6 +474,7 @@ jobs: uses: docker/metadata-action@v5 with: images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ matrix.build }} + context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} tags: | type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}- type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ matrix.os }} @@ -712,6 +722,7 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 with: + ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }} fetch-depth: 1 - name: Install cosign @@ -788,6 +799,7 @@ jobs: uses: docker/metadata-action@v5 with: images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX}}${{ matrix.build }} + context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} tags: | type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}- type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ matrix.os }} diff --git a/.github/workflows/images_build_windows.yml b/.github/workflows/images_build_windows.yml index 1dbcfb815..e25967e04 100644 --- a/.github/workflows/images_build_windows.yml +++ b/.github/workflows/images_build_windows.yml @@ -13,7 +13,7 @@ on: - '!**/README.md' - '.github/workflows/images_build_windows.yml' schedule: - - cron: '49 12 * * *' + - cron: '05 02 * * *' workflow_dispatch: defaults: @@ -21,7 +21,7 @@ defaults: shell: pwsh env: - TRUNK_ONLY_EVENT: ${{ contains(fromJSON('["schedule", "workflow_dispatch2"]'), github.event_name) }} + TRUNK_ONLY_EVENT: ${{ contains(fromJSON('["schedule"]'), github.event_name) }} AUTO_PUSH_IMAGES: ${{ vars.AUTO_PUSH_IMAGES }} DOCKER_REPOSITORY: ${{ vars.DOCKER_REPOSITORY }} @@ -66,7 +66,7 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 with: - ref: ${{ env.TRUNK_ONLY_EVENT && env.TRUNK_GIT_BRANCH || '' }} + ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }} fetch-depth: 1 sparse-checkout: ${{ env.MATRIX_FILE }} @@ -112,7 +112,7 @@ jobs: shell: bash env: LATEST_BRANCH: ${{ env.LATEST_BRANCH }} - github_ref: ${{ env.TRUNK_ONLY_EVENT && env.TRUNK_GIT_BRANCH || github.ref }} + github_ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || github.ref }} run: | result=false sha_short=$(git rev-parse --short HEAD) @@ -154,7 +154,7 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 with: - ref: ${{ env.TRUNK_ONLY_EVENT && env.TRUNK_GIT_BRANCH || '' }} + ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }} fetch-depth: 1 - name: Install cosign @@ -190,7 +190,7 @@ jobs: uses: docker/metadata-action@v5 with: images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ env.BASE_IMAGE_NAME }} - context: ${{ env.TRUNK_ONLY_EVENT && 'git' || '' }} + context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} tags: | type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}- type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ steps.base_os_tag.outputs.os_tag }},prefix=${{ matrix.component }}- @@ -343,7 +343,7 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 with: - ref: ${{ env.TRUNK_ONLY_EVENT && env.TRUNK_GIT_BRANCH || '' }} + ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }} fetch-depth: 1 - name: Install cosign @@ -379,7 +379,7 @@ jobs: uses: docker/metadata-action@v5 with: images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ env.BASE_BUILD_IMAGE_NAME }} - context: ${{ env.TRUNK_ONLY_EVENT && 'git' || '' }} + context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} tags: | type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}- type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ steps.base_os_tag.outputs.os_tag }},prefix=${{ matrix.component }}- @@ -570,7 +570,7 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 with: - ref: ${{ env.TRUNK_ONLY_EVENT && env.TRUNK_GIT_BRANCH || '' }} + ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }} fetch-depth: 1 - name: Install cosign @@ -606,7 +606,7 @@ jobs: uses: docker/metadata-action@v5 with: images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ matrix.component }} - context: ${{ env.TRUNK_ONLY_EVENT && 'git' || '' }} + context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} tags: | type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ steps.base_os_tag.outputs.os_tag }}- type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ steps.base_os_tag.outputs.os_tag }} diff --git a/.github/workflows/nightly_build.yml b/.github/workflows/nightly_build.yml deleted file mode 100644 index 0a1c5915c..000000000 --- a/.github/workflows/nightly_build.yml +++ /dev/null @@ -1,884 +0,0 @@ -name: Build images (DockerHub) - -on: - schedule: - - cron: '5 2 * * *' - workflow_dispatch: - -defaults: - run: - shell: bash - -env: - AUTO_PUSH_IMAGES: ${{ vars.AUTO_PUSH_IMAGES }} - - DOCKER_REPOSITORY: ${{ vars.DOCKER_REPOSITORY }} - LATEST_BRANCH: ${{ github.event.repository.default_branch }} - GIT_BRANCH: "refs/heads/trunk" - IMAGES_PREFIX: "zabbix-" - - BASE_BUILD_NAME: "build-base" - - MATRIX_FILE: "build.json" - DOCKERFILES_DIRECTORY: "./Dockerfiles" - - OIDC_ISSUER: "https://token.actions.githubusercontent.com" - IDENITY_REGEX: "https://github.com/zabbix/zabbix-docker/.github/" - -jobs: - init_build: - name: Initialize build - runs-on: ubuntu-latest - permissions: - contents: read - outputs: - os: ${{ steps.os.outputs.list }} - database: ${{ steps.database.outputs.list }} - components: ${{ steps.components.outputs.list }} - is_default_branch: ${{ steps.branch_info.outputs.is_default_branch }} - current_branch: ${{ steps.branch_info.outputs.current_branch }} - sha_short: ${{ steps.branch_info.outputs.sha_short }} - steps: - - name: Block egress traffic - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - disable-sudo: true - egress-policy: block - allowed-endpoints: > - github.com:443 - - - name: Checkout repository - uses: actions/checkout@v4 - with: - ref: ${{ env.GIT_BRANCH }} - fetch-depth: 1 - sparse-checkout: ${{ env.MATRIX_FILE }} - - - name: Check ${{ env.MATRIX_FILE }} file - id: build_exists - env: - MATRIX_FILE: ${{ env.MATRIX_FILE }} - run: | - if [[ ! -f "$MATRIX_FILE" ]]; then - echo "::error::File $MATRIX_FILE is missing" - exit 1 - fi - - - name: Prepare Operating System list - id: os - env: - MATRIX_FILE: ${{ env.MATRIX_FILE }} - run: | - os_list=$(jq -r '.["os-linux"] | keys | [ .[] | tostring ] | @json' "$MATRIX_FILE") - - echo "::group::Operating System List" - echo "$os_list" - echo "::endgroup::" - - echo "list=$os_list" >> $GITHUB_OUTPUT - - - name: Prepare Platform list - id: platform_list - env: - MATRIX_FILE: ${{ env.MATRIX_FILE }} - run: | - platform_list=$(jq -r '.["os-linux"] | tostring | @json' "$MATRIX_FILE") - - echo "::group::Platform List" - echo "$platform_list" - echo "::endgroup::" - - echo "list=$platform_list" >> $GITHUB_OUTPUT - - - name: Prepare Database engine list - id: database - env: - MATRIX_FILE: ${{ env.MATRIX_FILE }} - run: | - database_list=$(jq -r '[.components | values[] ] | sort | unique | del(.. | select ( . == "" ) ) | [ .[] | tostring ] | @json' "$MATRIX_FILE") - - echo "::group::Database List" - echo "$database_list" - echo "::endgroup::" - - echo "list=$database_list" >> $GITHUB_OUTPUT - - - name: Prepare Zabbix component list - id: components - env: - MATRIX_FILE: ${{ env.MATRIX_FILE }} - run: | - component_list=$(jq -r '.components | keys | [ .[] | tostring ] | @json' "$MATRIX_FILE") - - echo "::group::Zabbix Component List" - echo "$component_list" - echo "::endgroup::" - - echo "list=$component_list" >> $GITHUB_OUTPUT - - - name: Get branch info - id: branch_info - env: - LATEST_BRANCH: ${{ env.LATEST_BRANCH }} - github_ref: ${{ github.ref }} - run: | - result=false - sha_short=$(git rev-parse --short HEAD) - - if [[ "$github_ref" == "refs/tags/"* ]]; then - github_ref=${github_ref%.*} - fi - - github_ref=${github_ref##*/} - - if [[ "$github_ref" == "$LATEST_BRANCH" ]]; then - result=true - fi - - echo "::group::Branch data" - echo "is_default_branch - $result" - echo "current_branch - $github_ref" - echo "sha_short - $sha_short" - echo "::endgroup::" - - echo "is_default_branch=$result" >> $GITHUB_OUTPUT - echo "current_branch=$github_ref" >> $GITHUB_OUTPUT - echo "sha_short=$sha_short" >> $GITHUB_OUTPUT - - build_base: - timeout-minutes: 30 - name: Build base on ${{ matrix.os }} - needs: init_build - strategy: - fail-fast: false - matrix: - os: ${{ fromJson(needs.init_build.outputs.os) }} - - runs-on: ubuntu-latest - permissions: - contents: read - id-token: write - steps: - - name: Block egress traffic - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - disable-sudo: true - egress-policy: block - allowed-endpoints: > - api.github.com:443 - archive.ubuntu.com:80 - atl.mirrors.knownhost.com:443 - atl.mirrors.knownhost.com:80 - auth.docker.io:443 - cdn03.quay.io:443 - centos-stream-distro.1gservers.com:443 - centos-stream-distro.1gservers.com:80 - dfw.mirror.rackspace.com:443 - dfw.mirror.rackspace.com:80 - dl-cdn.alpinelinux.org:443 - download.cf.centos.org:443 - download.cf.centos.org:80 - epel.mirror.constant.com:443 - ftp-nyc.osuosl.org:443 - ftp-nyc.osuosl.org:80 - ftp-osl.osuosl.org:443 - ftp-osl.osuosl.org:80 - ftp.plusline.net:443 - ftp.plusline.net:80 - ftpmirror.your.org:80 - fulcio.sigstore.dev:443 - github.com:443 - iad.mirror.rackspace.com:443 - iad.mirror.rackspace.com:80 - index.docker.io:443 - lesnet.mm.fcix.net:443 - mirror-mci.yuki.net.uk:443 - mirror-mci.yuki.net.uk:80 - mirror.arizona.edu:443 - mirror.arizona.edu:80 - mirror.dogado.de:443 - mirror.dogado.de:80 - mirror.facebook.net:443 - mirror.facebook.net:80 - mirror.fcix.net:443 - mirror.hoobly.com:443 - mirror.math.princeton.edu:443 - mirror.netzwerge.de:443 - mirror.pilotfiber.com:443 - mirror.pilotfiber.com:80 - mirror.rackspace.com:443 - mirror.rackspace.com:80 - mirror.scaleuptech.com:443 - mirror.scaleuptech.com:80 - mirror.servaxnet.com:443 - mirror.servaxnet.com:80 - mirror.siena.edu:80 - mirror.stream.centos.org:443 - mirror.stream.centos.org:80 - mirror.team-cymru.com:443 - mirror.team-cymru.com:80 - mirror1.hs-esslingen.de:443 - mirrors.centos.org:443 - mirrors.fedoraproject.org:443 - mirrors.fedoraproject.org:80 - mirrors.iu13.net:80 - mirrors.mit.edu:443 - mirrors.ocf.berkeley.edu:443 - mirrors.ocf.berkeley.edu:80 - mirrors.sonic.net:443 - mirrors.wcupa.edu:443 - mirrors.wcupa.edu:80 - mirrors.xtom.de:80 - na.edge.kernel.org:443 - nocix.mm.fcix.net:443 - oauth2.sigstore.dev:443 - objects.githubusercontent.com:443 - ports.ubuntu.com:80 - production.cloudflare.docker.com:443 - quay.io:443 - registry-1.docker.io:443 - rekor.sigstore.dev:443 - repo.ialab.dsu.edu:443 - repos.eggycrew.com:443 - repos.eggycrew.com:80 - security.ubuntu.com:80 - tuf-repo-cdn.sigstore.dev:443 - uvermont.mm.fcix.net:443 - yum.oracle.com:443 - ziply.mm.fcix.net:443 - - - name: Checkout repository - uses: actions/checkout@v4 - with: - ref: ${{ env.GIT_BRANCH }} - fetch-depth: 1 - - - name: Install cosign - uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 - with: - cosign-release: 'v2.2.3' - - - name: Check cosign version - run: cosign version - - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - with: - image: tonistiigi/binfmt:latest - platforms: all - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - with: - driver-opts: image=moby/buildkit:master - - - name: Login to DockerHub - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} - - - name: Prepare Platform list - id: platform - env: - MATRIX_OS: ${{ matrix.os }} - MATRIX_FILE: ${{ env.MATRIX_FILE }} - run: | - platform_list=$(jq -r ".[\"os-linux\"].$MATRIX_OS | join(\",\")" "$MATRIX_FILE") - platform_list="${platform_list%,}" - - echo "::group::Platform List" - echo "$platform_list" - echo "::endgroup::" - - echo "list=$platform_list" >> $GITHUB_OUTPUT - - - name: Generate tags - id: meta - uses: docker/metadata-action@v5 - with: - images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ env.BASE_BUILD_NAME }} - tags: | - type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}- - type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ matrix.os }} - type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,prefix=${{ matrix.os }}-,suffix=-latest - type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,suffix=-${{ matrix.os }}-latest - type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{matrix.os}}-latest - type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.os }}- - type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,suffix=-${{ matrix.os }} - flavor: | - latest=${{ (needs.init_build.outputs.current_branch != 'trunk') && (matrix.os == 'alpine') && ( needs.init_build.outputs.is_default_branch == 'true' ) }} - - - name: Build and publish image - id: docker_build - uses: docker/build-push-action@v5 - with: - context: ${{ env.DOCKERFILES_DIRECTORY }}/${{ env.BASE_BUILD_NAME }}/${{ matrix.os }} - file: ${{ env.DOCKERFILES_DIRECTORY }}/${{ env.BASE_BUILD_NAME }}/${{ matrix.os }}/Dockerfile - platforms: ${{ steps.platform.outputs.list }} - push: ${{ env.AUTO_PUSH_IMAGES }} - tags: ${{ steps.meta.outputs.tags }} - labels: | - org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} - org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} - cache-from: | - type=gha,scope=${{ fromJSON(steps.meta.outputs.json).tags[0] }} - type=registry,ref=docker.io/${{ fromJSON(steps.meta.outputs.json).tags[0] }} - cache-to: type=gha,mode=max,scope=${{ fromJSON(steps.meta.outputs.json).tags[0] }} - - - name: Sign the images with GitHub OIDC Token - env: - DIGEST: ${{ steps.docker_build.outputs.digest }} - TAGS: ${{ steps.meta.outputs.tags }} - run: | - images="" - for tag in ${TAGS}; do - images+="${tag}@${DIGEST} " - done - - echo "::group::Images to sign" - echo "$images" - echo "::endgroup::" - - echo "::group::Signing" - echo "cosign sign --yes $images" - cosign sign --yes ${images} - echo "::endgroup::" - - - name: Image digest - env: - DIGEST: ${{ steps.docker_build.outputs.digest }} - CACHE_FILE_NAME: ${{ env.BASE_BUILD_NAME }}_${{ matrix.os }} - run: | - echo "::group::Image digest" - echo "$DIGEST" - echo "::endgroup::" - echo "::group::Cache file name" - echo "$CACHE_FILE_NAME" - echo "::endgroup::" - - echo "$DIGEST" > "$CACHE_FILE_NAME" - - - name: Cache image digest - uses: actions/cache@v4 - with: - path: ${{ env.BASE_BUILD_NAME }}_${{ matrix.os }} - key: ${{ env.BASE_BUILD_NAME }}-${{ matrix.os }}-${{ github.run_id }} - - build_base_database: - timeout-minutes: 180 - needs: [ "build_base", "init_build"] - name: Build ${{ matrix.build }} base on ${{ matrix.os }} - strategy: - fail-fast: false - matrix: - build: ${{ fromJson(needs.init_build.outputs.database) }} - os: ${{ fromJson(needs.init_build.outputs.os) }} - - runs-on: ubuntu-latest - permissions: - contents: read - id-token: write - steps: - - name: Block egress traffic - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - disable-sudo: true - egress-policy: block - allowed-endpoints: > - api.github.com:443 - auth.docker.io:443 - git.zabbix.com:443 - github.com:443 - go.googlesource.com:443 - go.mongodb.org:443 - golang.org:443 - google.golang.org:443 - gopkg.in:443 - index.docker.io:443 - noto-website.storage.googleapis.com:443 - production.cloudflare.docker.com:443 - proxy.golang.org:443 - registry-1.docker.io:443 - storage.googleapis.com:443 - fulcio.sigstore.dev:443 - oauth2.sigstore.dev:443 - objects.githubusercontent.com:443 - tuf-repo-cdn.sigstore.dev:443 - rekor.sigstore.dev:443 - - - name: Checkout repository - uses: actions/checkout@v4 - with: - ref: ${{ env.GIT_BRANCH }} - fetch-depth: 1 - - - name: Install cosign - uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 - with: - cosign-release: 'v2.2.3' - - - name: Check cosign version - run: cosign version - - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - with: - image: tonistiigi/binfmt:latest - platforms: all - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - with: - driver-opts: image=moby/buildkit:master - - - name: Login to DockerHub - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} - - - name: Prepare Platform list - id: platform - env: - MATRIX_OS: ${{ matrix.os }} - MATRIX_FILE: ${{ env.MATRIX_FILE }} - run: | - platform_list=$(jq -r ".[\"os-linux\"].$MATRIX_OS | join(\",\")" "$MATRIX_FILE") - platform_list="${platform_list%,}" - - echo "::group::Platform List" - echo "$platform_list" - echo "::endgroup::" - - echo "list=$platform_list" >> $GITHUB_OUTPUT - - - name: Generate tags - id: meta - uses: docker/metadata-action@v5 - with: - images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ matrix.build }} - tags: | - type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}- - type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ matrix.os }} - type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,prefix=${{ matrix.os }}-,suffix=-latest - type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,suffix=-${{ matrix.os }}-latest - type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{matrix.os}}-latest - type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.os }}- - type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,suffix=-${{ matrix.os }} - flavor: | - latest=${{ (needs.init_build.outputs.current_branch != 'trunk') && (matrix.os == 'alpine') && ( needs.init_build.outputs.is_default_branch == 'true' ) }} - - - name: Download SHA256 tag of ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }} - uses: actions/cache@v4 - with: - path: ${{ env.BASE_BUILD_NAME }}_${{ matrix.os }} - key: ${{ env.BASE_BUILD_NAME }}-${{ matrix.os }}-${{ github.run_id }} - - - name: Retrieve ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }} SHA256 tag - id: base_build - env: - MATRIX_OS: ${{ matrix.os }} - DOCKER_REPOSITORY: ${{ env.DOCKER_REPOSITORY }} - BASE_IMAGE: ${{ env.BASE_BUILD_NAME }} - IMAGES_PREFIX: ${{ env.IMAGES_PREFIX }} - run: | - BASE_TAG=$(cat "${BASE_IMAGE}_${MATRIX_OS}") - BUILD_BASE_IMAGE="${DOCKER_REPOSITORY}/${IMAGES_PREFIX}${BASE_IMAGE}@${BASE_TAG}" - - echo "::group::Base build image information" - echo "base_tag=${BASE_TAG}" - echo "base_build_image=${BUILD_BASE_IMAGE}" - echo "::endgroup::" - - echo "base_tag=${BASE_TAG}" >> $GITHUB_OUTPUT - echo "base_build_image=${BUILD_BASE_IMAGE}" >> $GITHUB_OUTPUT - - - name: Verify ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }} cosign - env: - BASE_IMAGE: ${{ steps.base_build.outputs.base_build_image }} - OIDC_ISSUER: ${{ env.OIDC_ISSUER }} - IDENITY_REGEX: ${{ env.IDENITY_REGEX }} - run: | - echo "::group::Image sign data" - echo "OIDC issuer=$OIDC_ISSUER" - echo "Identity=$IDENITY_REGEX" - echo "Image to verify=$BASE_IMAGE" - echo "::endgroup::" - - echo "::group::Verify signature" - cosign verify \ - --certificate-oidc-issuer-regexp "$OIDC_ISSUER" \ - --certificate-identity-regexp "$IDENITY_REGEX" \ - "$BASE_IMAGE" - echo "::endgroup::" - - - name: Build ${{ matrix.build }}/${{ matrix.os }} and push - id: docker_build - uses: docker/build-push-action@v5 - with: - context: ${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/${{ matrix.os }} - file: ${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/${{ matrix.os }}/Dockerfile - platforms: ${{ steps.platform.outputs.list }} - push: ${{ env.AUTO_PUSH_IMAGES }} - tags: ${{ steps.meta.outputs.tags }} - build-args: BUILD_BASE_IMAGE=${{ steps.base_build.outputs.base_build_image }} - labels: | - org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} - org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} - cache-from: | - type=gha,scope=${{ fromJSON(steps.meta.outputs.json).tags[0] }} - type=registry,ref=docker.io/${{ fromJSON(steps.meta.outputs.json).tags[0] }} - cache-to: type=gha,mode=max,scope=${{ fromJSON(steps.meta.outputs.json).tags[0] }} - - - name: Sign the images with GitHub OIDC Token - env: - DIGEST: ${{ steps.docker_build.outputs.digest }} - TAGS: ${{ steps.meta.outputs.tags }} - run: | - images="" - for tag in ${TAGS}; do - images+="${tag}@${DIGEST} " - done - - echo "::group::Images to sign" - echo "$images" - echo "::endgroup::" - - echo "::group::Signing" - echo "cosign sign --yes $images" - cosign sign --yes ${images} - echo "::endgroup::" - - - name: Image digest - env: - DIGEST: ${{ steps.docker_build.outputs.digest }} - CACHE_FILE_NAME: ${{ matrix.build }}_${{ matrix.os }} - run: | - echo "::group::Image digest" - echo "$DIGEST" - echo "::endgroup::" - echo "::group::Cache file name" - echo "$CACHE_FILE_NAME" - echo "::endgroup::" - echo "$DIGEST" > $CACHE_FILE_NAME - - - name: Caching SHA256 tag of the image - uses: actions/cache@v4 - with: - path: ${{ matrix.build }}_${{ matrix.os }} - key: ${{ matrix.build }}-${{ matrix.os }}-${{ github.run_id }} - - build_images: - timeout-minutes: 90 - needs: [ "build_base_database", "init_build"] - name: Build ${{ matrix.build }} on ${{ matrix.os }} - strategy: - fail-fast: false - matrix: - build: ${{ fromJson(needs.init_build.outputs.components) }} - os: ${{ fromJson(needs.init_build.outputs.os) }} - - runs-on: ubuntu-latest - permissions: - contents: read - id-token: write - steps: - - name: Block egress traffic - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - disable-sudo: true - egress-policy: block - allowed-endpoints: > - api.github.com:443 - auth.docker.io:443 - dl-cdn.alpinelinux.org:443 - github.com:443 - index.docker.io:443 - production.cloudflare.docker.com:443 - registry-1.docker.io:443 - fulcio.sigstore.dev:443 - objects.githubusercontent.com:443 - tuf-repo-cdn.sigstore.dev:443 - rekor.sigstore.dev:443 - api.github.com:443 - atl.mirrors.knownhost.com:443 - atl.mirrors.knownhost.com:80 - auth.docker.io:443 - cdn03.quay.io:443 - centos-stream-distro.1gservers.com:443 - centos-stream-distro.1gservers.com:80 - d2lzkl7pfhq30w.cloudfront.net:443 - epel.mirror.constant.com:80 - forksystems.mm.fcix.net:80 - ftp-nyc.osuosl.org:443 - ftp-nyc.osuosl.org:80 - ftp-osl.osuosl.org:443 - ftp-osl.osuosl.org:80 - ftp.plusline.net:80 - ftpmirror.your.org:80 - github.com:443 - iad.mirror.rackspace.com:443 - index.docker.io:443 - ix-denver.mm.fcix.net:443 - mirror-mci.yuki.net.uk:443 - mirror.23m.com:80 - mirror.arizona.edu:80 - mirror.dal.nexril.net:80 - mirror.de.leaseweb.net:80 - mirror.dogado.de:80 - mirror.facebook.net:80 - mirror.hoobly.com:80 - mirror.math.princeton.edu:80 - mirror.netcologne.de:443 - mirror.netzwerge.de:443 - mirror.pilotfiber.com:443 - mirror.pilotfiber.com:80 - mirror.rackspace.com:443 - mirror.rackspace.com:80 - mirror.scaleuptech.com:443 - mirror.servaxnet.com:443 - mirror.servaxnet.com:80 - mirror.sfo12.us.leaseweb.net:80 - mirror.siena.edu:80 - mirror.steadfastnet.com:80 - mirror.team-cymru.com:443 - mirror.team-cymru.com:80 - mirror.umd.edu:443 - mirror1.hs-esslingen.de:443 - mirrors.centos.org:443 - mirrors.fedoraproject.org:443 - mirrors.iu13.net:443 - mirrors.iu13.net:80 - mirrors.ocf.berkeley.edu:443 - mirrors.sonic.net:80 - mirrors.syringanetworks.net:80 - mirrors.vcea.wsu.edu:80 - mirrors.wcupa.edu:80 - mirrors.xtom.de:80 - na.edge.kernel.org:443 - nnenix.mm.fcix.net:80 - ohioix.mm.fcix.net:80 - production.cloudflare.docker.com:443 - pubmirror1.math.uh.edu:443 - pubmirror3.math.uh.edu:80 - quay.io:443 - registry-1.docker.io:443 - repo.ialab.dsu.edu:80 - repos.eggycrew.com:80 - uvermont.mm.fcix.net:80 - ziply.mm.fcix.net:443 - fulcio.sigstore.dev:443 - objects.githubusercontent.com:443 - tuf-repo-cdn.sigstore.dev:443 - rekor.sigstore.dev:443 - oauth2.sigstore.dev:443 - api.github.com:443 - auth.docker.io:443 - github.com:443 - index.docker.io:443 - production.cloudflare.docker.com:443 - registry-1.docker.io:443 - yum.oracle.com:443 - fulcio.sigstore.dev:443 - objects.githubusercontent.com:443 - tuf-repo-cdn.sigstore.dev:443 - rekor.sigstore.dev:443 - api.github.com:443 - archive.ubuntu.com:80 - auth.docker.io:443 - deb.debian.org:80 - github.com:443 - index.docker.io:443 - keyserver.ubuntu.com:11371 - nginx.org:443 - nginx.org:80 - ports.ubuntu.com:80 - production.cloudflare.docker.com:443 - registry-1.docker.io:443 - security.ubuntu.com:80 - fulcio.sigstore.dev:443 - objects.githubusercontent.com:443 - tuf-repo-cdn.sigstore.dev:443 - rekor.sigstore.dev:443 - - - name: Checkout repository - uses: actions/checkout@v4 - with: - ref: ${{ env.GIT_BRANCH }} - fetch-depth: 1 - - - name: Install cosign - uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 - with: - cosign-release: 'v2.2.3' - - - name: Check cosign version - run: cosign version - - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - with: - image: tonistiigi/binfmt:latest - platforms: all - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - with: - driver-opts: image=moby/buildkit:master - - - name: Login to DockerHub - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} - - - name: Prepare Platform list - id: platform - env: - MATRIX_OS: ${{ matrix.os }} - MATRIX_BUILD: ${{ matrix.build }} - MATRIX_FILE: ${{ env.MATRIX_FILE }} - run: | - # Chromium on Alpine is available only on linux/amd64, linux/arm64 platforms - if ([ "$MATRIX_OS" == "alpine" ] || [ "$MATRIX_OS" == "centos" ]) && [ "$MATRIX_BUILD" == "web-service" ]; then - platform_list="linux/amd64,linux/arm64" - # Chromium on Ubuntu is not available on s390x platform - elif [ "$MATRIX_OS" == "ubuntu" ] && [ "$MATRIX_BUILD" == "web-service" ]; then - platform_list="linux/amd64,linux/arm/v7,linux/arm64" - else - platform_list=$(jq -r ".[\"os-linux\"].\"$MATRIX_OS\" | join(\",\")" "$MATRIX_FILE") - fi - - # Build only Agent and Agent2 on 386 - if [ "$MATRIX_BUILD" != "agent"* ]; then - platform_list="${platform_list#linux/386,}" - fi - - platform_list="${platform_list%,}" - - echo "::group::Platform List" - echo "$platform_list" - echo "::endgroup::" - - echo "list=$platform_list" >> $GITHUB_OUTPUT - - - name: Detect Build Base Image - id: build_base_image - env: - MATRIX_BUILD: ${{ matrix.build }} - MATRIX_FILE: ${{ env.MATRIX_FILE }} - run: | - BUILD_BASE=$(jq -r ".components.\"$MATRIX_BUILD\"" "$MATRIX_FILE") - - echo "::group::Base Build Image" - echo "$BUILD_BASE" - echo "::endgroup::" - - echo "build_base=${BUILD_BASE}" >> $GITHUB_OUTPUT - - - name: Generate tags - id: meta - uses: docker/metadata-action@v5 - with: - images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX}}${{ matrix.build }} - tags: | - type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}- - type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ matrix.os }} - type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,prefix=${{ matrix.os }}-,suffix=-latest - type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,suffix=-${{ matrix.os }}-latest - type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{matrix.os}}-latest - type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.os }}- - type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,suffix=-${{ matrix.os }} - flavor: | - latest=${{ (needs.init_build.outputs.current_branch != 'trunk') && (matrix.os == 'alpine') && ( needs.init_build.outputs.is_default_branch == 'true' ) }} - - - name: Download SHA256 tag of ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.os }} - uses: actions/cache@v4 - if: ${{ matrix.build != 'snmptraps' }} - with: - path: ${{ steps.build_base_image.outputs.build_base }}_${{ matrix.os }} - key: ${{ steps.build_base_image.outputs.build_base }}-${{ matrix.os }}-${{ github.run_id }} - - - name: Retrieve ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.os }} SHA256 tag - id: base_build - if: ${{ matrix.build != 'snmptraps' }} - env: - BUILD_BASE: ${{ steps.build_base_image.outputs.build_base }} - MATRIX_OS: ${{ matrix.os }} - DOCKER_REPOSITORY: ${{ env.DOCKER_REPOSITORY }} - IMAGES_PREFIX: ${{ env.IMAGES_PREFIX }} - run: | - BASE_TAG=$(cat "${BUILD_BASE}_${MATRIX_OS}") - BUILD_BASE_IMAGE=${DOCKER_REPOSITORY}/${IMAGES_PREFIX}${BUILD_BASE}@${BASE_TAG} - - echo "::group::Base build image information" - echo "base_tag=${BASE_TAG}" - echo "base_build_image=${BUILD_BASE_IMAGE}" - echo "::endgroup::" - - echo "base_tag=${BASE_TAG}" >> $GITHUB_OUTPUT - echo "base_build_image=${BUILD_BASE_IMAGE}" >> $GITHUB_OUTPUT - - - name: Verify ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.os }} cosign - if: ${{ matrix.build != 'snmptraps' }} - env: - BASE_IMAGE: ${{ steps.base_build.outputs.base_build_image }} - OIDC_ISSUER: ${{ env.OIDC_ISSUER }} - IDENITY_REGEX: ${{ env.IDENITY_REGEX }} - run: | - echo "::group::Image sign data" - echo "OIDC issuer=$OIDC_ISSUER" - echo "Identity=$IDENITY_REGEX" - echo "Image to verify=$BASE_IMAGE" - echo "::endgroup::" - - echo "::group::Verify signature" - cosign verify \ - --certificate-oidc-issuer-regexp "$OIDC_ISSUER" \ - --certificate-identity-regexp "$IDENITY_REGEX" \ - "$BASE_IMAGE" - echo "::endgroup::" - - - name: Build and push image - id: docker_build - uses: docker/build-push-action@v5 - with: - context: ${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/${{ matrix.os }} - file: ${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/${{ matrix.os }}/Dockerfile - platforms: ${{ steps.platform.outputs.list }} - push: ${{ env.AUTO_PUSH_IMAGES }} - tags: ${{ steps.meta.outputs.tags }} - build-args: BUILD_BASE_IMAGE=${{ steps.base_build.outputs.base_build_image }} - labels: | - org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} - org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} - cache-from: type=gha,scope=${{ fromJSON(steps.meta.outputs.json).tags[0] }} - cache-to: type=gha,mode=max,scope=${{ fromJSON(steps.meta.outputs.json).tags[0] }} - - - name: Sign the images with GitHub OIDC Token - env: - DIGEST: ${{ steps.docker_build.outputs.digest }} - TAGS: ${{ steps.meta.outputs.tags }} - run: | - images="" - for tag in ${TAGS}; do - images+="${tag}@${DIGEST} " - done - - echo "::group::Images to sign" - echo "$images" - echo "::endgroup::" - - echo "::group::Signing" - echo "cosign sign --yes $images" - cosign sign --yes ${images} - echo "::endgroup::" - - - name: Image digest - env: - DIGEST: ${{ steps.docker_build.outputs.digest }} - run: | - echo "::group::Image digest" - echo "$DIGEST" - echo "::endgroup::" diff --git a/.github/workflows/nightly_build_windows.yml b/.github/workflows/nightly_build_windows.yml deleted file mode 100644 index 411d0f6a6..000000000 --- a/.github/workflows/nightly_build_windows.yml +++ /dev/null @@ -1,766 +0,0 @@ -name: Build images (DockerHub, Windows) - -on: - schedule: - - cron: '5 2 * * *' - workflow_dispatch: - -defaults: - run: - shell: pwsh - -env: - AUTO_PUSH_IMAGES: ${{ vars.AUTO_PUSH_IMAGES }} - - DOCKER_REPOSITORY: ${{ vars.DOCKER_REPOSITORY }} - LATEST_BRANCH: ${{ github.event.repository.default_branch }} - GIT_BRANCH: "refs/heads/trunk" - IMAGES_PREFIX: "zabbix-" - - MSFT_BASE_BUILD_IMAGE: "mcr.microsoft.com/windows/servercore" - PWSH_BASE_IMAGE_NAME: "mcr.microsoft.com/powershell" - PWSH_BASE_IMAGE_PREFIX: "lts-nanoserver-" - - BASE_IMAGE_NAME: "build-base" - BASE_BUILD_IMAGE_NAME: "build-mysql" - - MATRIX_FILE: "build.json" - DOCKERFILES_DIRECTORY: "Dockerfiles" - - OIDC_ISSUER: "https://token.actions.githubusercontent.com" - IDENITY_REGEX: "https://github.com/zabbix/zabbix-docker/.github/" - -jobs: - init_build: - name: Initialize build - runs-on: ubuntu-latest - permissions: - contents: read - outputs: - os: ${{ steps.os.outputs.list }} - components: ${{ steps.components.outputs.list }} - is_default_branch: ${{ steps.branch_info.outputs.is_default_branch }} - current_branch: ${{ steps.branch_info.outputs.current_branch }} - sha_short: ${{ steps.branch_info.outputs.sha_short }} - steps: - - name: Block egress traffic - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - disable-sudo: true - egress-policy: block - allowed-endpoints: > - github.com:443 - - - name: Checkout repository - uses: actions/checkout@v4 - with: - ref: ${{ env.GIT_BRANCH }} - fetch-depth: 1 - sparse-checkout: ${{ env.MATRIX_FILE }} - - - name: Check ${{ env.MATRIX_FILE }} file - id: build_exists - shell: bash - env: - MATRIX_FILE: ${{ env.MATRIX_FILE }} - run: | - if [[ ! -f "$MATRIX_FILE" ]]; then - echo "::error::File $MATRIX_FILE is missing" - exit 1 - fi - - - name: Prepare Operating System list - id: os - shell: bash - env: - MATRIX_FILE: ${{ env.MATRIX_FILE }} - run: | - os_list=$(jq -r '.["os-windows"] | keys | [ .[] | tostring ] | @json' "$MATRIX_FILE") - - echo "::group::Operating System List" - echo "$os_list" - echo "::endgroup::" - - echo "list=$os_list" >> $GITHUB_OUTPUT - - - name: Prepare Zabbix component list - id: components - shell: bash - run: | - component_list='["agent","agent2"]' - - echo "::group::Zabbix Component List" - echo "$component_list" - echo "::endgroup::" - - echo "list=$component_list" >> $GITHUB_OUTPUT - - - name: Get branch info - id: branch_info - shell: bash - env: - LATEST_BRANCH: ${{ env.LATEST_BRANCH }} - github_ref: ${{ github.ref }} - run: | - result=false - sha_short=$(git rev-parse --short HEAD) - - if [[ "$github_ref" == "refs/tags/"* ]]; then - github_ref=${github_ref%.*} - fi - - github_ref=${github_ref##*/} - - if [[ "$github_ref" == "$LATEST_BRANCH" ]]; then - result=true - fi - - echo "::group::Branch data" - echo "is_default_branch - $result" - echo "current_branch - $github_ref" - echo "sha_short - $sha_short" - echo "::endgroup::" - - echo "is_default_branch=$result" >> $GITHUB_OUTPUT - echo "current_branch=$github_ref" >> $GITHUB_OUTPUT - echo "sha_short=$sha_short" >> $GITHUB_OUTPUT - - build_base: - name: Build ${{ matrix.component }} base on ${{ matrix.os }} - needs: init_build - runs-on: ${{ matrix.os }} - timeout-minutes: 70 - permissions: - contents: read - id-token: write - strategy: - fail-fast: false - matrix: - os: ${{ fromJson(needs.init_build.outputs.os) }} - component: ${{ fromJson(needs.init_build.outputs.components) }} - steps: - - name: Checkout repository - uses: actions/checkout@v4 - with: - ref: ${{ env.GIT_BRANCH }} - fetch-depth: 1 - - - name: Install cosign - uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 - with: - cosign-release: 'v2.2.3' - - - name: Check cosign version - run: cosign version - - - name: Login to DockerHub - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} - - - name: Base Windows OS tag - id: base_os_tag - env: - MATRIX_OS: ${{ matrix.os }} - MATRIX_FILE: ${{ env.MATRIX_FILE }} - run: | - $os_tag=$(Get-Content -Path $Env:MATRIX_FILE | ConvertFrom-Json).'os-windows'."$Env:MATRIX_OS" - - echo "::group::Base Microsoft Windows OS tag" - echo "$os_tag" - echo "::endgroup::" - - echo "os_tag=$os_tag" >> $Env:GITHUB_OUTPUT - - - name: Generate tags - id: meta - uses: docker/metadata-action@v5 - with: - images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ env.BASE_IMAGE_NAME }} - tags: | - type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}- - type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ steps.base_os_tag.outputs.os_tag }},prefix=${{ matrix.component }}- - type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-,suffix=-latest - type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }}-latest,prefix=${{ matrix.component }}- - type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-latest - type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}- - type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }},prefix=${{ matrix.component }}- - flavor: | - latest=false - - - name: Build and push image - id: docker_build - env: - DOCKERFILES_DIRECTORY: ${{ env.DOCKERFILES_DIRECTORY }} - BASE_BUILD_IMAGE: ${{ env.MSFT_BASE_BUILD_IMAGE }} - BASE_IMAGE_NAME: ${{ env.BASE_IMAGE_NAME }} - MATRIX_COMPONENT: ${{ matrix.component }} - TAGS: ${{ steps.meta.outputs.tags }} - BASE_OS_TAG: ${{ steps.base_os_tag.outputs.os_tag }} - LABEL_REVISION: ${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} - LABEL_CREATED: ${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} - AUTO_PUSH_IMAGES: ${{ env.AUTO_PUSH_IMAGES }} - run: | - echo "::group::Docker version" - docker version - echo "::endgroup::" - echo "::group::Docker info" - docker info - echo "::endgroup::" - - $context="$Env:DOCKERFILES_DIRECTORY\$Env:BASE_IMAGE_NAME\windows\" - $dockerfile= $context + 'Dockerfile.' + $Env:MATRIX_COMPONENT - $base_os_image= $Env:BASE_BUILD_IMAGE + ':' + $Env:BASE_OS_TAG - # Can not build on GitHub due existing symlink. Must be removed before build process - Remove-Item -ErrorAction Ignore -Force -Path $context\README.md - - $tags_array=$( "$Env:TAGS".Split("`n") ) - $tags=$( $tags_array | Foreach-Object { "--tag=$_" } ) - - echo "::group::Image tags" - echo "$Env:TAGS" - echo "::endgroup::" - echo "::group::Pull base image" - docker pull $base_os_image - if (-not $?) {throw "Failed"} - echo "::endgroup::" - - echo "::group::Build Image" - Write-Host @" - docker build --label org.opencontainers.image.revision=$Env:LABEL_REVISION - --label org.opencontainers.image.created=$Env:LABEL_CREATED - --build-arg=BUILD_BASE_IMAGE=$base_os_image - --file=$dockerfile - $tags - $context - "@ - - docker build --label org.opencontainers.image.revision=$Env:LABEL_REVISION ` - --label org.opencontainers.image.created=$Env:LABEL_CREATED ` - --build-arg=BUILD_BASE_IMAGE=$base_os_image ` - --file=$dockerfile ` - $tags ` - $context - if (-not $?) {throw "Failed"} - echo "::endgroup::" - - echo "::group::Publish Image" - if ( $Env:AUTO_PUSH_IMAGES -eq 'true' ) { - Foreach ($tag in $tags_array) { - echo "docker image push $tag" - docker image push $tag - if (-not $?) {throw "Failed"} - } - - $digest=$(docker inspect $tags_array[0] --format "{{ index .RepoDigests 0}}").Split('@')[-1] - if (-not $?) {throw "Failed"} - echo "Image digest got from RepoDigests" - } - else { - $digest=$(docker inspect $tags_array[0] --format "{{ index .Id}}") - if (-not $?) {throw "Failed"} - echo "Image digest got from Id" - } - echo "::endgroup::" - - echo "::group::Digest" - echo "$digest" - echo "::endgroup::" - echo "digest=$digest" >> $Env:GITHUB_OUTPUT - - - name: Sign the images with GitHub OIDC Token - env: - DIGEST: ${{ steps.docker_build.outputs.digest }} - TAGS: ${{ steps.meta.outputs.tags }} - run: | - $tags_array=$( "$Env:TAGS".Split("`n") ) - $tag_list=@() - - - foreach ($tag in $tags_array) { - $tag_name=$tag.Split(":")[0] - $tag_list+="$tag_name@$Env:DIGEST" - } - echo "::group::Images to sign" - echo "$tag_list" - echo "::endgroup::" - - echo "::group::Signing" - echo "cosign sign --yes $tag_list" - cosign sign --yes $tag_list - echo "::endgroup::" - - - name: Image digest - if: ${{ env.AUTO_PUSH_IMAGES }} - env: - DIGEST: ${{ steps.docker_build.outputs.digest }} - CACHE_FILE_NAME: ${{ env.BASE_IMAGE_NAME }}_${{ matrix.os }}_${{ matrix.component }} - run: | - echo "::group::Image digest" - echo "$Env:DIGEST" - echo "::endgroup::" - - echo "::group::Cache file name" - echo "$Env:CACHE_FILE_NAME" - echo "::endgroup::" - - $Env:DIGEST | Set-Content -Path $Env:CACHE_FILE_NAME - - - name: Cache image digest - uses: actions/cache@v4 - with: - path: ${{ env.BASE_IMAGE_NAME }}_${{ matrix.os }}_${{ matrix.component }} - key: ${{ env.BASE_IMAGE_NAME }}-${{ matrix.os }}-${{ github.run_id }} - - build_components: - name: Build ${{ matrix.component }} sources on ${{ matrix.os }} - needs: [ "build_base", "init_build"] - runs-on: ${{ matrix.os }} - timeout-minutes: 70 - permissions: - contents: read - id-token: write - strategy: - fail-fast: false - matrix: - os: ${{ fromJson(needs.init_build.outputs.os) }} - component: ${{ fromJson(needs.init_build.outputs.components) }} - steps: - - name: Checkout repository - uses: actions/checkout@v4 - with: - ref: ${{ env.GIT_BRANCH }} - fetch-depth: 1 - - - name: Install cosign - uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 - with: - cosign-release: 'v2.2.3' - - - name: Check cosign version - run: cosign version - - - name: Login to DockerHub - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} - - - name: Base OS tag - id: base_os_tag - env: - MATRIX_OS: ${{ matrix.os }} - MATRIX_FILE: ${{ env.MATRIX_FILE }} - run: | - $os_tag=$(Get-Content -Path $Env:MATRIX_FILE | ConvertFrom-Json).'os-windows'."$Env:MATRIX_OS" - - echo "::group::Base Windows OS tag" - echo "$os_tag" - echo "::endgroup::" - - echo "os_tag=$os_tag" >> $Env:GITHUB_OUTPUT - - - name: Generate tags - id: meta - uses: docker/metadata-action@v5 - with: - images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ env.BASE_BUILD_IMAGE_NAME }} - tags: | - type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}- - type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ steps.base_os_tag.outputs.os_tag }},prefix=${{ matrix.component }}- - type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-,suffix=-latest - type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }}-latest,prefix=${{ matrix.component }}- - type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-latest - type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}- - type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }},prefix=${{ matrix.component }}- - flavor: | - latest=false - - - name: Download SHA256 tag of ${{ env.BASE_IMAGE_NAME }}:${{ matrix.os }} - uses: actions/cache@v4 - with: - path: ${{ env.BASE_IMAGE_NAME }}_${{ matrix.os }}_${{ matrix.component }} - key: ${{ env.BASE_IMAGE_NAME }}-${{ matrix.os }}-${{ github.run_id }} - - - name: Retrieve ${{ env.BASE_IMAGE_NAME }}:${{ matrix.os }} SHA256 tag - id: base_build - env: - BASE_IMAGE_NAME: ${{ env.BASE_IMAGE_NAME }} - MATRIX_OS: ${{ matrix.os }} - MATRIX_COMPONENT: ${{ matrix.component }} - DOCKER_REPOSITORY: ${{ env.DOCKER_REPOSITORY }} - IMAGES_PREFIX: ${{ env.IMAGES_PREFIX }} - run: | - $base_image_file=$Env:BASE_IMAGE_NAME + '_' + $Env:MATRIX_OS + '_' + $Env:MATRIX_COMPONENT - $base_tag = Get-Content $base_image_file -Raw - $build_base_image="$Env:DOCKER_REPOSITORY/$Env:IMAGES_PREFIX$Env:BASE_IMAGE_NAME@" + $base_tag - - echo "::group::Base image Info" - echo "base_tag=$base_tag" - echo "base_build_image=$build_base_image" - echo "::endgroup::" - - echo "base_tag=$base_tag" >> $Env:GITHUB_OUTPUT - echo "base_build_image=$build_base_image" >> $Env:GITHUB_OUTPUT - - - name: Verify ${{ env.BASE_IMAGE_NAME }}:${{ matrix.os }} cosign - env: - BASE_IMAGE: ${{ steps.base_build.outputs.base_build_image }} - OIDC_ISSUER: ${{ env.OIDC_ISSUER }} - IDENITY_REGEX: ${{ env.IDENITY_REGEX }} - run: | - cosign verify ` - --certificate-oidc-issuer-regexp "$Env:OIDC_ISSUER" ` - --certificate-identity-regexp "$Env:IDENITY_REGEX" ` - "$Env:BASE_IMAGE" - - - name: Build and push image - id: docker_build - env: - DOCKERFILES_DIRECTORY: ${{ env.DOCKERFILES_DIRECTORY }} - BASE_BUILD_IMAGE: ${{ steps.base_build.outputs.base_build_image }} - BASE_BUILD_IMAGE_NAME: ${{ env.BASE_BUILD_IMAGE_NAME }} - BASE_BUILD_OS_TAG: ${{ steps.base_os_tag.outputs.os_tag }} - MATRIX_COMPONENT: ${{ matrix.component }} - TAGS: ${{ steps.meta.outputs.tags }} - LABEL_REVISION: ${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} - LABEL_CREATED: ${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} - AUTO_PUSH_IMAGES: ${{ env.AUTO_PUSH_IMAGES }} - run: | - echo "::group::Docker version" - docker version - echo "::endgroup::" - echo "::group::Docker info" - docker info - echo "::endgroup::" - - $context="$Env:DOCKERFILES_DIRECTORY\$Env:BASE_BUILD_IMAGE_NAME\windows\" - $dockerfile= $context + 'Dockerfile.' + $Env:MATRIX_COMPONENT - $base_build_image= $Env:BASE_BUILD_IMAGE - # Can not build on GitHub due existing symlink. Must be removed before build process - Remove-Item -ErrorAction Ignore -Force -Path $context\README.md - - $tags_array=$( "$Env:TAGS".Split("`n") ) - $tags=$( $tags_array | Foreach-Object { "--tag=$_" } ) - - echo "::group::Image tags" - echo "$Env:TAGS" - echo "::endgroup::" - echo "::group::Pull base image" - docker pull $base_build_image - if (-not $?) {throw "Failed"} - echo "::endgroup::" - - echo "::group::Build Image" - Write-Host @" - docker build --label org.opencontainers.image.revision=$Env:LABEL_REVISION - --label org.opencontainers.image.created=$Env:LABEL_CREATED - --build-arg=BUILD_BASE_IMAGE=$base_build_image - --file=$dockerfile - $tags - $context - "@ - - docker build --label org.opencontainers.image.revision=$Env:LABEL_REVISION ` - --label org.opencontainers.image.created=$Env:LABEL_CREATED ` - --build-arg=BUILD_BASE_IMAGE=$base_build_image ` - --file=$dockerfile ` - $tags ` - $context - if (-not $?) {throw "Failed"} - echo "::endgroup::" - - echo "::group::Publish Image" - if ( $Env:AUTO_PUSH_IMAGES -eq 'true' ) { - Foreach ($tag in $tags_array) { - echo "docker image push $tag" - docker image push $tag - if (-not $?) {throw "Failed"} - } - - $digest=$(docker inspect $tags_array[0] --format "{{ index .RepoDigests 0}}").Split('@')[-1] - if (-not $?) {throw "Failed"} - echo "Image digest got from RepoDigests" - } - else { - $digest=$(docker inspect $tags_array[0] --format "{{ index .Id}}") - if (-not $?) {throw "Failed"} - echo "Image digest got from Id" - } - echo "::endgroup::" - - echo "::group::Digest" - echo "$digest" - echo "::endgroup::" - echo "digest=$digest" >> $Env:GITHUB_OUTPUT - - - name: Sign the images with GitHub OIDC Token - env: - DIGEST: ${{ steps.docker_build.outputs.digest }} - TAGS: ${{ steps.meta.outputs.tags }} - run: | - $tags_array=$( "$Env:TAGS".Split("`n") ) - $tag_list=@() - - - foreach ($tag in $tags_array) { - $tag_name=$tag.Split(":")[0] - $tag_list+="$tag_name@$Env:DIGEST" - } - echo "::group::Images to sign" - echo "$tag_list" - echo "::endgroup::" - - echo "::group::Signing" - echo "cosign sign --yes $tag_list" - cosign sign --yes $tag_list - echo "::endgroup::" - - - name: Image digest - if: ${{ env.AUTO_PUSH_IMAGES }} - env: - DIGEST: ${{ steps.docker_build.outputs.digest }} - CACHE_FILE_NAME: ${{ env.BASE_BUILD_IMAGE_NAME }}_${{ matrix.os }}_${{ matrix.component }} - run: | - echo "::group::Image digest" - echo "$Env:DIGEST" - echo "::endgroup::" - - echo "::group::Cache file name" - echo "$Env:CACHE_FILE_NAME" - echo "::endgroup::" - - $Env:DIGEST | Set-Content -Path $Env:CACHE_FILE_NAME - - - name: Cache image digest - uses: actions/cache@v4 - with: - path: ${{ env.BASE_BUILD_IMAGE_NAME }}_${{ matrix.os }}_${{ matrix.component }} - key: ${{ env.BASE_BUILD_IMAGE_NAME }}-${{ matrix.os }}-${{ github.run_id }} - - build_images: - name: Build ${{ matrix.component }} on ${{ matrix.os }} - needs: [ "build_components", "init_build"] - runs-on: ${{ matrix.os }} - timeout-minutes: 70 - permissions: - contents: read - id-token: write - strategy: - fail-fast: false - matrix: - os: ${{ fromJson(needs.init_build.outputs.os) }} - component: ${{ fromJson(needs.init_build.outputs.components) }} - steps: - - name: Checkout repository - uses: actions/checkout@v4 - with: - ref: ${{ env.GIT_BRANCH }} - fetch-depth: 1 - - - name: Install cosign - uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 - with: - cosign-release: 'v2.2.3' - - - name: Check cosign version - run: cosign version - - - name: Login to DockerHub - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} - - - name: Base OS tag - id: base_os_tag - env: - MATRIX_OS: ${{ matrix.os }} - MATRIX_FILE: ${{ env.MATRIX_FILE }} - run: | - $os_tag=$(Get-Content -Path $Env:MATRIX_FILE | ConvertFrom-Json).'os-windows'."$Env:MATRIX_OS" - - echo "::group::Base OS tag" - echo "$os_tag" - echo "::endgroup::" - - echo "os_tag=$os_tag" >> $Env:GITHUB_OUTPUT - - - name: Generate tags - id: meta - uses: docker/metadata-action@v5 - with: - images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ matrix.component }} - tags: | - type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ steps.base_os_tag.outputs.os_tag }}- - type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ steps.base_os_tag.outputs.os_tag }} - type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,prefix=${{ steps.base_os_tag.outputs.os_tag }}-,suffix=-latest - type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }}-latest - type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{ steps.base_os_tag.outputs.os_tag }}-latest - type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ steps.base_os_tag.outputs.os_tag }}- - type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }} - flavor: | - latest=false - - - name: Download SHA256 tag of ${{ env.BASE_BUILD_IMAGE_NAME }}:${{ matrix.os }} - uses: actions/cache@v4 - with: - path: ${{ env.BASE_BUILD_IMAGE_NAME }}_${{ matrix.os }}_${{ matrix.component }} - key: ${{ env.BASE_BUILD_IMAGE_NAME }}-${{ matrix.os }}-${{ github.run_id }} - - - name: Retrieve ${{ env.BASE_BUILD_IMAGE_NAME }}:${{ matrix.os }} SHA256 tag - id: base_build - env: - BASE_BUILD_IMAGE_NAME: ${{ env.BASE_BUILD_IMAGE_NAME }} - MATRIX_OS: ${{ matrix.os }} - MATRIX_COMPONENT: ${{ matrix.component }} - DOCKER_REPOSITORY: ${{ env.DOCKER_REPOSITORY }} - IMAGES_PREFIX: ${{ env.IMAGES_PREFIX }} - run: | - $base_image_file=$Env:BASE_BUILD_IMAGE_NAME + '_' + $Env:MATRIX_OS + '_' + $Env:MATRIX_COMPONENT - $base_tag = Get-Content $base_image_file -Raw - $build_base_image="$Env:DOCKER_REPOSITORY/$Env:IMAGES_PREFIX$Env:BASE_BUILD_IMAGE_NAME@" + $base_tag - - echo "::group::Base image Info" - echo "base_tag=$base_tag" - echo "base_build_image=$build_base_image" - echo "::endgroup::" - - echo "base_tag=$base_tag" >> $Env:GITHUB_OUTPUT - echo "base_build_image=$build_base_image" >> $Env:GITHUB_OUTPUT - - - name: Verify ${{ env.BASE_BUILD_IMAGE_NAME }}:${{ matrix.os }} cosign - env: - BASE_IMAGE: ${{ steps.base_build.outputs.base_build_image }} - OIDC_ISSUER: ${{ env.OIDC_ISSUER }} - IDENITY_REGEX: ${{ env.IDENITY_REGEX }} - run: | - cosign verify ` - --certificate-oidc-issuer-regexp "$Env:OIDC_ISSUER" ` - --certificate-identity-regexp "$Env:IDENITY_REGEX" ` - "$Env:BASE_IMAGE" - - - name: Build and push image - id: docker_build - env: - DOCKERFILES_DIRECTORY: ${{ env.DOCKERFILES_DIRECTORY }} - BASE_BUILD_IMAGE: ${{ steps.base_build.outputs.base_build_image }} - BASE_BUILD_IMAGE_NAME: ${{ env.BASE_BUILD_IMAGE_NAME }} - MATRIX_COMPONENT: ${{ matrix.component }} - TAGS: ${{ steps.meta.outputs.tags }} - BASE_BUILD_OS_TAG: ${{ steps.base_os_tag.outputs.os_tag }} - LABEL_REVISION: ${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} - LABEL_CREATED: ${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} - PWSH_BASE_IMAGE_NAME: ${{ env.PWSH_BASE_IMAGE_NAME }} - PWSH_BASE_IMAGE_PREFIX: ${{ env.PWSH_BASE_IMAGE_PREFIX }} - AUTO_PUSH_IMAGES: ${{ env.AUTO_PUSH_IMAGES }} - run: | - echo "::group::Docker version" - docker version - echo "::endgroup::" - echo "::group::Docker info" - docker info - echo "::endgroup::" - - $context="$Env:DOCKERFILES_DIRECTORY\$Env:MATRIX_COMPONENT\windows\" - $dockerfile= $context + 'Dockerfile' - $base_build_image= $Env:BASE_BUILD_IMAGE - # Can not build on GitHub due existing symlink. Must be removed before build process - Remove-Item -ErrorAction Ignore -Force -Path $context\README.md - - $tags_array=$( "$Env:TAGS".Split("`n") ) - $tags=$( $tags_array | Foreach-Object { "--tag=$_" } ) - - # PowerShell images based on LTSC 2019 and LTSC 2016 do not have "ltsc" prefix - $os_tag_suffix=$Env:BASE_BUILD_OS_TAG - $os_tag_suffix=$os_tag_suffix -replace "ltsc2019",'1809' - $base_image=$Env:PWSH_BASE_IMAGE_NAME + ':' + $Env:PWSH_BASE_IMAGE_PREFIX + $os_tag_suffix - - echo "::group::Image tags" - echo "$Env:TAGS" - echo "::endgroup::" - echo "::group::Pull build base image" - docker pull $base_build_image - if (-not $?) {throw "Failed"} - echo "::endgroup::" - echo "::group::Pull Powershell base image" - docker pull $base_image - if (-not $?) {throw "Failed"} - echo "::endgroup::" - - echo "::group::Build Image" - Write-Host @" - docker build --label org.opencontainers.image.revision=$Env:LABEL_REVISION - --label org.opencontainers.image.created=$Env:LABEL_CREATED - --build-arg=BUILD_BASE_IMAGE=$base_build_image - --build-arg=BASE_IMAGE=$base_image - --file=$dockerfile - $tags - $context - "@ - - docker build --label org.opencontainers.image.revision=$Env:LABEL_REVISION ` - --label org.opencontainers.image.created=$Env:LABEL_CREATED ` - --build-arg=BUILD_BASE_IMAGE=$base_build_image ` - --build-arg=BASE_IMAGE=$base_image ` - --file=$dockerfile ` - $tags ` - $context - if (-not $?) {throw "Failed"} - echo "::endgroup::" - - echo "::group::Publish Image" - if ( $Env:AUTO_PUSH_IMAGES -eq 'true' ) { - Foreach ($tag in $tags_array) { - echo "docker image push $tag" - docker image push $tag - if (-not $?) {throw "Failed"} - } - - $digest=$(docker inspect $tags_array[0] --format "{{ index .RepoDigests 0}}").Split('@')[-1] - if (-not $?) {throw "Failed"} - echo "Image digest got from RepoDigests" - } - else { - $digest=$(docker inspect $tags_array[0] --format "{{ index .Id}}") - if (-not $?) {throw "Failed"} - echo "Image digest got from Id" - } - echo "::endgroup::" - - echo "::group::Digest" - echo "$digest" - echo "::endgroup::" - echo "digest=$digest" >> $Env:GITHUB_OUTPUT - - - name: Sign the images with GitHub OIDC Token - env: - DIGEST: ${{ steps.docker_build.outputs.digest }} - TAGS: ${{ steps.meta.outputs.tags }} - run: | - $tags_array=$( "$Env:TAGS".Split("`n") ) - $tag_list=@() - - - foreach ($tag in $tags_array) { - $tag_name=$tag.Split(":")[0] - $tag_list+="$tag_name@$Env:DIGEST" - } - echo "::group::Images to sign" - echo "$tag_list" - echo "::endgroup::" - - echo "::group::Signing" - echo "cosign sign --yes $tag_list" - cosign sign --yes $tag_list - echo "::endgroup::" - - - name: Image digest - if: ${{ env.AUTO_PUSH_IMAGES }} - env: - DIGEST: ${{ steps.docker_build.outputs.digest }} - run: | - echo "::group::Image digest" - echo "$Env:DIGEST" - echo "::endgroup::"