diff --git a/.github/workflows/base_images_build_windows.yml b/.github/workflows/base_images_build_windows.yml deleted file mode 100644 index ea37fc778..000000000 --- a/.github/workflows/base_images_build_windows.yml +++ /dev/null @@ -1,328 +0,0 @@ -name: Build base images (DockerHub, Windows) - -on: - push: - branches: - - '[0-9]+.[0-9]+' - - 'trunk' - paths: - - 'Dockerfiles/build-base/windows/*' - - '!**/README.md' - - '.github/workflows/base_images_build_windows.yml' - schedule: - - cron: '0 10 * * 2,5' - workflow_dispatch: - workflow_call: - -defaults: - run: - shell: pwsh - -permissions: - contents: read - -env: - TRUNK_ONLY_EVENT: ${{ contains(fromJSON('["schedule"]'), github.event_name) }} - AUTO_PUSH_IMAGES: ${{ vars.AUTO_PUSH_IMAGES }} - - DOCKER_REPOSITORY: ${{ vars.DOCKER_REPOSITORY }} - LATEST_BRANCH: ${{ github.event.repository.default_branch }} - TRUNK_GIT_BRANCH: "refs/heads/trunk" - IMAGES_PREFIX: "zabbix-" - - MSFT_BASE_BUILD_IMAGE: "mcr.microsoft.com/windows/servercore" - PWSH_BASE_IMAGE_NAME: "mcr.microsoft.com/powershell" - PWSH_BASE_IMAGE_PREFIX: "lts-nanoserver-" - - BASE_IMAGE_NAME: "build-base" - BASE_BUILD_IMAGE_NAME: "build-mysql" - - MATRIX_FILE: "build.json" - DOCKERFILES_DIRECTORY: "Dockerfiles" - - OIDC_ISSUER: "https://token.actions.githubusercontent.com" - IDENITY_REGEX: "https://github.com/zabbix/zabbix-docker/.github/" - -jobs: - init_build: - name: Initialize build - runs-on: ubuntu-latest - permissions: - contents: read - outputs: - os: ${{ steps.os.outputs.list }} - components: ${{ steps.components.outputs.list }} - is_default_branch: ${{ steps.branch_info.outputs.is_default_branch }} - current_branch: ${{ steps.branch_info.outputs.current_branch }} - sha_short: ${{ steps.branch_info.outputs.sha_short }} - steps: - - name: Block egress traffic - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - disable-sudo: true - egress-policy: block - allowed-endpoints: > - github.com:443 - - - name: Checkout repository - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }} - fetch-depth: 1 - sparse-checkout: ${{ env.MATRIX_FILE }} - - - name: Check ${{ env.MATRIX_FILE }} file - id: build_exists - shell: bash - env: - MATRIX_FILE: ${{ env.MATRIX_FILE }} - run: | - if [[ ! -f "$MATRIX_FILE" ]]; then - echo "::error::File $MATRIX_FILE is missing" - exit 1 - fi - - - name: Prepare Operating System list - id: os - shell: bash - env: - MATRIX_FILE: ${{ env.MATRIX_FILE }} - run: | - os_list=$(jq -r '.["os-windows"] | keys | [ .[] | tostring ] | @json' "$MATRIX_FILE") - - echo "::group::Operating System List" - echo "$os_list" - echo "::endgroup::" - - echo "list=$os_list" >> $GITHUB_OUTPUT - - - name: Prepare Zabbix component list - id: components - shell: bash - run: | - component_list='["agent","agent2"]' - - echo "::group::Zabbix Component List" - echo "$component_list" - echo "::endgroup::" - - echo "list=$component_list" >> $GITHUB_OUTPUT - - - name: Get branch info - id: branch_info - shell: bash - env: - LATEST_BRANCH: ${{ env.LATEST_BRANCH }} - github_ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || github.ref }} - run: | - result=false - sha_short=$(git rev-parse --short HEAD) - - if [[ "$github_ref" == "refs/tags/"* ]]; then - github_ref=${github_ref%.*} - fi - - github_ref=${github_ref##*/} - - if [[ "$github_ref" == "$LATEST_BRANCH" ]]; then - result=true - fi - - echo "::group::Branch data" - echo "is_default_branch - $result" - echo "current_branch - $github_ref" - echo "sha_short - $sha_short" - echo "::endgroup::" - - echo "is_default_branch=$result" >> $GITHUB_OUTPUT - echo "current_branch=$github_ref" >> $GITHUB_OUTPUT - echo "sha_short=$sha_short" >> $GITHUB_OUTPUT - - build_base: - name: Build ${{ matrix.component }} base on ${{ matrix.os }} - needs: init_build - runs-on: ${{ matrix.os }} - timeout-minutes: 50 - permissions: - contents: read - id-token: write - strategy: - fail-fast: false - matrix: - os: ${{ fromJson(needs.init_build.outputs.os) }} - component: ${{ fromJson(needs.init_build.outputs.components) }} - steps: - - name: Checkout repository - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }} - fetch-depth: 1 - - - name: Install cosign - uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 - with: - cosign-release: 'v2.2.3' - - - name: Check cosign version - run: cosign version - - - name: Login to DockerHub - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 - with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} - - - name: Base Windows OS tag - id: base_os_tag - env: - MATRIX_OS: ${{ matrix.os }} - MATRIX_FILE: ${{ env.MATRIX_FILE }} - run: | - $os_tag=$(Get-Content -Path $Env:MATRIX_FILE | ConvertFrom-Json).'os-windows'."$Env:MATRIX_OS" - - echo "::group::Base Microsoft Windows OS tag" - echo "$os_tag" - echo "::endgroup::" - - echo "os_tag=$os_tag" >> $Env:GITHUB_OUTPUT - - - name: Generate tags - id: meta - uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 - with: - images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ env.BASE_IMAGE_NAME }} - context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} - tags: | - type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}- - type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ steps.base_os_tag.outputs.os_tag }},prefix=${{ matrix.component }}- - type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-,suffix=-latest - type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }}-latest,prefix=${{ matrix.component }}- - type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-latest - type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}- - type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }},prefix=${{ matrix.component }}- - flavor: | - latest=false - - - name: Build and push image - id: docker_build - env: - DOCKERFILES_DIRECTORY: ${{ env.DOCKERFILES_DIRECTORY }} - BASE_BUILD_IMAGE: ${{ env.MSFT_BASE_BUILD_IMAGE }} - BASE_IMAGE_NAME: ${{ env.BASE_IMAGE_NAME }} - MATRIX_COMPONENT: ${{ matrix.component }} - TAGS: ${{ steps.meta.outputs.tags }} - BASE_OS_TAG: ${{ steps.base_os_tag.outputs.os_tag }} - LABEL_REVISION: ${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} - LABEL_CREATED: ${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} - AUTO_PUSH_IMAGES: ${{ env.AUTO_PUSH_IMAGES }} - run: | - echo "::group::Docker version" - docker version - echo "::endgroup::" - echo "::group::Docker info" - docker info - echo "::endgroup::" - - $context="$Env:DOCKERFILES_DIRECTORY\$Env:BASE_IMAGE_NAME\windows\" - $dockerfile= $context + 'Dockerfile.' + $Env:MATRIX_COMPONENT - $base_os_image= $Env:BASE_BUILD_IMAGE + ':' + $Env:BASE_OS_TAG - # Can not build on GitHub due existing symlink. Must be removed before build process - Remove-Item -ErrorAction Ignore -Force -Path $context\README.md - - $tags_array=$( "$Env:TAGS".Split("`n") ) - $tags=$( $tags_array | Foreach-Object { "--tag=$_" } ) - - echo "::group::Image tags" - echo "$Env:TAGS" - echo "::endgroup::" - echo "::group::Pull base image" - docker pull $base_os_image - if (-not $?) {throw "Failed"} - echo "::endgroup::" - - echo "::group::Build Image" - Write-Host @" - docker build --label org.opencontainers.image.revision=$Env:LABEL_REVISION - --label org.opencontainers.image.created=$Env:LABEL_CREATED - --build-arg=BUILD_BASE_IMAGE=$base_os_image - --file=$dockerfile - $tags - $context - "@ - - docker build --label org.opencontainers.image.revision=$Env:LABEL_REVISION ` - --label org.opencontainers.image.created=$Env:LABEL_CREATED ` - --build-arg=BUILD_BASE_IMAGE=$base_os_image ` - --file=$dockerfile ` - $tags ` - $context - if (-not $?) {throw "Failed"} - echo "::endgroup::" - - echo "::group::Publish Image" - if ( $Env:AUTO_PUSH_IMAGES -eq 'true' ) { - Foreach ($tag in $tags_array) { - echo "docker image push $tag" - docker image push $tag - if (-not $?) {throw "Failed"} - } - - $digest=$(docker inspect $tags_array[0] --format "{{ index .RepoDigests 0}}").Split('@')[-1] - if (-not $?) {throw "Failed"} - echo "Image digest got from RepoDigests" - } - else { - $digest=$(docker inspect $tags_array[0] --format "{{ index .Id}}") - if (-not $?) {throw "Failed"} - echo "Image digest got from Id" - } - echo "::endgroup::" - - echo "::group::Digest" - echo "$digest" - echo "::endgroup::" - echo "digest=$digest" >> $Env:GITHUB_OUTPUT - - - name: Sign the images with GitHub OIDC Token - env: - DIGEST: ${{ steps.docker_build.outputs.digest }} - TAGS: ${{ steps.meta.outputs.tags }} - run: | - $tags_array=$( "$Env:TAGS".Split("`n") ) - $tag_list=@() - - - foreach ($tag in $tags_array) { - $tag_name=$tag.Split(":")[0] - $tag_list+="$tag_name@$Env:DIGEST" - } - echo "::group::Images to sign" - echo "$tag_list" - echo "::endgroup::" - - echo "::group::Signing" - echo "cosign sign --yes $tag_list" - cosign sign --yes $tag_list - echo "::endgroup::" - - - name: Image digest - if: ${{ env.AUTO_PUSH_IMAGES }} - env: - DIGEST: ${{ steps.docker_build.outputs.digest }} - CACHE_FILE_NAME: ${{ env.BASE_IMAGE_NAME }}_${{ matrix.os }}_${{ matrix.component }} - run: | - echo "::group::Image digest" - echo "$Env:DIGEST" - echo "::endgroup::" - - echo "::group::Cache file name" - echo "$Env:CACHE_FILE_NAME" - echo "::endgroup::" - - $Env:DIGEST | Set-Content -Path $Env:CACHE_FILE_NAME - - - name: Cache image digest - uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 - with: - path: ${{ env.BASE_IMAGE_NAME }}_${{ matrix.os }}_${{ matrix.component }} - key: ${{ env.BASE_IMAGE_NAME }}-${{ matrix.os }}-${{ needs.init_build.outputs.current_branch }} diff --git a/.github/workflows/images_build_windows.yml b/.github/workflows/images_build_windows.yml index 9207bc6d4..154f26431 100644 --- a/.github/workflows/images_build_windows.yml +++ b/.github/workflows/images_build_windows.yml @@ -141,15 +141,197 @@ jobs: echo "sha_short=$sha_short" >> $GITHUB_OUTPUT build_base: - uses: ./.github/workflows/base_images_build_windows.yml - if: ${{ github.event_name == 'release' }} + name: Build ${{ matrix.component }} base on ${{ matrix.os }} + needs: init_build + runs-on: ${{ matrix.os }} + timeout-minutes: 70 permissions: contents: read id-token: write + strategy: + fail-fast: false + matrix: + os: ${{ fromJson(needs.init_build.outputs.os) }} + component: ${{ fromJson(needs.init_build.outputs.components) }} + steps: + - name: Checkout repository + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }} + fetch-depth: 1 + + - name: Install cosign + uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 + with: + cosign-release: 'v2.2.3' + + - name: Check cosign version + run: cosign version + + - name: Login to DockerHub + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} + + - name: Base Windows OS tag + id: base_os_tag + env: + MATRIX_OS: ${{ matrix.os }} + MATRIX_FILE: ${{ env.MATRIX_FILE }} + run: | + $os_tag=$(Get-Content -Path $Env:MATRIX_FILE | ConvertFrom-Json).'os-windows'."$Env:MATRIX_OS" + + echo "::group::Base Microsoft Windows OS tag" + echo "$os_tag" + echo "::endgroup::" + + echo "os_tag=$os_tag" >> $Env:GITHUB_OUTPUT + + - name: Generate tags + id: meta + uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 + with: + images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ env.BASE_IMAGE_NAME }} + context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} + tags: | + type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}- + type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ steps.base_os_tag.outputs.os_tag }},prefix=${{ matrix.component }}- + type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-,suffix=-latest + type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }}-latest,prefix=${{ matrix.component }}- + type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-latest + type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}- + type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }},prefix=${{ matrix.component }}- + flavor: | + latest=false + + - name: Build and push image + id: docker_build + env: + DOCKERFILES_DIRECTORY: ${{ env.DOCKERFILES_DIRECTORY }} + BASE_BUILD_IMAGE: ${{ env.MSFT_BASE_BUILD_IMAGE }} + BASE_IMAGE_NAME: ${{ env.BASE_IMAGE_NAME }} + MATRIX_COMPONENT: ${{ matrix.component }} + TAGS: ${{ steps.meta.outputs.tags }} + BASE_OS_TAG: ${{ steps.base_os_tag.outputs.os_tag }} + LABEL_REVISION: ${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} + LABEL_CREATED: ${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} + AUTO_PUSH_IMAGES: ${{ env.AUTO_PUSH_IMAGES }} + run: | + echo "::group::Docker version" + docker version + echo "::endgroup::" + echo "::group::Docker info" + docker info + echo "::endgroup::" + + $context="$Env:DOCKERFILES_DIRECTORY\$Env:BASE_IMAGE_NAME\windows\" + $dockerfile= $context + 'Dockerfile.' + $Env:MATRIX_COMPONENT + $base_os_image= $Env:BASE_BUILD_IMAGE + ':' + $Env:BASE_OS_TAG + # Can not build on GitHub due existing symlink. Must be removed before build process + Remove-Item -ErrorAction Ignore -Force -Path $context\README.md + + $tags_array=$( "$Env:TAGS".Split("`n") ) + $tags=$( $tags_array | Foreach-Object { "--tag=$_" } ) + + echo "::group::Image tags" + echo "$Env:TAGS" + echo "::endgroup::" + echo "::group::Pull base image" + docker pull $base_os_image + if (-not $?) {throw "Failed"} + echo "::endgroup::" + + echo "::group::Build Image" + Write-Host @" + docker build --label org.opencontainers.image.revision=$Env:LABEL_REVISION + --label org.opencontainers.image.created=$Env:LABEL_CREATED + --build-arg=BUILD_BASE_IMAGE=$base_os_image + --file=$dockerfile + $tags + $context + "@ + + docker build --label org.opencontainers.image.revision=$Env:LABEL_REVISION ` + --label org.opencontainers.image.created=$Env:LABEL_CREATED ` + --build-arg=BUILD_BASE_IMAGE=$base_os_image ` + --file=$dockerfile ` + $tags ` + $context + if (-not $?) {throw "Failed"} + echo "::endgroup::" + + echo "::group::Publish Image" + if ( $Env:AUTO_PUSH_IMAGES -eq 'true' ) { + Foreach ($tag in $tags_array) { + echo "docker image push $tag" + docker image push $tag + if (-not $?) {throw "Failed"} + } + + $digest=$(docker inspect $tags_array[0] --format "{{ index .RepoDigests 0}}").Split('@')[-1] + if (-not $?) {throw "Failed"} + echo "Image digest got from RepoDigests" + } + else { + $digest=$(docker inspect $tags_array[0] --format "{{ index .Id}}") + if (-not $?) {throw "Failed"} + echo "Image digest got from Id" + } + echo "::endgroup::" + + echo "::group::Digest" + echo "$digest" + echo "::endgroup::" + echo "digest=$digest" >> $Env:GITHUB_OUTPUT + + - name: Sign the images with GitHub OIDC Token + env: + DIGEST: ${{ steps.docker_build.outputs.digest }} + TAGS: ${{ steps.meta.outputs.tags }} + run: | + $tags_array=$( "$Env:TAGS".Split("`n") ) + $tag_list=@() + + + foreach ($tag in $tags_array) { + $tag_name=$tag.Split(":")[0] + $tag_list+="$tag_name@$Env:DIGEST" + } + echo "::group::Images to sign" + echo "$tag_list" + echo "::endgroup::" + + echo "::group::Signing" + echo "cosign sign --yes $tag_list" + cosign sign --yes $tag_list + echo "::endgroup::" + + - name: Image digest + if: ${{ env.AUTO_PUSH_IMAGES }} + env: + DIGEST: ${{ steps.docker_build.outputs.digest }} + CACHE_FILE_NAME: ${{ env.BASE_IMAGE_NAME }}_${{ matrix.os }}_${{ matrix.component }} + run: | + echo "::group::Image digest" + echo "$Env:DIGEST" + echo "::endgroup::" + + echo "::group::Cache file name" + echo "$Env:CACHE_FILE_NAME" + echo "::endgroup::" + + $Env:DIGEST | Set-Content -Path $Env:CACHE_FILE_NAME + + - name: Cache image digest + uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 + with: + path: ${{ env.BASE_IMAGE_NAME }}_${{ matrix.os }}_${{ matrix.component }} + key: ${{ env.BASE_IMAGE_NAME }}-${{ matrix.os }}-${{ github.run_id }} build_components: name: Build ${{ matrix.component }} sources on ${{ matrix.os }} - needs: [ "init_build" ] + needs: [ "build_base", "init_build"] runs-on: ${{ matrix.os }} timeout-minutes: 70 permissions: @@ -216,8 +398,7 @@ jobs: uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 with: path: ${{ env.BASE_IMAGE_NAME }}_${{ matrix.os }}_${{ matrix.component }} - key: ${{ env.BASE_IMAGE_NAME }}-${{ matrix.os }}-${{ needs.init_build.outputs.current_branch }} - fail-on-cache-miss: true + key: ${{ env.BASE_IMAGE_NAME }}-${{ matrix.os }}-${{ github.run_id }} - name: Retrieve ${{ env.BASE_IMAGE_NAME }}:${{ matrix.os }} SHA256 tag id: base_build