name: Build images (RedHat) on: release: types: - published workflow_dispatch: defaults: run: shell: bash permissions: contents: read env: AUTO_PUSH_IMAGES: ${{ contains(fromJSON('["workflow_dispatch"]'), github.event_name) && 'false' || vars.AUTO_PUSH_IMAGES }} LATEST_BRANCH: ${{ github.event.repository.default_branch }} TRUNK_GIT_BRANCH: "refs/heads/trunk" IMAGES_PREFIX: "zabbix-" BASE_BUILD_NAME: "build-base" MATRIX_FILE: "build.json" DOCKERFILES_DIRECTORY: "Dockerfiles" OIDC_ISSUER: "https://token.actions.githubusercontent.com" IDENITY_REGEX: "https://github.com/zabbix/zabbix-docker/.github/" REGISTRY: "quay.io" REGISTRY_NAMESPACE: "redhat-isv-containers" PREFLIGHT_IMAGE: "quay.io/opdev/preflight:stable" PFLT_LOGLEVEL: "warn" PFLT_ARTIFACTS: "/tmp/artifacts" jobs: init_build: name: Initialize build runs-on: ubuntu-latest permissions: contents: read outputs: platforms: ${{ steps.platform_list.outputs.list }} components: ${{ steps.components.outputs.list }} is_default_branch: ${{ steps.branch_info.outputs.is_default_branch }} current_branch: ${{ steps.branch_info.outputs.current_branch }} sha_short: ${{ steps.branch_info.outputs.sha_short }} secret_prefix: ${{ steps.branch_info.outputs.secret_prefix }} steps: - name: Block egress traffic uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 with: disable-sudo: true egress-policy: block allowed-endpoints: > github.com:443 - name: Checkout repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 1 - name: Check ${{ env.MATRIX_FILE }} file id: build_exists env: MATRIX_FILE: ${{ env.MATRIX_FILE }} run: | if [[ ! -f "$MATRIX_FILE" ]]; then echo "::error::File $MATRIX_FILE is missing" exit 1 fi - name: Prepare Platform list id: platform_list env: MATRIX_FILE: ${{ env.MATRIX_FILE }} run: | platform_list=$(jq -r '.["os-linux"].rhel | @json' "$MATRIX_FILE") echo "::group::Platform List" echo "$platform_list" echo "::endgroup::" echo "list=$platform_list" >> $GITHUB_OUTPUT - name: Prepare Zabbix component list id: components env: MATRIX_FILE: ${{ env.MATRIX_FILE }} run: | component_list=$(jq -r '.components |map_values(select(.rhel == true)) | keys | @json' "$MATRIX_FILE") echo "::group::Zabbix Component List" echo "$component_list" echo "::endgroup::" echo "list=$component_list" >> $GITHUB_OUTPUT - name: Get branch info id: branch_info shell: bash env: LATEST_BRANCH: ${{ env.LATEST_BRANCH }} github_ref: ${{ github.ref }} run: | result=false sha_short=$(git rev-parse --short HEAD) if [[ "$github_ref" == "refs/tags/"* ]]; then github_ref=${github_ref%.*} fi github_ref=${github_ref##*/} if [[ "$github_ref" == "$LATEST_BRANCH" ]]; then result=true fi echo "::group::Branch data" echo "is_default_branch - $result" echo "current_branch - $github_ref" echo "secret_prefix=RHEL_${github_ref//.}" echo "sha_short - $sha_short" echo "::endgroup::" echo "is_default_branch=$result" >> $GITHUB_OUTPUT echo "current_branch=$github_ref" >> $GITHUB_OUTPUT echo "secret_prefix=RHEL_${github_ref//.}" >> $GITHUB_OUTPUT echo "sha_short=$sha_short" >> $GITHUB_OUTPUT build_base: timeout-minutes: 30 name: Build ${{ matrix.build }} base (${{ matrix.arch }}) needs: ["init_build"] strategy: fail-fast: false matrix: build: [build-base] arch: ${{ fromJson(needs.init_build.outputs.platforms) }} runs-on: [self-hosted, linux, "${{ matrix.arch }}"] permissions: contents: read steps: - name: Checkout repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 1 - name: Install cosign uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 with: cosign-release: 'v2.2.3' - name: Check cosign version run: cosign version - name: Fix string case id: lc env: ARCH: ${{ matrix.arch }} run: | echo "arch=${ARCH,,}" >> $GITHUB_OUTPUT - name: Generate tags id: meta uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 with: images: ${{ env.IMAGES_PREFIX }}${{ matrix.build }} tags: | type=sha,suffix=-${{ steps.lc.outputs.arch }} - name: Build Zabbix Build Base id: build_image uses: redhat-actions/buildah-build@b4dc19b4ba891854660ab1f88a097d45aa158f76 # v2.12 with: context: ${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/rhel layers: false tags: ${{ steps.meta.outputs.tags }} containerfiles: | ${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/rhel/Dockerfile extra-args: | --pull - name: Image digest env: IMAGE_TAG: ${{ fromJSON(steps.meta.outputs.json).tags[0] }} CACHE_FILE_NAME: ${{ env.BASE_BUILD_NAME }}_${{ matrix.arch }} run: | DIGEST=$(podman inspect ${IMAGE_TAG} --format "{{ index .RepoDigests 0}}" | cut -d '@' -f2) echo "::group::Image digest" echo "$DIGEST" echo "::endgroup::" echo "::group::Cache file name" echo "$CACHE_FILE_NAME" echo "::endgroup::" echo "$DIGEST" > "$CACHE_FILE_NAME" - name: Cache image digest uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 with: path: ${{ env.BASE_BUILD_NAME }}_${{ matrix.arch }} key: ${{ env.BASE_BUILD_NAME }}-${{ matrix.arch }}-${{ github.run_id }} build_base_database: timeout-minutes: 180 needs: [ "build_base", "init_build"] name: Build ${{ matrix.build }} base (${{ matrix.arch }}) strategy: fail-fast: false matrix: build: [build-mysql, build-sqlite3] arch: ${{ fromJson(needs.init_build.outputs.platforms) }} runs-on: [self-hosted, linux, "${{ matrix.arch }}"] permissions: contents: read id-token: write steps: - name: Checkout repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 1 - name: Fix string case id: lc env: ARCH: ${{ matrix.arch }} run: | echo "arch=${ARCH,,}" >> $GITHUB_OUTPUT - name: Generate tags id: meta uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 with: images: ${{ env.IMAGES_PREFIX }}${{ matrix.build }} tags: | type=sha,suffix=-${{ steps.lc.outputs.arch }} - name: Download SHA256 tag of ${{ env.BASE_BUILD_NAME }}:${{ matrix.arch }} uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 with: path: ${{ env.BASE_BUILD_NAME }}_${{ matrix.arch }} key: ${{ env.BASE_BUILD_NAME }}-${{ matrix.arch }}-${{ github.run_id }} - name: Retrieve ${{ env.BASE_BUILD_NAME }}:${{ matrix.arch }} SHA256 tag id: base_build env: MATRIX_ARCH: ${{ matrix.arch }} BASE_IMAGE: ${{ env.BASE_BUILD_NAME }} IMAGES_PREFIX: ${{ env.IMAGES_PREFIX }} run: | BASE_TAG=$(cat "${BASE_IMAGE}_${MATRIX_ARCH}") BUILD_BASE_IMAGE="${IMAGES_PREFIX}${BASE_IMAGE}@${BASE_TAG}" echo "::group::Base build image information" echo "base_tag=${BASE_TAG}" echo "base_build_image=${BUILD_BASE_IMAGE}" echo "::endgroup::" echo "base_tag=${BASE_TAG}" >> $GITHUB_OUTPUT echo "base_build_image=${BUILD_BASE_IMAGE}" >> $GITHUB_OUTPUT - name: Build Zabbix Build Base id: build_image uses: redhat-actions/buildah-build@b4dc19b4ba891854660ab1f88a097d45aa158f76 # v2.12 with: context: ${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/rhel layers: false tags: ${{ steps.meta.outputs.tags }} containerfiles: | ${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/rhel/Dockerfile build-args: BUILD_BASE_IMAGE=${{ steps.base_build.outputs.base_build_image }} - name: Image digest env: IMAGE_TAG: ${{ fromJSON(steps.meta.outputs.json).tags[0] }} CACHE_FILE_NAME: ${{ matrix.build }}_${{ matrix.arch }} run: | DIGEST=$(podman inspect ${IMAGE_TAG} --format "{{ index .RepoDigests 0}}" | cut -d '@' -f2) echo "::group::Image digest" echo "$DIGEST" echo "::endgroup::" echo "::group::Cache file name" echo "$CACHE_FILE_NAME" echo "::endgroup::" echo "$DIGEST" > "$CACHE_FILE_NAME" - name: Cache image digest uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 with: path: ${{ matrix.build }}_${{ matrix.arch }} key: ${{ matrix.build }}-${{ matrix.arch }}-${{ github.run_id }} build_images: timeout-minutes: 90 needs: [ "build_base_database", "init_build"] name: Build ${{ matrix.build }} image (${{ matrix.arch }}) strategy: fail-fast: false matrix: build: ${{ fromJson(needs.init_build.outputs.components) }} arch: ${{ fromJson(needs.init_build.outputs.platforms) }} runs-on: [self-hosted, linux, "${{ matrix.arch }}"] permissions: contents: read id-token: write steps: - name: Checkout repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 1 - name: Fix string case id: lc env: ARCH: ${{ matrix.arch }} run: | echo "arch=${ARCH,,}" >> $GITHUB_OUTPUT - name: Detect Build Base Image id: build_base_image env: MATRIX_BUILD: ${{ matrix.build }} MATRIX_FILE: ${{ env.MATRIX_FILE }} run: | BUILD_BASE=$(jq -r ".components.\"$MATRIX_BUILD\".base" "$MATRIX_FILE") echo "::group::Base Build Image" echo "$BUILD_BASE" echo "::endgroup::" echo "build_base=${BUILD_BASE}" >> $GITHUB_OUTPUT - name: Log in to Quay.io uses: redhat-actions/podman-login@9184318aae1ee5034fbfbacc0388acf12669171f # v1.6 if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} with: username: ${{ format('redhat-isv-containers+{0}-robot', secrets[format('{0}_{1}_PROJECT', needs.init_build.outputs.secret_prefix, matrix.build)]) }} password: ${{ secrets[format('{0}_{1}_SECRET', needs.init_build.outputs.secret_prefix, matrix.build)] }} registry: ${{ env.REGISTRY }} auth_file_path: /tmp/.docker_${{ matrix.build }}_${{ matrix.arch }}_${{ needs.init_build.outputs.sha_short }} - name: Remove smartmontools if: ${{ matrix.build == 'agent2' }} env: DOCKERFILES_DIRECTORY: ${{ env.DOCKERFILES_DIRECTORY }} run: | sed -i '/smartmontools/d' "$DOCKERFILES_DIRECTORY/agent2/rhel/Dockerfile" - name: Generate tags id: meta uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 with: images: ${{ env.REGISTRY }}/${{ env.REGISTRY_NAMESPACE }}/${{ format('redhat-isv-containers+{0}-robot', secrets[format('{0}_{1}_PROJECT', needs.init_build.outputs.secret_prefix, matrix.build)]) }} tags: | type=semver,pattern={{version}} type=sha flavor: | latest=${{ github.event_name == 'release' }} suffix=${{ matrix.arch == 'ARM64' && '-arm64' || '' }},onlatest=true - name: Download SHA256 tag of ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.arch }} uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 with: path: ${{ steps.build_base_image.outputs.build_base }}_${{ matrix.arch }} key: ${{ steps.build_base_image.outputs.build_base }}-${{ matrix.arch }}-${{ github.run_id }} - name: Retrieve ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.arch }} SHA256 tag id: base_build env: MATRIX_ARCH: ${{ matrix.arch }} BASE_IMAGE: ${{ steps.build_base_image.outputs.build_base }} IMAGES_PREFIX: ${{ env.IMAGES_PREFIX }} run: | BASE_TAG=$(cat "${BASE_IMAGE}_${MATRIX_ARCH}") BUILD_BASE_IMAGE="${IMAGES_PREFIX}${BASE_IMAGE}@${BASE_TAG}" echo "::group::Base build image information" echo "base_tag=${BASE_TAG}" echo "base_build_image=${BUILD_BASE_IMAGE}" echo "::endgroup::" echo "base_tag=${BASE_TAG}" >> $GITHUB_OUTPUT echo "base_build_image=${BUILD_BASE_IMAGE}" >> $GITHUB_OUTPUT - name: Build ${{ matrix.build }} id: build_image uses: redhat-actions/buildah-build@b4dc19b4ba891854660ab1f88a097d45aa158f76 # v2.12 with: context: ${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/rhel layers: false tags: ${{ steps.meta.outputs.tags }} labels: | org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} containerfiles: | ${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/rhel/Dockerfile build-args: BUILD_BASE_IMAGE=${{ steps.base_build.outputs.base_build_image }} - name: Push to RedHat certification procedure id: push_to_registry if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} uses: redhat-actions/push-to-registry@9986a6552bc4571882a4a67e016b17361412b4df # v2.7.1 with: tags: ${{ steps.meta.outputs.tags }} - name: Preflight if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} env: PFLT_DOCKERCONFIG: /tmp/.docker_${{ matrix.build }}_${{ matrix.arch }}_${{ needs.init_build.outputs.sha_short }} PFLT_CERTIFICATION_PROJECT_ID: ${{ format('redhat-isv-containers+{0}-robot', secrets[format('{0}_{1}_PROJECT', needs.init_build.outputs.secret_prefix, matrix.build)]) }} PFLT_PYXIS_API_TOKEN: ${{ secrets.REDHAT_API_TOKEN }} PFLT_ARTIFACTS: ${{ env.PFLT_ARTIFACTS }} PFLT_LOGLEVEL: ${{ env.PFLT_LOGLEVEL }} IMAGE_TAG: ${{ steps.build_image.outputs.image-with-tag }} PREFLIGHT_IMAGE: ${{ env.PREFLIGHT_IMAGE }} run: | mkdir -p $PFLT_ARTIFACTS echo "::group::Pull preflight image" podman pull "$PREFLIGHT_IMAGE" echo "::endgroup::" echo "::group::Perform certification tests" podman run \ -it \ --rm \ --security-opt=label=disable \ --env PFLT_LOGLEVEL=$PFLT_LOGLEVEL \ --env PFLT_ARTIFACTS=/artifacts \ --env PFLT_LOGFILE=/artifacts/preflight.log \ --env PFLT_CERTIFICATION_PROJECT_ID=$PFLT_CERTIFICATION_PROJECT_ID \ --env PFLT_PYXIS_API_TOKEN=$PFLT_PYXIS_API_TOKEN \ --env PFLT_DOCKERCONFIG=/temp-authfile.json \ -v $PFLT_ARTIFACTS:/artifacts \ -v $PFLT_DOCKERCONFIG:/temp-authfile.json:ro \ "$PREFLIGHT_IMAGE" check container $IMAGE_TAG --submit podman rmi -i -f "$PREFLIGHT_IMAGE" echo "::endgroup::" - name: Push to RedHat certification procedure id: push_to_registry_all_tags if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} uses: redhat-actions/push-to-registry@9986a6552bc4571882a4a67e016b17361412b4df # v2.7.1 with: tags: ${{ steps.meta.outputs.tags }} - name: Cleanup artifacts if: ${{ always() }} env: PREFLIGHT_IMAGE: ${{ env.PREFLIGHT_IMAGE }} PFLT_ARTIFACTS: ${{ env.PFLT_ARTIFACTS }} TAGS: ${{ steps.meta.outputs.tags }} run: | echo "::group::Post build actions" echo "$TAGS" | while IFS= read -r image_name ; do podman rmi -i -f "$image_name"; done rm -rf "$PFLT_ARTIFACTS" podman rmi -i -f "$PREFLIGHT_IMAGE" echo "::endgroup::" clean_artifacts: timeout-minutes: 90 needs: [ "build_images", "init_build"] name: Build ${{ matrix.build }} image (${{ matrix.arch }}) strategy: fail-fast: false matrix: build: [build-mysql, build-sqlite3] arch: [X64, ARM64] runs-on: [self-hosted, linux, "${{ matrix.arch }}"] if: ${{ always() && needs.build_base_database.result == 'success' }} permissions: {} steps: - name: Download SHA256 tag of ${{ matrix.build }}:${{ matrix.arch }} uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 with: path: ${{ matrix.build }}_${{ matrix.arch }} key: ${{ matrix.build }}-${{ matrix.arch }}-${{ github.run_id }} - name: Remove ${{ matrix.build }}:${{ matrix.arch }} SHA256 tag env: MATRIX_ARCH: ${{ matrix.arch }} BASE_IMAGE: ${{ matrix.build }} IMAGES_PREFIX: ${{ env.IMAGES_PREFIX }} run: | BASE_TAG=$(cat "${BASE_IMAGE}_${MATRIX_ARCH}") BUILD_BASE_IMAGE="${IMAGES_PREFIX}${BASE_IMAGE}@${BASE_TAG}" podman rmi -i -f "$BUILD_BASE_IMAGE" - name: Download SHA256 tag of ${{ env.BASE_BUILD_NAME }}:${{ matrix.arch }} uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 with: path: ${{ env.BASE_BUILD_NAME }}_${{ matrix.arch }} key: ${{ env.BASE_BUILD_NAME }}-${{ matrix.arch }}-${{ github.run_id }} - name: Remove ${{ env.BASE_BUILD_NAME }}:${{ matrix.arch }} SHA256 tag env: MATRIX_ARCH: ${{ matrix.arch }} BASE_IMAGE: ${{ env.BASE_BUILD_NAME }} IMAGES_PREFIX: ${{ env.IMAGES_PREFIX }} run: | BASE_TAG=$(cat "${BASE_IMAGE}_${MATRIX_ARCH}") BUILD_BASE_IMAGE="${IMAGES_PREFIX}${BASE_IMAGE}@${BASE_TAG}" podman rmi -i -f "$BUILD_BASE_IMAGE"