add checkout for build step
saisatishkarra committed Apr 25, 2024
1 parent b937fb2 commit f332408
Showing 1 changed file with 34 additions and 46 deletions.
80 changes: 34 additions & 46 deletions .github/workflows/release.yaml
Expand Up @@ -16,15 +16,16 @@ on:
env:
# Use docker.io for Docker Hub if empty
REGISTRY: ghcr.io
# github.repository as <account>/<repo>
IMAGE_NAME: ${{ github.repository }}
# Format as <account>/<repo>
# Must be lower case for container tools to parse correctly
IMAGE_NAME: kong/insomnia-mockbin
HAS_ACCESS_TO_GITHUB_TOKEN: ${{ github.repository_owner == 'Kong' }}
# Local docker OCI archive name until the image is pushed to registry
DOCKER_OCI_ARCHIVE: "docker-archive"
# Always use Docker Hub for publishing image signatures
## docker.io/kong/notary - Use Public Notary repository for release image signatures
## docker.io/kong/notary-internal - Use Private Notary repository for internal image signatures
NOTARY_REPOSITORY: format('{0}/{1}', 'docker.io', ${{ github.ref_type == 'tag' && 'kong/notary' || 'kong/notary-internal' }})
NOTARY_REPOSITORY: ${{ format('{0}/{1}', 'docker.io', github.ref_type == 'tag' && 'kong/notary' || 'kong/notary-internal') }}

jobs:
check:
Expand Down Expand Up @@ -56,6 +57,9 @@ jobs:
image_tags: ${{ steps.meta.outputs.tags }}
image_tag_version: ${{ steps.meta.outputs.version }}
steps:
- name: Checkout repository
uses: actions/checkout@v3

# Set up BuildKit Docker container builder to be able to build
# multi-platform images and export cache
# https://github.com/docker/setup-buildx-action
Expand Down Expand Up @@ -102,7 +106,6 @@ jobs:
retention-days: 1

scan-images:
name: Scan Images
runs-on: ubuntu-latest
permissions:
contents: read
Expand All @@ -111,78 +114,52 @@ jobs:
if: >
github.repository_owner == 'Kong'
&& needs.build-images.result == 'success'
outputs:
image_name: ${{ env.IMAGE_NAME }}
image_manifest_sha: ${{ steps.image_manifest_metadata.outputs.sha }}
notary_repository: ${{ env.NOTARY_REPOSITORY }}
steps:

- name: Download OCI docker TAR artifact
uses: actions/download-artifact@v3
with:
name: ${{ env.DOCKER_OCI_ARCHIVE }}
path: ${{ github.workspace }}/${{ env.DOCKER_OCI_ARCHIVE }}

path: ${{ github.workspace }}
- name: Load OCI docker TAR artifact
run: |
docker load -i ${{ github.workspace }}/${{ env.DOCKER_OCI_ARCHIVE }}/${{ env.DOCKER_OCI_ARCHIVE }}.tar
docker load -i ${{ github.workspace }}/${{ env.DOCKER_OCI_ARCHIVE }}.tar
docker image ls
# Setup regctl to parse platform specific image digest from image manifest
- name: Install regctl
uses: regclient/actions/regctl-installer@main

- name: Parse architecture specific digest from image manifest
id: image_manifest_metadata
run: |
IMAGE=${{ env.IMAGE_NAME }}:${{ needs.build-images.outputs.IMAGE_TAG_VERSION }}
sha="$(regctl image digest "${IMAGE})"
echo "sha=${sha}" >> $GITHUB_OUTPUT
archs=${{ env.PLATFORMS }}
for arch in $(echo "$archs" | sed -e 's/,/ /g'); do
arch=${arch#*/}
echo "Fetching digest for ${arch}..."
sha="$(regctl image digest "${IMAGE}" --platform linux/${arch})"
echo "${arch}_image_sha=${IMAGE}@${sha}"
echo "${arch}_image_sha=${IMAGE}@${sha}" >> $GITHUB_OUTPUT
done
env:
PLATFORMS: "linux/amd64" # Comma separated list of any platforms built

- name: Scan AMD64 Image digest
if: ${{ steps.image_manifest_metadata.outputs.amd64_image_sha != '' }}
- name: Scan the docker OCI Tar ball
id: sbom_action_amd64
uses: Kong/public-shared-actions/security-actions/scan-docker-image@556e4d9756442828427007a7171683a99adf9a6a
with:
asset_prefix: image-${{ env.IMAGE_NAME }}-amd64
image: ${{steps.image_manifest_metadata.outputs.image}}:${{ steps.image_manifest_metadata.outputs.amd64_image_sha }}
image: ${{ env.DOCKER_OCI_ARCHIVE }}.tar
upload-sbom-release-assets: true

release-images:
name: Publish Images
runs-on: ubuntu-latest
permissions:
contents: write
packages: write # needed for signing the images
needs: [check, build-images, scan-images]
if: >
github.repository_owner == 'Kong'
&& github.event_name != 'pull_request'
&& needs.scan-images.result == 'success'
env:
IMAGE_TAGS: ${{ needs.build-images.outputs.image_tags }}
IMAGE_MANIFEST_SHA: ${{ needs.scan-images.outputs.image_manifest_sha }}
outputs:
image_name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
image_manifest_sha: ${{ steps.image_manifest_metadata.outputs.image_manifest_sha }}
notary_repository: ${{ env.NOTARY_REPOSITORY }}
steps:

- name: Download OCI docker TAR artifact
uses: actions/download-artifact@v3
with:
name: ${{ env.DOCKER_OCI_ARCHIVE }}
path: ${{ github.workspace }}/${{ env.DOCKER_OCI_ARCHIVE }}
path: ${{ github.workspace }}

- name: Load OCI docker TAR artifact
run: |
docker load -i ${{ github.workspace }}/${{ env.DOCKER_OCI_ARCHIVE }}/${{ env.DOCKER_OCI_ARCHIVE }}.tar
docker load -i ${{ github.workspace }}/${{ env.DOCKER_OCI_ARCHIVE }}.tar
docker image ls
# Login against a Docker registry except on PR
Expand All @@ -198,15 +175,26 @@ jobs:
id: publish_images
run: |
for tag in ${IMAGE_TAGS//,/ }; do \
docker push $tag \
docker push $tag; \
done
# Setup regctl to parse platform specific image digest from image manifest
- name: Install regctl
uses: regclient/actions/regctl-installer@main

- name: Parse architecture specific digest from image manifest
id: image_manifest_metadata
run: |
IMAGE=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.build-images.outputs.IMAGE_TAG_VERSION }}
sha="$(regctl image digest "${IMAGE}")"
echo "sha=${sha}" >> $GITHUB_OUTPUT
- name: Sign images
id: sign_images
if: ${{ env.IMAGE_MANIFEST_SHA != '' }}
if: ${{ steps.image_manifest_metadata.outputs.sha != '' }}
uses: Kong/public-shared-actions/security-actions/sign-docker-image@556e4d9756442828427007a7171683a99adf9a6a # v2.2.1
with:
image_digest: ${{ env.IMAGE_MANIFEST_SHA }}
image_digest: ${{ steps.image_manifest_metadata.outputs.sha }}
tags: ${{ env.IMAGE_TAGS }}
registry_username: ${{ github.actor }}
registry_password: ${{ secrets.GITHUB_TOKEN }}
Expand All @@ -224,9 +212,9 @@ jobs:
actions: read # For getting workflow run info to build provenance
packages: write # Required for publishing provenance. Issue: https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container#known-issues
with:
image: ${{ needs.scan-images.outputs.image_name }} # Image repository without tag. Eg: kong/insomnia-mockbins
digest: ${{ needs.scan-images.outputs.image_manifest_sha }} # Image manifest digest for the published docker image/TAR
provenance-repository: ${{ needs.scan-images.outputs.notary_repository }}
image: ${{ needs.release-images.outputs.image_name }} # Image repository without tag. Eg: kong/insomnia-mockbins
digest: ${{ needs.release-images.outputs.image_manifest_sha }} # Image manifest digest for the published docker image/TAR
provenance-repository: ${{ needs.release-images.outputs.notary_repository }}
secrets:
registry-username: ${{ github.actor }}
registry-password: ${{ secrets.GITHUB_TOKEN }}
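Review bot: The new `if: ${{ steps.image_manifest_metadata.outputs.sha != '' }}` guard on the Sign images step in release-images turns a failed digest lookup into a silent skip: by that point `docker push` has already published every tag, so the job goes green with unsigned images and the provenance job downstream receives an empty `digest`. Fail closed in the "Parse architecture specific digest" step instead, e.g. after `sha="$(regctl image digest "${IMAGE}")"` add `[ -n "${sha}" ] || { echo "::error::could not resolve digest for ${IMAGE}"; exit 1; }`, and drop the conditional on the signing step. Separately, the digest is now resolved from the registry by tag after the push rather than from the artifact that scan-images inspected, so whatever the registry serves for that tag in that window is what gets signed and attested; capturing the digest from the push output or asserting it matches the loaded archive would close that gap. The `regclient/actions/regctl-installer@main` step runs in a job holding `packages: write` and the signing token yet is pinned to a mutable branch while the Kong actions in the same job are SHA-pinned; pin it (and the new `actions/checkout@v3`) to a full commit SHA.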
