From f5f40563aa87a2bd0890ba7e3e08c4fc94fde48d Mon Sep 17 00:00:00 2001 From: saisatishkarra Date: Wed, 24 Apr 2024 20:24:59 -0500 Subject: [PATCH] add checkout for build step --- .github/workflows/release.yaml | 89 ++++++++++++++++------------------ 1 file changed, 42 insertions(+), 47 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 97b6a396..ab789889 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -16,15 +16,16 @@ on: env: # Use docker.io for Docker Hub if empty REGISTRY: ghcr.io - # github.repository as / - IMAGE_NAME: ${{ github.repository }} + # Format as / + # Must be lower case for container tools to parse correctly + IMAGE_NAME: kong/insomnia-mockbin HAS_ACCESS_TO_GITHUB_TOKEN: ${{ github.repository_owner == 'Kong' }} # Local docker OCI archive name until the image is pushed to registry DOCKER_OCI_ARCHIVE: "docker-archive" # Always use Docker Hub for publishing image signatures ## docker.io/kong/notary - Use Public Notary repository for release image signatures ## docker.io/kong/notary-internal - Use Private Notary repository for internal image signatures - NOTARY_REPOSITORY: format('{0}/{1}', 'docker.io', ${{ github.ref_type == 'tag' && 'kong/notary' || 'kong/notary-internal' }}) + NOTARY_REPOSITORY: ${{ github.ref_type == 'tag' && 'kong/notary' || 'kong/notary-internal' }} jobs: check: @@ -56,6 +57,9 @@ jobs: image_tags: ${{ steps.meta.outputs.tags }} image_tag_version: ${{ steps.meta.outputs.version }} steps: + - name: Checkout repository + uses: actions/checkout@v3 + # Set up BuildKit Docker container builder to be able to build # multi-platform images and export cache # https://github.com/docker/setup-buildx-action @@ -102,7 +106,6 @@ jobs: retention-days: 1 scan-images: - name: Scan Images runs-on: ubuntu-latest permissions: contents: read 
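Review bot: The comment above the new hardcoded `IMAGE_NAME: kong/insomnia-mockbin` reads only `# Format as /` followed by `# Must be lower case for container tools to parse correctly`, so it no longer tells a reader what the two path components are or why the `${{ github.repository }}` expression it replaces was dropped. Spell that out, e.g. `# <owner>/<name>, all lower case; github.repository is not used here because its owner segment may carry upper-case letters that container tools reject`. The `NOTARY_REPOSITORY` value is now a bare repository path, which presumably pairs with the new `signature_registry_domain: docker.io` input in the release-images job further down; a one-line cross-reference in the `## docker.io/kong/notary` comments would keep the two in sync.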
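Review bot: The added checkout step uses the mutable tag `actions/checkout@v3`, while the scanning and signing actions in this same workflow are pinned to full commit SHAs; a release workflow that produces signed images and provenance should pin every action the same way so a moved tag cannot change what runs. Change the line to `uses: actions/checkout@<full-commit-sha> # vX.Y.Z` (placeholder: take the SHA from the actions/checkout release you intend to use) and keep the version in the trailing comment as the file already does for the sign action. The same applies to `regclient/actions/regctl-installer@main` added in the hunk at -198, which is fetched from a branch ref and installs the tool whose reported digest is what gets signed.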
@@ -111,59 +114,32 @@ jobs: if: > github.repository_owner == 'Kong' && needs.build-images.result == 'success' - outputs: - image_name: ${{ env.IMAGE_NAME }} - image_manifest_sha: ${{ steps.image_manifest_metadata.outputs.sha }} - notary_repository: ${{ env.NOTARY_REPOSITORY }} steps: - name: Download OCI docker TAR artifact uses: actions/download-artifact@v3 with: name: ${{ env.DOCKER_OCI_ARCHIVE }} - path: ${{ github.workspace }}/${{ env.DOCKER_OCI_ARCHIVE }} - + path: ${{ github.workspace }} - name: Load OCI docker TAR artifact run: | - docker load -i ${{ github.workspace }}/${{ env.DOCKER_OCI_ARCHIVE }}/${{ env.DOCKER_OCI_ARCHIVE }}.tar + docker load -i ${{ github.workspace }}/${{ env.DOCKER_OCI_ARCHIVE }}.tar docker image ls - # Setup regctl to parse platform specific image digest from image manifest - - name: Install regctl - uses: regclient/actions/regctl-installer@main - - - name: Parse architecture specific digest from image manifest - id: image_manifest_metadata - run: | - IMAGE=${{ env.IMAGE_NAME }}:${{ needs.build-images.outputs.IMAGE_TAG_VERSION }} - sha="$(regctl image digest "${IMAGE})" - echo "sha=${sha}" >> $GITHUB_OUTPUT - archs=${{ env.PLATFORMS }} - for arch in $(echo "$archs" | sed -e 's/,/ /g'); do - arch=${arch#*/} - echo "Fetching digest for ${arch}..." 
- sha="$(regctl image digest "${IMAGE}" --platform linux/${arch})" - echo "${arch}_image_sha=${IMAGE}@${sha}" - echo "${arch}_image_sha=${IMAGE}@${sha}" >> $GITHUB_OUTPUT - done - env: - PLATFORMS: "linux/amd64" # Comma separated list of any platforms built - - - name: Scan AMD64 Image digest - if: ${{ steps.image_manifest_metadata.outputs.amd64_image_sha != '' }} + - name: Scan the docker OCI Tar ball id: sbom_action_amd64 uses: Kong/public-shared-actions/security-actions/scan-docker-image@556e4d9756442828427007a7171683a99adf9a6a with: asset_prefix: image-${{ env.IMAGE_NAME }}-amd64 - image: ${{steps.image_manifest_metadata.outputs.image}}:${{ steps.image_manifest_metadata.outputs.amd64_image_sha }} + image: ${{ env.DOCKER_OCI_ARCHIVE }}.tar upload-sbom-release-assets: true release-images: - name: Publish Images runs-on: ubuntu-latest permissions: contents: write - packages: write # needed for signing the images + packages: write # needed for publishing the images + id-token: write # needed for keyless signing of the images needs: [check, build-images, scan-images] if: > github.repository_owner == 'Kong' 
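Review bot: The scan step's new input `image: ${{ env.DOCKER_OCI_ARCHIVE }}.tar` is a bare relative path, while the download step places the archive under `${{ github.workspace }}` and the `docker load` line uses the absolute `${{ github.workspace }}/${{ env.DOCKER_OCI_ARCHIVE }}.tar`; unless the action resolves its input against the workspace (not visible here), make the two consistent, e.g. `image: ${{ github.workspace }}/${{ env.DOCKER_OCI_ARCHIVE }}.tar`. The step keeps `id: sbom_action_amd64` and `asset_prefix: image-${{ env.IMAGE_NAME }}-amd64` although it no longer selects a per-platform digest, so the `-amd64` suffix now only reflects whatever the archive happens to contain and will mislabel the SBOM if further platforms are ever built. Also, `upload-sbom-release-assets: true` remains while the job's permissions, shown in the hunk at -102, grant only `contents: read`; if the action attaches assets to the GitHub release it will need `contents: write`, which is worth confirming against the action. The scan-images job header is in the preceding hunk, outside this one.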
@@ -171,18 +147,21 @@ jobs: && needs.scan-images.result == 'success' env: IMAGE_TAGS: ${{ needs.build-images.outputs.image_tags }} - IMAGE_MANIFEST_SHA: ${{ needs.scan-images.outputs.image_manifest_sha }} + outputs: + image_name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + image_manifest_sha: ${{ steps.image_manifest_metadata.outputs.image_manifest_sha }} + notary_repository: ${{ env.NOTARY_REPOSITORY }} steps: - name: Download OCI docker TAR artifact uses: actions/download-artifact@v3 with: name: ${{ env.DOCKER_OCI_ARCHIVE }} - path: ${{ github.workspace }}/${{ env.DOCKER_OCI_ARCHIVE }} + path: ${{ github.workspace }} - name: Load OCI docker TAR artifact run: | - docker load -i ${{ github.workspace }}/${{ env.DOCKER_OCI_ARCHIVE }}/${{ env.DOCKER_OCI_ARCHIVE }}.tar + docker load -i ${{ github.workspace }}/${{ env.DOCKER_OCI_ARCHIVE }}.tar docker image ls # Login against a Docker registry except on PR 
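Review bot: The new job output `image_manifest_sha: ${{ steps.image_manifest_metadata.outputs.image_manifest_sha }}` references a step output that is never written: the `Parse architecture specific digest from image manifest` step added in the hunk at -198 only runs `echo "sha=${sha}" >> $GITHUB_OUTPUT`, and the sign step in that same hunk correctly reads `steps.image_manifest_metadata.outputs.sha`. As written the job output is empty, so the provenance step in the hunk at -224 receives an empty `digest:` and provenance is either skipped or attached to nothing. Change the line to `image_manifest_sha: ${{ steps.image_manifest_metadata.outputs.sha }}`, or rename the step's output to match. The release-images job's `needs:` and `if:` lines sit partly outside this hunk.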
@@ -198,18 +177,34 @@ jobs: id: publish_images run: | for tag in ${IMAGE_TAGS//,/ }; do \ - docker push $tag \ + docker push $tag; \ done + # Setup regctl to parse platform specific image digest from image manifest + - name: Install regctl + uses: regclient/actions/regctl-installer@main + + # The image manifest digest/sha is generated only after the image is published to registry + - name: Parse architecture specific digest from image manifest + id: image_manifest_metadata + run: | + IMAGE=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.build-images.outputs.IMAGE_TAG_VERSION }} + sha="$(regctl image digest "${IMAGE}")" + echo "sha=${sha}" >> $GITHUB_OUTPUT + + # Signing images requires image manifest digest - name: Sign images id: sign_images - if: ${{ env.IMAGE_MANIFEST_SHA != '' }} - uses: Kong/public-shared-actions/security-actions/sign-docker-image@556e4d9756442828427007a7171683a99adf9a6a # v2.2.1 + if: ${{ steps.image_manifest_metadata.outputs.sha != '' }} + uses: Kong/public-shared-actions/security-actions/sign-docker-image@2f02738ecb1670f01391162e43fe3f5d4e7942a1 with: - image_digest: ${{ env.IMAGE_MANIFEST_SHA }} + image_digest: ${{ steps.image_manifest_metadata.outputs.sha }} tags: ${{ env.IMAGE_TAGS }} + image_registry_domain: ghcr.io registry_username: ${{ github.actor }} registry_password: ${{ secrets.GITHUB_TOKEN }} + # Optional: Central notary repository for image signatures + signature_registry_domain: docker.io signature_registry_username: ${{ secrets.GHA_DOCKERHUB_PUSH_USER }} signature_registry_password: ${{ secrets.GHA_KONG_ORG_DOCKERHUB_PUSH_TOKEN }} signature_registry: ${{ env.NOTARY_REPOSITORY }} 
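Review bot: The sign action pin was moved from `@556e4d9756442828427007a7171683a99adf9a6a # v2.2.1` to `@2f02738ecb1670f01391162e43fe3f5d4e7942a1` with no version comment, so the SHA can no longer be audited against a release of Kong/public-shared-actions at a glance; restore the trailing comment, `uses: Kong/public-shared-actions/security-actions/sign-docker-image@2f02738ecb1670f01391162e43fe3f5d4e7942a1 # <release tag>`, with the tag this commit corresponds to. In the push loop, the backslash continuations inside a `run: |` block are unnecessary and the loop variable is unquoted; `for tag in ${IMAGE_TAGS//,/ }; do docker push "$tag"; done` on one line reads more plainly. Note also that the digest comes from whatever the registry reports for the tag after push, which is the expected flow, but the comment `# The image manifest digest/sha is generated only after the image is published to registry` would be clearer as `# The manifest digest is only known once the registry has accepted the push, so it is read back with regctl here`.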
@@ -224,9 +219,9 @@ jobs: actions: read # For getting workflow run info to build provenance packages: write # Required for publishing provenance. Issue: https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container#known-issues with: - image: ${{ needs.scan-images.outputs.image_name }} # Image repository without tag. Eg: kong/insomnia-mockbins - digest: ${{ needs.scan-images.outputs.image_manifest_sha }} # Image manifest digest for the published docker image/TAR - provenance-repository: ${{ needs.scan-images.outputs.notary_repository }} + image: ${{ needs.release-images.outputs.image_name }} # Image repository without tag. Eg: kong/insomnia-mockbins + digest: ${{ needs.release-images.outputs.image_manifest_sha }} # Image manifest digest for the published docker image/TAR + provenance-repository: ${{ needs.release-images.outputs.notary_repository }} secrets: registry-username: ${{ github.actor }} registry-password: ${{ secrets.GITHUB_TOKEN }}
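Review bot: The inline comment on `image:` still says `# Image repository without tag. Eg: kong/insomnia-mockbins`, but the value now comes from `needs.release-images.outputs.image_name`, which in the hunk at -171 is built as `${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}` and so carries the `ghcr.io/` prefix; update it to `# Image reference without tag, including registry. Eg: ghcr.io/kong/insomnia-mockbin`. The `digest:` input depends on the job output named in the -171 hunk, which as written resolves to an empty string (see the note there). The provenance job's header and its `needs:` list are outside this hunk; `needs.release-images.*` only resolves if release-images is declared there.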