Use workflow configuration variables for quay organization names #23145

Merged
merged 1 commit into from
Jan 18, 2023
9 changes: 0 additions & 9 deletions .github/actions/set-env-variables/action.yml

This file was deleted.

49 changes: 20 additions & 29 deletions .github/workflows/build-images-base.yaml
@@ -27,15 +27,6 @@ jobs:
environment: release-base-images
runs-on: ubuntu-20.04
steps:
- name: Checkout master branch to access local actions
uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
with:
ref: ${{ github.event.repository.default_branch }}
persist-credentials: false

- name: Set Environment Variables
uses: ./.github/actions/set-env-variables

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@8c0edbc76e98fa90f69d9a2c020dcb50019dc325

@@ -66,7 +57,7 @@ jobs:
id: cilium-runtime-tag-in-repositories
shell: bash
run: |
if docker buildx imagetools inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }} &>/dev/null; then
if docker buildx imagetools inspect quay.io/${{ vars.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }} &>/dev/null; then
echo exists="true" >> $GITHUB_OUTPUT
else
echo exists="false" >> $GITHUB_OUTPUT
@@ -90,14 +81,14 @@ jobs:
push: true
platforms: linux/amd64,linux/arm64
tags: |
quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }}
quay.io/${{ vars.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }}

- name: Sign Container Image Runtime
if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }}
env:
COSIGN_EXPERIMENTAL: "true"
run: |
cosign sign quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime@${{ steps.docker_build_release_runtime.outputs.digest }}
cosign sign quay.io/${{ vars.QUAY_ORGANIZATION_DEV }}/cilium-runtime@${{ steps.docker_build_release_runtime.outputs.digest }}

- name: Install Bom
shell: bash
@@ -112,22 +103,22 @@ jobs:
run: |
bom generate -o sbom_cilium-runtime_${{ steps.runtime-tag.outputs.tag }}.spdx \
--dirs=. \
--image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }}
--image=quay.io/${{ vars.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }}

- name: Attach SBOM to Container Image
if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }}
run: |
cosign attach sbom --sbom sbom_cilium-runtime_${{ steps.runtime-tag.outputs.tag }}.spdx quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime@${{ steps.docker_build_release_runtime.outputs.digest }}
cosign attach sbom --sbom sbom_cilium-runtime_${{ steps.runtime-tag.outputs.tag }}.spdx quay.io/${{ vars.QUAY_ORGANIZATION_DEV }}/cilium-runtime@${{ steps.docker_build_release_runtime.outputs.digest }}

- name: Sign SBOM Image
if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }}
env:
COSIGN_EXPERIMENTAL: "true"
run: |
docker_build_release_runtime_digest="${{ steps.docker_build_release_runtime.outputs.digest }}"
image_name="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${docker_build_release_runtime_digest/:/-}.sbom"
image_name="quay.io/${{ vars.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${docker_build_release_runtime_digest/:/-}.sbom"
docker_build_release_runtime_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)"
cosign sign "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime@${docker_build_release_runtime_sbom_digest}"
cosign sign "quay.io/${{ vars.QUAY_ORGANIZATION_DEV }}/cilium-runtime@${docker_build_release_runtime_sbom_digest}"

- name: Image Release Digest Runtime
if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }}
@@ -136,7 +127,7 @@ jobs:
mkdir -p image-digest/
echo "## cilium-runtime" > image-digest/cilium-runtime.txt
echo "" >> image-digest/cilium-runtime.txt
echo "\`quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }}@${{ steps.docker_build_release_runtime.outputs.digest }}\`" >> image-digest/cilium-runtime.txt
echo "\`quay.io/${{ vars.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }}@${{ steps.docker_build_release_runtime.outputs.digest }}\`" >> image-digest/cilium-runtime.txt
echo "" >> image-digest/cilium-runtime.txt

- name: Upload artifact digests runtime
@@ -150,7 +141,7 @@ jobs:
- name: Update Runtime Image
if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }}
run: |
images/runtime/update-cilium-runtime-image.sh "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }}@${{ steps.docker_build_release_runtime.outputs.digest }}"
images/runtime/update-cilium-runtime-image.sh "quay.io/${{ vars.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }}@${{ steps.docker_build_release_runtime.outputs.digest }}"
git commit -sam "images: update cilium-{runtime,builder}"

- name: Generating image tag for Cilium-Builder
@@ -162,7 +153,7 @@ jobs:
id: cilium-builder-tag-in-repositories
shell: bash
run: |
if docker buildx imagetools inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }} &>/dev/null; then
if docker buildx imagetools inspect quay.io/${{ vars.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }} &>/dev/null; then
echo exists="true" >> $GITHUB_OUTPUT
else
echo exists="false" >> $GITHUB_OUTPUT
@@ -186,37 +177,37 @@ jobs:
push: true
platforms: linux/amd64,linux/arm64
tags: |
quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }}
quay.io/${{ vars.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }}

- name: Sign Container Image Builder
if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }}
env:
COSIGN_EXPERIMENTAL: "true"
run: |
cosign sign quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder@${{ steps.docker_build_release_builder.outputs.digest }}
cosign sign quay.io/${{ vars.QUAY_ORGANIZATION_DEV }}/cilium-builder@${{ steps.docker_build_release_builder.outputs.digest }}

- name: Generate SBOM
if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }}
shell: bash
run: |
bom generate -o sbom_cilium-builder_${{ steps.builder-tag.outputs.tag }}.spdx \
--dirs=. \
--image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }}
--image=quay.io/${{ vars.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }}

- name: Attach SBOM to Container Image
if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }}
run: |
cosign attach sbom --sbom sbom_cilium-builder_${{ steps.builder-tag.outputs.tag }}.spdx quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder@${{ steps.docker_build_release_builder.outputs.digest }}
cosign attach sbom --sbom sbom_cilium-builder_${{ steps.builder-tag.outputs.tag }}.spdx quay.io/${{ vars.QUAY_ORGANIZATION_DEV }}/cilium-builder@${{ steps.docker_build_release_builder.outputs.digest }}

- name: Sign SBOM Image
if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }}
env:
COSIGN_EXPERIMENTAL: "true"
run: |
docker_build_release_builder_digest="${{ steps.docker_build_release_builder.outputs.digest }}"
image_name="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${docker_build_release_builder_digest/:/-}.sbom"
image_name="quay.io/${{ vars.QUAY_ORGANIZATION_DEV }}/cilium-builder:${docker_build_release_builder_digest/:/-}.sbom"
docker_build_release_builder_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)"
cosign sign "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder@${docker_build_release_builder_sbom_digest}"
cosign sign "quay.io/${{ vars.QUAY_ORGANIZATION_DEV }}/cilium-builder@${docker_build_release_builder_sbom_digest}"

- name: Image Release Digest Builder
if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }}
@@ -225,7 +216,7 @@ jobs:
mkdir -p image-digest/
echo "## cilium-builder" > image-digest/cilium-builder.txt
echo "" >> image-digest/cilium-builder.txt
echo "\`quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }}@${{ steps.docker_build_release_builder.outputs.digest }}\`" >> image-digest/cilium-builder.txt
echo "\`quay.io/${{ vars.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }}@${{ steps.docker_build_release_builder.outputs.digest }}\`" >> image-digest/cilium-builder.txt
echo "" >> image-digest/cilium-builder.txt

- name: Upload artifact digests builder
@@ -239,12 +230,12 @@ jobs:
- name: Update Runtime Images
if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }}
run: |
images/runtime/update-cilium-runtime-image.sh "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }}@${{ steps.docker_build_release_runtime.outputs.digest }}"
images/runtime/update-cilium-runtime-image.sh "quay.io/${{ vars.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }}@${{ steps.docker_build_release_runtime.outputs.digest }}"

- name: Update Builder Images
if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }}
run: |
images/builder/update-cilium-builder-image.sh "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }}@${{ steps.docker_build_release_builder.outputs.digest }}"
images/builder/update-cilium-builder-image.sh "quay.io/${{ vars.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }}@${{ steps.docker_build_release_builder.outputs.digest }}"

- name: Commit changes by amending previous commit
# Run this step in case we have committed the cilium-runtime changes before
@@ -270,7 +261,7 @@ jobs:
if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' || steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }}
run: |
git diff HEAD^
git push https://x-access-token:${{ steps.get_token.outputs.app_token }}@github.com/${{ env.QUAY_ORGANIZATION }}/cilium.git HEAD:${{ github.event.pull_request.head.ref }}
git push https://x-access-token:${{ steps.get_token.outputs.app_token }}@github.com/${{ vars.QUAY_ORGANIZATION }}/cilium.git HEAD:${{ github.event.pull_request.head.ref }}

image-digests:
name: Display Digests
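Review bot: The `git push` line in the last hunk still expands `${{ github.event.pull_request.head.ref }}` straight into the shell script, and a branch name is chosen by the pull-request author, so it becomes script text before bash ever parses it. Pass it through the step's `env:` (`HEAD_REF: ${{ github.event.pull_request.head.ref }}`) and push to `"HEAD:${HEAD_REF}"`; the step's header and the workflow trigger are outside the visible hunk, so confirm which events can reach it. The same line now takes the GitHub owner from `vars.QUAY_ORGANIZATION`, and an unset configuration variable expands to an empty string, where the deleted action presumably always set a value. An early step that fails when `vars.QUAY_ORGANIZATION` or `vars.QUAY_ORGANIZATION_DEV` is empty would stop a misconfigured repository or fork before any image is built, signed or pushed; this also applies to `build-images-beta.yaml`.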
25 changes: 8 additions & 17 deletions .github/workflows/build-images-beta.yaml
@@ -52,15 +52,6 @@ jobs:
dockerfile: ./images/cilium-docker-plugin/Dockerfile

steps:
- name: Checkout master branch to access local actions
uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
with:
ref: ${{ github.event.repository.default_branch }}
persist-credentials: false

- name: Set Environment Variables
uses: ./.github/actions/set-env-variables

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@8c0edbc76e98fa90f69d9a2c020dcb50019dc325

@@ -80,7 +71,7 @@ jobs:
id: tag-in-repositories
shell: bash
run: |
if docker buildx imagetools inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-${{ github.event.inputs.suffix }}:${{ github.event.inputs.tag }} &>/dev/null; then
if docker buildx imagetools inspect quay.io/${{ vars.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-${{ github.event.inputs.suffix }}:${{ github.event.inputs.tag }} &>/dev/null; then
echo "Tag already exists!"
exit 1
fi
@@ -99,7 +90,7 @@ jobs:
push: true
platforms: linux/amd64,linux/arm64
tags: |
quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-${{ github.event.inputs.suffix }}:${{ github.event.inputs.tag }}
quay.io/${{ vars.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-${{ github.event.inputs.suffix }}:${{ github.event.inputs.tag }}
target: release
build-args: |
OPERATOR_VARIANT=${{ matrix.name }}
@@ -111,7 +102,7 @@ jobs:
env:
COSIGN_EXPERIMENTAL: "true"
run: |
cosign sign quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-${{ github.event.inputs.suffix }}@${{ steps.docker_build_release.outputs.digest }}
cosign sign quay.io/${{ vars.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-${{ github.event.inputs.suffix }}@${{ steps.docker_build_release.outputs.digest }}

- name: Install Bom
shell: bash
@@ -125,28 +116,28 @@ jobs:
run: |
bom generate -o sbom_${{ matrix.name }}_${{ github.event.inputs.tag }}.spdx \
--dirs=. \
--image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-${{ github.event.inputs.suffix }}:${{ github.event.inputs.tag }}
--image=quay.io/${{ vars.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-${{ github.event.inputs.suffix }}:${{ github.event.inputs.tag }}

- name: Attach SBOM to Container Image
run: |
cosign attach sbom --sbom sbom_${{ matrix.name }}_${{ github.event.inputs.tag }}.spdx quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-${{ github.event.inputs.suffix }}@${{ steps.docker_build_release.outputs.digest }}
cosign attach sbom --sbom sbom_${{ matrix.name }}_${{ github.event.inputs.tag }}.spdx quay.io/${{ vars.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-${{ github.event.inputs.suffix }}@${{ steps.docker_build_release.outputs.digest }}

- name: Sign SBOM Image
env:
COSIGN_EXPERIMENTAL: "true"
run: |
docker_build_release_digest="${{ steps.docker_build_release.outputs.digest }}"
image_name="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-${{ github.event.inputs.suffix }}:${docker_build_release_digest/:/-}.sbom"
image_name="quay.io/${{ vars.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-${{ github.event.inputs.suffix }}:${docker_build_release_digest/:/-}.sbom"
docker_build_release_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)"
cosign sign "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-${{ github.event.inputs.suffix }}@${docker_build_release_sbom_digest}"
cosign sign "quay.io/${{ vars.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-${{ github.event.inputs.suffix }}@${docker_build_release_sbom_digest}"

- name: Image Release Digest
shell: bash
run: |
mkdir -p image-digest/
echo "## ${{ matrix.name }}" > image-digest/${{ matrix.name }}.txt
echo "" >> image-digest/${{ matrix.name }}.txt
echo "\`quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-${{ github.event.inputs.suffix }}:${{ github.event.inputs.tag }}@${{ steps.docker_build_release.outputs.digest }}\`" >> image-digest/${{ matrix.name }}.txt
echo "\`quay.io/${{ vars.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-${{ github.event.inputs.suffix }}:${{ github.event.inputs.tag }}@${{ steps.docker_build_release.outputs.digest }}\`" >> image-digest/${{ matrix.name }}.txt
echo "" >> image-digest/${{ matrix.name }}.txt

# Upload artifact digests
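Review bot: The `run:` scripts touched here (the tag-exists check, `cosign sign`, `bom generate`, `cosign attach sbom` and the digest file) expand `${{ github.event.inputs.suffix }}` and `${{ github.event.inputs.tag }}` directly into bash, mostly unquoted, so the dispatch inputs are script text rather than data. These inputs presumably come from maintainers, but a stray space or shell metacharacter still changes which reference is inspected, signed or given an SBOM. Map them once in `env:` (`IMAGE_TAG: ${{ github.event.inputs.tag }}`, `IMAGE_SUFFIX: ${{ github.event.inputs.suffix }}`), use them as `"${IMAGE_TAG}"` and `"${IMAGE_SUFFIX}"`, and reject values that do not match the expected tag pattern before the first registry call. Several of these steps begin outside the visible hunks, so check any existing `env:` blocks before adding new ones.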