
Feature/hive feature manager #1


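name: Base Image Release Build

# Any change in triggers needs to be reflected in the concurrency group.
on:
  pull_request_target:
    types:
      - opened
      - synchronize
      - reopened
    paths:
      - images/runtime/**
      - images/builder/**
  workflow_dispatch:
  # This workflow can be reused so that renovate can execute this workflow
  # run from a different environment than 'release-base-images'. See
  # build-images-base-renovate.yaml
  workflow_call:
    secrets:
      QUAY_BASE_RELEASE_USERNAME:
        required: true
      QUAY_BASE_RELEASE_PASSWORD:
        required: true
      AUTO_COMMITTER_PEM:
        required: true
      AUTO_COMMITTER_APP_ID:
        required: true
    inputs:
      environment:
        required: true
        type: string
        default: "release-base-images"

permissions:
  # To be able to access the repository with `actions/checkout`
  contents: read
  # Required to generate OIDC tokens for `sigstore/cosign-installer` authentication
  id-token: write

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

jobs:
  has-credentials:
    name: Check for Quay secrets
    runs-on: ubuntu-22.04
    timeout-minutes: 2
    outputs:
      present: ${{ steps.secrets.outputs.present }}
    steps:
      - name: Check for secrets
        id: secrets
        env:
          # Evaluates to 1 only when both Quay secrets are configured; otherwise
          # it is empty, the step is skipped and `present` stays unset.
          has_credentials: ${{ secrets.QUAY_BASE_RELEASE_USERNAME && secrets.QUAY_BASE_RELEASE_PASSWORD && 1 }}
        if: ${{ env.has_credentials }}
        run: echo 'present=1' >> "$GITHUB_OUTPUT"

  build-and-push:
    needs: has-credentials
    # Skip this workflow for repositories without credentials and branches that
    # are created by renovate where the event type is pull_request_target
    if: ${{ needs.has-credentials.outputs.present && ! (github.event_name == 'pull_request_target' && startsWith(github.head_ref, 'renovate/')) }}
    name: Build and Push Images
    timeout-minutes: 45
    environment: ${{ inputs.environment || 'release-base-images' }}
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout default branch (trusted)
        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
        with:
          ref: ${{ github.event.repository.default_branch }}
          persist-credentials: false
      - name: Cleanup Disk space in runner
        uses: ./.github/actions/disk-cleanup
      - name: Checkout base branch (trusted)
        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
        with:
          ref: ${{ github.base_ref }}
          persist-credentials: false
      # The helper scripts and Makefiles are taken from the trusted base branch
      # and copied outside the workspace, so that the untrusted PR checkout
      # further down cannot swap them out before they are executed.
      - name: Copy scripts to trusted directory
        run: |
          mkdir -p ../cilium-base-branch/images/runtime/
          cp ./images/runtime/update-cilium-runtime-image.sh ../cilium-base-branch/images/runtime/
          mkdir -p ../cilium-base-branch/images/builder/
          cp ./images/builder/update-cilium-builder-image.sh ../cilium-base-branch/images/builder/
          mkdir -p ../cilium-base-branch/images/scripts/
          cp ./images/scripts/get-image-digest.sh ../cilium-base-branch/images/scripts/
          mkdir -p ../cilium-base-branch/api/v1
          cp ./api/v1/Makefile ../cilium-base-branch/api/v1/
          cp ./Makefile.defs ../cilium-base-branch/Makefile.defs
          cp ./Makefile.quiet ../cilium-base-branch/Makefile.quiet
      - name: Set Environment Variables
        uses: ./.github/actions/set-env-variables
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
      - name: Set up QEMU
        id: qemu
        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
      - name: Install Cosign
        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
      # Warning: since this is a privileged workflow, subsequent workflow job
      # steps must take care not to execute untrusted code.
      - name: Checkout pull request branch (NOT TRUSTED)
        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
        with:
          persist-credentials: false
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Set-up git
        run: |
          git config user.name "Cilium Imagebot"
          git config user.email "noreply@cilium.io"
      # The image tag is the git tree hash of images/runtime (third column of
      # `git ls-tree`), so it changes exactly when the image inputs change.
      - name: Generating image tag for Cilium-Runtime
        id: runtime-tag
        run: |
          echo tag="$(git ls-tree --full-tree HEAD -- ./images/runtime | awk '{ print $3 }')" >> "$GITHUB_OUTPUT"
      - name: Checking if tag for Cilium-Runtime already exists
        id: cilium-runtime-tag-in-repositories
        shell: bash
        run: |
          if docker buildx imagetools inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }} &>/dev/null; then
            echo exists="true" >> "$GITHUB_OUTPUT"
          else
            echo exists="false" >> "$GITHUB_OUTPUT"
          fi
      - name: Login to quay.io
        if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }}
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_BASE_RELEASE_USERNAME }}
          password: ${{ secrets.QUAY_BASE_RELEASE_PASSWORD }}
      - name: Release build cilium-runtime
        if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }}
        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
        id: docker_build_release_runtime
        with:
          provenance: false
          context: ./images/runtime
          file: ./images/runtime/Dockerfile
          push: true
          platforms: linux/amd64,linux/arm64
          tags: |
            quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }}
      # Signing and attestation use the immutable digest returned by the build,
      # not the tag, so they bind to exactly the pushed manifest.
      - name: Sign Container Image Runtime
        if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }}
        run: |
          cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime@${{ steps.docker_build_release_runtime.outputs.digest }}
      - name: Generate SBOM
        if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }}
        uses: anchore/sbom-action@61119d458adab75f756bc0b9e4bde25725f86a7a # v0.17.2
        with:
          artifact-name: sbom_cilium-runtime_${{ steps.runtime-tag.outputs.tag }}.spdx.json
          output-file: ./sbom_cilium-runtime_${{ steps.runtime-tag.outputs.tag }}.spdx.json
          image: quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }}
      - name: Attach SBOM attestation to container image
        if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }}
        run: |
          cosign attest -r -y --predicate sbom_cilium-runtime_${{ steps.runtime-tag.outputs.tag }}.spdx.json --type spdxjson quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime@${{ steps.docker_build_release_runtime.outputs.digest }}
      - name: Image Release Digest Runtime
        if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }}
        shell: bash
        run: |
          mkdir -p image-digest/
          echo "## cilium-runtime" > image-digest/cilium-runtime.txt
          echo "" >> image-digest/cilium-runtime.txt
          echo "\`quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }}@${{ steps.docker_build_release_runtime.outputs.digest }}\`" >> image-digest/cilium-runtime.txt
          echo "" >> image-digest/cilium-runtime.txt
      - name: Upload artifact digests runtime
        if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }}
        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
        with:
          name: image-digest cilium-runtime
          path: image-digest
          retention-days: 1
      # When the image was just built, use the digest reported by the build;
      # when it already existed, resolve the digest from the registry. Either
      # way the trusted copy of the update script rewrites the references.
      - name: Update Runtime Image
        id: update-runtime-image
        run: |
          if [[ "${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }}" == "true" ]]; then
            ../cilium-base-branch/images/runtime/update-cilium-runtime-image.sh "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }}@${{ steps.docker_build_release_runtime.outputs.digest }}"
          else
            digest=$(../cilium-base-branch/images/scripts/get-image-digest.sh "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }}")
            ../cilium-base-branch/images/runtime/update-cilium-runtime-image.sh "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }}@${digest}"
          fi
          if ! git diff --quiet; then
            git commit -sam "images: update cilium-{runtime,builder}"
            echo committed="true" >> "$GITHUB_OUTPUT"
          else
            echo committed="false" >> "$GITHUB_OUTPUT"
          fi
      - name: Generating image tag for Cilium-Builder
        id: builder-tag
        run: |
          echo tag="$(git ls-tree --full-tree HEAD -- ./images/builder | awk '{ print $3 }')" >> "$GITHUB_OUTPUT"
      - name: Checking if tag for Cilium-Builder already exists
        id: cilium-builder-tag-in-repositories
        shell: bash
        run: |
          if docker buildx imagetools inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }} &>/dev/null; then
            echo exists="true" >> "$GITHUB_OUTPUT"
          else
            echo exists="false" >> "$GITHUB_OUTPUT"
          fi
      # Only log in here when the runtime path skipped its own login (the
      # runtime image already existed); otherwise the session is still valid.
      - name: Login to quay.io
        if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' && steps.cilium-runtime-tag-in-repositories.outputs.exists != 'false' }}
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_BASE_RELEASE_USERNAME }}
          password: ${{ secrets.QUAY_BASE_RELEASE_PASSWORD }}
      - name: Release build cilium-builder
        if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }}
        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
        id: docker_build_release_builder
        with:
          provenance: false
          context: ./images/builder
          file: ./images/builder/Dockerfile
          push: true
          platforms: linux/amd64,linux/arm64
          tags: |
            quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }}
      - name: Sign Container Image Builder
        if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }}
        run: |
          cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder@${{ steps.docker_build_release_builder.outputs.digest }}
      - name: Generate SBOM
        if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }}
        uses: anchore/sbom-action@61119d458adab75f756bc0b9e4bde25725f86a7a # v0.17.2
        with:
          artifact-name: sbom_cilium-builder_${{ steps.builder-tag.outputs.tag }}.spdx.json
          output-file: ./sbom_cilium-builder_${{ steps.builder-tag.outputs.tag }}.spdx.json
          image: quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }}
      # Gated on the *builder* tag check, like every other builder step; gating
      # it on the runtime check would skip (or fail) the builder attestation
      # whenever only one of the two images was rebuilt.
      - name: Attach SBOM attestation to container image
        if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }}
        run: |
          cosign attest -r -y --predicate sbom_cilium-builder_${{ steps.builder-tag.outputs.tag }}.spdx.json --type spdxjson quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder@${{ steps.docker_build_release_builder.outputs.digest }}
      - name: Image Release Digest Builder
        if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }}
        shell: bash
        run: |
          mkdir -p image-digest/
          echo "## cilium-builder" > image-digest/cilium-builder.txt
          echo "" >> image-digest/cilium-builder.txt
          echo "\`quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }}@${{ steps.docker_build_release_builder.outputs.digest }}\`" >> image-digest/cilium-builder.txt
          echo "" >> image-digest/cilium-builder.txt
      - name: Upload artifact digests builder
        if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }}
        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
        with:
          name: image-digest cilium-builder
          path: image-digest
          retention-days: 1
      - name: Update Builder Images
        run: |
          if [[ "${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }}" == "true" ]]; then
            ../cilium-base-branch/images/builder/update-cilium-builder-image.sh "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }}@${{ steps.docker_build_release_builder.outputs.digest }}"
          else
            digest=$(../cilium-base-branch/images/scripts/get-image-digest.sh "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }}")
            ../cilium-base-branch/images/builder/update-cilium-builder-image.sh "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }}@${digest}"
          fi
      - name: Update Protobuf APIs
        # The builder image contains 'protoc', which can cause autogenerated
        # protobuf files to change. Re-generate the API to compensate.
        if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }}
        env:
          CONTAINER_IMAGE: quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }}@${{ steps.docker_build_release_builder.outputs.digest }}
        run: |
          export VOLUME="$PWD/api/v1"
          make -C ../cilium-base-branch/api/v1
      # Commits the builder reference and protobuf changes made above. If the
      # runtime step already committed, amend it so the PR gets one commit.
      - name: Commit changes
        id: update-builder-image
        run: |
          if ! git diff --quiet; then
            if [[ "${{ steps.update-runtime-image.outputs.committed }}" == "true" ]]; then
              git commit --amend -sam "images: update cilium-{runtime,builder}"
            else
              git commit -sam "images: update cilium-{runtime,builder}"
            fi
            echo committed="true" >> "$GITHUB_OUTPUT"
          else
            echo committed="false" >> "$GITHUB_OUTPUT"
          fi
      - name: Get token
        if: ${{ steps.update-runtime-image.outputs.committed == 'true' || steps.update-builder-image.outputs.committed == 'true' }}
        id: get_token
        uses: cilium/actions-app-token@61a6271ce92ba02f49bf81c755685d59fb25a59a # v0.21.1
        with:
          APP_PEM: ${{ secrets.AUTO_COMMITTER_PEM }}
          APP_ID: ${{ secrets.AUTO_COMMITTER_APP_ID }}
      - name: Push changes into PR
        if: ${{ steps.update-runtime-image.outputs.committed == 'true' || steps.update-builder-image.outputs.committed == 'true' }}
        env:
          ref: ${{ github.event.pull_request.head.ref || github.ref }}
          repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }}
          app_token: ${{ steps.get_token.outputs.app_token }}
        run: |
          git diff HEAD^
          # The head ref and repository come from the pull request event, so they
          # are expanded as shell variables instead of being interpolated into
          # the script text with ${{ }}; the token is passed the same way so it
          # never appears in the rendered script.
          git push "https://x-access-token:${app_token}@github.com/${repository}.git" "HEAD:${ref}"

  image-digests:
    name: Display Digests
    runs-on: ubuntu-24.04
    needs: build-and-push
    steps:
      - name: Downloading Image Digests
        shell: bash
        run: |
          mkdir -p image-digest/
      - name: Download digests of all images built
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          path: image-digest/
          pattern: "*image-digest *"
      - name: Image Digests Output
        shell: bash
        run: |
          cd image-digest/
          find -type f | sort | xargs -d '\n' cat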