Feature/hive feature manager #3
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Base Image Release Build | |
# Any change in triggers needs to be reflected in the concurrency group. | |
on: | |
pull_request_target: | |
types: | |
- opened | |
- synchronize | |
- reopened | |
paths: | |
- images/runtime/** | |
- images/builder/** | |
# This workflow can be reused so that renovate can execute this workflow_dispatch: | |
# run from a different environment than 'release-base-images'. See | |
# build-images-base-renovate.yaml | |
workflow_call: | |
secrets: | |
QUAY_BASE_RELEASE_USERNAME: | |
required: true | |
QUAY_BASE_RELEASE_PASSWORD: | |
required: true | |
AUTO_COMMITTER_PEM: | |
required: true | |
AUTO_COMMITTER_APP_ID: | |
required: true | |
inputs: | |
environment: | |
required: true | |
type: string | |
default: "release-base-images" | |
permissions: | |
# To be able to access the repository with `actions/checkout` | |
contents: read | |
# Required to generate OIDC tokens for `sigstore/cosign-installer` authentication | |
id-token: write | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} | |
cancel-in-progress: true | |
jobs: | |
has-credentials: | |
name: Check for Quay secrets | |
runs-on: ubuntu-22.04 | |
timeout-minutes: 2 | |
outputs: | |
present: ${{ steps.secrets.outputs.present }} | |
steps: | |
- name: Check for secrets | |
id: secrets | |
env: | |
has_credentials: ${{ secrets.QUAY_BASE_RELEASE_USERNAME && secrets.QUAY_BASE_RELEASE_PASSWORD && 1 }} | |
if: ${{ env.has_credentials }} | |
run: | |
echo 'present=1' >> "$GITHUB_OUTPUT" | |
build-and-push: | |
needs: has-credentials | |
# Skip this workflow for repositories without credentials and branches that are created by renovate where the event type is pull_request_target | |
if: ${{ needs.has-credentials.outputs.present && ! (github.event_name == 'pull_request_target' && startsWith(github.head_ref, 'renovate/')) }} | |
name: Build and Push Images | |
timeout-minutes: 45 | |
environment: ${{ inputs.environment || 'release-base-images' }} | |
runs-on: ubuntu-24.04 | |
steps: | |
- name: Checkout default branch (trusted) | |
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
with: | |
ref: ${{ github.event.repository.default_branch }} | |
persist-credentials: false | |
- name: Cleanup Disk space in runner | |
uses: ./.github/actions/disk-cleanup | |
- name: Checkout base branch (trusted) | |
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
with: | |
ref: ${{ github.base_ref }} | |
persist-credentials: false | |
- name: Copy scripts to trusted directory | |
run: | | |
mkdir -p ../cilium-base-branch/images/runtime/ | |
cp ./images/runtime/update-cilium-runtime-image.sh ../cilium-base-branch/images/runtime/ | |
mkdir -p ../cilium-base-branch/images/builder/ | |
cp ./images/builder/update-cilium-builder-image.sh ../cilium-base-branch/images/builder/ | |
mkdir -p ../cilium-base-branch/images/scripts/ | |
cp ./images/scripts/get-image-digest.sh ../cilium-base-branch/images/scripts/ | |
mkdir -p ../cilium-base-branch/api/v1 | |
cp ./api/v1/Makefile ../cilium-base-branch/api/v1/ | |
cp ./Makefile.defs ../cilium-base-branch/Makefile.defs | |
cp ./Makefile.quiet ../cilium-base-branch/Makefile.quiet | |
- name: Set Environment Variables | |
uses: ./.github/actions/set-env-variables | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 | |
- name: Set up QEMU | |
id: qemu | |
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 | |
- name: Install Cosign | |
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 | |
# Warning: since this is a privileged workflow, subsequent workflow job | |
# steps must take care not to execute untrusted code. | |
- name: Checkout pull request branch (NOT TRUSTED) | |
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
with: | |
persist-credentials: false | |
ref: ${{ github.event.pull_request.head.sha }} | |
- name: Set-up git | |
run: | | |
git config user.name "Cilium Imagebot" | |
git config user.email "noreply@cilium.io" | |
- name: Generating image tag for Cilium-Runtime | |
id: runtime-tag | |
run: | | |
echo tag="$(git ls-tree --full-tree HEAD -- ./images/runtime | awk '{ print $3 }')" >> $GITHUB_OUTPUT | |
- name: Checking if tag for Cilium-Runtime already exists | |
id: cilium-runtime-tag-in-repositories | |
shell: bash | |
run: | | |
if docker buildx imagetools inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }} &>/dev/null; then | |
echo exists="true" >> $GITHUB_OUTPUT | |
else | |
echo exists="false" >> $GITHUB_OUTPUT | |
fi | |
- name: Login to quay.io | |
if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }} | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
with: | |
registry: quay.io | |
username: ${{ secrets.QUAY_BASE_RELEASE_USERNAME }} | |
password: ${{ secrets.QUAY_BASE_RELEASE_PASSWORD }} | |
- name: Release build cilium-runtime | |
if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }} | |
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 | |
id: docker_build_release_runtime | |
with: | |
provenance: false | |
context: ./images/runtime | |
file: ./images/runtime/Dockerfile | |
push: true | |
platforms: linux/amd64,linux/arm64 | |
tags: | | |
quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }} | |
- name: Sign Container Image Runtime | |
if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }} | |
run: | | |
cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime@${{ steps.docker_build_release_runtime.outputs.digest }} | |
- name: Generate SBOM | |
if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }} | |
uses: anchore/sbom-action@61119d458adab75f756bc0b9e4bde25725f86a7a # v0.17.2 | |
with: | |
artifact-name: sbom_cilium-runtime_${{ steps.runtime-tag.outputs.tag }}.spdx.json | |
output-file: ./sbom_cilium-runtime_${{ steps.runtime-tag.outputs.tag }}.spdx.json | |
image: quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }} | |
- name: Attach SBOM attestation to container image | |
if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }} | |
run: | | |
cosign attest -r -y --predicate sbom_cilium-runtime_${{ steps.runtime-tag.outputs.tag }}.spdx.json --type spdxjson quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime@${{ steps.docker_build_release_runtime.outputs.digest }} | |
- name: Image Release Digest Runtime | |
if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }} | |
shell: bash | |
run: | | |
mkdir -p image-digest/ | |
echo "## cilium-runtime" > image-digest/cilium-runtime.txt | |
echo "" >> image-digest/cilium-runtime.txt | |
echo "\`quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }}@${{ steps.docker_build_release_runtime.outputs.digest }}\`" >> image-digest/cilium-runtime.txt | |
echo "" >> image-digest/cilium-runtime.txt | |
- name: Upload artifact digests runtime | |
if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }} | |
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 | |
with: | |
name: image-digest cilium-runtime | |
path: image-digest | |
retention-days: 1 | |
- name: Update Runtime Image | |
id: update-runtime-image | |
run: | | |
if [[ "${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }}" == "true" ]]; then | |
../cilium-base-branch/images/runtime/update-cilium-runtime-image.sh "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }}@${{ steps.docker_build_release_runtime.outputs.digest }}" | |
else | |
digest=$(../cilium-base-branch/images/scripts/get-image-digest.sh "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }}") | |
../cilium-base-branch/images/runtime/update-cilium-runtime-image.sh "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }}@${digest}" | |
fi | |
if ! git diff --quiet; then | |
git commit -sam "images: update cilium-{runtime,builder}" | |
echo committed="true" >> $GITHUB_OUTPUT | |
else | |
echo committed="false" >> $GITHUB_OUTPUT | |
fi | |
- name: Generating image tag for Cilium-Builder | |
id: builder-tag | |
run: | | |
echo tag="$(git ls-tree --full-tree HEAD -- ./images/builder | awk '{ print $3 }')" >> $GITHUB_OUTPUT | |
- name: Checking if tag for Cilium-Builder already exists | |
id: cilium-builder-tag-in-repositories | |
shell: bash | |
run: | | |
if docker buildx imagetools inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }} &>/dev/null; then | |
echo exists="true" >> $GITHUB_OUTPUT | |
else | |
echo exists="false" >> $GITHUB_OUTPUT | |
fi | |
- name: Login to quay.io | |
if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' && steps.cilium-runtime-tag-in-repositories.outputs.exists != 'false' }} | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
with: | |
registry: quay.io | |
username: ${{ secrets.QUAY_BASE_RELEASE_USERNAME }} | |
password: ${{ secrets.QUAY_BASE_RELEASE_PASSWORD }} | |
- name: Release build cilium-builder | |
if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }} | |
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 | |
id: docker_build_release_builder | |
with: | |
provenance: false | |
context: ./images/builder | |
file: ./images/builder/Dockerfile | |
push: true | |
platforms: linux/amd64,linux/arm64 | |
tags: | | |
quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }} | |
- name: Sign Container Image Builder | |
if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }} | |
run: | | |
cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder@${{ steps.docker_build_release_builder.outputs.digest }} | |
- name: Generate SBOM | |
if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }} | |
uses: anchore/sbom-action@61119d458adab75f756bc0b9e4bde25725f86a7a # v0.17.2 | |
with: | |
artifact-name: sbom_cilium-builder_${{ steps.builder-tag.outputs.tag }}.spdx.json | |
output-file: ./sbom_cilium-builder_${{ steps.builder-tag.outputs.tag }}.spdx.json | |
image: quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }} | |
- name: Attach SBOM attestation to container image | |
if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }} | |
run: | | |
cosign attest -r -y --predicate sbom_cilium-builder_${{ steps.builder-tag.outputs.tag }}.spdx.json --type spdxjson quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder@${{ steps.docker_build_release_builder.outputs.digest }} | |
- name: Image Release Digest Builder | |
if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }} | |
shell: bash | |
run: | | |
mkdir -p image-digest/ | |
echo "## cilium-builder" > image-digest/cilium-builder.txt | |
echo "" >> image-digest/cilium-builder.txt | |
echo "\`quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }}@${{ steps.docker_build_release_builder.outputs.digest }}\`" >> image-digest/cilium-builder.txt | |
echo "" >> image-digest/cilium-builder.txt | |
- name: Upload artifact digests builder | |
if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }} | |
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 | |
with: | |
name: image-digest cilium-builder | |
path: image-digest | |
retention-days: 1 | |
- name: Update Runtime Image | |
run: | | |
if [[ "${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }}" == "true" ]]; then | |
../cilium-base-branch/images/runtime/update-cilium-runtime-image.sh "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }}@${{ steps.docker_build_release_runtime.outputs.digest }}" | |
else | |
digest=$(../cilium-base-branch/images/scripts/get-image-digest.sh "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }}") | |
../cilium-base-branch/images/runtime/update-cilium-runtime-image.sh "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }}@${digest}" | |
fi | |
- name: Update Builder Images | |
run: | | |
if [[ "${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }}" == "true" ]]; then | |
../cilium-base-branch/images/builder/update-cilium-builder-image.sh "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }}@${{ steps.docker_build_release_builder.outputs.digest }}" | |
else | |
digest=$(../cilium-base-branch/images/scripts/get-image-digest.sh "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }}") | |
../cilium-base-branch/images/builder/update-cilium-builder-image.sh "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }}@${digest}" | |
fi | |
- name: Update Protobuf APIs | |
# The builder image contains 'protoc', which can cause autogenerated | |
# protobuf files to change. Re-generate the API to compensate. | |
if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }} | |
env: | |
CONTAINER_IMAGE: quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }}@${{ steps.docker_build_release_builder.outputs.digest }} | |
run: | | |
export VOLUME=$PWD/api/v1 | |
make -C ../cilium-base-branch/api/v1 | |
- name: Commit changes | |
id: update-builder-image | |
run: | | |
if [[ "${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }}" == "true" ]]; then | |
../cilium-base-branch/images/builder/update-cilium-builder-image.sh "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }}@${{ steps.docker_build_release_builder.outputs.digest }}" | |
else | |
digest=$(../cilium-base-branch/images/scripts/get-image-digest.sh "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }}") | |
../cilium-base-branch/images/builder/update-cilium-builder-image.sh "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }}@${digest}" | |
fi | |
if ! git diff --quiet; then | |
if [[ "${{ steps.update-runtime-image.outputs.committed }}" == "true" ]]; then | |
git commit --amend -sam "images: update cilium-{runtime,builder}" | |
else | |
git commit -sam "images: update cilium-{runtime,builder}" | |
fi | |
echo committed="true" >> $GITHUB_OUTPUT | |
else | |
echo committed="false" >> $GITHUB_OUTPUT | |
fi | |
- name: Get token | |
if: ${{ steps.update-runtime-image.outputs.committed == 'true' || steps.update-builder-image.outputs.committed == 'true' }} | |
id: get_token | |
uses: cilium/actions-app-token@61a6271ce92ba02f49bf81c755685d59fb25a59a # v0.21.1 | |
with: | |
APP_PEM: ${{ secrets.AUTO_COMMITTER_PEM }} | |
APP_ID: ${{ secrets.AUTO_COMMITTER_APP_ID }} | |
- name: Push changes into PR | |
if: ${{ steps.update-runtime-image.outputs.committed == 'true' || steps.update-builder-image.outputs.committed == 'true' }} | |
env: | |
ref: ${{ github.event.pull_request.head.ref || github.ref }} | |
repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }} | |
run: | | |
git diff HEAD^ | |
git push https://x-access-token:${{ steps.get_token.outputs.app_token }}@github.com/${{ env.repository }}.git HEAD:${{ env.ref }} | |
image-digests: | |
name: Display Digests | |
runs-on: ubuntu-24.04 | |
needs: build-and-push | |
steps: | |
- name: Downloading Image Digests | |
shell: bash | |
run: | | |
mkdir -p image-digest/ | |
- name: Download digests of all images built | |
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
path: image-digest/ | |
pattern: "*image-digest *" | |
- name: Image Digests Output | |
shell: bash | |
run: | | |
cd image-digest/ | |
find -type f | sort | xargs -d '\n' cat |