Skip to content

Feature/hive feature manager #7

Feature/hive feature manager

Feature/hive feature manager #7

name: Base Image Release Build
# Any change in triggers needs to be reflected in the concurrency group.
on:
pull_request_target:
types:
- opened
- synchronize
- reopened
paths:
- images/runtime/**
- images/builder/**
# This workflow can be reused so that renovate can execute this workflow_dispatch:
# run from a different environment than 'release-base-images'. See
# build-images-base-renovate.yaml
workflow_call:
secrets:
QUAY_BASE_RELEASE_USERNAME:
required: true
QUAY_BASE_RELEASE_PASSWORD:
required: true
AUTO_COMMITTER_PEM:
required: true
AUTO_COMMITTER_APP_ID:
required: true
inputs:
environment:
required: true
type: string
default: "release-base-images"
permissions:
# To be able to access the repository with `actions/checkout`
contents: read
# Required to generate OIDC tokens for `sigstore/cosign-installer` authentication
id-token: write
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
jobs:
has-credentials:
name: Check for Quay secrets
runs-on: ubuntu-24.04
environment: ${{ inputs.environment || 'release-base-images' }}
timeout-minutes: 2
outputs:
present: ${{ steps.secrets.outputs.present }}
steps:
- name: Check for secrets
id: secrets
env:
has_credentials: ${{ secrets.QUAY_BASE_RELEASE_USERNAME && secrets.QUAY_BASE_RELEASE_PASSWORD && 1 }}
if: ${{ env.has_credentials }}
run:
echo 'present=1' >> "$GITHUB_OUTPUT"
build-and-push:
needs: has-credentials
# Skip this workflow for repositories without credentials and branches that are created by renovate where the event type is pull_request_target
if: ${{ needs.has-credentials.outputs.present && ! (github.event_name == 'pull_request_target' && startsWith(github.head_ref, 'renovate/')) }}
name: Build and Push Images
timeout-minutes: 45
environment: ${{ inputs.environment || 'release-base-images' }}
runs-on: ubuntu-24.04
steps:
- name: Checkout default branch (trusted)
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with:
ref: ${{ github.event.repository.default_branch }}
persist-credentials: false
- name: Cleanup Disk space in runner
uses: ./.github/actions/disk-cleanup
- name: Checkout base branch (trusted)
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with:
ref: ${{ github.base_ref }}
persist-credentials: false
- name: Copy scripts to trusted directory
run: |
mkdir -p ../cilium-base-branch/images/runtime/
cp ./images/runtime/update-cilium-runtime-image.sh ../cilium-base-branch/images/runtime/
mkdir -p ../cilium-base-branch/images/builder/
cp ./images/builder/update-cilium-builder-image.sh ../cilium-base-branch/images/builder/
mkdir -p ../cilium-base-branch/images/scripts/
cp ./images/scripts/get-image-digest.sh ../cilium-base-branch/images/scripts/
mkdir -p ../cilium-base-branch/api/v1
cp ./api/v1/Makefile ../cilium-base-branch/api/v1/
cp ./Makefile.defs ../cilium-base-branch/Makefile.defs
cp ./Makefile.quiet ../cilium-base-branch/Makefile.quiet
- name: Set Environment Variables
uses: ./.github/actions/set-env-variables
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
- name: Set up QEMU
id: qemu
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
- name: Install Cosign
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
# Warning: since this is a privileged workflow, subsequent workflow job
# steps must take care not to execute untrusted code.
- name: Checkout pull request branch (NOT TRUSTED)
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with:
persist-credentials: false
ref: ${{ github.event.pull_request.head.sha }}
- name: Set-up git
run: |
git config user.name "Cilium Imagebot"
git config user.email "noreply@cilium.io"
- name: Generating image tag for Cilium-Runtime
id: runtime-tag
run: |
echo tag="$(git ls-tree --full-tree HEAD -- ./images/runtime | awk '{ print $3 }')" >> $GITHUB_OUTPUT
- name: Checking if tag for Cilium-Runtime already exists
id: cilium-runtime-tag-in-repositories
shell: bash
run: |
if docker buildx imagetools inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }} &>/dev/null; then
echo exists="true" >> $GITHUB_OUTPUT
else
echo exists="false" >> $GITHUB_OUTPUT
fi
- name: Login to quay.io
if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }}
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: quay.io
username: ${{ secrets.QUAY_BASE_RELEASE_USERNAME }}
password: ${{ secrets.QUAY_BASE_RELEASE_PASSWORD }}
- name: Release build cilium-runtime
if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }}
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
id: docker_build_release_runtime
with:
provenance: false
context: ./images/runtime
file: ./images/runtime/Dockerfile
push: true
platforms: linux/amd64,linux/arm64
tags: |
quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }}
- name: Sign Container Image Runtime
if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }}
run: |
cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime@${{ steps.docker_build_release_runtime.outputs.digest }}
- name: Generate SBOM
if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }}
uses: anchore/sbom-action@8d0a6505bf28ced3e85154d13dc6af83299e13f1 # v0.17.4
with:
artifact-name: sbom_cilium-runtime_${{ steps.runtime-tag.outputs.tag }}.spdx.json
output-file: ./sbom_cilium-runtime_${{ steps.runtime-tag.outputs.tag }}.spdx.json
image: quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }}
- name: Attach SBOM attestation to container image
if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }}
run: |
cosign attest -r -y --predicate sbom_cilium-runtime_${{ steps.runtime-tag.outputs.tag }}.spdx.json --type spdxjson quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime@${{ steps.docker_build_release_runtime.outputs.digest }}
- name: Image Release Digest Runtime
if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }}
shell: bash
run: |
mkdir -p image-digest/
echo "## cilium-runtime" > image-digest/cilium-runtime.txt
echo "" >> image-digest/cilium-runtime.txt
echo "\`quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }}@${{ steps.docker_build_release_runtime.outputs.digest }}\`" >> image-digest/cilium-runtime.txt
echo "" >> image-digest/cilium-runtime.txt
- name: Upload artifact digests runtime
if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }}
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: image-digest cilium-runtime
path: image-digest
retention-days: 1
- name: Update Runtime Image
id: update-runtime-image
run: |
if [[ "${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }}" == "true" ]]; then
../cilium-base-branch/images/runtime/update-cilium-runtime-image.sh "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }}@${{ steps.docker_build_release_runtime.outputs.digest }}"
else
digest=$(../cilium-base-branch/images/scripts/get-image-digest.sh "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }}")
../cilium-base-branch/images/runtime/update-cilium-runtime-image.sh "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }}@${digest}"
fi
if ! git diff --quiet; then
git commit -sam "images: update cilium-{runtime,builder}"
echo committed="true" >> $GITHUB_OUTPUT
else
echo committed="false" >> $GITHUB_OUTPUT
fi
- name: Generating image tag for Cilium-Builder
id: builder-tag
run: |
echo tag="$(git ls-tree --full-tree HEAD -- ./images/builder | awk '{ print $3 }')" >> $GITHUB_OUTPUT
- name: Checking if tag for Cilium-Builder already exists
id: cilium-builder-tag-in-repositories
shell: bash
run: |
if docker buildx imagetools inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }} &>/dev/null; then
echo exists="true" >> $GITHUB_OUTPUT
else
echo exists="false" >> $GITHUB_OUTPUT
fi
- name: Login to quay.io
if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' && steps.cilium-runtime-tag-in-repositories.outputs.exists != 'false' }}
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: quay.io
username: ${{ secrets.QUAY_BASE_RELEASE_USERNAME }}
password: ${{ secrets.QUAY_BASE_RELEASE_PASSWORD }}
- name: Release build cilium-builder
if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }}
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
id: docker_build_release_builder
with:
provenance: false
context: ./images/builder
file: ./images/builder/Dockerfile
push: true
platforms: linux/amd64,linux/arm64
tags: |
quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }}
- name: Sign Container Image Builder
if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }}
run: |
cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder@${{ steps.docker_build_release_builder.outputs.digest }}
- name: Generate SBOM
if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }}
uses: anchore/sbom-action@8d0a6505bf28ced3e85154d13dc6af83299e13f1 # v0.17.4
with:
artifact-name: sbom_cilium-builder_${{ steps.builder-tag.outputs.tag }}.spdx.json
output-file: ./sbom_cilium-builder_${{ steps.builder-tag.outputs.tag }}.spdx.json
image: quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }}
- name: Attach SBOM attestation to container image
if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }}
run: |
cosign attest -r -y --predicate sbom_cilium-builder_${{ steps.builder-tag.outputs.tag }}.spdx.json --type spdxjson quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder@${{ steps.docker_build_release_builder.outputs.digest }}
- name: Image Release Digest Builder
if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }}
shell: bash
run: |
mkdir -p image-digest/
echo "## cilium-builder" > image-digest/cilium-builder.txt
echo "" >> image-digest/cilium-builder.txt
echo "\`quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }}@${{ steps.docker_build_release_builder.outputs.digest }}\`" >> image-digest/cilium-builder.txt
echo "" >> image-digest/cilium-builder.txt
- name: Upload artifact digests builder
if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }}
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: image-digest cilium-builder
path: image-digest
retention-days: 1
- name: Update Runtime Image
run: |
if [[ "${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }}" == "true" ]]; then
../cilium-base-branch/images/runtime/update-cilium-runtime-image.sh "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }}@${{ steps.docker_build_release_runtime.outputs.digest }}"
else
digest=$(../cilium-base-branch/images/scripts/get-image-digest.sh "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }}")
../cilium-base-branch/images/runtime/update-cilium-runtime-image.sh "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }}@${digest}"
fi
- name: Update Builder Images
run: |
if [[ "${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }}" == "true" ]]; then
../cilium-base-branch/images/builder/update-cilium-builder-image.sh "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }}@${{ steps.docker_build_release_builder.outputs.digest }}"
else
digest=$(../cilium-base-branch/images/scripts/get-image-digest.sh "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }}")
../cilium-base-branch/images/builder/update-cilium-builder-image.sh "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }}@${digest}"
fi
- name: Update Protobuf APIs
# The builder image contains 'protoc', which can cause autogenerated
# protobuf files to change. Re-generate the API to compensate.
if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }}
env:
CONTAINER_IMAGE: quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }}@${{ steps.docker_build_release_builder.outputs.digest }}
run: |
export VOLUME=$PWD/api/v1
make -C ../cilium-base-branch/api/v1
- name: Commit changes
id: update-builder-image
run: |
if [[ "${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }}" == "true" ]]; then
../cilium-base-branch/images/builder/update-cilium-builder-image.sh "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }}@${{ steps.docker_build_release_builder.outputs.digest }}"
else
digest=$(../cilium-base-branch/images/scripts/get-image-digest.sh "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }}")
../cilium-base-branch/images/builder/update-cilium-builder-image.sh "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }}@${digest}"
fi
if ! git diff --quiet; then
if [[ "${{ steps.update-runtime-image.outputs.committed }}" == "true" ]]; then
git commit --amend -sam "images: update cilium-{runtime,builder}"
else
git commit -sam "images: update cilium-{runtime,builder}"
fi
echo committed="true" >> $GITHUB_OUTPUT
else
echo committed="false" >> $GITHUB_OUTPUT
fi
- name: Get token
if: ${{ steps.update-runtime-image.outputs.committed == 'true' || steps.update-builder-image.outputs.committed == 'true' }}
id: get_token
uses: cilium/actions-app-token@61a6271ce92ba02f49bf81c755685d59fb25a59a # v0.21.1
with:
APP_PEM: ${{ secrets.AUTO_COMMITTER_PEM }}
APP_ID: ${{ secrets.AUTO_COMMITTER_APP_ID }}
- name: Push changes into PR
if: ${{ steps.update-runtime-image.outputs.committed == 'true' || steps.update-builder-image.outputs.committed == 'true' }}
env:
ref: ${{ github.event.pull_request.head.ref || github.ref }}
repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }}
run: |
git diff HEAD^
git push https://x-access-token:${{ steps.get_token.outputs.app_token }}@github.com/${{ env.repository }}.git HEAD:${{ env.ref }}
image-digests:
name: Display Digests
runs-on: ubuntu-24.04
needs: build-and-push
steps:
- name: Downloading Image Digests
shell: bash
run: |
mkdir -p image-digest/
- name: Download digests of all images built
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
path: image-digest/
pattern: "*image-digest *"
- name: Image Digests Output
shell: bash
run: |
cd image-digest/
find -type f | sort | xargs -d '\n' cat