build-images-base.yaml

name: Base Image Release Build

# Any change in triggers needs to be reflected in the concurrency group.
on:
  pull_request_target:
    types:
      - opened
      - synchronize
      - reopened
    paths:
      - images/runtime/**
      - images/builder/**
  # This workflow can be reused so that renovate can execute this workflow_dispatch:
  # run from a different environment than 'release-base-images'. See
  # build-images-base-renovate.yaml
  workflow_call:
    secrets:
      QUAY_BASE_RELEASE_USERNAME:
        required: true
      QUAY_BASE_RELEASE_PASSWORD:
        required: true
      AUTO_COMMITTER_PEM:
        required: true
      AUTO_COMMITTER_APP_ID:
        required: true
    inputs:
      environment:
        required: true
        type: string
        default: "release-base-images"

permissions:
  # To be able to access the repository with `actions/checkout`
  contents: read
  # Required to generate OIDC tokens for `sigstore/cosign-installer` authentication
  id-token: write

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

jobs:
  has-credentials:
    name: Check for Quay secrets
    runs-on: ubuntu-24.04
    environment: ${{ inputs.environment || 'release-base-images' }}
    timeout-minutes: 2
    outputs:
      present: ${{ steps.secrets.outputs.present }}
    steps:
      - name: Check for secrets
        id: secrets
        env:
          has_credentials: ${{ secrets.QUAY_BASE_RELEASE_USERNAME && secrets.QUAY_BASE_RELEASE_PASSWORD && 1 }}
        if: ${{ env.has_credentials }}
        run:
          echo 'present=1' >> "$GITHUB_OUTPUT"

  build-and-push:
    needs: has-credentials
    # Skip this workflow for repositories without credentials and branches that are created by renovate where the event type is pull_request_target
    if: ${{ needs.has-credentials.outputs.present && ! (github.event_name == 'pull_request_target' && startsWith(github.head_ref, 'renovate/')) }}
    name: Build and Push Images
    timeout-minutes: 45
    environment: ${{ inputs.environment || 'release-base-images' }}
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout default branch (trusted)
        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
        with:
          ref: ${{ github.event.repository.default_branch }}
          persist-credentials: false

      - name: Cleanup Disk space in runner
        uses: ./.github/actions/disk-cleanup

      - name: Checkout base branch (trusted)
        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
        with:
          ref: ${{ github.base_ref }}
          persist-credentials: false

      - name: Copy scripts to trusted directory
        run: |
          mkdir -p ../cilium-base-branch/images/runtime/
          cp ./images/runtime/update-cilium-runtime-image.sh ../cilium-base-branch/images/runtime/
          mkdir -p ../cilium-base-branch/images/builder/
          cp ./images/builder/update-cilium-builder-image.sh ../cilium-base-branch/images/builder/
          mkdir -p ../cilium-base-branch/images/scripts/
          cp ./images/scripts/get-image-digest.sh ../cilium-base-branch/images/scripts/
          mkdir -p ../cilium-base-branch/api/v1
          cp ./api/v1/Makefile ../cilium-base-branch/api/v1/
          cp ./Makefile.defs ../cilium-base-branch/Makefile.defs
          cp ./Makefile.quiet ../cilium-base-branch/Makefile.quiet

      - name: Set Environment Variables
        uses: ./.github/actions/set-env-variables

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1

      - name: Set up QEMU
        id: qemu
        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0

      - name: Install Cosign
        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0

      # Warning: since this is a privileged workflow, subsequent workflow job
      # steps must take care not to execute untrusted code.
      - name: Checkout pull request branch (NOT TRUSTED)
        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
        with:
          persist-credentials: false
          ref: ${{ github.event.pull_request.head.sha }}

      - name: Set-up git
        run: |
          git config user.name "Cilium Imagebot"
          git config user.email "noreply@cilium.io"

      - name: Generating image tag for Cilium-Runtime
        id: runtime-tag
        run: |
          echo tag="$(git ls-tree --full-tree HEAD -- ./images/runtime | awk '{ print $3 }')" >> $GITHUB_OUTPUT

      - name: Checking if tag for Cilium-Runtime already exists
        id: cilium-runtime-tag-in-repositories
        shell: bash
        run: |
          if docker buildx imagetools inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{  steps.runtime-tag.outputs.tag }} &>/dev/null; then
            echo exists="true" >> $GITHUB_OUTPUT
          else
            echo exists="false" >> $GITHUB_OUTPUT
          fi

      - name: Login to quay.io
        if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }}
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_BASE_RELEASE_USERNAME }}
          password: ${{ secrets.QUAY_BASE_RELEASE_PASSWORD }}

      - name: Release build cilium-runtime
        if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }}
        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
        id: docker_build_release_runtime
        with:
          provenance: false
          context: ./images/runtime
          file: ./images/runtime/Dockerfile
          push: true
          platforms: linux/amd64,linux/arm64
          tags: |
            quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }}

      - name: Sign Container Image Runtime
        if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }}
        run: |
          cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime@${{ steps.docker_build_release_runtime.outputs.digest }}


      - name: Generate SBOM
        if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }}
        uses: anchore/sbom-action@8d0a6505bf28ced3e85154d13dc6af83299e13f1 # v0.17.4
        with:
          artifact-name: sbom_cilium-runtime_${{ steps.runtime-tag.outputs.tag }}.spdx.json
          output-file: ./sbom_cilium-runtime_${{ steps.runtime-tag.outputs.tag }}.spdx.json
          image: quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }}

      - name: Attach SBOM attestation to container image
        if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }}
        run: |
          cosign attest -r -y --predicate sbom_cilium-runtime_${{ steps.runtime-tag.outputs.tag }}.spdx.json --type spdxjson quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime@${{ steps.docker_build_release_runtime.outputs.digest }}

      - name: Image Release Digest Runtime
        if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }}
        shell: bash
        run: |
          mkdir -p image-digest/
          echo "## cilium-runtime" > image-digest/cilium-runtime.txt
          echo "" >> image-digest/cilium-runtime.txt
          echo "\`quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }}@${{ steps.docker_build_release_runtime.outputs.digest }}\`" >> image-digest/cilium-runtime.txt
          echo "" >> image-digest/cilium-runtime.txt

      - name: Upload artifact digests runtime
        if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }}
        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
        with:
          name: image-digest cilium-runtime
          path: image-digest
          retention-days: 1

      - name: Update Runtime Image
        id: update-runtime-image
        run: |
          if [[ "${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }}" == "true" ]]; then
            ../cilium-base-branch/images/runtime/update-cilium-runtime-image.sh "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }}@${{ steps.docker_build_release_runtime.outputs.digest }}"
          else
            digest=$(../cilium-base-branch/images/scripts/get-image-digest.sh "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }}")
            ../cilium-base-branch/images/runtime/update-cilium-runtime-image.sh "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }}@${digest}"
          fi
          if ! git diff --quiet; then
            git commit -sam "images: update cilium-{runtime,builder}"
            echo committed="true" >> $GITHUB_OUTPUT
          else
            echo committed="false" >> $GITHUB_OUTPUT
          fi

      - name: Generating image tag for Cilium-Builder
        id: builder-tag
        run: |
          echo tag="$(git ls-tree --full-tree HEAD -- ./images/builder | awk '{ print $3 }')" >> $GITHUB_OUTPUT

      - name: Checking if tag for Cilium-Builder already exists
        id: cilium-builder-tag-in-repositories
        shell: bash
        run: |
          if docker buildx imagetools inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{  steps.builder-tag.outputs.tag }} &>/dev/null; then
            echo exists="true" >> $GITHUB_OUTPUT
          else
            echo exists="false" >> $GITHUB_OUTPUT
          fi

      - name: Login to quay.io
        if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' && steps.cilium-runtime-tag-in-repositories.outputs.exists != 'false' }}
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_BASE_RELEASE_USERNAME }}
          password: ${{ secrets.QUAY_BASE_RELEASE_PASSWORD }}

      - name: Release build cilium-builder
        if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }}
        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
        id: docker_build_release_builder
        with:
          provenance: false
          context: ./images/builder
          file: ./images/builder/Dockerfile
          push: true
          platforms: linux/amd64,linux/arm64
          tags: |
            quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }}

      - name: Sign Container Image Builder
        if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }}
        run: |
          cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder@${{ steps.docker_build_release_builder.outputs.digest }}

      - name: Generate SBOM
        if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }}
        uses: anchore/sbom-action@8d0a6505bf28ced3e85154d13dc6af83299e13f1 # v0.17.4
        with:
          artifact-name: sbom_cilium-builder_${{ steps.builder-tag.outputs.tag }}.spdx.json
          output-file: ./sbom_cilium-builder_${{ steps.builder-tag.outputs.tag }}.spdx.json
          image: quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }}

      - name: Attach SBOM attestation to container image
        if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }}
        run: |
          cosign attest -r -y --predicate sbom_cilium-builder_${{ steps.builder-tag.outputs.tag }}.spdx.json --type spdxjson quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder@${{ steps.docker_build_release_builder.outputs.digest }}

      - name: Image Release Digest Builder
        if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }}
        shell: bash
        run: |
          mkdir -p image-digest/
          echo "## cilium-builder" > image-digest/cilium-builder.txt
          echo "" >> image-digest/cilium-builder.txt
          echo "\`quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }}@${{ steps.docker_build_release_builder.outputs.digest }}\`" >> image-digest/cilium-builder.txt
          echo "" >> image-digest/cilium-builder.txt

      - name: Upload artifact digests builder
        if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }}
        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
        with:
          name: image-digest cilium-builder
          path: image-digest
          retention-days: 1

      - name: Update Runtime Image
        run: |
          if [[ "${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }}" == "true" ]]; then
            ../cilium-base-branch/images/runtime/update-cilium-runtime-image.sh "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }}@${{ steps.docker_build_release_runtime.outputs.digest }}"
          else
            digest=$(../cilium-base-branch/images/scripts/get-image-digest.sh "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }}")
            ../cilium-base-branch/images/runtime/update-cilium-runtime-image.sh "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }}@${digest}"
          fi

      - name: Update Builder Images
        run: |
          if [[ "${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }}" == "true" ]]; then
            ../cilium-base-branch/images/builder/update-cilium-builder-image.sh "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }}@${{ steps.docker_build_release_builder.outputs.digest }}"
          else
            digest=$(../cilium-base-branch/images/scripts/get-image-digest.sh "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }}")
            ../cilium-base-branch/images/builder/update-cilium-builder-image.sh "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }}@${digest}"
          fi

      - name: Update Protobuf APIs
        # The builder image contains 'protoc', which can cause autogenerated
        # protobuf files to change. Re-generate the API to compensate.
        if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }}
        env:
          CONTAINER_IMAGE: quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }}@${{ steps.docker_build_release_builder.outputs.digest }}
        run: |
          export VOLUME=$PWD/api/v1
          make -C ../cilium-base-branch/api/v1

      - name: Commit changes
        id: update-builder-image
        run: |
          if [[ "${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }}" == "true" ]]; then
            ../cilium-base-branch/images/builder/update-cilium-builder-image.sh "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }}@${{ steps.docker_build_release_builder.outputs.digest }}"
          else
            digest=$(../cilium-base-branch/images/scripts/get-image-digest.sh "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }}")
            ../cilium-base-branch/images/builder/update-cilium-builder-image.sh "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }}@${digest}"
          fi
          if ! git diff --quiet; then
            if [[ "${{ steps.update-runtime-image.outputs.committed }}" == "true" ]]; then
              git commit --amend -sam "images: update cilium-{runtime,builder}"
            else
              git commit -sam "images: update cilium-{runtime,builder}"
            fi
            echo committed="true" >> $GITHUB_OUTPUT
          else
            echo committed="false" >> $GITHUB_OUTPUT
          fi

      - name: Get token
        if: ${{ steps.update-runtime-image.outputs.committed == 'true' || steps.update-builder-image.outputs.committed == 'true' }}
        id: get_token
        uses: cilium/actions-app-token@61a6271ce92ba02f49bf81c755685d59fb25a59a # v0.21.1
        with:
          APP_PEM: ${{ secrets.AUTO_COMMITTER_PEM }}
          APP_ID: ${{ secrets.AUTO_COMMITTER_APP_ID }}

      - name: Push changes into PR
        if: ${{ steps.update-runtime-image.outputs.committed == 'true' || steps.update-builder-image.outputs.committed == 'true' }}
        env:
          ref: ${{ github.event.pull_request.head.ref || github.ref }}
          repository:  ${{ github.event.pull_request.head.repo.full_name || github.repository }}
        run: |
          git diff HEAD^
          git push https://x-access-token:${{ steps.get_token.outputs.app_token }}@github.com/${{ env.repository }}.git HEAD:${{ env.ref }}

  image-digests:
    name: Display Digests
    runs-on: ubuntu-24.04
    needs: build-and-push
    steps:
      - name: Downloading Image Digests
        shell: bash
        run: |
          mkdir -p image-digest/

      - name: Download digests of all images built
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          path: image-digest/
          pattern: "*image-digest *"

      - name: Image Digests Output
        shell: bash
        run: |
          cd image-digest/
          find -type f | sort | xargs -d '\n' cat