buildah v1.41 not available on github runners #6
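# Using https://github.com/redhat-actions/buildah-build
# doc https://github.com/marketplace/actions/buildah-build
#
# Third-party actions below are referenced by major-version tag. Pinning each
# `uses:` to a full commit SHA (tag kept in a trailing comment) would make the
# action supply chain reproducible; the SLSA generator is the exception, its
# README requires a tag reference.
name: "Build a container that ship with goreleaser, cosign, ko-build, trivy, syft and push to GitHub Container Registry (GHCR)"

on:
  pull_request:
    branches:
      - main
      - release/*
  push:
    branches:
      - main
      - buildah-redhat-ga  # TODO: remove after testing

# Least-privilege default for GITHUB_TOKEN. A job that declares its own
# `permissions:` block replaces this default entirely, so jobs that push
# images or sign attestations list every scope they need themselves.
permissions:
  contents: read

# Variables:
#  - BUILDAH_BUILD_CONTEXT is the path to the location of the Containerfile.
#  - BASE_CONTAINERFILE_NAME is the name and location of the Containerfile for the base image with a /bin/bash entrypoint.
#  - GOREL_ENTRYP_CONTAINERFILE_NAME is the name and location of the Containerfile for the image with ENTRYPOINT [ "/go/bin/goreleaser" ]
#    (documented here but not set in this workflow).
env:
  BUILDAH_BUILD_CONTEXT: "${{ github.workspace }}"
  BASE_CONTAINERFILE_NAME: "Containerfile.base"
  OCI_REGISTRY: "ghcr.io"  # must be lowercase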
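jobs:
  set-lowercase-repository:
    runs-on: ubuntu-latest
    outputs:
      lowercase-github-repository: ${{ steps.convert.outputs.lowercase }}
    steps:
      - name: Convert GitHub repository name to lowercase for OCI registry
        id: convert
        # GITHUB_REPOSITORY is the default environment variable carrying
        # ${{ github.repository }}. Reading it from the environment instead of
        # interpolating the expression into the script keeps the shell source
        # static; ${VAR,,} is bash's lowercase expansion (hence shell: bash).
        run: |
          echo "lowercase=${GITHUB_REPOSITORY,,}" >> "$GITHUB_OUTPUT"
        shell: bash

  show-lowercase-repository:
    needs: set-lowercase-repository
    runs-on: ubuntu-latest
    steps:
      - name: Access lowercase GitHub repository name
        # Job outputs are passed through `env:` rather than expanded inside
        # the script, so the shell never parses expression output as code.
        env:
          LOWERCASE_REPOSITORY: ${{ needs.set-lowercase-repository.outputs.lowercase-github-repository }}
        run: |
          echo "Original Repository: ${GITHUB_REPOSITORY}"
          echo "Lowercase Repository: ${LOWERCASE_REPOSITORY}"

  # buildah job with oci = true
  build-oci-true:
    needs: set-lowercase-repository
    runs-on: ubuntu-latest
    # A job-level permissions block sets every unlisted scope to none, so the
    # read scope used by actions/checkout has to be listed alongside the
    # write scope used for the GHCR push.
    permissions:
      contents: read
      packages: write
    outputs:
      oci-image-digest: ${{ steps.buildah.outputs.digest }}
      oci-image-url: ${{ steps.set-oci-image-url.outputs.oci_image_url }}  # needs to be lowercase
    steps:
      - name: Checkout source code
        uses: actions/checkout@v5

      - name: Extract Tools Versions from Containerfile as we use this in tags names
        id: extract
        # Reads the first `ARG NAME=value` line for each name from the base
        # Containerfile and exports the value as a step output. A missing ARG
        # fails the step with an explicit error instead of producing an empty
        # tag. Output names are lowercase, matching how later steps read them.
        run: |
          set -euo pipefail
          containerfile="${BUILDAH_BUILD_CONTEXT}/${BASE_CONTAINERFILE_NAME}"

          # Print the value of `ARG $1=...` (everything after the first '=').
          arg_value() {
            grep -m1 "ARG $1=" "$containerfile" | cut -d'=' -f2- || {
              echo "::error::ARG $1 not found in ${containerfile}"
              return 1
            }
          }

          a_particular_tag_name=$(arg_value A_PARTICULAR_TAG_NAME)
          a_particular_tag_semver=$(arg_value A_PARTICULAR_TAG_SEMVER)
          alpine_version=$(arg_value ALPINE_VERSION)
          {
            echo "a_particular_tag_name=${a_particular_tag_name}"
            echo "a_particular_tag_semver=${a_particular_tag_semver}"
            echo "alpine_version=${alpine_version}"
          } >> "$GITHUB_OUTPUT"
        shell: bash

      - uses: docker/login-action@v3
        id: docker-login
        with:
          registry: ${{ env.OCI_REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Set OCI container image URL to Github output
        id: set-oci-image-url
        # OCI_REGISTRY comes from the workflow-level env; the repository name
        # is handed over via `env:` so no expression is expanded in the script.
        env:
          LOWERCASE_REPOSITORY: ${{ needs.set-lowercase-repository.outputs.lowercase-github-repository }}
        run: echo "oci_image_url=${OCI_REGISTRY}/${LOWERCASE_REPOSITORY}-base" >> "$GITHUB_OUTPUT"

      - name: Container metadata and tags with docker/metadata-action
        id: docker-metadata
        uses: docker/metadata-action@v5
        with:
          # image name may contain lowercase letters, digits and separators https://github.com/docker/metadata-action/tree/v5/?tab=readme-ov-file#image-name-and-tag-sanitization
          images: ${{ steps.set-oci-image-url.outputs.oci_image_url }}
          tags: |
            type=ref,event=branch
            # use tools version as tags
            type=raw,value=a-particular-tag-${{ steps.extract.outputs.a_particular_tag_name }}-oci
            type=raw,value=a-particular-tag-semver-${{ steps.extract.outputs.a_particular_tag_semver }}-oci
            type=raw,value=alpine-${{ steps.extract.outputs.alpine_version }}-oci
            type=raw,value=a-particular-tag-${{ steps.extract.outputs.a_particular_tag_name }}-oci-alpine-${{ steps.extract.outputs.alpine_version }}
            type=raw,value=a-particular-tag-semver-${{ steps.extract.outputs.a_particular_tag_semver }}-oci-alpine-${{ steps.extract.outputs.alpine_version }}
            # minimal (short sha)
            type=sha
            # full length sha
            type=sha,format=long

      - name: Build the OCI image buildah oci true
        id: buildah
        uses: redhat-actions/buildah-build@v2
        with:
          #context: ${{ env.BUILDAH_BUILD_CONTEXT }}
          containerfiles: |
            ${{ env.BASE_CONTAINERFILE_NAME }}
          layers: true
          oci: true
          tags: ${{ steps.docker-metadata.outputs.tags }}
          #labels: ${{ steps.docker-metadata.outputs.labels }}
          ###extra-args: |                                      # only supported by buildah v1.41+
          ###  --created-annotation=true                        # only supported by buildah v1.41+
          ###  --inherit-annotations=true                       # only supported by buildah v1.41+
          ###  --inherit-labels=true                            # only supported by buildah v1.41+
          ###  --unsetannotation "org.opencontainers.image.url" # only supported by buildah v1.41+
          ###  --unsetlabel "org.opencontainers.image.url"      # only supported by buildah v1.41+

      - name: Check images created by buildah
        run: buildah images

      - name: push to ghcr registry with redhat-actions/push-to-registry
        id: push-to-ghcr
        uses: redhat-actions/push-to-registry@v2
        with:
          image: ${{ steps.set-oci-image-url.outputs.oci_image_url }}  # needs to be lowercase
          tags: ${{ steps.buildah.outputs.tags }}
          registry: ${{ env.OCI_REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

  # buildah job with oci = false
  build-oci-false:
    needs: set-lowercase-repository
    runs-on: ubuntu-latest
    # See build-oci-true: checkout needs the read scope, the push the write one.
    permissions:
      contents: read
      packages: write
    outputs:
      oci-image-digest: ${{ steps.buildah.outputs.digest }}
      oci-image-url: ${{ steps.set-oci-image-url.outputs.oci_image_url }}  # needs to be lowercase
    steps:
      - name: Checkout source code
        uses: actions/checkout@v5

      - name: Extract Tools Versions from Containerfile as we use this in tags names
        id: extract
        # Same extraction as in build-oci-true (GitHub Actions has no
        # YAML-anchor or shared-step mechanism, so the script is repeated).
        run: |
          set -euo pipefail
          containerfile="${BUILDAH_BUILD_CONTEXT}/${BASE_CONTAINERFILE_NAME}"

          # Print the value of `ARG $1=...` (everything after the first '=').
          arg_value() {
            grep -m1 "ARG $1=" "$containerfile" | cut -d'=' -f2- || {
              echo "::error::ARG $1 not found in ${containerfile}"
              return 1
            }
          }

          a_particular_tag_name=$(arg_value A_PARTICULAR_TAG_NAME)
          a_particular_tag_semver=$(arg_value A_PARTICULAR_TAG_SEMVER)
          alpine_version=$(arg_value ALPINE_VERSION)
          {
            echo "a_particular_tag_name=${a_particular_tag_name}"
            echo "a_particular_tag_semver=${a_particular_tag_semver}"
            echo "alpine_version=${alpine_version}"
          } >> "$GITHUB_OUTPUT"
        shell: bash

      - uses: docker/login-action@v3
        id: docker-login
        with:
          registry: ${{ env.OCI_REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Set OCI container image URL to Github output
        id: set-oci-image-url
        env:
          LOWERCASE_REPOSITORY: ${{ needs.set-lowercase-repository.outputs.lowercase-github-repository }}
        run: echo "oci_image_url=${OCI_REGISTRY}/${LOWERCASE_REPOSITORY}-base" >> "$GITHUB_OUTPUT"

      - name: Container metadata and tags with docker/metadata-action
        id: docker-metadata
        uses: docker/metadata-action@v5
        with:
          # image name may contain lowercase letters, digits and separators https://github.com/docker/metadata-action/tree/v5/?tab=readme-ov-file#image-name-and-tag-sanitization
          images: ${{ steps.set-oci-image-url.outputs.oci_image_url }}
          tags: |
            type=ref,event=branch
            # use tools version as tags
            type=raw,value=a-particular-tag-${{ steps.extract.outputs.a_particular_tag_name }}-dockerv2
            type=raw,value=a-particular-tag-semver-${{ steps.extract.outputs.a_particular_tag_semver }}-dockerv2
            type=raw,value=alpine-${{ steps.extract.outputs.alpine_version }}-dockerv2
            type=raw,value=a-particular-tag-${{ steps.extract.outputs.a_particular_tag_name }}-dockerv2-alpine-${{ steps.extract.outputs.alpine_version }}
            type=raw,value=a-particular-tag-semver-${{ steps.extract.outputs.a_particular_tag_semver }}-dockerv2-alpine-${{ steps.extract.outputs.alpine_version }}
            # minimal (short sha)
            type=sha
            # full length sha
            type=sha,format=long

      - name: Build the OCI image buildah oci false
        id: buildah
        uses: redhat-actions/buildah-build@v2
        with:
          #context: ${{ env.BUILDAH_BUILD_CONTEXT }}
          containerfiles: |
            ${{ env.BASE_CONTAINERFILE_NAME }}
          layers: true
          oci: false
          tags: ${{ steps.docker-metadata.outputs.tags }}
          #labels: ${{ steps.docker-metadata.outputs.labels }}

      - name: Check images created by buildah
        run: buildah images

      - name: push to ghcr registry with redhat-actions/push-to-registry
        id: push-to-ghcr
        uses: redhat-actions/push-to-registry@v2
        with:
          image: ${{ steps.set-oci-image-url.outputs.oci_image_url }}  # needs to be lowercase
          tags: ${{ steps.buildah.outputs.tags }}
          registry: ${{ env.OCI_REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

  # Job to build a SLSA provenance attestation
  build-oci-true-provenance:
    name: Generate SLSA provenance attestation for OCI v1 container manifest
    needs: [build-oci-true, set-lowercase-repository]  # Ensure this job runs after build-oci-true
    permissions:
      actions: read  # for detecting the Github Actions environment.
      id-token: write  # for creating OIDC tokens for signing. Required for SLSA and Cosign
      packages: write  # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues)
    # Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
    with:
      image: ${{ needs.build-oci-true.outputs.oci-image-url }}  # needs to be lowercase
      digest: ${{ needs.build-oci-true.outputs.oci-image-digest }}
    secrets:
      registry-username: ${{ github.actor }}
      registry-password: ${{ secrets.GITHUB_TOKEN }}

  build-oci-false-provenance:
    name: Generate SLSA provenance attestation for docker v2 container manifest
    needs: [build-oci-false, set-lowercase-repository]  # Ensure this job runs after build-oci-false
    permissions:
      actions: read  # for detecting the Github Actions environment.
      id-token: write  # for creating OIDC tokens for signing. Required for SLSA and Cosign
      packages: write  # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues)
    # Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
    with:
      image: ${{ needs.build-oci-false.outputs.oci-image-url }}  # needs to be lowercase
      digest: ${{ needs.build-oci-false.outputs.oci-image-digest }}
    secrets:
      registry-username: ${{ github.actor }}
      registry-password: ${{ secrets.GITHUB_TOKEN }}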