1- ---
2- name : Docker build and push to quay
3-
4- # This workflow uses actions that are not certified by GitHub.
5- # They are provided by a third-party and are governed by
6- # separate terms of service, privacy policy, and support
7- # documentation.
8- permissions : read-all
1+ name : Build (amd64 and arm64) and push to quay registries
92
103on :
114 push :
12- branches : ['main', 'v1']
13- # Publish semver tags as releases.
14- tags : ['v*.*.*']
5+ branches : ["main"]
6+ tags : ["v*.*.*"]
157 pull_request :
168 branches : ["main"]
179
1810 workflow_dispatch :
1911
20- env :
21- # Use docker.io for Docker Hub if empty
22- REGISTRY : quay.io
23- # The following is stored in a per-repo env config variable
24- # github.repository as <account>/<repo>
25- # QUAY_IMAGE_NAME: hybridcloudpatterns/imperative-container
12+ repository_dispatch :
13+ types : [dependency-updated]
14+
15+ permissions :
16+ contents : read
2617
18+ env :
19+ REGISTRY : localhost
20+ NAME : imperative-container
21+ TAG : ${{ github.event_name == 'pull_request' && format('pr-{0}', github.event.pull_request.number) || (github.ref_name == 'main' && 'latest' || github.ref_name) }}
2722
2823jobs :
29- test :
30- uses : ./.github/workflows/container-test.yml
24+ build-container :
25+ strategy :
26+ matrix :
27+ include :
28+ - targetarch : amd64
29+ runner : ubuntu-latest
30+ - targetarch : arm64
31+ runner : ubuntu-24.04-arm
32+
33+ runs-on : ${{ matrix.runner }}
34+ permissions :
35+ contents : read
36+
37+ steps :
38+ - name : Checkout repository
39+ uses : actions/checkout@v5
40+ with :
41+ persist-credentials : false
42+
43+ - name : Build container and save tarball
44+ env :
45+ CONTAINER : ${{ env.NAME }}:${{ env.TAG }}
46+ TARGETARCH : ${{ matrix.targetarch }}
47+ run : |
48+ make "${TARGETARCH}"
49+ buildah push "${CONTAINER}-${TARGETARCH}" "docker-archive:/tmp/image-${TARGETARCH}.tar:${CONTAINER}-${TARGETARCH}"
50+
51+ - name : Upload image artifact
52+ uses : actions/upload-artifact@v4
53+ with :
54+ name : image-${{ matrix.targetarch }}-${{ github.run_id }}
55+ path : /tmp/image-${{ matrix.targetarch }}.tar
56+ retention-days : 1
57+
58+ push-multiarch-manifest :
59+ needs : [build-container]
60+ if : github.event_name != 'pull_request'
61+ strategy :
62+ matrix :
63+ include :
64+ - upload_registry : quay.io/validatedpatterns
65+ legacy : false
66+ - upload_registry : quay.io/hybridcloudpatterns
67+ legacy : true
3168
32- build-container-and-push :
33- needs : [test]
3469 runs-on : ubuntu-latest
3570 permissions :
3671 contents : read
37- packages : write
3872 # This is used to complete the identity challenge
3973 # with sigstore/fulcio when running outside of PRs.
4074 id-token : write
@@ -45,71 +79,57 @@ jobs:
4579 with :
4680 persist-credentials : false
4781
48- - name : Set up QEMU
49- uses : docker/setup-qemu-action@v3
50-
51- # Install the cosign tool except on PR
52- # https://github.com/sigstore/cosign-installer
53- - name : Install cosign
54- if : github.event_name != 'pull_request'
55- uses : sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
56- with :
57- cosign-release : ' v2.2.4'
58-
59- # Set up BuildKit Docker container builder to be able to build
60- # multi-platform images and export cache
61- # https://github.com/docker/setup-buildx-action
62- - name : Set up Docker Buildx
63- uses : docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
64-
65- # Login against a Docker registry except on PR
66- # https://github.com/docker/login-action
67- - name : Log into registry ${{ env.REGISTRY }}
68- if : github.event_name != 'pull_request'
69- uses : docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
82+ - name : Download AMD64 image
83+ uses : actions/download-artifact@v5
7084 with :
71- registry : ${{ env.REGISTRY }}
72- username : ${{ secrets.QUAY_USERNAME }}
73- password : ${{ secrets.QUAY_PASSWORD }}
74-
75- # Extract metadata (tags, labels) for Docker
76- # https://github.com/docker/metadata-action
77- # We add the latest tag only when we are on the main branch
78- - name : Extract Docker metadata
79- id : meta
80- uses : docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
85+ name : image-amd64-${{ github.run_id }}
86+ path : /tmp
87+
88+ - name : Download ARM64 image
89+ uses : actions/download-artifact@v5
8190 with :
82- images : ${{ env.REGISTRY }}/${{ vars.QUAY_IMAGE_NAME || 'hybridcloudpatterns/imperative-container' }}
83- flavor : |
84- latest=${{ github.ref == 'refs/heads/main' }}
85-
86- # https://github.com/docker/build-push-action
87- # Build Docker image with Buildx. We always disable the cache as
88- # it sometimes would not pull the new git changes for the cluster_utils,v1
89- # We only push to an actual registry when it is not a pull request (merge/push)
90- - name : Build and push Docker image
91- id : build-and-push
92- uses : docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
91+ name : image-arm64-${{ github.run_id }}
92+ path : /tmp
93+
94+ - name : Load tarballs into local containers-storage
95+ run : |
96+ buildah pull docker-archive:/tmp/image-amd64.tar
97+ buildah pull docker-archive:/tmp/image-arm64.tar
98+
99+ - name : Log into Quay
100+ env :
101+ USERNAME : ${{ matrix.legacy && secrets.LEGACY_QUAY_USERNAME || secrets.QUAY_USERNAME }}
102+ PASSWORD : ${{ matrix.legacy && secrets.LEGACY_QUAY_PASSWORD || secrets.QUAY_PASSWORD }}
103+ run : |
104+ buildah login -u "${USERNAME}" -p "${PASSWORD}" quay.io
105+
106+ # The compressed manifest in Quay has a different digest than the local so we
107+ # need to use skopeo to retrieve the correct digest for signing
108+ - name : Create manifest and push to Quay
109+ id : manifest-push
110+ env :
111+ UPLOADREGISTRY : ${{ matrix.upload_registry }}
112+ CONTAINER : ${{ env.NAME }}:${{ env.TAG }}
113+ run : |
114+ make manifest
115+ buildah manifest add --arch=amd64 "${REGISTRY}/${CONTAINER}" "${REGISTRY}/${CONTAINER}-amd64"
116+ buildah manifest add --arch=arm64 "${REGISTRY}/${CONTAINER}" "${REGISTRY}/${CONTAINER}-arm64"
117+ make upload
118+ DIGEST=$(skopeo inspect --format "{{.Digest}}" "docker://${UPLOADREGISTRY}/${CONTAINER}")
119+ echo "digest=$DIGEST" >> "$GITHUB_OUTPUT"
120+
121+ - name : Install cosign
122+ uses : sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
93123 with :
94- context : .
95- file : Containerfile
96- platforms : linux/amd64,linux/arm64
97- push : ${{ github.event_name != 'pull_request' }}
98- tags : ${{ steps.meta.outputs.tags }}
99- labels : ${{ steps.meta.outputs.labels }}
100- no-cache : true
101-
102- # Sign the resulting Docker image digest except on PRs.
103- # This will only write to the public Rekor transparency log when the Docker
104- # repository is public to avoid leaking data. If you would like to publish
105- # transparency data even for private images, pass --force to cosign below.
106- # https://github.com/sigstore/cosign
107- - name : Sign the published Docker image when not a PR
108- if : ${{ github.event_name != 'pull_request' }}
124+ cosign-release : " v2.2.4"
125+
126+ # Cosign expects the docker config.json for registry authentication so we must
127+ # copy it from buildah
128+ - name : Sign the published Docker image
109129 env :
110- # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
111- TAGS : ${{ steps.meta .outputs.tags }}
112- DIGEST : ${{ steps.build-and-push.outputs.digest }}
113- # This step uses the identity token to provision an ephemeral certificate
114- # against the sigstore community Fulcio instance.
115- run : echo "${TAGS}" | xargs -I "{}" cosign sign --yes "{ }@${DIGEST}"
130+ CONTAINER : ${{ env.NAME }}:${{ env.TAG }}
131+ DIGEST : ${{ steps.manifest-push .outputs.digest }}
132+ UPLOADREGISTRY : ${{ matrix.upload_registry }}
133+ run : |
134+ cat "${XDG_RUNTIME_DIR}/containers/auth.json" > ~/.docker/config.json
135+ cosign sign --yes "${UPLOADREGISTRY}/${CONTAINER }@${DIGEST}"
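Review bot: `buildah login -u "${USERNAME}" -p "${PASSWORD}" quay.io` in the "Log into Quay" step puts the registry password on the command line, where it is readable from the process argument list by anything else on the runner and would be echoed by shell tracing even though GitHub masks the secret in the step log; feeding it on stdin avoids that: `printf '%s' "${PASSWORD}" | buildah login -u "${USERNAME}" --password-stdin quay.io`. The digest handed to `cosign sign` is read back by tag with `skopeo inspect` after `make upload`, so the signature attests whatever the tag resolves to at inspect time rather than the manifest this job pushed; if the `upload` target can write the pushed digest (buildah's `manifest push --digestfile`, for instance) that value would be the safer input, though the Makefile is not visible here. The cosign-installer pin on the new side resolves to v3.9.2 while the removed line pinned v3.10.0, so unless the downgrade is intentional it should stay at the newer release. `cat "${XDG_RUNTIME_DIR}/containers/auth.json" > ~/.docker/config.json` presumably assumes `~/.docker` already exists and leaves the copied credentials world-readable by default; `mkdir -p ~/.docker` followed by `install -m 600 "${XDG_RUNTIME_DIR}/containers/auth.json" ~/.docker/config.json` covers both. The push-multiarch-manifest job these steps belong to starts in the earlier hunk.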