utility-container/.github/workflows/docker-publish.yml at main · validatedpatterns/utility-container · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
name: Build (amd64 and arm64) and push to quay registries

on:
  push:
    branches: ["main", "v1"]
    tags: ["v*.*.*", "v*"]
  pull_request:
    branches: ["main"]

  workflow_dispatch:

  repository_dispatch:
    types: [dependency-updated]

permissions:
  contents: read

env:
  REGISTRY: localhost
  NAME: utility-container
  TAG: ${{ github.event_name == 'pull_request' && format('pr-{0}', github.event.pull_request.number) || (github.ref_name == 'main' && 'latest' || github.ref_name) }}

jobs:
  build-container:
    strategy:
      matrix:
        include:
          - targetarch: amd64
            runner: ubuntu-latest
          - targetarch: arm64
            runner: ubuntu-24.04-arm

    runs-on: ${{ matrix.runner }}
    permissions:
      contents: read

    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          persist-credentials: false

      - name: Build container and save tarball
        env:
          CONTAINER: ${{ env.NAME }}:${{ env.TAG }}
          TARGETARCH: ${{ matrix.targetarch }}
        run: |
          make "${TARGETARCH}"
          buildah push "${CONTAINER}-${TARGETARCH}" "docker-archive:/tmp/image-${TARGETARCH}.tar:${CONTAINER}-${TARGETARCH}"

      - name: Upload image artifact
        uses: actions/upload-artifact@v7
        with:
          name: image-${{ matrix.targetarch }}-${{ github.run_id }}
          path: /tmp/image-${{ matrix.targetarch }}.tar
          retention-days: 1

  test-container:
    needs: [build-container]
    uses: ./.github/workflows/container-test.yml

  push-multiarch-manifest:
    needs: [test-container]
    if: github.event_name != 'pull_request'
    strategy:
      matrix:
        include:
          - upload_registry: quay.io/validatedpatterns
            legacy: false
          - upload_registry: quay.io/hybridcloudpatterns
            legacy: true

    runs-on: ubuntu-latest
    permissions:
      contents: read
      # This is used to complete the identity challenge
      # with sigstore/fulcio when running outside of PRs.
      id-token: write

    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          persist-credentials: false

      - name: Download AMD64 image
        uses: actions/download-artifact@v8
        with:
          name: image-amd64-${{ github.run_id }}
          path: /tmp

      - name: Download ARM64 image
        uses: actions/download-artifact@v8
        with:
          name: image-arm64-${{ github.run_id }}
          path: /tmp

      - name: Load tarballs into local containers-storage
        run: |
          buildah pull docker-archive:/tmp/image-amd64.tar
          buildah pull docker-archive:/tmp/image-arm64.tar

      - name: Log into Quay
        env:
          USERNAME: ${{ matrix.legacy && secrets.LEGACY_QUAY_USERNAME || secrets.QUAY_USERNAME }}
          PASSWORD: ${{ matrix.legacy && secrets.LEGACY_QUAY_PASSWORD || secrets.QUAY_PASSWORD }}
        run: |
          buildah login -u "${USERNAME}" -p "${PASSWORD}" quay.io

      # The compressed manifest in Quay has a different digest than the local so we
      # need to use skopeo to retrieve the correct digest for signing
      - name: Create manifest and push to Quay
        id: manifest-push
        env:
          UPLOADREGISTRY: ${{ matrix.upload_registry }}
          CONTAINER: ${{ env.NAME }}:${{ env.TAG }}
        run: |
          make manifest
          buildah manifest add --arch=amd64 "${REGISTRY}/${CONTAINER}" "${REGISTRY}/${CONTAINER}-amd64"
          buildah manifest add --arch=arm64 "${REGISTRY}/${CONTAINER}" "${REGISTRY}/${CONTAINER}-arm64"
          make upload
          DIGEST=$(skopeo inspect --format "{{.Digest}}" "docker://${UPLOADREGISTRY}/${CONTAINER}")
          echo "digest=$DIGEST" >> "$GITHUB_OUTPUT"

      - name: Install cosign
        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
        with:
          cosign-release: "v2.2.4"

      # Cosign expects the docker config.json for registry authentication so we must
      # copy it from buildah
      - name: Sign the published Docker image
        env:
          CONTAINER: ${{ env.NAME }}:${{ env.TAG }}
          DIGEST: ${{ steps.manifest-push.outputs.digest }}
          UPLOADREGISTRY: ${{ matrix.upload_registry }}
        run: |
          cat "${XDG_RUNTIME_DIR}/containers/auth.json" > ~/.docker/config.json
          cosign sign --yes "${UPLOADREGISTRY}/${CONTAINER}@${DIGEST}"