Merge pull request #55 from validatedpatterns/dependabot/github_actio… #476
| name: Build (amd64 and arm64) and push to quay registries | |
| on: | |
| push: | |
| branches: ["main", "v1"] | |
| tags: ["v*.*.*", "v*"] | |
| pull_request: | |
| branches: ["main"] | |
| workflow_dispatch: | |
| repository_dispatch: | |
| types: [dependency-updated] | |
| permissions: | |
| contents: read | |
| env: | |
| REGISTRY: localhost | |
| NAME: imperative-container | |
| TAG: ${{ github.event_name == 'pull_request' && format('pr-{0}', github.event.pull_request.number) || (github.ref_name == 'main' && 'latest' || github.ref_name) }} | |
| jobs: | |
| build-container: | |
| strategy: | |
| matrix: | |
| include: | |
| - targetarch: amd64 | |
| runner: ubuntu-latest | |
| - targetarch: arm64 | |
| runner: ubuntu-24.04-arm | |
| runs-on: ${{ matrix.runner }} | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v6 | |
| with: | |
| persist-credentials: false | |
| - name: Build container and save tarball | |
| env: | |
| CONTAINER: ${{ env.NAME }}:${{ env.TAG }} | |
| TARGETARCH: ${{ matrix.targetarch }} | |
| run: | | |
| make "${TARGETARCH}" | |
| buildah push "${CONTAINER}-${TARGETARCH}" "docker-archive:/tmp/image-${TARGETARCH}.tar:${CONTAINER}-${TARGETARCH}" | |
| - name: Upload image artifact | |
| uses: actions/upload-artifact@v5 | |
| with: | |
| name: image-${{ matrix.targetarch }}-${{ github.run_id }} | |
| path: /tmp/image-${{ matrix.targetarch }}.tar | |
| retention-days: 1 | |
| push-multiarch-manifest: | |
| needs: [build-container] | |
| if: github.event_name != 'pull_request' | |
| strategy: | |
| matrix: | |
| include: | |
| - upload_registry: quay.io/validatedpatterns | |
| legacy: false | |
| - upload_registry: quay.io/hybridcloudpatterns | |
| legacy: true | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| # This is used to complete the identity challenge | |
| # with sigstore/fulcio when running outside of PRs. | |
| id-token: write | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v6 | |
| with: | |
| persist-credentials: false | |
| - name: Download AMD64 image | |
| uses: actions/download-artifact@v6 | |
| with: | |
| name: image-amd64-${{ github.run_id }} | |
| path: /tmp | |
| - name: Download ARM64 image | |
| uses: actions/download-artifact@v6 | |
| with: | |
| name: image-arm64-${{ github.run_id }} | |
| path: /tmp | |
| - name: Load tarballs into local containers-storage | |
| run: | | |
| buildah pull docker-archive:/tmp/image-amd64.tar | |
| buildah pull docker-archive:/tmp/image-arm64.tar | |
| - name: Log into Quay | |
| env: | |
| USERNAME: ${{ matrix.legacy && secrets.LEGACY_QUAY_USERNAME || secrets.QUAY_USERNAME }} | |
| PASSWORD: ${{ matrix.legacy && secrets.LEGACY_QUAY_PASSWORD || secrets.QUAY_PASSWORD }} | |
| run: | | |
| buildah login -u "${USERNAME}" -p "${PASSWORD}" quay.io | |
| # The compressed manifest in Quay has a different digest than the local so we | |
| # need to use skopeo to retrieve the correct digest for signing | |
| - name: Create manifest and push to Quay | |
| id: manifest-push | |
| env: | |
| UPLOADREGISTRY: ${{ matrix.upload_registry }} | |
| CONTAINER: ${{ env.NAME }}:${{ env.TAG }} | |
| run: | | |
| make manifest | |
| buildah manifest add --arch=amd64 "${REGISTRY}/${CONTAINER}" "${REGISTRY}/${CONTAINER}-amd64" | |
| buildah manifest add --arch=arm64 "${REGISTRY}/${CONTAINER}" "${REGISTRY}/${CONTAINER}-arm64" | |
| make upload | |
| DIGEST=$(skopeo inspect --format "{{.Digest}}" "docker://${UPLOADREGISTRY}/${CONTAINER}") | |
| echo "digest=$DIGEST" >> "$GITHUB_OUTPUT" | |
| - name: Install cosign | |
| uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 | |
| with: | |
| cosign-release: "v2.2.4" | |
| # Cosign expects the docker config.json for registry authentication so we must | |
| # copy it from buildah | |
| - name: Sign the published Docker image | |
| env: | |
| CONTAINER: ${{ env.NAME }}:${{ env.TAG }} | |
| DIGEST: ${{ steps.manifest-push.outputs.digest }} | |
| UPLOADREGISTRY: ${{ matrix.upload_registry }} | |
| run: | | |
| cat "${XDG_RUNTIME_DIR}/containers/auth.json" > ~/.docker/config.json | |
| cosign sign --yes "${UPLOADREGISTRY}/${CONTAINER}@${DIGEST}" |
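Review bot: The Quay login step passes the registry password on the command line in `buildah login -u "${USERNAME}" -p "${PASSWORD}" quay.io`, which exposes it in the process table and in any shell tracing or error output even though the job log masks it; buildah's `--password-stdin` keeps it out of argv: `printf '%s' "${PASSWORD}" | buildah login -u "${USERNAME}" --password-stdin quay.io`. On the same theme, the action pins are inconsistent: sigstore/cosign-installer is pinned to a commit SHA with a version comment, while actions/checkout, actions/upload-artifact and actions/download-artifact use floating major tags, so pinning those to SHAs too would match the stricter convention this workflow already follows. The `cat "${XDG_RUNTIME_DIR}/containers/auth.json" > ~/.docker/config.json` line in the signing step also appears to assume `~/.docker` already exists and writes the credential file with the default umask; `install -D -m 600 "${XDG_RUNTIME_DIR}/containers/auth.json" ~/.docker/config.json` would create the directory and set the mode explicitly.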