tetragon: un/pin fixes #10256
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Image CI Build | |
| on: | |
| pull_request_target: | |
| types: | |
| - opened | |
| - synchronize | |
| - reopened | |
| paths-ignore: | |
| - 'docs/**' | |
| push: | |
| branches: | |
| - main | |
| - test* | |
| paths-ignore: | |
| - 'docs/**' | |
| # Since this workflow can execute on pull_request_target, drop all the | |
| # permissions of the GITHUB_TOKEN except `contents: read` for access to the repo | |
| # with the actions/checkout action. | |
| permissions: | |
| contents: read | |
| jobs: | |
| build-and-push: | |
| runs-on: ubuntu-22.04 | |
| strategy: | |
| matrix: | |
| include: | |
| - name: tetragon | |
| dockerfile: ./Dockerfile | |
| - name: tetragon-operator | |
| dockerfile: ./Dockerfile.operator | |
| - name: tetragon-rthooks | |
| dockerfile: ./Dockerfile.rthooks | |
| env: | |
| IMAGE: quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci | |
| steps: | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 | |
| with: | |
| platforms: arm64 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 | |
| - name: Getting image tag | |
| id: tag | |
| env: | |
| HEAD_SHA: ${{ github.event.pull_request.head.sha }} | |
| SHA: ${{ github.sha }} | |
| EVENT_NAME: ${{ github.event_name }} | |
| REF_NAME: ${{ github.ref_name }} | |
| run: | | |
| echo "tag=${HEAD_SHA:-$SHA}" | tee -a $GITHUB_OUTPUT | |
| if [ "$EVENT_NAME" == "push" ]; then | |
| echo "name=$( [ "$REF_NAME" == "main" ] && echo "latest" || echo "$REF_NAME" )" | tee -a $GITHUB_OUTPUT | |
| fi | |
| - name: Checkout main branch | |
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| with: | |
| persist-credentials: false | |
| ref: ${{ github.event.repository.default_branch }} | |
| fetch-depth: 0 | |
| # Install Go after checkout for caching mechanism to work | |
| - name: Install Go | |
| uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 | |
| with: | |
| # renovate: datasource=golang-version depName=go | |
| go-version: '1.23.2' | |
| # Warning: this must run before checking out the untrusted code | |
| - name: Get version | |
| run: echo "TETRAGON_VERSION=$(make version)" >> $GITHUB_ENV | |
| # Warning: since this is a privileged workflow, subsequent workflow job | |
| # steps must take care not to execute untrusted code. | |
| - name: Checkout pull request branch (NOT TRUSTED) | |
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| with: | |
| persist-credentials: false | |
| ref: ${{ steps.tag.outputs.tag }} | |
| fetch-depth: 0 | |
| - name: Login to quay.io for CI | |
| uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
| with: | |
| registry: quay.io | |
| username: ${{ secrets.QUAY_USERNAME_CI }} | |
| password: ${{ secrets.QUAY_PASSWORD_CI }} | |
| # main branch pushes | |
| - name: CI Build (main) | |
| if: ${{ github.event_name == 'push' }} | |
| uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0 | |
| id: docker_build_ci_main | |
| with: | |
| provenance: false | |
| context: . | |
| file: ${{ matrix.dockerfile }} | |
| push: true | |
| platforms: linux/amd64,linux/arm64 | |
| build-args: | | |
| TETRAGON_VERSION=${{ env.TETRAGON_VERSION }} | |
| tags: | | |
| ${{ env.IMAGE }}:${{ steps.tag.outputs.tag }} | |
| ${{ env.IMAGE }}:${{ steps.tag.outputs.name }} | |
| - name: CI Image Releases digests (main) | |
| if: github.event_name == 'push' | |
| run: | | |
| echo "| Info | Value |" >> $GITHUB_STEP_SUMMARY | |
| echo "| --- | --- |" >> $GITHUB_STEP_SUMMARY | |
| echo "| **Image** | \`$IMAGE\` |" >> $GITHUB_STEP_SUMMARY | |
| echo "| **Tag** | \`${{ steps.tag.outputs.tag }}\` |" >> $GITHUB_STEP_SUMMARY | |
| echo "| **SHA256** | \`${{ steps.docker_build_ci_main.outputs.digest }}\` |" >> $GITHUB_STEP_SUMMARY | |
| echo "| **Pull by tag** | \`$IMAGE:${{ steps.tag.outputs.tag }}\`|" >> $GITHUB_STEP_SUMMARY | |
| echo "| **Pull by digest** | \`$IMAGE@${{ steps.docker_build_ci_main.outputs.digest }}\` |" >> $GITHUB_STEP_SUMMARY | |
| # PR updates | |
| - name: CI Build (PR) | |
| if: github.event_name == 'pull_request_target' || github.event_name == 'pull_request' | |
| uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0 | |
| id: docker_build_ci_pr | |
| with: | |
| provenance: false | |
| context: . | |
| file: ${{ matrix.dockerfile }} | |
| push: true | |
| platforms: linux/amd64,linux/arm64 | |
| build-args: | | |
| TETRAGON_VERSION=${{ env.TETRAGON_VERSION }} | |
| tags: | | |
| ${{ env.IMAGE }}:${{ steps.tag.outputs.tag }} | |
| - name: CI Image Releases digests (PR) | |
| if: github.event_name == 'pull_request_target' || github.event_name == 'pull_request' | |
| run: | | |
| echo "| Info | Value |" >> $GITHUB_STEP_SUMMARY | |
| echo "| --- | --- |" >> $GITHUB_STEP_SUMMARY | |
| echo "| **Image** | \`$IMAGE\` |" >> $GITHUB_STEP_SUMMARY | |
| echo "| **Tag** | \`${{ steps.tag.outputs.tag }}\` |" >> $GITHUB_STEP_SUMMARY | |
| echo "| **SHA256** | \`${{ steps.docker_build_ci_pr.outputs.digest }}\` |" >> $GITHUB_STEP_SUMMARY | |
| echo "| **Pull by tag** | \`$IMAGE:${{ steps.tag.outputs.tag }}\` |" >> $GITHUB_STEP_SUMMARY | |
| echo "| **Pull by digest** | \`$IMAGE@${{ steps.docker_build_ci_pr.outputs.digest }}\` |" >> $GITHUB_STEP_SUMMARY |