
use official python img, google distroless doesn't support minor vers… #134



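name: Create docker image

# Run on every push that touches the application, its tests, the build definition or this
# workflow. There is no branch filter here: pushing, signing and attesting are gated on
# refs/heads/main inside the build job instead.
on:
  push:
    paths:
      - 'aiven_poke/**'
      - 'tests/**'
      - 'Earthfile'
      - 'pyproject.toml'
      - 'poetry.lock'
      - '.prospector.yaml'
      - '.github/workflows/*'

env:
  # Google Artifact Registry repository the image is pushed to (see the build job).
  REGISTRY: europe-north1-docker.pkg.dev/nais-io/nais/images
  # Earthly reads these flags from the environment. Actions hands env values to steps as
  # strings anyway, so they are quoted to make that explicit rather than relying on YAML
  # boolean parsing.
  EARTHLY_USE_INLINE_CACHE: "true"
  EARTHLY_SAVE_INLINE_CACHE: "true"
  EARTHLY_VERBOSE: "true"
  EARTHLY_FULL_TARGET: "true"
  EARTHLY_OUTPUT: "true"
  IMAGE_NAME: aiven-poke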
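jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: "read"
      # Required for the GCP Workload Identity Federation exchange and for keyless cosign signing.
      id-token: "write"
      # NOTE(review): no step in this job publishes to GHCR (the image goes to Google Artifact
      # Registry via WIF), so packages: write looks unused — confirm and drop it to keep the
      # job token least-privilege.
      packages: "write"
    steps:
      - name: Install earthly
        uses: earthly/actions-setup@135d686cdc4619918fd1b542d0a08d61dd104518 # ratchet:earthly/actions-setup@v1
        with:
          version: "latest" # or pin to a specific version, e.g. "v0.6.10"

      - name: Install cosign
        uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # ratchet:sigstore/cosign-installer@main
        with:
          cosign-release: 'v2.0.0'

      # Checks the keyless signature on the Chainguard python image against the identity of its
      # release workflow. This is the build's base image, not the GitHub runner image.
      # NOTE(review): this commit switches the build to the official python image; if the
      # Earthfile no longer pulls cgr.dev/chainguard/python, this check no longer covers the
      # image actually built from — point it at the image the Earthfile uses, or remove it.
      - name: Verify runner image
        run: >-
          cosign verify
          --certificate-identity https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main
          --certificate-oidc-issuer https://token.actions.githubusercontent.com
          cgr.dev/chainguard/python:3.11

      - name: Checkout
        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # ratchet:actions/checkout@v3

      - id: "auth"
        name: "Authenticate to Google Cloud"
        if: github.ref == 'refs/heads/main'
        # TODO(review): every other action here is pinned to a commit SHA via ratchet; this one
        # is pinned to a mutable tag, and the ratchet comment (v1.0.0) disagrees with the tag in
        # use (v1.1.1). Pin to the commit SHA of the intended release and let ratchet track it.
        uses: "google-github-actions/auth@v1.1.1" # ratchet:google-github-actions/auth@v1.0.0
        with:
          workload_identity_provider: "${{ secrets.NAIS_IO_WORKLOAD_IDENTITY_PROVIDER }}"
          service_account: "gh-aiven-poke@nais-io.iam.gserviceaccount.com"
          token_format: "access_token"

      - name: Login to Google Artifact Registry
        if: github.ref == 'refs/heads/main'
        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # ratchet:docker/login-action@v2
        with:
          registry: "${{ env.REGISTRY }}"
          username: "oauth2accesstoken"
          password: "${{ steps.auth.outputs.access_token }}"

      # IMAGE_TAG is <timestamp>-<short commit hash, "-dirty" suffixed if the tree is dirty>.
      # Both IMAGE and IMAGE_TAG are exported as job env (read by the later run steps) and as
      # step outputs (read by the job outputs below).
      - name: "Set image tag"
        id: set-image-tag
        run: |
          IMAGE_TAG="$(date +%Y%m%d%H%M%S)-$(git describe --always --dirty --exclude '*')"
          IMAGE="${REGISTRY}/${IMAGE_NAME}"
          echo "IMAGE_TAG=${IMAGE_TAG}" >> "${GITHUB_ENV}"
          echo "IMAGE=${IMAGE}" >> "${GITHUB_ENV}"
          echo "image_tag=${IMAGE_TAG}" >> "${GITHUB_OUTPUT}"
          echo "image=${IMAGE}:${IMAGE_TAG}" >> "${GITHUB_OUTPUT}"

      - name: Build and possibly push
        env:
          # Only main pushes to the registry; every other ref just builds.
          EARTHLY_PUSH: "${{ github.ref == 'refs/heads/main' }}"
        run: |
          earthly --version
          earthly --verbose +docker --IMAGE_TAG="${IMAGE_TAG}" --BASEIMAGE="${IMAGE}"

      # Resolve the pushed tag to its content digest so signing and attestation bind to the
      # immutable digest rather than the mutable tag. The image reference comes from the job
      # env set above (same value as steps.set-image-tag.outputs.image) instead of a ${{ }}
      # expression spliced into the script. The default `bash -e` does not fail on a failing
      # pipeline inside a command substitution, so an explicit empty/null check is needed
      # rather than handing an empty digest to cosign.
      - name: Retrieve image digest
        id: imgdigest
        if: github.ref == 'refs/heads/main'
        run: |
          set -euo pipefail
          docker pull "${IMAGE}:${IMAGE_TAG}"
          digest="$(docker inspect "${IMAGE}:${IMAGE_TAG}" | jq -r '.[].RepoDigests[0]')"
          if [ -z "${digest}" ] || [ "${digest}" = "null" ]; then
            echo "::error::could not resolve a repo digest for ${IMAGE}:${IMAGE_TAG}" >&2
            exit 1
          fi
          echo "digest=${digest}" >> "${GITHUB_OUTPUT}"

      # Keyless (Sigstore) signature of the image digest; the identity is this workflow's OIDC token.
      - name: Sign the container image
        if: github.ref == 'refs/heads/main'
        env:
          DIGEST: "${{ steps.imgdigest.outputs.digest }}"
        run: cosign sign --yes "${DIGEST}"

      # NOTE(review): cyclonedx-bom is installed unpinned, so the SBOM that gets attested is
      # produced by whatever version pip resolves at run time — pin a version (and ideally
      # hashes). The SBOM is generated in poetry mode (-p) from the project's dependencies,
      # not from the contents of the image; confirm that is the intended scope.
      - name: Create SBOM
        if: github.ref == 'refs/heads/main'
        run: |
          sudo apt-get update && sudo apt-get install -y python3-pip
          pip3 install cyclonedx-bom
          cyclonedx-py -p --format json -o sbom.json

      # Attach the SBOM as a CycloneDX attestation to the same digest that was signed.
      - name: Attest image
        if: github.ref == 'refs/heads/main'
        env:
          DIGEST: "${{ steps.imgdigest.outputs.digest }}"
        run: cosign attest --yes --predicate sbom.json --type cyclonedx "${DIGEST}"

    outputs:
      image: "${{ steps.set-image-tag.outputs.image }}"
      image_tag: "${{ steps.set-image-tag.outputs.image_tag }}"

  # XXX: Deploy to fasit doesn't work when feature is only available in legacy clusters because of no CI cluster
  # deploy-fasit:
  #   name: Deploy to Fasit
  #   if: github.ref == 'refs/heads/main'
  #   runs-on: fasit-deploy
  #   permissions:
  #     contents: read
  #     id-token: write
  #   needs:
  #     - build
  #   steps:
  #     - uses: nais/fasit-deploy@main
  #       with:
  #         json: '{"image": {"tag": "${{ needs.build.outputs.image_tag }}"}}'
  #         feature_name: aiven-poke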