[main] Add image build on tag workflow (#105)

* add initial image build workflow * add arm64 image build --------- Co-authored-by: joshmeranda <joshua.meranda@gmail.com>
rancher · Feb 21, 2025 · 64d0093 · 64d0093
1 parent 2e32f62
commit 64d0093
Showing 1 changed file with 114 additions and 0 deletions.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -5,6 +5,13 @@ on:
     tags:
       - v*
 
+permissions:
+  contents: write
+
+env:
+  REGISTRY: docker.io
+  REPO: rancher
+
 jobs:
   release:
     runs-on: ubuntu-latest
@@ -23,3 +30,110 @@ jobs:
           else
             gh --repo "${{ github.repository }}" release create ${{ github.ref_name }} --verify-tag --generate-notes
           fi
+  image:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    strategy:
+      matrix:
+        arch:
+        - amd64
+        - arm64
+    name: Build and push proxy image
+    steps:
+      - name : Checkout repository
+        # https://github.com/actions/checkout/releases/tag/v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: "Read vault secrets"
+        uses: rancher-eio/read-vault-secrets@main
+        with:
+          secrets: |
+            secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | DOCKER_USERNAME;
+            secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | DOCKER_PASSWORD
+
+      - name: Set up QEMU
+        # https://github.com/docker/setup-qemu-action/releases/tag/v3.1.0
+        uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3.4.0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
+        # https://github.com/docker/setup-buildx-action/releases/tag/v3.4.0
+
+      - name: Log in to the Container registry
+        # https://github.com/docker/login-action/releases/tag/v3.2.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ env.DOCKER_USERNAME }}
+          password: ${{ env.DOCKER_PASSWORD }}
+
+      - name: Build and push the remotedialer image
+        id: build
+        # https://github.com/docker/build-push-action/releases/tag/v6.3.0
+        uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
+        with:
+          context: .
+          file: ./Dockerfile.proxy
+          platforms: "linux/${{ matrix.arch }}"
+          outputs: type=image,name=${{ env.REPO }}/remotedialer-proxy,push-by-digest=true,name-canonical=true,push=true
+
+      - name: Export digest
+        run: |
+          mkdir -p /tmp/digests
+          digest="${{ steps.build.outputs.digest }}"
+          touch "/tmp/digests/${digest#sha256:}"
+
+      - name: Upload digest
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+        # https://github.com/actions/upload-artifact/releases/tag/v4.3.3
+        with:
+          name: digests-${{ matrix.arch }}
+          path: /tmp/digests/*
+          if-no-files-found: error
+          retention-days: 1
+
+  merge-images:
+    permissions:
+      id-token: write
+    runs-on: ubuntu-latest
+    needs: image
+    steps:
+      - name: Download digests
+        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+        # https://github.com/actions/download-artifact/releases/tag/v4.1.7
+        with:
+          path: /tmp/digests
+          pattern: digests-*
+          merge-multiple: true
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0
+        # https://github.com/docker/setup-buildx-action/releases/tag/v3.4.0
+
+      - name: "Read vault secrets"
+        uses: rancher-eio/read-vault-secrets@main
+        with:
+          secrets: |
+            secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | DOCKER_USERNAME ;
+            secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | DOCKER_PASSWORD
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+        # https://github.com/docker/login-action/releases/tag/v3.2.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ env.DOCKER_USERNAME }}
+          password: ${{ env.DOCKER_PASSWORD }}
+
+      # setup tag name
+      - if: ${{ startsWith(github.ref, 'refs/tags/') }}
+        run: |
+          echo TAG_NAME=$(echo $GITHUB_REF | sed -e "s|refs/tags/||") >> $GITHUB_ENV
+
+      - name: Create manifest list and push
+        working-directory: /tmp/digests
+        run: |
+          docker buildx imagetools create -t ${{ env.REGISTRY }}/${{ env.REPO }}/remotedialer-proxy:${{ env.TAG_NAME }} \
+            $(printf '${{ env.REPO }}/remotedialer-proxy@sha256:%s ' *)