-
Notifications
You must be signed in to change notification settings - Fork 4
100 lines (98 loc) · 4.5 KB
/
dev.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
---
name: Publish 0.0.0-dev images
on:
push:
branches:
- main
jobs:
development:
name: ${{ matrix.product }} 0.0.0-dev
permissions:
id-token: write
runs-on: ubuntu-latest
strategy:
# fail-fast: true
# This setting can be changed to throttle the build load
# max-parallel: 1
matrix:
product:
- airflow
- druid
- hadoop
- hbase
- hive
- kafka
- krb5
- nifi
- opa
- spark-k8s
- superset
- testing-tools
- trino
- tools
- zookeeper
shard_count:
- 5
shard_index: [0, 1, 2, 3, 4] # between 0 and shard_count-1
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # tag=v4.1.1
- uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # tag=v3.0.0
- uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # tag=v3.0.0
- uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # tag=v5.0.0
with:
python-version: '3.x'
- name: Set up Cosign
uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # tag=v3.3.0
- name: Install image-tools-stackabletech
run: pip install image-tools-stackabletech==0.0.5
- uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # tag=v3.0.0
with:
registry: docker.stackable.tech
username: github
password: ${{ secrets.NEXUS_PASSWORD }}
- name: Login to Stackable Harbor
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # tag=v3
with:
registry: oci.stackable.tech
username: robot$sdp+github-action-build
password: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }}
- name: Publish dev images
id: publish_images
run: |
# Bake images and load them to local docker repo for signing
# TODO: buildx cannot --load and --push at the same time
bake --product "${{ matrix.product }}" \
--image-version 0.0.0-dev \
--shard-count "${{matrix.shard_count}}" \
--shard-index "${{matrix.shard_index}}" \
--export-tags-file bake-target-tags
# Push images to image repository
if [ -f bake-target-tags ]; then
echo "bake-target-tags: "$(< bake-target-tags)
IMAGE_NAME=$(cat bake-target-tags | cut -d ":" -f 1)
TAG_NAME=$(cat bake-target-tags | cut -d ":" -f 2)
echo "image: $IMAGE_NAME"
echo "tag: $TAG_NAME"
# Store the output of `docker image push` into a variable, so we can parse it for the digest
PUSH_OUTPUT=$(docker image push "$(< bake-target-tags)" 2>&1)
echo "$PUSH_OUTPUT"
# Obtain the digest of the pushed image from the output of `docker image push`, because signing by tag is deprecated and will be removed from cosign in the future
DIGEST=$(echo "$PUSH_OUTPUT" | awk "/: digest: sha256:[a-f0-9]{64} size: [0-9]+$/ { print \$3 }")
# Refer to image via its digest (docker.stackable.tech/stackable/airflow@sha256:0a1b2c...)
# This generates a signature and publishes it to the registry, next to the image
# Uses the keyless signing flow with Github Actions as identity provider
cosign sign -y "$IMAGE_NAME@$DIGEST"
# Push to oci.stackable.tech as well
IMAGE_NAME=oci.stackable.tech/sdp/${{ matrix.product }}
echo "image: $IMAGE_NAME"
docker tag "$(< bake-target-tags)" "$IMAGE_NAME:$TAG_NAME"
# Store the output of `docker image push` into a variable, so we can parse it for the digest
PUSH_OUTPUT=$(docker image push "$IMAGE_NAME:$TAG_NAME" 2>&1)
echo "$PUSH_OUTPUT"
# Obtain the digest of the pushed image from the output of `docker image push`, because signing by tag is deprecated and will be removed from cosign in the future
DIGEST=$(echo "$PUSH_OUTPUT" | awk "/: digest: sha256:[a-f0-9]{64} size: [0-9]+$/ { print \$3 }")
# Refer to image via its digest (oci.stackable.tech/sdp/airflow@sha256:0a1b2c...)
# This generates a signature and publishes it to the registry, next to the image
# Uses the keyless signing flow with Github Actions as identity provider
cosign sign -y "$IMAGE_NAME@$DIGEST"
fi