Merge pull request #479 from wallarm/NODE-5870 #112
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build release images | |
| on: | |
| push: | |
| branches: | |
| - 'main' | |
| - 'stable/**' | |
| paths: | |
| - 'NGINX_BASE' | |
| - 'TAG' | |
| workflow_dispatch: | |
| permissions: | |
| contents: read | |
| jobs: | |
| changes: | |
| name: Changes | |
| permissions: | |
| contents: read | |
| pull-requests: read | |
| runs-on: ubuntu-latest | |
| outputs: | |
| controller: ${{ steps.filter.outputs.controller }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v3.0.2 | |
| - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v2.10.2 | |
| id: filter | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| base: ${{ github.ref }} | |
| filters: | | |
| controller: | |
| - 'TAG' | |
| build: | |
| name: Build and push images | |
| runs-on: self-hosted-amd64-4cpu | |
| if: needs.changes.outputs.controller == 'true' | |
| needs: | |
| - changes | |
| outputs: | |
| matrix: ${{ steps.items.outputs.matrix }} | |
| steps: | |
| - name: Import secrets | |
| uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0 | |
| id: secrets | |
| with: | |
| exportEnv: false | |
| url: ${{ secrets.VAULT_URL }} | |
| role: ${{ secrets.VAULT_ROLE }} | |
| method: kubernetes | |
| path: kubernetes-ci | |
| secrets: | | |
| kv-gitlab-ci/data/github/shared/dockerhub-creds user | DOCKERHUB_USER ; | |
| kv-gitlab-ci/data/github/shared/dockerhub-creds password | DOCKERHUB_PASSWORD ; | |
| - name: Checkout | |
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v3.0.2 | |
| - name: Setup Docker Buildx | |
| uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v2.0.0 | |
| with: | |
| version: latest | |
| use: false | |
| - name: Docker login | |
| uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 | |
| with: | |
| username: ${{ steps.secrets.outputs.DOCKERHUB_USER }} | |
| password: ${{ steps.secrets.outputs.DOCKERHUB_PASSWORD }} | |
| - name: Build and push controller images | |
| env: | |
| ARCH: amd64 | |
| PLATFORMS: amd64 arm64 | |
| BUILDX_PLATFORMS: linux/amd64,linux/arm64 | |
| USER: runner | |
| run: make release | |
| - name: Prepare list of images to sign | |
| id: items | |
| run: | | |
| cat <<EOF > matrix.json | |
| { | |
| "include": [ | |
| { | |
| "item": "controller", | |
| "image": "wallarm/ingress-controller:$(cat TAG)" | |
| }, | |
| { | |
| "item": "controller-chroot", | |
| "image": "wallarm/ingress-controller-chroot:$(cat TAG)" | |
| } | |
| ] | |
| } | |
| EOF | |
| cat matrix.json | |
| echo "matrix=$(cat matrix.json | jq -c '.')" >> $GITHUB_OUTPUT | |
| sign: | |
| name: Sign images | |
| runs-on: self-hosted-amd64-1cpu | |
| needs: | |
| - changes | |
| - build | |
| strategy: | |
| fail-fast: false | |
| matrix: ${{ fromJson(needs.build.outputs.matrix) }} | |
| steps: | |
| - name: Import secrets | |
| uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0 | |
| id: secrets | |
| with: | |
| exportEnv: false | |
| url: ${{ secrets.VAULT_URL }} | |
| role: ${{ secrets.VAULT_ROLE }} | |
| method: kubernetes | |
| path: kubernetes-ci | |
| secrets: | | |
| kv-gitlab-ci/data/node/build/cosign password | COSIGN_PASSWORD ; | |
| kv-gitlab-ci/data/node/build/cosign private_key | COSIGN_PRIVATE_KEY ; | |
| kv-gitlab-ci/data/github/shared/dockerhub-creds user | DOCKERHUB_USER ; | |
| kv-gitlab-ci/data/github/shared/dockerhub-creds password | DOCKERHUB_PASSWORD ; | |
| - name: Docker login | |
| uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 | |
| with: | |
| username: ${{ steps.secrets.outputs.DOCKERHUB_USER }} | |
| password: ${{ steps.secrets.outputs.DOCKERHUB_PASSWORD }} | |
| - name: Sign image ${{ matrix.image }} | |
| id: sign | |
| env: | |
| COSIGN_PRIVATE_KEY: ${{ steps.secrets.outputs.COSIGN_PRIVATE_KEY }} | |
| COSIGN_PASSWORD: ${{ steps.secrets.outputs.COSIGN_PASSWORD }} | |
| run: | | |
| IMAGE_NAME="${{ matrix.image }}" | |
| docker pull -q ${IMAGE_NAME} | |
| IMAGE_TAG=$(echo ${IMAGE_NAME} | awk -F':' '{print $2}') | |
| IMAGE_DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' ${IMAGE_NAME}) | |
| IMAGE_URI=$(echo $IMAGE_DIGEST | sed -e 's/\@sha256:/:sha256-/') | |
| SBOM_SPDX="${{ matrix.item }}_${IMAGE_TAG}_spdx.json" | |
| syft -o spdx-json ${IMAGE_NAME} > ${SBOM_SPDX} | |
| cosign attach sbom --sbom ${SBOM_SPDX} ${IMAGE_DIGEST} | |
| cosign sign --yes --key env://COSIGN_PRIVATE_KEY "${IMAGE_URI}.sbom" | |
| cosign sign --recursive --yes --key env://COSIGN_PRIVATE_KEY ${IMAGE_DIGEST} | |
| echo "sbom=${SBOM_SPDX}" >> $GITHUB_OUTPUT | |
| - name: Upload SBOM | |
| uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a | |
| with: | |
| retention-days: 30 | |
| name: ${{ steps.sign.outputs.sbom }} | |
| path: ${{ steps.sign.outputs.sbom }} |