enhancement(ci): Add release docker image #20
Workflow file for this run
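# Builds the release binaries for every supported Linux architecture, wraps them
# in multi-arch container images, pushes the images to Docker Hub and GHCR, and
# signs each pushed image with cosign (keyless, via GitHub's OIDC token).
name: docker
on:
  push:
    # TODO: Build on main?
    branches:
      - main
    tags:
      - '**'
  # TODO: Remove pull_request before merging. While it is present, the
  # build-and-push step runs on PR events too (see its `if:`), so images built
  # from PR content are pushed to and signed under this repository's names.
  pull_request:
    branches:
      - main
permissions:
  contents: read
  packages: write
  # Ensure cosign can request for Github's OIDC JWT ID token
  # See: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers#adding-permissions-settings
  id-token: write
jobs:
  # This job builds the binaries and uploads it as github artifacts.
  # This allows us to use the same binaries for any release CI jobs.
  build:
    name: Build all linux architectures
    runs-on: ubuntu-latest
    steps:
      - name: setup go
        uses: actions/setup-go@v3
        with:
          # NOTE(review): no `env:` block in this workflow defines GO_VERSION,
          # so this expression expands to an empty string and setup-go gets no
          # pinned version. Define GO_VERSION at workflow level (or switch to
          # go-version-file after checkout) — confirm which is intended.
          go-version: ${{ env.GO_VERSION }}
      - uses: actions/checkout@v3
        with:
          # Fetch all tags
          fetch-depth: 0
      - name: Build on all supported architectures
        run: |
          set -e
          ./scripts/release.sh
      - uses: actions/upload-artifact@v3
        with:
          # Keyed by commit so the docker job below downloads exactly this build.
          name: binaries-${{ github.sha }}
          path: |
            release*/*
  # This job downloads the binaries previously uploaded as artifacts, and builds multi-arch images
  build-docker-image:
    needs: [build]
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
        with:
          # Fetch all tags
          fetch-depth: 0
      - name: Prepare
        id: prep
        run: |
          set -e
          TAG=$( git describe --tags --dirty ) # E.g. v1.2.0-23-g60ee190
          # Exported to later steps as env.TAG (used as a build-arg below).
          echo "TAG=$TAG" >> "$GITHUB_ENV"
      # This step generates the docker tags
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v4
        with:
          images: |
            ${{ github.repository }}
            ghcr.io/${{ github.repository }}
          # type=ref,event=pr generates tag(s) on PRs only. E.g. 'pr-123', 'pr-123-abc0123'
          # type=ref,event=branch generates tag(s) on branch only. E.g. 'main-abc0123'
          # type=semver generates tag(s) on tags only. E.g. 'v0', 'v0.0', 'v0.0.0', and 'latest'
          tags: |
            type=ref,event=pr
            type=ref,suffix=-{{sha}},event=branch
            type=semver,pattern=v{{major}}
            type=semver,pattern=v{{major}}.{{minor}}
            type=semver,pattern=v{{major}}.{{minor}}.{{patch}}
          # The rest of the org.opencontainers.image.xxx labels are dynamically generated.
          # The OCI image spec defines `licenses` as an SPDX license expression, so
          # the SPDX identifier is used rather than the free-text license name.
          labels: |
            org.opencontainers.image.description=CNI Plugins
            org.opencontainers.image.licenses=Apache-2.0
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v2
      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@v2
      # See: https://github.com/docker/build-push-action/blob/v2.6.1/docs/advanced/cache.md#github-cache
      - name: Cache Docker layers
        uses: actions/cache@v3
        with:
          path: /tmp/.buildx-cache
          key: ${{ runner.os }}-buildx-${{ github.sha }}
          restore-keys: |
            ${{ runner.os }}-buildx-
      - name: Login to Docker Hub registry
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - uses: actions/download-artifact@v3
        with:
          name: binaries-${{ github.sha }}
      - name: List downloaded binaries
        run: |
          ls -al release*/
      - name: Build and push
        id: build-and-push
        # TODO: Remove pull_request before merging
        if: github.event_name == 'pull_request' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/')
        uses: docker/build-push-action@v3
        with:
          build-args: |
            TAG=${{ env.TAG }}
          context: '.'
          file: Dockerfile
          platforms: linux/amd64,linux/arm,linux/arm64,linux/mips64le,linux/ppc64le,linux/riscv64,linux/s390x
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=local,src=/tmp/.buildx-cache
          cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
      - name: Install cosign
        uses: sigstore/cosign-installer@c3667d99424e7e6047999fb6246c0da843953c65 # v3.0.1
      # This signs the image using ACTIONS_ID_TOKEN_REQUEST_TOKEN.
      # Only runs when the build step actually produced a digest (it is
      # conditional above); signing `tag@` with an empty digest would fail.
      # The tag list and digest are handed to the shell through `env:` rather
      # than interpolated into `run:`, so they are ordinary shell variables and
      # cannot alter the command line.
      - name: Sign the published Docker image
        if: steps.build-and-push.outputs.digest != ''
        env:
          TAGS: ${{ steps.meta.outputs.tags }}
          DIGEST: ${{ steps.build-and-push.outputs.digest }}
        run: echo "$TAGS" | xargs -I {} cosign sign --yes "{}@$DIGEST"
      # Temp fix
      # https://github.com/docker/build-push-action/issues/252
      # https://github.com/moby/buildkit/issues/1896
      - name: Move cache
        run: |
          rm -rf /tmp/.buildx-cache
          mv /tmp/.buildx-cache-new /tmp/.buildx-cache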