-
Notifications
You must be signed in to change notification settings - Fork 797
157 lines (138 loc) · 5.06 KB
/
docker.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
name: docker
on:
push:
# Build on main
branches:
- main
tags:
- '**'
# TODO: Remove pull_request before merging
pull_request:
branches:
- main
permissions:
contents: read
packages: write
# Ensure cosign can request for Github's OIDC JWT ID token
# See: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers#adding-permissions-settings
id-token: write
jobs:
# This job builds the binaries and uploads it as github artifacts.
# This allows us to use the same binaries for any release CI jobs.
build:
name: Build all linux architectures
runs-on: ubuntu-latest
steps:
- name: setup go
uses: actions/setup-go@v3
with:
go-version: ${{ env.GO_VERSION }}
- uses: actions/checkout@v3
with:
# Fetch all tags
fetch-depth: 0
- name: Build on all supported architectures
run: |
set -e
./scripts/release.sh
- uses: actions/upload-artifact@v3
with:
name: binaries-${{ github.sha }}
path: |
release*/*
# This job downloads the binaries previously uploaded as artifacts, and builds multi-arch images
build-docker-image:
needs: [build]
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
with:
# Fetch all tags
fetch-depth: 0
- name: Prepare
id: prep
run: |
set -e
TAG=$( git describe --tags --dirty ) # E.g. v1.2.0-23-g60ee190
echo "TAG=$TAG" >> $GITHUB_ENV
# This step generates the docker tags
- name: Docker meta
id: meta
uses: docker/metadata-action@v4
with:
images: |
${{ github.repository }}
ghcr.io/${{ github.repository }}
# type=ref,event=pr generates tag(s) on PRs only. E.g. 'pr-123', 'pr-123-abc0123'
# type=ref,event=branch generates tag(s) on branch only. E.g. 'main-abc0123'
# type=semver generates tag(s) on tags only. E.g. 'v0', 'v0.0', 'v0.0.0', and 'latest'
tags: |
type=ref,event=pr
type=ref,suffix=-{{sha}},event=branch
type=semver,pattern=v{{major}}
type=semver,pattern=v{{major}}.{{minor}}
type=semver,pattern=v{{major}}.{{minor}}.{{patch}}
# The rest of the org.opencontainers.image.xxx labels are dynamically generated
labels: |
org.opencontainers.image.description=CNI Plugins
org.opencontainers.image.licenses=Apache License 2.0
# See: https://github.com/docker/build-push-action/blob/v2.6.1/docs/advanced/cache.md#github-cache
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@v2
- name: Cache Docker layers
uses: actions/cache@v3
with:
path: /tmp/.buildx-cache
key: ${{ runner.os }}-buildx-${{ github.sha }}
restore-keys: |
${{ runner.os }}-buildx-
- name: Login to Docker Hub registry
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Login to GitHub Container Registry
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- uses: actions/download-artifact@v3
with:
name: binaries-${{ github.sha }}
- run: |
ls -al release*/
- name: Build and push
id: build-and-push
# TODO: Remove pull_request before merging
if: github.event_name == 'pull_request' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/')
uses: docker/build-push-action@v3
with:
build-args: |
TAG=${{ env.TAG }}
context: '.'
file: Dockerfile
platforms: linux/amd64,linux/arm,linux/arm64,linux/mips64le,linux/ppc64le,linux/riscv64,linux/s390x
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
- name: Install cosign
uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0
- name: Check install!
run: cosign version
# This signs the image using ACTIONS_ID_TOKEN_REQUEST_TOKEN
- name: Sign the published Docker image
run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign --yes {}@${{ steps.build-and-push.outputs.digest }}
# Temp fix
# https://github.com/docker/build-push-action/issues/252
# https://github.com/moby/buildkit/issues/1896
- name: Move cache
run: |
rm -rf /tmp/.buildx-cache
mv /tmp/.buildx-cache-new /tmp/.buildx-cache