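---
# Reusable workflow: assemble already-pushed per-architecture images into one
# multi-arch manifest, push it, and for published releases sign the manifest
# with cosign (keyless, via the job's OIDC token) and verify the signature.
#
# Usage example:
#   uses: ./.github/workflows/build-multiarch.yml
#   with:
#     name: preflight
#     tag: 89123ab
#   secrets:
#     registry: ${{ secrets.IMAGE_REGISTRY }}
#     user: ${{ secrets.REGISTRY_USER }}
#     password: ${{ secrets.REGISTRY_PASSWORD }}
name: Build and push a multi-arch manifest

on:
  workflow_call:
    inputs:
      # Image name; also used as the name of the local manifest list.
      name:
        required: true
        type: string
      # Image tag. The per-arch images are expected to exist as
      # <registry>/<name>:<tag>-linux-<arch>. When `sign` is enabled this is
      # assumed to equal the release's git tag, because the verify step checks
      # for refs/tags/<tag> in the certificate identity — confirm with callers.
      tag:
        required: true
        type: string
      # Sign and verify the pushed manifest (only on a published release).
      sign:
        type: boolean
        default: false
        required: false
    secrets:
      registry:
        required: true
      user:
        required: true
      password:
        required: true
      # NOTE(review): no step in this workflow references `token`; signing is
      # keyless and relies on the `id-token: write` permission below.
      token:
        required: false
        description: "The token used for cosign. Typically GITHUB_TOKEN within GitHub Actions."

jobs:
  create-and-push-multiarch-manifest:
    permissions:
      contents: read
      packages: write
      # This is used to complete the identity challenge
      # with sigstore/fulcio when running outside of PRs.
      id-token: write
    name: create and push a multiarch manifest to the repo
    runs-on: ubuntu-latest
    # Inputs and secrets reach the shell steps through the environment instead
    # of being interpolated into the `run:` text, so a value containing shell
    # metacharacters cannot change what the script executes.
    env:
      IMAGE_NAME: ${{ inputs.name }}
      IMAGE_TAG: ${{ inputs.tag }}
      REGISTRY: ${{ secrets.registry }}
    steps:
      - name: Install cosign
        if: ${{ inputs.sign == true && github.event.release && github.event.action == 'published' }}
        uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382  # v3.6.0
        with:
          cosign-release: 'v2.2.4'

      # Authenticate to container image registry to push the image
      - name: Podman Login
        # TODO(review): pin to a full commit SHA like cosign-installer above;
        # a floating major tag can be re-pointed at different code.
        uses: redhat-actions/podman-login@v1
        with:
          registry: ${{ secrets.registry }}
          username: ${{ secrets.user }}
          password: ${{ secrets.password }}

      # Build the manifest list from the four per-arch images.
      - name: Create and add to manifest
        run: |
          buildah manifest create "$IMAGE_NAME"
          for arch in amd64 ppc64le arm64 s390x; do
            buildah manifest add "$IMAGE_NAME" "$REGISTRY/$IMAGE_NAME:$IMAGE_TAG-linux-$arch"
          done

      # Push the manifest list and expose its digest to the later steps; the
      # digest (not the mutable tag) is what gets signed.
      - name: Push manifest
        id: push-manifest
        run: |
          podman manifest push --digestfile imagedigest "$IMAGE_NAME" "$REGISTRY/$IMAGE_NAME:$IMAGE_TAG" --all
          echo "digest=$(cat imagedigest)" | tee -a "$GITHUB_OUTPUT"

      - name: Sign the published manifest
        # only sign if release is published, not for ghactions branch push
        # which is used for testing and development.
        if: ${{ inputs.sign == true && github.event.release && github.event.action == 'published' }}
        env:
          DIGEST: ${{ steps.push-manifest.outputs.digest }}
        run: |
          cosign sign --yes --recursive "$REGISTRY/$IMAGE_NAME@$DIGEST"

      - name: Verify the image signature
        if: ${{ inputs.sign == true && github.event.release && github.event.action == 'published' }}
        env:
          # Identity of this reusable workflow at the release tag, as issued
          # by GitHub's OIDC provider.
          CERT_IDENTITY: https://github.com/${{ github.repository }}/.github/workflows/build-multiarch.yml@refs/tags/${{ inputs.tag }}
        run: |
          cosign verify \
            --certificate-identity "$CERT_IDENTITY" \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            "$REGISTRY/$IMAGE_NAME:$IMAGE_TAG"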