add and use ocm-oci-build action

Add an opinionated action for building OCI-Images that will as an additional output expose a (customisable) OCM-Resource-Fragment (which can be used to generate an OCM-Component-Descriptor.
gardener · Nov 12, 2024 · b4aa98d · b4aa98d
1 parent 5b13fb8
commit b4aa98d
Show file tree

Hide file tree

Showing 2 changed files with 145 additions and 28 deletions.
diff --git a/.github/actions/ocm-oci-build/action.yaml b/.github/actions/ocm-oci-build/action.yaml
@@ -0,0 +1,132 @@
+name: Build and Push OCI-Image / OCM-Resource
+description: |
+  Builds an OCI Image using `docker/build-push-action@v6`, and exposes a (customisable)
+  OCM Resource fragment as output (for being added to OCM Component-Descriptor).
+  For convenience, the action tries to authenticate against target-OCI-Registry using
+  github.com/gardener/cc-utils/.github/actions/gar-auth.
+inputs:
+  name:
+    description: |
+      resource-name (used in OCM Resource Fragment; must be unique within component)
+    required: true
+  repository:
+    description: |
+      OCI Repository to push to (including registry, but excluding tag)
+      For example: `europe-docker.pkg.dev/gardener-project/snapshots/my-image`
+    required: true
+  version:
+    description: |
+      Used for both image-tag, and OCM Resource fragment.
+    required: true
+  extra-tags:
+    description: |
+      An optional list of additional image-tags (for example: latest)
+    required: false
+  ocm_labels:
+    description: |
+      An optional list of OCM Labels to add into OCM Resource fragment.
+    required: false
+  target:
+    description: |
+      docker-build target (similar to `docker build --target`)
+    required: no
+    default: null
+  oci_platforms:
+    description: |
+      OCI Platforms to build (comma-separated)
+    required: false
+    default: linux/amd64
+  dockerfile:
+    description: |
+      path to dockerfile to use; relative to `context`
+    required: false
+    default: Dockerfile
+  context:
+    description: |
+      passed to build-push-action's `context`
+      see:
+        -  https://github.com/docker/build-push-action#git-context
+        -  https://github.com/docker/build-push-action#path-context
+    required: false
+outputs:
+  ocm_resource:
+    description: |
+      The OCM Resource fragment
+    value: ${{ steps.export.outputs.ocm_resource }}
+  image_reference:
+    description: |
+      The (default) target-image-reference
+    value: ${{ steps.preprocess.outputs.image_reference }}
+  tags:
+    description: |
+      All push-targets (image-reference + extra-tags)
+    value: ${{ steps.preprocess.outputs.tags }}
+
+runs:
+  using: composite
+  steps:
+    - name: GAR-Auth
+      id: auth
+      uses: gardener/cc-utils/.github/actions/gar-auth@master
+    - name: Preprocess Parameters
+      shell: bash
+      id: preprocess
+      run: |
+        echo preparing..
+        image_reference=${{ inputs.repository }}:${{ inputs.version }}
+        echo "image_reference=${image_reference}" >> "${GITHUB_OUTPUT}"
+        tags="${image_reference}"
+        if [ ${{ inputs.extra-tags | false }}; then
+          for tag in $(echo -n ${{ inputs.extra-tags }}); do
+            tags="${tags},${{ inputs.repository }}:$tag"
+          done
+        fi
+        echo "tags=${tags}"
+      uses: docker/setup-buildx-action@v3
+    - name: Build and Push
+      id: build
+      uses: docker/build-push-action@v6
+      with:
+        push: true
+        platforms: ${{ inputs.oci_platforms }}
+        tags: ${{ steps.preprocess.outputs.image_reference }}
+        context: ${{ inputs.context }}
+        target: ${{ inputs.target }}
+        file: ${{ inputs.dockerfile }}
+    - name: Write OCM Resource fragment
+      shell: bash
+      id: export
+      run: |
+        r=ocm-resource.yaml
+        cat << EOF > $r
+        name: ${{ inputs.name }}
+        version: ${{ inputs.version }}
+        type: ociImage
+        relation: local
+        access:
+          type: ociRegistry
+          imageReference: ${{ steps.preprocess.outputs.image_reference }}
+        EOF
+        labels="${{ inputs.ocm_labels }}"
+        if [ -n "${labels}" ]; then
+          echo -e "labels:\n${labels}" >> $r
+        fi
+
+        (
+          echo 'ocm_resource<<EOF'
+          cat $r
+          echo EOF
+        ) >> "${GITHUB_OUTPUT}"
+
+        cat << EOF > ${GITHUB_STEP_SUMMARY}
+        ## OCI Image Build Summary
+        target oci image-ref: \`${{ steps.preprocess.outputs.image_reference }}\`
+        tags: \`${{ steps.preprocess.outputs.tags }}\`
+        oci platforms: \`${{ inputs.oci_platforms }}\`
+        image-digest: \`${{ steps.build.outputs.digest }}\`
+
+        *OCM Resource Fragment*
+        \`\`\`
+        $(cat ${GITHUB_OUTPUT})
+        \`\`\`
+        EOF
diff --git a/.github/workflows/build-and-test.yaml b/.github/workflows/build-and-test.yaml
@@ -340,9 +340,8 @@ jobs:
           python3 -m ocm append resource \
             --file component-descriptor.yaml
 
-          echo "${{ needs.images.outputs.ocm_resources }}" | base64 -d > oci_ocm_resources.yaml
-
-          cat oci_ocm_resources.yaml | \
+          echo "adding image-resource"
+          echo "${{ needs.images.outputs.ocm_resources }} " | \
           python3 -m ocm append resource \
             --file component-descriptor.yaml
 
@@ -507,20 +506,15 @@ jobs:
       - package
       - params
     outputs:
-      oci_image_ref: ${{ steps.prepare.outputs.oci_image_ref }}
-      ocm_resources: ${{ steps.prepare.outputs.ocm_resources }}
+      oci_image_ref: ${{ steps.image-build.outputs.image_reference }}
+      ocm_resources: ${{ steps.image-build.outputs.ocm_resource }}
     runs-on: ubuntu-latest
     environment: build
     permissions:
       contents: read
       id-token: write
     steps:
       - uses: actions/checkout@v4
-      - name: Setup Docker-Buildx
-        uses: docker/setup-buildx-action@v3
-      - name: GAR-Auth
-        id: auth
-        uses: ./.github/actions/gar-auth
       - name: Retrieve Distribution Packages
         uses: actions/download-artifact@v4
         with:
@@ -542,15 +536,16 @@ jobs:
           image_ref=${oci_repo}/cicd/job-image:${image_tag}
 
           echo "oci_image_ref=${image_ref}" >> ${GITHUB_OUTPUT}
-          cat << EOF > ocm_resources.yaml
+      - name: Build OCI Image (using ocm-oci-build-action)
+        uses: ./.github/actions/ocm-oci-build
+        id: image-build
+        with:
           name: job-image
-          version: ${image_tag}
-          type: ociImage
-          access:
-            type: ociRegistry
-            imageReference: ${image_ref}
-          relation: local
-          labels:
+          repository: ${{ needs.params.outputs.oci_repository }}/cicd/job-image
+          version: ${{ needs.version.outputs.effective_version }}
+          oci_platforms: ${{ needs.params.outputs.oci_platforms }}
+          context: . # pass modified path rather than clean checkout
+          ocm_labels: |
             - name: cloud.gardener.cnudie/dso/scanning-hints/package-versions
               value:
                 - name: containerd
@@ -563,16 +558,6 @@ jobs:
                 integrity_requirement: high
                 network_exposure: protected
                 user_interaction: gardener-operator
-          EOF
-          echo "ocm_resources=$(cat ocm_resources.yaml | base64 -w0)" >> ${GITHUB_OUTPUT}
-
-      - name: Build OCI Image
-        uses: docker/build-push-action@v6
-        with:
-          push: true
-          platforms: ${{ needs.params.outputs.oci_platforms }}
-          tags: ${{ steps.prepare.outputs.oci_image_ref }}
-          context: . # pass modified path rather than clean checkout
 
   documentation:
     name: Generate Documentation