-
Notifications
You must be signed in to change notification settings - Fork 333
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat(ci): tie fluentd image releases to LO release workflow
Signed-off-by: Bence Csati <[email protected]>
- Loading branch information
Showing
19 changed files
with
176 additions
and
652 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,161 @@ | ||
| name: Dependency images | ||
|
|
||
| on: | ||
| workflow_call: | ||
| outputs: | ||
| fluentd-image-name: | ||
| description: Container image name | ||
| value: ${{ jobs.fluentd.outputs.name }} | ||
| fluentd-image-digest: | ||
| description: Container image digest | ||
| value: ${{ jobs.fluentd.outputs.digest }} | ||
| fluentd-image-tag: | ||
| description: Container image tag | ||
| value: ${{ jobs.fluentd.outputs.tag }} | ||
| fluentd-image-ref: | ||
| description: Container image ref | ||
| value: ${{ jobs.fluentd.outputs.ref }} | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| fluentd: | ||
| name: Fluentd | ||
| runs-on: ubuntu-latest | ||
|
|
||
| permissions: | ||
| contents: read | ||
| packages: write | ||
| id-token: write | ||
| security-events: write | ||
|
|
||
| outputs: | ||
| name: ${{ steps.image-name.outputs.value }} | ||
| digest: ${{ steps.build.outputs.digest }} | ||
| tag: ${{ steps.meta.outputs.version }} | ||
| ref: ${{ steps.image-ref.outputs.value }} | ||
|
|
||
| strategy: | ||
| matrix: | ||
| image-type: | ||
| - base | ||
| - filters | ||
| - full | ||
|
|
||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | ||
|
|
||
| - name: Set up QEMU | ||
| uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 | ||
| with: | ||
| platforms: all | ||
|
|
||
| - name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0 | ||
|
|
||
| - name: Set up Cosign | ||
| uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 | ||
|
|
||
| - name: Set image name | ||
| id: image-name | ||
| run: echo "value=ghcr.io/${{ github.repository }}/fluentd" >> "$GITHUB_OUTPUT" | ||
|
|
||
| - name: Gather build metadata | ||
| id: meta | ||
| uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1 | ||
| with: | ||
| images: ${{ steps.image-name.outputs.value }} | ||
| flavor: | | ||
| latest = false | ||
| tags: | | ||
| type=ref,event=branch | ||
| type=ref,event=pr,prefix=pr- | ||
| type=semver,pattern={{raw}} | ||
| type=raw,value=latest,enable={{is_default_branch}} | ||
| labels: | | ||
| org.opencontainers.image.description=Custom Fluentd image for the Logging operator. | ||
| org.opencontainers.image.title=Logging operator Fluentd image | ||
| org.opencontainers.image.authors=Kube logging authors | ||
| org.opencontainers.image.documentation=https://kube-logging.dev/docs/ | ||
| - name: Login to GitHub Container Registry | ||
| uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | ||
| with: | ||
| registry: ghcr.io | ||
| username: ${{ github.actor }} | ||
| password: ${{ github.token }} | ||
|
|
||
| - name: Build and push fluentd-${{ matrix.image-type }} | ||
| id: build | ||
| uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0 | ||
| with: | ||
| context: images/fluentd | ||
| platforms: linux/amd64,linux/arm64 | ||
| tags: ${{ steps.meta.outputs.tags }} | ||
| labels: ${{ steps.meta.outputs.labels }} | ||
| cache-from: type=gha | ||
| cache-to: type=gha,mode=max | ||
| target: ${{ matrix.image-type }} | ||
| outputs: type=image,push=true,name=target,annotation-index.org.opencontainers.image.description=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.description'] }} | ||
|
|
||
| - name: Sign image with GitHub OIDC Token | ||
| if: ${{ github.repository_owner == 'kube-logging' }} # Check if the workflow is called by the same GitHub organization | ||
| env: | ||
| DIGEST: ${{ steps.build.outputs.digest }} | ||
| TAGS: ${{ steps.meta.outputs.tags }} | ||
| run: | | ||
| images="" | ||
| for tag in ${TAGS[@]}; do | ||
| images+="${tag}@${DIGEST} " | ||
| done | ||
| cosign sign --yes --rekor-url "https://rekor.sigstore.dev/" ${images} | ||
| - name: Verify signed image with cosign | ||
| if: ${{ github.repository_owner == 'kube-logging' }} # Check if the workflow is called by the same GitHub organization | ||
| env: | ||
| DIGEST: ${{ steps.build.outputs.digest }} | ||
| TAGS: ${{ steps.meta.outputs.tags }} | ||
| run: | | ||
| for tag in ${TAGS[@]}; do | ||
| cosign verify "${tag}@${DIGEST}" \ | ||
| --rekor-url "https://rekor.sigstore.dev/" \ | ||
| --certificate-identity "https://github.com/${{ github.repository }}/.github/workflows/dependency-images.yaml@${{ github.ref }}" \ | ||
| --certificate-oidc-issuer "https://token.actions.githubusercontent.com" | jq | ||
| done | ||
| - name: Set image ref | ||
| id: image-ref | ||
| run: echo "value=${{ steps.image-name.outputs.value }}@${{ steps.build.outputs.digest }}" >> "$GITHUB_OUTPUT" | ||
|
|
||
| - name: Fetch image | ||
| run: skopeo --insecure-policy copy docker://${{ steps.image-name.outputs.value }}:${{ steps.meta.outputs.version }} oci-archive:image.tar | ||
|
|
||
| - name: Extract OCI tarball | ||
| run: | | ||
| mkdir -p image | ||
| tar -xf image.tar -C image | ||
| - name: Run Trivy vulnerability scanner | ||
| uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0 | ||
| env: | ||
| TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2 | ||
| TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1 | ||
| with: | ||
| input: image | ||
| format: sarif | ||
| output: trivy-results.sarif | ||
|
|
||
| - name: Upload Trivy scan results as artifact | ||
| uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | ||
| with: | ||
| name: "[${{ github.job }}] Trivy scan results" | ||
| path: trivy-results.sarif | ||
| retention-days: 5 | ||
|
|
||
| - name: Upload Trivy scan results to GitHub Security tab | ||
| uses: github/codeql-action/upload-sarif@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9 | ||
| with: | ||
| sarif_file: trivy-results.sarif |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
This file was deleted.
Oops, something went wrong.
This file was deleted.
Oops, something went wrong.
Oops, something went wrong.