feat: immutable digest for the most specific tags (#188)
Signed-off-by: Niccolò Fei <[email protected]>
NiccoloFei authored Sep 5, 2024
1 parent aec0d3a commit 01afb53
Showing 2 changed files with 58 additions and 6 deletions.
30 changes: 29 additions & 1 deletion .github/workflows/build.yml
Expand Up @@ -82,8 +82,29 @@ jobs:
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

# When publishing new images from main, we should not overwrite an existing
# tag in order to guarantee the tag's SHA digest consistency.
- name: Verify primary tag is not overwritten
run: |
echo "MISSING_TAG=false" >> $GITHUB_ENV
# if we are not on the main branch, always push
if [ "${GITHUB_REF#refs/heads/}" != main ]; then
echo "MISSING_TAG=true" >> $GITHUB_ENV
exit 0
fi
IMAGE="${IMAGE_GHCR}:${{ matrix.fullTag }}"
# If the primary tag already exists, skip the building phase
if skopeo inspect docker://${IMAGE} >/dev/null 2>/dev/null; then
echo "Image ${IMAGE} already exists"
# We still need to grab the digest to build the imageCatalog
echo "OLD_DIGEST=$(skopeo inspect docker://${IMAGE} --format '{{ .Digest }}')" >> $GITHUB_ENV
else
echo "MISSING_TAG=true" >> $GITHUB_ENV
fi
- name: Build and load
uses: docker/build-push-action@v6
if: ${{ env.MISSING_TAG == 'true' }}
with:
context: ${{ matrix.dir }}
provenance: false
Expand All @@ -99,6 +120,7 @@ jobs:
- name: Dockle scan
uses: erzz/dockle-action@v1
if: ${{ env.MISSING_TAG == 'true' }}
env:
DOCKLE_IGNORES: CIS-DI-0009
with:
Expand All @@ -111,6 +133,7 @@ jobs:
- name: Build and push
id: build
uses: docker/build-push-action@v6
if: ${{ env.MISSING_TAG == 'true' }}
with:
context: ${{ matrix.dir }}
file: ${{ matrix.file }}
Expand Down Expand Up @@ -170,7 +193,12 @@ jobs:
REGISTRY_SUFFIX="-ghcr"
fi
IMAGE=${BASE_IMAGE}:${{ matrix.fullTag }}@${{ steps.build.outputs.digest }} \
DIGEST="${{ steps.build.outputs.digest }}"
if [[ "${{ env.MISSING_TAG }}" == "false" ]]; then
DIGEST="${{ env.OLD_DIGEST }}"
fi
IMAGE=${BASE_IMAGE}:${{ matrix.fullTag }}@${DIGEST} \
MAJOR=${{ matrix.version }} \
NAME=${CATALOG_NAME} \
yq --null-input '{
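Review bot: The digest captured on the `echo "OLD_DIGEST=$(skopeo inspect ...)"` line comes from a second `skopeo inspect` whose failure is silent — a command substitution inside `echo` does not trip bash's errexit — so a transient registry error leaves `OLD_DIGEST` empty and the catalog hunk later in this file builds `IMAGE=${BASE_IMAGE}:${{ matrix.fullTag }}@${DIGEST}` with nothing after the `@`. One inspect that captures the digest, with a non-empty digest standing as proof that the tag exists, removes both the empty-digest case and the window between the two calls in which the tag could change. The existence check itself has the same fail-open shape: any inspect failure, not only a missing tag, selects the build-and-push path, which is precisely the overwrite the step guards against; whether skopeo's exit status or stderr lets the job tell the two apart is not visible from the hunk. `IMAGE_GHCR` is not defined within the hunk; presumably it comes from the job's `env` above the step.
```yaml
      - name: Verify primary tag is not overwritten
        run: |
          # … unchanged: MISSING_TAG default and non-main branch early exit …
          IMAGE="${IMAGE_GHCR}:${{ matrix.fullTag }}"
          # A single inspect both proves the tag exists and yields the digest
          # the catalog step reuses; an empty/failed result means "missing".
          if OLD_DIGEST="$(skopeo inspect --format '{{ .Digest }}' "docker://${IMAGE}" 2>/dev/null)" && [ -n "${OLD_DIGEST}" ]; then
            echo "Image ${IMAGE} already exists"
            echo "OLD_DIGEST=${OLD_DIGEST}" >> "$GITHUB_ENV"
          else
            echo "MISSING_TAG=true" >> "$GITHUB_ENV"
          fi
```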
34 changes: 29 additions & 5 deletions UBI/update.sh
Expand Up @@ -272,6 +272,11 @@ generate_redhat() {
return
fi

# Update root files
rm -fr "${version:?}/root" \
"${version:?}/Dockerfile*${ubiRelease}"
cp -r src/* "$version/"

newRelease="false"

# Detect an update of UBI image
Expand All @@ -288,6 +293,18 @@ generate_redhat() {
record_version "${versionFile}" "BARMAN_VERSION" "${barmanVersion}"
fi

# Detect an update of Dockerfile template
if [[ -n $(git diff --name-status Dockerfile.template Dockerfile-multilang.template Dockerfile-multiarch.template Dockerfile-plv8.template) ]]; then
echo "Detected update of a Dockerfile template"
newRelease="true"
fi

# Detect an update of requirements.txt
if [[ -n $(git diff --name-status "$version/root/requirements.txt") ]]; then
echo "Detected update of requirements.txt dependencies"
newRelease="true"
fi

# Detect an update of PostgreSQL
if [ "$oldPostgresqlVersion" != "$postgresqlVersion" ]; then
echo "PostgreSQL changed from $oldPostgresqlVersion to $postgresqlVersion"
Expand All @@ -299,9 +316,6 @@ generate_redhat() {
record_version "${versionFile}" "IMAGE_RELEASE_VERSION" $imageReleaseVersion
fi

rm -fr "${version:?}/root" \
"${version:?}/Dockerfile*${ubiRelease}"

sed -e 's/%%UBI_VERSION%%/'"$ubiVersion"'/g' \
-e 's/%%UBI_MAJOR_VERSION%%/'"$ubiRelease"'/g' \
-e 's/%%PG_MAJOR%%/'"$version"'/g' \
Expand Down Expand Up @@ -343,8 +357,6 @@ generate_redhat() {
Dockerfile-plv8.template \
>"$version/Dockerfile.plv8.ubi${ubiRelease}"
fi

cp -r src/* "$version/"
}

generate_redhat_postgis() {
Expand Down Expand Up @@ -452,6 +464,18 @@ generate_redhat_postgis() {
record_version "${versionFile}" "BARMAN_VERSION" "${barmanVersion}"
fi

# Detect an update of Dockerfile template
if [[ -n $(git diff --name-status Dockerfile-postgis.template Dockerfile-postgis-multilang.template Dockerfile-postgis-multiarch.template) ]]; then
echo "Detected update of a Dockerfile template"
newRelease="true"
fi

# Detect an update of requirements.txt
if [[ -n $(git diff --name-status "$version/root/requirements.txt") ]]; then
echo "Detected update of requirements.txt dependencies"
newRelease="true"
fi

if [ "$newRelease" = "true" ]; then
imageReleaseVersion=$((oldImageReleaseVersion + 1))
record_version "${versionFile}" "IMAGE_RELEASE_VERSION" $imageReleaseVersion
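Review bot: The block added under `# Detect an update of requirements.txt` is duplicated byte-for-byte in generate_redhat and generate_redhat_postgis, and the two `# Detect an update of Dockerfile template` blocks differ only in their template list; a small file-scope helper would let each function call it once with its own list. That helper is also the place to make the check fail safe: `[[ -n $(git diff --name-status ...) ]]` reads an empty string both when nothing changed and when git itself failed, so a fatal git error silently skips the release bump, whereas `! git diff --quiet -- "$@"` reports differences and fatal errors alike through the exit status, and the `--` keeps template names from ever being read as revisions. Moving `rm -fr` and `cp -r src/*` ahead of the checks is what lets the requirements.txt diff see the fresh copy, and the `${version:?}` guard on the moved `rm` is retained. Both functions start and end outside the hunks shown.
```bash
# Exit 0 when any listed path differs from the index, or when git cannot tell:
# a git failure counts as a change so a release bump is never silently skipped.
files_changed() {
  ! git diff --quiet -- "$@"
}

  # … unchanged: generate_redhat body up to the Barman version check …

  # Detect an update of Dockerfile template
  if files_changed Dockerfile.template Dockerfile-multilang.template Dockerfile-multiarch.template Dockerfile-plv8.template; then
    echo "Detected update of a Dockerfile template"
    newRelease="true"
  fi

  # Detect an update of requirements.txt
  if files_changed "$version/root/requirements.txt"; then
    echo "Detected update of requirements.txt dependencies"
    newRelease="true"
  fi
  # … unchanged: PostgreSQL check, release bump and template rendering; same two calls in generate_redhat_postgis with its template list …
```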
