refactor: pin and alias base images in the Dockerfile (#381) #168
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release Retina Container Images | |
| on: | |
| push: | |
| branches: [main] | |
| tags: ["v*"] | |
| permissions: | |
| contents: read | |
| packages: write | |
| # This is used to complete the identity challenge | |
| # with sigstore/fulcio when running outside of PRs. | |
| id-token: write | |
| jobs: | |
| retina-images: | |
| name: Build Agent Images | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| platform: ["linux"] | |
| arch: ["amd64", "arm64"] | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: go.mod | |
| - run: go version | |
| - name: Install Cosign | |
| uses: sigstore/[email protected] | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Log in to registry | |
| run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u $ --password-stdin | |
| - name: Build/Push Images | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| echo "TAG=$(make version)" >> $GITHUB_ENV | |
| make retina-image \ | |
| IMAGE_NAMESPACE=${{ github.repository }} \ | |
| PLATFORM=${{ matrix.platform }}/${{ matrix.arch }} \ | |
| BUILDX_ACTION=--push | |
| - name: Sign container image | |
| run: | | |
| for image in retina-agent retina-init; do | |
| IMAGE_PATH="ghcr.io/${{ github.repository }}/$image:$TAG-${{ matrix.platform }}-${{ matrix.arch }}" | |
| DIGEST=$(jq -r '.["containerimage.digest"]' image-metadata-$image-$TAG-${{ matrix.platform }}-${{ matrix.arch }}.json) | |
| cosign sign --yes ${IMAGE_PATH}@${DIGEST} | |
| done | |
| retina-win-images: | |
| name: Build Agent Windows Images | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| platform: ["windows"] | |
| arch: ["amd64"] | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: go.mod | |
| - run: go version | |
| - name: Install Cosign | |
| uses: sigstore/[email protected] | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Log in to registry | |
| run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u $ --password-stdin | |
| - name: Build/Push Images | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| echo "TAG=$(make version)" >> $GITHUB_ENV | |
| make retina-image-win \ | |
| IMAGE_NAMESPACE=${{ github.repository }} \ | |
| PLATFORM=${{ matrix.platform }}/${{ matrix.arch }} \ | |
| BUILDX_ACTION=--push | |
| - name: Sign container image | |
| run: | | |
| for year in 2019 2022; do | |
| for image in retina-agent ; do | |
| IMAGE_PATH="ghcr.io/${{ github.repository }}/$image:$TAG-windows-ltsc$year-${{ matrix.arch }}" | |
| DIGEST=$(jq -r '.["containerimage.digest"]' image-metadata-$image-$TAG-windows-ltsc$year-${{ matrix.arch }}.json) | |
| cosign sign --yes ${IMAGE_PATH}@${DIGEST} | |
| done | |
| done | |
| operator-images: | |
| name: Build Operator Images | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| platform: ["linux"] | |
| arch: ["amd64"] | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: go.mod | |
| - run: go version | |
| - name: Install Cosign | |
| uses: sigstore/[email protected] | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Log in to registry | |
| run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u $ --password-stdin | |
| - name: Build/Push Images | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| echo "TAG=$(make version)" >> $GITHUB_ENV | |
| make retina-operator-image \ | |
| IMAGE_NAMESPACE=${{ github.repository }} \ | |
| PLATFORM=${{ matrix.platform }}/${{ matrix.arch }} \ | |
| BUILDX_ACTION=--push | |
| - name: Sign container image | |
| run: | | |
| for image in retina-operator ; do | |
| IMAGE_PATH="ghcr.io/${{ github.repository }}/$image:$TAG-${{ matrix.platform }}-${{ matrix.arch }}" | |
| DIGEST=$(jq -r '.["containerimage.digest"]' image-metadata-$image-$TAG-${{ matrix.platform }}-${{ matrix.arch }}.json) | |
| cosign sign --yes ${IMAGE_PATH}@${DIGEST} | |
| done | |
| manifests: | |
| name: Generate Manifests | |
| runs-on: ubuntu-latest | |
| needs: [retina-images, retina-win-images, operator-images] | |
| strategy: | |
| matrix: | |
| component: ["retina", "operator"] | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Install Cosign | |
| uses: sigstore/[email protected] | |
| - name: Log in to registry | |
| run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u $ --password-stdin | |
| - name: Generate Manifests | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| make manifest \ | |
| IMAGE_NAMESPACE=${{ github.repository }} \ | |
| COMPONENT=${{ matrix.component }} | |
| - name: Sign manifest | |
| run: | | |
| export TAG="$(make version)" | |
| images=("retina-agent" "retina-init") | |
| if [[ ${{ matrix.component }} == "operator" ]]; then | |
| images=("retina-operator") | |
| fi | |
| for image in "${images[@]}"; do | |
| IMAGE_PATH="ghcr.io/${{ github.repository }}/$image:$TAG" | |
| DIGEST=$(docker buildx imagetools inspect $IMAGE_PATH --format "{{json .Manifest}}" | jq -r .digest) | |
| cosign sign --yes ${IMAGE_PATH}@${DIGEST} | |
| done |