diff --git a/.github/workflows/arch-images-pr.yaml b/.github/workflows/arch-images-pr.yaml deleted file mode 100644 index 5f0c7cfaf..000000000 --- a/.github/workflows/arch-images-pr.yaml +++ /dev/null @@ -1,31 +0,0 @@ -name: Build the arch-toolbox image for PRs - -on: - pull_request: - branches: - - main - paths: - - images/arch/** - - .github/workflows/arch-images-pr.yaml - -jobs: - build-and-push-images: - name: Build the arch-toolbox image for PRs - - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v3 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 - - - name: Build the arch-toolbox image - uses: docker/build-push-action@v3 - with: - context: images/arch - file: images/arch/Containerfile - platforms: linux/amd64 - push: false - no-cache: true - tags: quay.io/toolbx/arch-toolbox:latest diff --git a/.github/workflows/arch-images.yaml b/.github/workflows/arch-images.yaml index d2e855501..dc26a24fb 100644 --- a/.github/workflows/arch-images.yaml +++ b/.github/workflows/arch-images.yaml @@ -1,6 +1,14 @@ -name: Build and push the arch-toolbox image +name: "Arch Linux: Build and push arch-toolbox image" + +permissions: read-all on: + pull_request: + branches: + - main + paths: + - images/arch/** + - .github/workflows/arch-images.yaml push: branches: - main 
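Review bot: `permissions: read-all` in the new top-level block of arch-images.yaml is broader than this workflow needs; it grants read on every GITHUB_TOKEN scope, while the only GitHub API use visible in the file is `actions/checkout`, so `permissions:` / `  contents: read` is the least-privilege setting (the same applies to the matching block in ubuntu-images.yaml). The added `pull_request` trigger keeps the registry token and signing key out of fork PR runs only because the push, login and sign steps later in the file are gated on `github.event_name == 'push' || github.event_name == 'schedule'` and secrets are not provided to fork `pull_request` events; a comment on the trigger such as `# PR runs only build; push/sign steps below are gated on push/schedule` would record that invariant so a later edit does not switch it to `pull_request_target`.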
@@ -10,34 +18,66 @@ on: schedule: - cron: '0 0 * * MON' -# Prevent multiple workflow runs from racing -concurrency: ${{ github.workflow }} +env: + distro: 'arch' + platforms: 'linux/amd64' + registry: 'quay.io/toolbx' + username: 'toolbx+github' + +# Prevent multiple workflow runs from racing to ensure that pushes are made +# sequentially for the main branch. Also cancel in progress workflow runs for +# pull requests only. +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: ${{ github.event_name == 'pull_request' }} jobs: - build-and-push-images: + build-push-images: name: Build and push the arch-toolbox image runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + - name: Build container image (latest tag) + uses: redhat-actions/buildah-build@v2 + if: env.latest_release == matrix.release + with: + platforms: ${{ env.platforms }} + context: images/${{ env.distro }} + image: ${{ env.distro }}-toolbox + tags: latest + containerfiles: images/${{ env.distro }}/Containerfile + layers: false + oci: true - - name: Log in to Quay.io - uses: docker/login-action@v2 + - name: Push to Container Registry (latest tag) + uses: redhat-actions/push-to-registry@v2 + id: push-latest + if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' with: - registry: quay.io - username: 'toolbx+github' + username: ${{ env.username }} password: ${{ secrets.QUAY_ROBOT_TOKEN }} + image: ${{ env.distro }}-toolbox + registry: ${{ env.registry }} + tags: latest - - name: Build and push the arch-toolbox image - uses: docker/build-push-action@v3 + - name: Login to Container Registry + uses: redhat-actions/podman-login@v1 + if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' with: - context: images/arch - file: images/arch/Containerfile - platforms: 
linux/amd64 - push: true - no-cache: true - tags: quay.io/toolbx/arch-toolbox:latest + registry: ${{ env.registry }} + username: ${{ env.username }} + password: ${{ secrets.QUAY_ROBOT_TOKEN }} + + - uses: sigstore/cosign-installer@v3.3.0 + if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' + + - name: Sign container image (latest) + if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' + run: | + cosign sign -y --recursive --key env://COSIGN_PRIVATE_KEY ${{ env.registry }}/${{ env.distro }}-toolbox@${{ steps.push-latest.outputs.digest }} + env: + COSIGN_EXPERIMENTAL: false + COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} diff --git a/.github/workflows/ubuntu-images.yaml b/.github/workflows/ubuntu-images.yaml index c9656d0e4..95ae895c7 100644 --- a/.github/workflows/ubuntu-images.yaml +++ b/.github/workflows/ubuntu-images.yaml @@ -1,6 +1,14 @@ -name: "Images: Build and push Ubuntu toolbx images" +name: "Ubuntu: Build and push ubuntu-toolbox images" + +permissions: read-all on: + pull_request: + branches: + - main + paths: + - images/ubuntu/** + - .github/workflows/ubuntu-images.yaml push: branches: - main @@ -10,14 +18,22 @@ on: schedule: - cron: '0 0 * * MON' -# Prevent multiple workflow runs from racing -concurrency: ${{ github.workflow }} - env: + distro: 'ubuntu' latest_release: '22.04' + platforms: 'linux/amd64, linux/arm64' + registry: 'quay.io/toolbx' + username: 'toolbx+github' + +# Prevent multiple workflow runs from racing to ensure that pushes are made +# sequentially for the main branch. Also cancel in progress workflow runs for +# pull requests only. +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: ${{ github.event_name == 'pull_request' }} jobs: - build-and-push-images: + build-push-images: strategy: matrix: release: ['16.04', '18.04', '20.04', '22.04', '23.04', '23.10'] 
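Review bot: The `if: env.latest_release == matrix.release` on the arch "Build container image (latest tag)" step appears copied from the Ubuntu matrix workflow: this file defines neither `latest_release` under `env:` nor a `strategy.matrix`, so both sides presumably resolve to null and the step runs only because null equals null; drop the `if:` so the build is unconditional by design rather than by accident. The sign step passes `COSIGN_PRIVATE_KEY` but no `COSIGN_PASSWORD`; if the key was generated with a passphrase (cosign's default), `cosign sign` will block on a prompt in CI, so either add `COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}` or document next to the step that the key is unencrypted. `COSIGN_EXPERIMENTAL: false` is likely a no-op with the cosign 2.x that `cosign-installer@v3.3.0` installs and can be removed. Since this job holds a registry push token and a release signing key, `actions/checkout`, the `redhat-actions/*` actions and `sigstore/cosign-installer` should be pinned to full commit SHAs (`uses: owner/repo@<sha> # v4`) rather than floating major tags, so a moved tag cannot run third-party code with those secrets.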
@@ -25,37 +41,83 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - - name: Set up QEMU - uses: docker/setup-qemu-action@v2 + - name: Set up QEMU for multi-arch builds + shell: bash + run: | + sudo apt update + sudo apt install qemu-user-static - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + - name: Build container image + uses: redhat-actions/buildah-build@v2 + if: env.latest_release != matrix.release + with: + platforms: ${{ env.platforms }} + context: images/${{ env.distro }}/${{ matrix.release }} + image: ${{ env.distro }}-toolbox + tags: ${{ matrix.release }} + containerfiles: images/${{ env.distro }}/${{ matrix.release }}/Containerfile + layers: false + oci: true - - name: Login to Quay.io - uses: docker/login-action@v2 + - name: Build container image (latest tag) + uses: redhat-actions/buildah-build@v2 + if: env.latest_release == matrix.release with: - registry: quay.io - username: 'toolbx+github' + platforms: ${{ env.platforms }} + context: images/${{ env.distro }}/${{ matrix.release }} + image: ${{ env.distro }}-toolbox + tags: ${{ matrix.release }} latest + containerfiles: images/${{ env.distro }}/${{ matrix.release }}/Containerfile + layers: false + oci: true + + - name: Push to Container Registry + uses: redhat-actions/push-to-registry@v2 + id: push + if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release != matrix.release + with: + username: ${{ env.username }} password: ${{ secrets.QUAY_ROBOT_TOKEN }} + image: ${{ env.distro }}-toolbox + registry: ${{ env.registry }} + tags: ${{ matrix.release }} - - name: Build and push Ubuntu ${{ matrix.release }} toolbox image - uses: docker/build-push-action@v3 + - name: Push to Container Registry (latest tag) + uses: redhat-actions/push-to-registry@v2 + id: push-latest + if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 
'refs/heads/main' && env.latest_release == matrix.release with: - context: images/ubuntu/${{ matrix.release }} - file: images/ubuntu/${{ matrix.release }}/Containerfile - platforms: linux/amd64,linux/arm64,linux/ppc64le - push: true - no-cache: true - tags: quay.io/toolbx/ubuntu-toolbox:${{ matrix.release }} - - - name: Push latest tag - if: env.latest_release == matrix.release - uses: docker/build-push-action@v3 + username: ${{ env.username }} + password: ${{ secrets.QUAY_ROBOT_TOKEN }} + image: ${{ env.distro }}-toolbox + registry: ${{ env.registry }} + tags: ${{ matrix.release }} latest + + - name: Login to Container Registry + uses: redhat-actions/podman-login@v1 + if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' with: - context: images/ubuntu/${{ matrix.release }} - file: images/ubuntu/${{ matrix.release }}/Containerfile - platforms: linux/amd64,linux/arm64,linux/ppc64le - push: true - tags: quay.io/toolbx/ubuntu-toolbox:latest + registry: ${{ env.registry }} + username: ${{ env.username }} + password: ${{ secrets.QUAY_ROBOT_TOKEN }} + + - uses: sigstore/cosign-installer@v3.3.0 + if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' + + - name: Sign container image + if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release != matrix.release + run: | + cosign sign -y --recursive --key env://COSIGN_PRIVATE_KEY ${{ env.registry }}/${{ env.distro }}-toolbox@${{ steps.push.outputs.digest }} + env: + COSIGN_EXPERIMENTAL: false + COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} + + - name: Sign container image (latest) + if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release == matrix.release + run: | + cosign sign -y --recursive --key env://COSIGN_PRIVATE_KEY ${{ env.registry }}/${{ env.distro }}-toolbox@${{ 
steps.push-latest.outputs.digest }} + env: + COSIGN_EXPERIMENTAL: false + COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
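Review bot: `sudo apt install qemu-user-static` in the new "Set up QEMU for multi-arch builds" step has no `-y`; when apt needs to pull in additional packages it asks for confirmation and, with no TTY on the runner, aborts, so use `sudo apt-get install -y qemu-user-static` (and `sudo apt-get update` to match). The cosign steps depend on the preceding `redhat-actions/podman-login` for registry credentials, since `cosign sign` is given none of its own; presumably cosign picks up podman's `containers/auth.json`, but the login otherwise looks redundant because the push steps authenticate inline, so a comment on it such as `# also provides the credentials cosign uses to push signatures` would stop someone removing it. Signing `steps.push.outputs.digest` with `--recursive` is the right choice for a multi-arch image, as it binds the signature to the immutable manifest list (and its per-platform manifests) rather than to a mutable tag.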