github/workflows: Sign Ubuntu and Arch images using cosign #1440

Open
wants to merge 3 commits into
base: main
31 changes: 0 additions & 31 deletions .github/workflows/arch-images-pr.yaml

This file was deleted.

78 changes: 59 additions & 19 deletions .github/workflows/arch-images.yaml
@@ -1,6 +1,14 @@
name: Build and push the arch-toolbox image
name: "Arch Linux: Build and push arch-toolbox image"

permissions: read-all

on:
pull_request:
branches:
- main
paths:
- images/arch/**
- .github/workflows/arch-images.yaml
push:
branches:
- main
Expand All @@ -10,34 +18,66 @@ on:
schedule:
- cron: '0 0 * * MON'

# Prevent multiple workflow runs from racing
concurrency: ${{ github.workflow }}
env:
distro: 'arch'
platforms: 'linux/amd64'
registry: 'quay.io/toolbx'
username: 'toolbx+github'

# Prevent multiple workflow runs from racing to ensure that pushes are made
# sequentially for the main branch. Also cancel in progress workflow runs for
# pull requests only.
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: ${{ github.event_name == 'pull_request' }}

jobs:
build-and-push-images:
build-push-images:
name: Build and push the arch-toolbox image

runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
uses: actions/checkout@v4

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
- name: Build container image (latest tag)
uses: redhat-actions/buildah-build@v2
if: env.latest_release == matrix.release
with:
platforms: ${{ env.platforms }}
context: images/${{ env.distro }}
image: ${{ env.distro }}-toolbox
tags: latest
containerfiles: images/${{ env.distro }}/Containerfile
layers: false
oci: true

- name: Log in to Quay.io
uses: docker/login-action@v2
- name: Push to Container Registry (latest tag)
uses: redhat-actions/push-to-registry@v2
id: push-latest
if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main'
with:
registry: quay.io
username: 'toolbx+github'
username: ${{ env.username }}
password: ${{ secrets.QUAY_ROBOT_TOKEN }}
image: ${{ env.distro }}-toolbox
registry: ${{ env.registry }}
tags: latest

- name: Build and push the arch-toolbox image
uses: docker/build-push-action@v3
- name: Login to Container Registry
uses: redhat-actions/podman-login@v1
if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main'
with:
context: images/arch
file: images/arch/Containerfile
platforms: linux/amd64
push: true
no-cache: true
tags: quay.io/toolbx/arch-toolbox:latest
registry: ${{ env.registry }}
username: ${{ env.username }}
password: ${{ secrets.QUAY_ROBOT_TOKEN }}

- uses: sigstore/[email protected]
if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main'

- name: Sign container image (latest)
if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main'
run: |
cosign sign -y --recursive --key env://COSIGN_PRIVATE_KEY ${{ env.registry }}/${{ env.distro }}-toolbox@${{ steps.push-latest.outputs.digest }}
env:
COSIGN_EXPERIMENTAL: false
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
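Review bot: The `if: env.latest_release == matrix.release` guard on the "Build container image (latest tag)" step compares two values this workflow never defines — the arch job has no `strategy.matrix`, and its `env` block sets only `distro`, `platforms`, `registry` and `username` — so it looks carried over from the Ubuntu workflow and presumably only evaluates true because both sides are unset; the `if:` line should be dropped so the build runs unconditionally and does not silently skip if either name is ever introduced. The signing step passes the key as `--key env://COSIGN_PRIVATE_KEY` but sets no `COSIGN_PASSWORD`; if the stored key is passphrase-protected (as keys generated by cosign are by default), signing will fail on the non-interactive runner, so either add `COSIGN_PASSWORD: ${{ secrets.<password-secret> }}` to the step's `env` or note in a comment that the key is stored unencrypted — the same applies to both sign steps in ubuntu-images.yaml. The `uses: sigstore/[email protected]` reference renders garbled on this page; whatever its real form, pinning the action that installs the signing tool to a full-length commit SHA rather than a tag would match the supply-chain intent of this change, since the other actions here are pinned only to major tags.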
124 changes: 93 additions & 31 deletions .github/workflows/ubuntu-images.yaml
@@ -1,6 +1,14 @@
name: "Images: Build and push Ubuntu toolbx images"
name: "Ubuntu: Build and push ubuntu-toolbox images"

permissions: read-all

on:
pull_request:
branches:
- main
paths:
- images/ubuntu/**
- .github/workflows/ubuntu-images.yaml
push:
branches:
- main
Expand All @@ -10,52 +18,106 @@ on:
schedule:
- cron: '0 0 * * MON'

# Prevent multiple workflow runs from racing
concurrency: ${{ github.workflow }}

env:
distro: 'ubuntu'
latest_release: '22.04'
platforms: 'linux/amd64, linux/arm64'
registry: 'quay.io/toolbx'
username: 'toolbx+github'

# Prevent multiple workflow runs from racing to ensure that pushes are made
# sequentially for the main branch. Also cancel in progress workflow runs for
# pull requests only.
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: ${{ github.event_name == 'pull_request' }}

jobs:
build-and-push-images:
build-push-images:
strategy:
matrix:
release: ['16.04', '18.04', '20.04', '22.04', '23.04', '23.10']

runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
uses: actions/checkout@v4

- name: Set up QEMU
uses: docker/setup-qemu-action@v2
- name: Set up QEMU for multi-arch builds
shell: bash
run: |
sudo apt update
sudo apt install qemu-user-static

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
- name: Build container image
uses: redhat-actions/buildah-build@v2
if: env.latest_release != matrix.release
with:
platforms: ${{ env.platforms }}
context: images/${{ env.distro }}/${{ matrix.release }}
image: ${{ env.distro }}-toolbox
tags: ${{ matrix.release }}
containerfiles: images/${{ env.distro }}/${{ matrix.release }}/Containerfile
layers: false
oci: true

- name: Login to Quay.io
uses: docker/login-action@v2
- name: Build container image (latest tag)
uses: redhat-actions/buildah-build@v2
if: env.latest_release == matrix.release
with:
registry: quay.io
username: 'toolbx+github'
platforms: ${{ env.platforms }}
context: images/${{ env.distro }}/${{ matrix.release }}
image: ${{ env.distro }}-toolbox
tags: ${{ matrix.release }} latest
containerfiles: images/${{ env.distro }}/${{ matrix.release }}/Containerfile
layers: false
oci: true

- name: Push to Container Registry
uses: redhat-actions/push-to-registry@v2
id: push
if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release != matrix.release
with:
username: ${{ env.username }}
password: ${{ secrets.QUAY_ROBOT_TOKEN }}
image: ${{ env.distro }}-toolbox
registry: ${{ env.registry }}
tags: ${{ matrix.release }}

- name: Build and push Ubuntu ${{ matrix.release }} toolbox image
uses: docker/build-push-action@v3
- name: Push to Container Registry (latest tag)
uses: redhat-actions/push-to-registry@v2
id: push-latest
if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release == matrix.release
with:
context: images/ubuntu/${{ matrix.release }}
file: images/ubuntu/${{ matrix.release }}/Containerfile
platforms: linux/amd64,linux/arm64,linux/ppc64le
push: true
no-cache: true
tags: quay.io/toolbx/ubuntu-toolbox:${{ matrix.release }}

- name: Push latest tag
if: env.latest_release == matrix.release
uses: docker/build-push-action@v3
username: ${{ env.username }}
password: ${{ secrets.QUAY_ROBOT_TOKEN }}
image: ${{ env.distro }}-toolbox
registry: ${{ env.registry }}
tags: ${{ matrix.release }} latest

- name: Login to Container Registry
uses: redhat-actions/podman-login@v1
if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main'
with:
context: images/ubuntu/${{ matrix.release }}
file: images/ubuntu/${{ matrix.release }}/Containerfile
platforms: linux/amd64,linux/arm64,linux/ppc64le
push: true
tags: quay.io/toolbx/ubuntu-toolbox:latest
registry: ${{ env.registry }}
username: ${{ env.username }}
password: ${{ secrets.QUAY_ROBOT_TOKEN }}

- uses: sigstore/[email protected]
if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main'

- name: Sign container image
if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release != matrix.release
run: |
cosign sign -y --recursive --key env://COSIGN_PRIVATE_KEY ${{ env.registry }}/${{ env.distro }}-toolbox@${{ steps.push.outputs.digest }}
env:
COSIGN_EXPERIMENTAL: false
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}

- name: Sign container image (latest)
if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release == matrix.release
run: |
cosign sign -y --recursive --key env://COSIGN_PRIVATE_KEY ${{ env.registry }}/${{ env.distro }}-toolbox@${{ steps.push-latest.outputs.digest }}
env:
COSIGN_EXPERIMENTAL: false
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
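Review bot: The "Set up QEMU for multi-arch builds" step runs `sudo apt install qemu-user-static` without `-y`; if the package actually has to be downloaded on the runner, apt will wait for a confirmation it cannot receive and abort the job, so change the two lines to `sudo apt-get update` and `sudo apt-get install -y qemu-user-static` (apt-get also avoids the "unstable CLI" warning `apt` prints in scripts). The push/sign pairing itself reads correctly: each sign step uses the digest from its own push step, and the `latest` build pushes `${{ matrix.release }}` and `latest` in one step, so one signature on that digest covers both tags. One documentation gap: nothing in the workflow says where the public half of `COSIGN_PRIVATE_KEY` is published for consumers to run `cosign verify`; a comment above the sign steps such as `# Signatures verify against the public key published at <location of cosign.pub>` would close that.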