mirror of
https://mirror.skon.top/github.com/zabbix/zabbix-docker
synced 2026-04-20 21:00:35 +08:00
605 lines
25 KiB
YAML
605 lines
25 KiB
YAML
name: Build images (DockerHub, Windows)
|
|
|
|
on:
|
|
release:
|
|
types:
|
|
- published
|
|
push:
|
|
branches:
|
|
- '[0-9]+.[0-9]+'
|
|
- 'trunk'
|
|
paths:
|
|
- 'build.json'
|
|
- 'Dockerfiles/*/windows/*'
|
|
- '!**/README.md'
|
|
- '.github/workflows/images_build_windows.yml'
|
|
- '.github/actions/docker-build-push-windows/*'
|
|
schedule:
|
|
- cron: '05 02 * * *'
|
|
workflow_dispatch:
|
|
|
|
concurrency:
|
|
group: windows-build-${{ github.workflow }}-${{ github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
defaults:
|
|
run:
|
|
shell: pwsh
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
env:
|
|
TRUNK_ONLY_EVENT: ${{ contains(fromJSON('["schedule"]'), github.event_name) }}
|
|
AUTO_PUSH_IMAGES: ${{ vars.AUTO_PUSH_IMAGES }}
|
|
|
|
DOCKER_REGISTRY: ${{ vars.DOCKER_REGISTRY }}
|
|
DOCKER_REPOSITORY: ${{ vars.DOCKER_REPOSITORY }}
|
|
LATEST_BRANCH: ${{ github.event.repository.default_branch }}
|
|
TRUNK_GIT_BRANCH: "refs/heads/trunk"
|
|
IMAGES_PREFIX: "zabbix-"
|
|
|
|
MSFT_BASE_BUILD_IMAGE: "mcr.microsoft.com/windows/servercore"
|
|
OS_BASE_IMAGE_NAME: "mcr.microsoft.com/windows/nanoserver"
|
|
|
|
BASE_IMAGE_NAME: "build-base"
|
|
BASE_BUILD_IMAGE_NAME: "build-mysql"
|
|
|
|
MATRIX_FILE: "build.json"
|
|
DOCKERFILES_DIRECTORY: "Dockerfiles"
|
|
|
|
OIDC_ISSUER: "https://token.actions.githubusercontent.com"
|
|
IDENTITY_REGEX: "${{ github.server_url }}/${{ github.repository }}/.github/"
|
|
|
|
jobs:
|
|
init_build:
|
|
name: Initialize build
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
contents: read
|
|
defaults:
|
|
run:
|
|
shell: bash
|
|
outputs:
|
|
os: ${{ steps.os.outputs.list }}
|
|
components: ${{ steps.components.outputs.list }}
|
|
is_default_branch: ${{ steps.branch_info.outputs.is_default_branch }}
|
|
current_branch: ${{ steps.branch_info.outputs.current_branch }}
|
|
sha_short: ${{ steps.branch_info.outputs.sha_short }}
|
|
steps:
|
|
- name: Block egress traffic
|
|
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
|
|
with:
|
|
disable-sudo: true
|
|
egress-policy: block
|
|
allowed-endpoints: >
|
|
github.com:443
|
|
release-assets.githubusercontent.com:443
|
|
|
|
- name: Checkout repository
|
|
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
|
|
with:
|
|
ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }}
|
|
fetch-depth: 1
|
|
sparse-checkout: ${{ env.MATRIX_FILE }}
|
|
|
|
- name: Check matrix file
|
|
env:
|
|
MATRIX_FILE: ${{ env.MATRIX_FILE }}
|
|
run: |
|
|
if [[ ! -f "$MATRIX_FILE" ]]; then
|
|
echo "::error::File $MATRIX_FILE is missing"
|
|
exit 1
|
|
fi
|
|
|
|
- name: Prepare Operating System list
|
|
id: os
|
|
env:
|
|
MATRIX_FILE: ${{ env.MATRIX_FILE }}
|
|
run: |
|
|
os_list="$(jq -c '.["os-windows"] | keys' "$MATRIX_FILE")"
|
|
|
|
echo "::group::Operating System List"
|
|
echo "$os_list"
|
|
echo "::endgroup::"
|
|
|
|
echo "list=$os_list" >> "$GITHUB_OUTPUT"
|
|
|
|
- name: Prepare Zabbix component list
|
|
id: components
|
|
shell: bash
|
|
run: |
|
|
component_list='["agent","agent2"]'
|
|
|
|
echo "::group::Zabbix Component List"
|
|
echo "$component_list"
|
|
echo "::endgroup::"
|
|
|
|
echo "list=$component_list" >> $GITHUB_OUTPUT
|
|
|
|
- name: Get branch info
|
|
id: branch_info
|
|
shell: bash
|
|
env:
|
|
LATEST_BRANCH: ${{ env.LATEST_BRANCH }}
|
|
GITHUB_REF_RAW: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || github.ref }}
|
|
run: |
|
|
github_ref="$GITHUB_REF_RAW"
|
|
sha_short="$(git rev-parse --short HEAD)"
|
|
|
|
if [[ "$github_ref" == refs/tags/* ]]; then
|
|
github_ref="${github_ref%.*}"
|
|
fi
|
|
|
|
github_ref="${github_ref##*/}"
|
|
|
|
is_default_branch=false
|
|
if [[ "$github_ref" == "$LATEST_BRANCH" ]]; then
|
|
is_default_branch=true
|
|
fi
|
|
|
|
echo "::group::Branch data"
|
|
echo "is_default_branch=$is_default_branch"
|
|
echo "current_branch=$github_ref"
|
|
echo "sha_short=$sha_short"
|
|
echo "::endgroup::"
|
|
|
|
echo "is_default_branch=$is_default_branch" >> "$GITHUB_OUTPUT"
|
|
echo "current_branch=$github_ref" >> "$GITHUB_OUTPUT"
|
|
echo "sha_short=$sha_short" >> "$GITHUB_OUTPUT"
|
|
|
|
build_base:
|
|
name: Build ${{ matrix.component }} base on ${{ matrix.os }}
|
|
needs: init_build
|
|
runs-on: ${{ matrix.os }}
|
|
timeout-minutes: 70
|
|
permissions:
|
|
contents: read
|
|
id-token: write
|
|
attestations: write
|
|
artifact-metadata: write
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
os: ${{ fromJson(needs.init_build.outputs.os) }}
|
|
component: ${{ fromJson(needs.init_build.outputs.components) }}
|
|
|
|
steps:
|
|
- name: Block egress traffic
|
|
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
|
|
with:
|
|
disable-sudo: true
|
|
egress-policy: block
|
|
allowed-endpoints: >
|
|
aka.ms:443
|
|
api.github.com:443
|
|
auth.docker.io:443
|
|
curl.se:443
|
|
dc.services.visualstudio.com:443
|
|
definitionupdates.microsoft.com:443
|
|
dl.google.com:443
|
|
download.visualstudio.microsoft.com:443
|
|
fulcio.sigstore.dev:443
|
|
github.com:443
|
|
go.dev:443
|
|
go.microsoft.com:443
|
|
index.docker.io:443
|
|
mcr.microsoft.com:443
|
|
mobile.events.data.microsoft.com:443
|
|
ocsp.digicert.com:80
|
|
ocsp.sectigo.com:80
|
|
production.cloudflare.docker.com:443
|
|
r12.c.lencr.org:80
|
|
raw.githubusercontent.com:443
|
|
registry-1.docker.io:443
|
|
rekor.sigstore.dev:443
|
|
tuf-repo-cdn.sigstore.dev:443
|
|
www.nasm.us:443
|
|
x1.c.lencr.org:80
|
|
zlib.net:443
|
|
|
|
- name: Checkout repository
|
|
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
|
|
with:
|
|
ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }}
|
|
fetch-depth: 1
|
|
|
|
- name: Install cosign
|
|
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
|
|
uses: ./.github/actions/cosign-install
|
|
|
|
- name: Login to DockerHub
|
|
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
|
|
with:
|
|
username: ${{ secrets.DOCKER_USERNAME }}
|
|
password: ${{ secrets.DOCKER_PASSWORD }}
|
|
|
|
- name: Base Windows OS tag
|
|
id: base_os_tag
|
|
env:
|
|
MATRIX_OS: ${{ matrix.os }}
|
|
MATRIX_FILE: ${{ env.MATRIX_FILE }}
|
|
run: |
|
|
$osTag = (Get-Content -Path $Env:MATRIX_FILE | ConvertFrom-Json).'os-windows'."$Env:MATRIX_OS"
|
|
|
|
if ([string]::IsNullOrWhiteSpace($osTag)) {
|
|
throw "Failed to detect Windows base OS tag for '$Env:MATRIX_OS'"
|
|
}
|
|
|
|
echo "::group::Base Microsoft Windows OS tag"
|
|
echo "$osTag"
|
|
echo "::endgroup::"
|
|
|
|
echo "os_tag=$osTag" >> $Env:GITHUB_OUTPUT
|
|
|
|
- name: Generate tags
|
|
id: meta
|
|
uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
|
|
with:
|
|
images: ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, env.BASE_IMAGE_NAME ) }}
|
|
context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }}
|
|
tags: |
|
|
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-
|
|
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ steps.base_os_tag.outputs.os_tag }},prefix=${{ matrix.component }}-
|
|
type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-,suffix=-latest
|
|
type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }}-latest,prefix=${{ matrix.component }}-
|
|
type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-latest
|
|
type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-
|
|
type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }},prefix=${{ matrix.component }}-
|
|
flavor: |
|
|
latest=false
|
|
|
|
- name: Build and push image
|
|
id: docker_build
|
|
uses: ./.github/actions/docker-build-push-windows
|
|
with:
|
|
context: ${{ env.DOCKERFILES_DIRECTORY }}\${{ env.BASE_IMAGE_NAME }}\windows
|
|
dockerfile: ${{ env.DOCKERFILES_DIRECTORY }}\${{ env.BASE_IMAGE_NAME }}\windows\Dockerfile.${{ matrix.component }}
|
|
tags: ${{ steps.meta.outputs.tags }}
|
|
label_revision: ${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
|
|
label_created: ${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
|
|
pull_images: |
|
|
${{ env.MSFT_BASE_BUILD_IMAGE }}:${{ steps.base_os_tag.outputs.os_tag }}
|
|
build_args: |
|
|
OS_BASE_IMAGE=${{ env.MSFT_BASE_BUILD_IMAGE }}:${{ steps.base_os_tag.outputs.os_tag }}
|
|
push: true
|
|
|
|
- name: Sign the images with GitHub OIDC Token
|
|
uses: ./.github/actions/cosign-sign
|
|
with:
|
|
digest: ${{ steps.docker_build.outputs.digest }}
|
|
tags: ${{ steps.meta.outputs.tags }}
|
|
|
|
- name: Attest images
|
|
uses: ./.github/actions/attest-image
|
|
with:
|
|
subject_name: ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, env.BASE_IMAGE_NAME ) }}
|
|
subject_digest: ${{ steps.docker_build.outputs.digest }}
|
|
|
|
- name: Image digest
|
|
env:
|
|
DIGEST: ${{ steps.docker_build.outputs.digest }}
|
|
CACHE_FILE_NAME: ${{ env.BASE_IMAGE_NAME }}_${{ matrix.os }}_${{ matrix.component }}
|
|
run: |
|
|
echo "::group::Image digest"
|
|
echo "$Env:DIGEST"
|
|
echo "::endgroup::"
|
|
|
|
echo "::group::Cache file name"
|
|
echo "$Env:CACHE_FILE_NAME"
|
|
echo "::endgroup::"
|
|
|
|
Set-Content -Path $Env:CACHE_FILE_NAME -Value $Env:DIGEST -NoNewline
|
|
|
|
- name: Upload artifact metadata
|
|
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
|
|
with:
|
|
path: ${{ env.BASE_IMAGE_NAME }}_${{ matrix.os }}_${{ matrix.component }}
|
|
name: ${{ env.BASE_IMAGE_NAME }}-${{ matrix.os }}-${{ matrix.component }}-${{ github.run_id }}
|
|
|
|
build_components:
|
|
name: Build ${{ matrix.component }} sources on ${{ matrix.os }}
|
|
needs: ["build_base", "init_build"]
|
|
runs-on: ${{ matrix.os }}
|
|
timeout-minutes: 70
|
|
permissions:
|
|
contents: read
|
|
id-token: write
|
|
attestations: write
|
|
artifact-metadata: write
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
os: ${{ fromJson(needs.init_build.outputs.os) }}
|
|
component: ${{ fromJson(needs.init_build.outputs.components) }}
|
|
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
|
|
with:
|
|
ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }}
|
|
fetch-depth: 1
|
|
|
|
- name: Install cosign
|
|
uses: ./.github/actions/cosign-install
|
|
|
|
- name: Login to DockerHub
|
|
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
|
|
with:
|
|
username: ${{ secrets.DOCKER_USERNAME }}
|
|
password: ${{ secrets.DOCKER_PASSWORD }}
|
|
|
|
- name: Base OS tag
|
|
id: base_os_tag
|
|
env:
|
|
MATRIX_OS: ${{ matrix.os }}
|
|
MATRIX_FILE: ${{ env.MATRIX_FILE }}
|
|
run: |
|
|
$osTag = (Get-Content -Path $Env:MATRIX_FILE | ConvertFrom-Json).'os-windows'."$Env:MATRIX_OS"
|
|
|
|
if ([string]::IsNullOrWhiteSpace($osTag)) {
|
|
throw "Failed to detect Windows base OS tag for '$Env:MATRIX_OS'"
|
|
}
|
|
|
|
echo "::group::Base Windows OS tag"
|
|
echo "$osTag"
|
|
echo "::endgroup::"
|
|
|
|
echo "os_tag=$osTag" >> $Env:GITHUB_OUTPUT
|
|
|
|
- name: Generate tags
|
|
id: meta
|
|
uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
|
|
with:
|
|
images: ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, env.BASE_BUILD_IMAGE_NAME ) }}
|
|
context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }}
|
|
tags: |
|
|
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-
|
|
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ steps.base_os_tag.outputs.os_tag }},prefix=${{ matrix.component }}-
|
|
type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-,suffix=-latest
|
|
type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }}-latest,prefix=${{ matrix.component }}-
|
|
type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-latest
|
|
type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-
|
|
type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }},prefix=${{ matrix.component }}-
|
|
flavor: |
|
|
latest=false
|
|
|
|
- name: Download SHA256 tag of ${{ env.BASE_IMAGE_NAME }}:${{ matrix.os }}
|
|
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
|
|
with:
|
|
name: ${{ env.BASE_IMAGE_NAME }}-${{ matrix.os }}-${{ matrix.component }}-${{ github.run_id }}
|
|
|
|
- name: Retrieve ${{ env.BASE_IMAGE_NAME }}:${{ matrix.os }} SHA256 tag
|
|
id: base_build
|
|
env:
|
|
BASE_IMAGE_NAME: ${{ env.BASE_IMAGE_NAME }}
|
|
MATRIX_OS: ${{ matrix.os }}
|
|
MATRIX_COMPONENT: ${{ matrix.component }}
|
|
DOCKER_REPOSITORY: ${{ env.DOCKER_REPOSITORY }}
|
|
IMAGES_PREFIX: ${{ env.IMAGES_PREFIX }}
|
|
run: |
|
|
$baseImageFile = "$Env:BASE_IMAGE_NAME" + "_" + "$Env:MATRIX_OS" + "_" + "$Env:MATRIX_COMPONENT"
|
|
|
|
if (-not (Test-Path $baseImageFile)) {
|
|
throw "Missing cached base image digest file: $baseImageFile"
|
|
}
|
|
|
|
$baseTag = (Get-Content $baseImageFile -Raw).Trim()
|
|
if ([string]::IsNullOrWhiteSpace($baseTag)) {
|
|
throw "Base image digest is empty in file: $baseImageFile"
|
|
}
|
|
|
|
$buildBaseImage = "$Env:DOCKER_REPOSITORY/$Env:IMAGES_PREFIX$Env:BASE_IMAGE_NAME@" + $baseTag
|
|
|
|
echo "::group::Base image info"
|
|
echo "base_tag=$baseTag"
|
|
echo "base_build_image=$buildBaseImage"
|
|
echo "::endgroup::"
|
|
|
|
echo "base_tag=$baseTag" >> $Env:GITHUB_OUTPUT
|
|
echo "base_build_image=$buildBaseImage" >> $Env:GITHUB_OUTPUT
|
|
|
|
- name: Verify ${{ env.BASE_IMAGE_NAME }}:${{ matrix.os }} cosign
|
|
uses: ./.github/actions/cosign-verify
|
|
with:
|
|
image: ${{ steps.base_build.outputs.base_build_image }}
|
|
oidc_issuer: ${{ env.OIDC_ISSUER }}
|
|
identity_regexp: ${{ env.IDENTITY_REGEX }}
|
|
|
|
- name: Build and push image
|
|
id: docker_build
|
|
uses: ./.github/actions/docker-build-push-windows
|
|
with:
|
|
context: ${{ env.DOCKERFILES_DIRECTORY }}\${{ env.BASE_BUILD_IMAGE_NAME }}\windows
|
|
dockerfile: ${{ env.DOCKERFILES_DIRECTORY }}\${{ env.BASE_BUILD_IMAGE_NAME }}\windows\Dockerfile.${{ matrix.component }}
|
|
tags: ${{ steps.meta.outputs.tags }}
|
|
label_revision: ${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
|
|
label_created: ${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
|
|
pull_images: |
|
|
${{ steps.base_build.outputs.base_build_image }}
|
|
build_args: |
|
|
BUILD_BASE_IMAGE=${{ steps.base_build.outputs.base_build_image }}
|
|
push: true
|
|
|
|
- name: Attest images
|
|
uses: ./.github/actions/attest-image
|
|
with:
|
|
subject_name: ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, env.BASE_BUILD_IMAGE_NAME ) }}
|
|
subject_digest: ${{ steps.docker_build.outputs.digest }}
|
|
|
|
- name: Sign the images with GitHub OIDC Token
|
|
uses: ./.github/actions/cosign-sign
|
|
with:
|
|
digest: ${{ steps.docker_build.outputs.digest }}
|
|
tags: ${{ steps.meta.outputs.tags }}
|
|
|
|
- name: Image digest
|
|
env:
|
|
DIGEST: ${{ steps.docker_build.outputs.digest }}
|
|
CACHE_FILE_NAME: ${{ env.BASE_BUILD_IMAGE_NAME }}_${{ matrix.os }}_${{ matrix.component }}
|
|
run: |
|
|
echo "::group::Image digest"
|
|
echo "$Env:DIGEST"
|
|
echo "::endgroup::"
|
|
|
|
echo "::group::Cache file name"
|
|
echo "$Env:CACHE_FILE_NAME"
|
|
echo "::endgroup::"
|
|
|
|
Set-Content -Path $Env:CACHE_FILE_NAME -Value $Env:DIGEST -NoNewline
|
|
|
|
- name: Upload artifact metadata
|
|
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
|
|
with:
|
|
path: ${{ env.BASE_BUILD_IMAGE_NAME }}_${{ matrix.os }}_${{ matrix.component }}
|
|
name: ${{ env.BASE_BUILD_IMAGE_NAME }}-${{ matrix.os }}-${{ matrix.component }}-${{ github.run_id }}
|
|
|
|
build_images:
|
|
name: Build ${{ matrix.component }} on ${{ matrix.os }}
|
|
needs: ["build_components", "init_build"]
|
|
runs-on: ${{ matrix.os }}
|
|
timeout-minutes: 70
|
|
permissions:
|
|
contents: read
|
|
id-token: write
|
|
attestations: write
|
|
artifact-metadata: write
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
os: ${{ fromJson(needs.init_build.outputs.os) }}
|
|
component: ${{ fromJson(needs.init_build.outputs.components) }}
|
|
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
|
|
with:
|
|
ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }}
|
|
fetch-depth: 1
|
|
|
|
- name: Install cosign
|
|
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
|
|
uses: ./.github/actions/cosign-install
|
|
|
|
- name: Login to DockerHub
|
|
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
|
|
with:
|
|
username: ${{ secrets.DOCKER_USERNAME }}
|
|
password: ${{ secrets.DOCKER_PASSWORD }}
|
|
|
|
- name: Base OS tag
|
|
id: base_os_tag
|
|
env:
|
|
MATRIX_OS: ${{ matrix.os }}
|
|
MATRIX_FILE: ${{ env.MATRIX_FILE }}
|
|
run: |
|
|
$osTag = (Get-Content -Path $Env:MATRIX_FILE | ConvertFrom-Json).'os-windows'."$Env:MATRIX_OS"
|
|
|
|
if ([string]::IsNullOrWhiteSpace($osTag)) {
|
|
throw "Failed to detect Windows base OS tag for '$Env:MATRIX_OS'"
|
|
}
|
|
|
|
echo "::group::Base OS tag"
|
|
echo "$osTag"
|
|
echo "::endgroup::"
|
|
|
|
echo "os_tag=$osTag" >> $Env:GITHUB_OUTPUT
|
|
|
|
- name: Generate tags
|
|
id: meta
|
|
uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
|
|
with:
|
|
images: ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.component ) }}
|
|
context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }}
|
|
tags: |
|
|
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ steps.base_os_tag.outputs.os_tag }}-
|
|
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ steps.base_os_tag.outputs.os_tag }}
|
|
type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,prefix=${{ steps.base_os_tag.outputs.os_tag }}-,suffix=-latest
|
|
type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }}-latest
|
|
type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{ steps.base_os_tag.outputs.os_tag }}-latest
|
|
type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ steps.base_os_tag.outputs.os_tag }}-
|
|
type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }}
|
|
flavor: |
|
|
latest=false
|
|
|
|
- name: Download SHA256 tag of ${{ env.BASE_BUILD_IMAGE_NAME }}:${{ matrix.os }}
|
|
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
|
|
with:
|
|
name: ${{ env.BASE_BUILD_IMAGE_NAME }}-${{ matrix.os }}-${{ matrix.component }}-${{ github.run_id }}
|
|
|
|
- name: Retrieve ${{ env.BASE_BUILD_IMAGE_NAME }}:${{ matrix.os }} SHA256 tag
|
|
id: base_build
|
|
env:
|
|
BASE_BUILD_IMAGE_NAME: ${{ env.BASE_BUILD_IMAGE_NAME }}
|
|
MATRIX_OS: ${{ matrix.os }}
|
|
MATRIX_COMPONENT: ${{ matrix.component }}
|
|
DOCKER_REPOSITORY: ${{ env.DOCKER_REPOSITORY }}
|
|
IMAGES_PREFIX: ${{ env.IMAGES_PREFIX }}
|
|
run: |
|
|
$baseImageFile = "$Env:BASE_BUILD_IMAGE_NAME" + "_" + "$Env:MATRIX_OS" + "_" + "$Env:MATRIX_COMPONENT"
|
|
|
|
if (-not (Test-Path $baseImageFile)) {
|
|
throw "Missing cached build-components digest file: $baseImageFile"
|
|
}
|
|
|
|
$baseTag = (Get-Content $baseImageFile -Raw).Trim()
|
|
if ([string]::IsNullOrWhiteSpace($baseTag)) {
|
|
throw "Build-components digest is empty in file: $baseImageFile"
|
|
}
|
|
|
|
$buildBaseImage = "$Env:DOCKER_REPOSITORY/$Env:IMAGES_PREFIX$Env:BASE_BUILD_IMAGE_NAME@" + $baseTag
|
|
|
|
echo "::group::Base image info"
|
|
echo "base_tag=$baseTag"
|
|
echo "base_build_image=$buildBaseImage"
|
|
echo "::endgroup::"
|
|
|
|
echo "base_tag=$baseTag" >> $Env:GITHUB_OUTPUT
|
|
echo "base_build_image=$buildBaseImage" >> $Env:GITHUB_OUTPUT
|
|
|
|
- name: Verify ${{ env.BASE_BUILD_IMAGE_NAME }}:${{ matrix.os }} cosign
|
|
uses: ./.github/actions/cosign-verify
|
|
with:
|
|
image: ${{ steps.base_build.outputs.base_build_image }}
|
|
oidc_issuer: ${{ env.OIDC_ISSUER }}
|
|
identity_regexp: ${{ env.IDENTITY_REGEX }}
|
|
|
|
- name: Build and push image
|
|
id: docker_build
|
|
uses: ./.github/actions/docker-build-push-windows
|
|
with:
|
|
context: ${{ env.DOCKERFILES_DIRECTORY }}\${{ matrix.component }}\windows
|
|
dockerfile: ${{ env.DOCKERFILES_DIRECTORY }}\${{ matrix.component }}\windows\Dockerfile
|
|
tags: ${{ steps.meta.outputs.tags }}
|
|
label_revision: ${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
|
|
label_created: ${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
|
|
pull_images: |
|
|
${{ steps.base_build.outputs.base_build_image }}
|
|
${{ env.OS_BASE_IMAGE_NAME }}:${{ steps.base_os_tag.outputs.os_tag }}
|
|
build_args: |
|
|
BUILD_BASE_IMAGE=${{ steps.base_build.outputs.base_build_image }}
|
|
OS_BASE_IMAGE=${{ env.OS_BASE_IMAGE_NAME }}:${{ steps.base_os_tag.outputs.os_tag }}
|
|
push: ${{ env.AUTO_PUSH_IMAGES }}
|
|
|
|
- name: Sign the images with GitHub OIDC Token
|
|
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
|
|
uses: ./.github/actions/cosign-sign
|
|
with:
|
|
digest: ${{ steps.docker_build.outputs.digest }}
|
|
tags: ${{ steps.meta.outputs.tags }}
|
|
|
|
- name: Attest images
|
|
uses: ./.github/actions/attest-image
|
|
with:
|
|
subject_name: ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.component ) }}
|
|
subject_digest: ${{ steps.docker_build.outputs.digest }}
|
|
|
|
- name: Print final image digest
|
|
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
|
|
env:
|
|
DIGEST: ${{ steps.docker_build.outputs.digest }}
|
|
run: |
|
|
echo "::group::Image digest"
|
|
echo "$Env:DIGEST"
|
|
echo "::endgroup::"
|