zabbix-docker/.github/workflows/images_build.yml
Alexey Pustovalov c8605b95ac
Updated Windows / Linux / RHEL workflow
2026-03-30 17:08:51 +09:00


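# Linux image pipeline for DockerHub: one "build-base" builder image per OS,
# then the per-database base images, then the Zabbix component images.
name: Build images (DockerHub)
on:
  release:
    types:
      - published
  push:
    branches:
      - '[0-9]+.[0-9]+'
      - 'trunk'
    paths:
      - 'Dockerfiles/**'
      - 'build.json'
      - '!**/README.md'
      # RHEL and Windows Dockerfiles are excluded here; presumably they are
      # handled by separate workflows.
      - '!Dockerfiles/*/rhel/*'
      - '!Dockerfiles/*/windows/*'
      - '.github/workflows/images_build.yml'
      - '.github/actions/*'
  schedule:
    - cron: '50 02 * * *'
  workflow_dispatch:
    inputs:
      # Read as inputs.trunk_version by the "Get branch info" step of
      # init_build. It was referenced without being declared, so it was
      # always an empty string; it is optional and has no default, so runs
      # that do not set it behave exactly as before.
      trunk_version:
        description: 'Optional value forwarded to get-branch-info as trunk_version (leave empty to keep the previous behaviour)'
        required: false
        type: string
concurrency:
  # One run per workflow and ref; a newer push cancels the in-flight one.
  group: images-build-${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
defaults:
  run:
    shell: bash
# Workflow-wide token is read-only; jobs that push, sign or attest request
# the write scopes they need individually.
permissions:
  contents: read
env:
  # Scheduled runs always check out trunk (see the checkout "ref" in every job).
  TRUNK_ONLY_EVENT: ${{ contains(fromJSON('["schedule"]'), github.event_name) }}
  # False for workflow_dispatch runs, otherwise the repository variable.
  # Gates pushing, signing and attesting of the component images; the base
  # images are published regardless (see build_base / build_base_database).
  AUTO_PUSH_IMAGES: ${{ ! contains(fromJSON('["workflow_dispatch"]'), github.event_name) && vars.AUTO_PUSH_IMAGES }}
  DOCKER_REGISTRY: ${{ vars.DOCKER_REGISTRY }}
  DOCKER_REPOSITORY: ${{ vars.DOCKER_REPOSITORY }}
  TRUNK_GIT_BRANCH: "refs/heads/trunk"
  IMAGES_PREFIX: "zabbix-"
  BASE_BUILD_NAME: "build-base"
  # Artifact file names used to hand BuildKit image metadata (digests)
  # from one job to the next.
  BASE_CACHE_FILE_NAME: "base_image_metadata.json"
  BUILD_CACHE_FILE_NAME: "base_build_image_metadata.json"
  MATRIX_FILE: "build.json"
  DOCKERFILES_DIRECTORY: "./Dockerfiles"
  # Expected signer of the base images, checked by the cosign-verify steps.
  OIDC_ISSUER: "https://token.actions.githubusercontent.com"
  # NOTE(review): consumed as a regular expression (identity_regexp). It is
  # not anchored and its dots are unescaped, so it matches more than the
  # literal prefix; anchoring with '^' and escaping '.' would tighten it —
  # confirm how ./.github/actions/cosign-verify uses it before changing.
  IDENTITY_REGEX: "${{ github.server_url }}/${{ github.repository }}/.github/"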
jobs:
init_build:
  # Reads build.json and publishes the OS / database / component matrices plus
  # branch facts that every build job below consumes.
  name: Initialize build
  runs-on: ubuntu-latest
  permissions:
    contents: read
  outputs:
    os: ${{ steps.os.outputs.list }}
    database: ${{ steps.database.outputs.list }}
    components: ${{ steps.components.outputs.list }}
    is_default_branch: ${{ steps.branch_info.outputs.is_default_branch }}
    current_branch: ${{ steps.branch_info.outputs.current_branch }}
    sha_short: ${{ steps.branch_info.outputs.sha_short }}
  steps:
    # Enforced egress allowlist (GitHub endpoints only) and no sudo: this job
    # only needs to read the repository.
    - name: Block egress traffic
      uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
      with:
        disable-sudo: true
        egress-policy: block
        disable-telemetry: true
        allowed-endpoints: >
          api.github.com:443
          github.com:443
          objects.githubusercontent.com:443
          release-assets.githubusercontent.com:443
    # Scheduled runs check out trunk; other events use the triggering ref.
    # Only the matrix file and .github (local actions) are checked out.
    - name: Checkout repository
      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }}
        fetch-depth: 1
        sparse-checkout: |
          ${{ env.MATRIX_FILE }}
          .github
    - name: Check matrix file
      env:
        MATRIX_FILE: ${{ env.MATRIX_FILE }}
      run: |
        if [[ ! -f "$MATRIX_FILE" ]]; then
          echo "::error::File $MATRIX_FILE is missing"
          exit 1
        fi
    # OS list = keys of "os-linux" minus "rhel" (RHEL Dockerfiles are also
    # excluded from this workflow's push paths).
    - name: Prepare OS list
      id: os
      env:
        MATRIX_FILE: ${{ env.MATRIX_FILE }}
      run: |
        os_list="$(jq -c '.["os-linux"] | keys | map(select(. != "rhel"))' "$MATRIX_FILE")"
        echo "::group::Operating System List"
        echo "$os_list"
        echo "::endgroup::"
        echo "list=$os_list" >> "$GITHUB_OUTPUT"
    # Database list = distinct, non-empty "base" values across all components.
    - name: Prepare database list
      id: database
      env:
        MATRIX_FILE: ${{ env.MATRIX_FILE }}
      run: |
        database_list="$(jq -c '
          [.components | values[].base]
          | map(select(length > 0))
          | unique
        ' "$MATRIX_FILE")"
        echo "::group::Database List"
        echo "$database_list"
        echo "::endgroup::"
        echo "list=$database_list" >> "$GITHUB_OUTPUT"
    - name: Prepare component list
      id: components
      env:
        MATRIX_FILE: ${{ env.MATRIX_FILE }}
      run: |
        component_list="$(jq -c '.components | keys' "$MATRIX_FILE")"
        echo "::group::Zabbix Component List"
        echo "$component_list"
        echo "::endgroup::"
        echo "list=$component_list" >> "$GITHUB_OUTPUT"
    # inputs.trunk_version is only populated on workflow_dispatch runs that
    # declare and supply it; on every other event it is an empty string.
    - name: Get branch info
      id: branch_info
      uses: ./.github/actions/get-branch-info
      with:
        trunk_version: ${{ inputs.trunk_version }}
        trunk_git_branch: ${{ env.TRUNK_GIT_BRANCH }}
build_base:
  # Builds and publishes the per-OS "build-base" builder image that the
  # database base images are built on top of. Published on every run.
  timeout-minutes: 30
  name: Build base on ${{ matrix.os }}
  needs: init_build
  strategy:
    fail-fast: false
    matrix:
      os: ${{ fromJson(needs.init_build.outputs.os) }}
  runs-on: ubuntu-latest
  # id-token: write is what keyless cosign signing and attestation need.
  # NOTE(review): packages: write is requested here but by none of the other
  # build jobs — presumably for pushing to GHCR when DOCKER_REGISTRY points
  # there; confirm it is still needed, otherwise drop it (least privilege).
  permissions:
    contents: read
    id-token: write
    packages: write
    attestations: write
    artifact-metadata: write
  steps:
    # Egress policy is 'audit': traffic outside the list below is logged, not
    # blocked (init_build uses 'block'). The list records the distro mirrors
    # and registries the base build is expected to reach.
    - name: Block egress traffic
      uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
      with:
        disable-sudo: true
        egress-policy: audit
        disable-telemetry: true
        allowed-endpoints: >
          api.github.com:443
          archive.ubuntu.com:80
          atl.mirrors.knownhost.com:80
          atl.mirrors.knownhost.com:443
          auth.docker.io:443
          cdn01.quay.io:443
          cdn02.quay.io:443
          cdn03.quay.io:443
          centos-stream-distro.1gservers.com:80
          centos-stream-distro.1gservers.com:443
          container-registry.oracle.com:443
          dfw.mirror.rackspace.com:80
          dfw.mirror.rackspace.com:443
          dl-cdn.alpinelinux.org:443
          download.cf.centos.org:80
          download.cf.centos.org:443
          epel.mirror.constant.com:443
          ftp-nyc.osuosl.org:80
          ftp-nyc.osuosl.org:443
          ftp-osl.osuosl.org:80
          ftp-osl.osuosl.org:443
          ftp.plusline.net:80
          ftp.plusline.net:443
          ftpmirror.your.org:80
          fulcio.sigstore.dev:443
          ghcr.io:443
          github.com:443
          iad.mirror.rackspace.com:80
          iad.mirror.rackspace.com:443
          index.docker.io:443
          lesnet.mm.fcix.net:443
          mirror-mci.yuki.net.uk:80
          mirror-mci.yuki.net.uk:443
          mirror.arizona.edu:80
          mirror.arizona.edu:443
          mirror.dogado.de:80
          mirror.dogado.de:443
          mirror.facebook.net:80
          mirror.facebook.net:443
          mirror.fcix.net:443
          mirror.gcr.io:443
          mirror.hoobly.com:443
          mirror.math.princeton.edu:443
          mirror.netzwerge.de:443
          mirror.pilotfiber.com:80
          mirror.pilotfiber.com:443
          mirror.rackspace.com:80
          mirror.rackspace.com:443
          mirror.scaleuptech.com:80
          mirror.scaleuptech.com:443
          mirror.servaxnet.com:80
          mirror.servaxnet.com:443
          mirror.siena.edu:80
          mirror.stream.centos.org:80
          mirror.stream.centos.org:443
          mirror.team-cymru.com:80
          mirror.team-cymru.com:443
          mirror1.hs-esslingen.de:443
          mirrors.centos.org:443
          mirrors.fedoraproject.org:80
          mirrors.fedoraproject.org:443
          mirrors.iu13.net:80
          mirrors.mit.edu:443
          mirrors.ocf.berkeley.edu:80
          mirrors.ocf.berkeley.edu:443
          mirrors.sonic.net:443
          mirrors.wcupa.edu:80
          mirrors.wcupa.edu:443
          mirrors.xtom.de:80
          na.edge.kernel.org:443
          nocix.mm.fcix.net:443
          oauth2.sigstore.dev:443
          objects.githubusercontent.com:443
          pkg-containers.githubusercontent.com:443
          ports.ubuntu.com:80
          production.cloudflare.docker.com:443
          quay.io:443
          raw.githubusercontent.com:443
          registry-1.docker.io:443
          rekor.sigstore.dev:443
          release-assets.githubusercontent.com:443
          repo.ialab.dsu.edu:443
          repos.eggycrew.com:80
          repos.eggycrew.com:443
          security.ubuntu.com:80
          timestamp.sigstore.dev:443
          tuf-repo-cdn.sigstore.dev:443
          uvermont.mm.fcix.net:443
          yum.oracle.com:443
          ziply.mm.fcix.net:443
    # Scheduled runs build trunk; other events use the triggering ref.
    - name: Checkout repository
      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }}
        fetch-depth: 1
    - name: Install cosign
      uses: ./.github/actions/cosign-install
    # Comma-separated platform list for this OS, taken from
    # build.json -> "os-linux" -> <os>.
    - name: Prepare platform list
      id: platform
      env:
        MATRIX_OS: ${{ matrix.os }}
        MATRIX_FILE: ${{ env.MATRIX_FILE }}
      run: |
        platform_list="$(jq -r --arg os "$MATRIX_OS" '.["os-linux"][$os] | join(",")' "$MATRIX_FILE")"
        echo "::group::Platform List"
        echo "$platform_list"
        echo "::endgroup::"
        echo "list=$platform_list" >> "$GITHUB_OUTPUT"
    # Image name, tags and OCI labels derived from the branch/event facts.
    - name: Generate tags
      id: meta
      uses: ./.github/actions/docker-meta
      with:
        image: ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }}
        os: ${{ matrix.os }}
        current_branch: ${{ needs.init_build.outputs.current_branch }}
        is_default_branch: ${{ needs.init_build.outputs.is_default_branch }}
        trunk_only_event: ${{ env.TRUNK_ONLY_EVENT }}
        event_name: ${{ github.event_name }}
    # auto_push_images is hard-wired to true: the base image is pushed on
    # every run, independent of AUTO_PUSH_IMAGES.
    - name: Set up Docker tooling
      uses: ./.github/actions/docker-linux-setup
      with:
        auto_push_images: true
        docker_username: ${{ secrets.DOCKER_USERNAME }}
        docker_password: ${{ secrets.DOCKER_PASSWORD }}
    - name: Build and publish image
      id: docker_build
      uses: ./.github/actions/docker-build-push-linux
      with:
        context: ${{ format('{0}/{1}/{2}', env.DOCKERFILES_DIRECTORY, env.BASE_BUILD_NAME, matrix.os) }}
        file: ${{ format('{0}/{1}/{2}/Dockerfile', env.DOCKERFILES_DIRECTORY, env.BASE_BUILD_NAME, matrix.os) }}
        platforms: ${{ steps.platform.outputs.list }}
        push: true
        sbom: true
        tags: ${{ steps.meta.outputs.tags }}
        labels: |
          org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
          org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
    # Vulnerability scan of the first generated tag. Skipped for centos; the
    # reason is not recorded here.
    - name: Scan for vulnerabilities
      if: ${{ matrix.os != 'centos' }}
      uses: crazy-max/ghaction-container-scan@a0a3900b79d158c85ccf034e5368fae620a9233a # v4.0.0
      with:
        image: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
        annotations: true
        dockerfile: ${{ format('{0}/{1}/{2}/Dockerfile', env.DOCKERFILES_DIRECTORY, env.BASE_BUILD_NAME, matrix.os) }}
    # Keyless signing with the job's OIDC token; unconditional because the
    # image is pushed on every run and build_base_database verifies it.
    - name: Sign the images with GitHub OIDC Token
      uses: ./.github/actions/cosign-sign
      with:
        digest: ${{ steps.docker_build.outputs.digest }}
        tags: ${{ steps.meta.outputs.tags }}
    # Provenance attestation through the repository-local action (the later
    # jobs call actions/attest directly).
    - name: Attest images
      uses: ./.github/actions/attest-image
      with:
        subject_name: ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }}
        subject_digest: ${{ steps.docker_build.outputs.digest }}
    # Persist the BuildKit metadata JSON (read downstream for
    # containerimage.digest and image.name) so build_base_database can pin
    # this exact image by digest instead of a mutable tag.
    - name: Image metadata
      env:
        CACHE_FILE_NAME: ${{ env.BASE_CACHE_FILE_NAME }}
        METADATA: ${{ steps.docker_build.outputs.metadata }}
      run: |
        echo "::group::Image metadata"
        echo "${METADATA}"
        echo "::endgroup::"
        echo "::group::Cache file name"
        echo "${CACHE_FILE_NAME}"
        echo "::endgroup::"
        printf '%s' "${METADATA}" > "$CACHE_FILE_NAME"
    # Artifact name is keyed by run id so parallel runs cannot pick up each
    # other's metadata.
    - name: Upload artifact metadata
      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
      with:
        path: ${{ env.BASE_CACHE_FILE_NAME }}
        name: ${{ env.BASE_BUILD_NAME }}-${{ matrix.os }}-${{ github.run_id }}
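build_base_database:
  # Builds the per-database base images on top of the build-base image of
  # the same OS, which is pinned by digest and cosign-verified first.
  # NOTE(review): 1240 minutes is far above the 30/90 of the sibling jobs,
  # and hosted runners cap a job at 360 minutes anyway — confirm this is
  # not a typo.
  timeout-minutes: 1240
  needs: ["build_base", "init_build"]
  name: Build ${{ matrix.build }} base on ${{ matrix.os }}
  strategy:
    fail-fast: false
    matrix:
      build: ${{ fromJson(needs.init_build.outputs.database) }}
      os: ${{ fromJson(needs.init_build.outputs.os) }}
  runs-on: ubuntu-latest
  # id-token: write is what keyless cosign signing and attestation need.
  permissions:
    contents: read
    id-token: write
    attestations: write
    artifact-metadata: write
  steps:
    # Enforced egress allowlist: registries, Sigstore, Zabbix sources and the
    # Go module endpoints these builds fetch from.
    - name: Block egress traffic
      uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
      with:
        disable-sudo: true
        egress-policy: block
        disable-telemetry: true
        allowed-endpoints: >
          api.github.com:443
          auth.docker.io:443
          fulcio.sigstore.dev:443
          ghcr.io:443
          git.zabbix.com:443
          github.com:443
          go.googlesource.com:443
          go.mongodb.org:443
          golang.org:443
          golang.zabbix.com:443
          google.golang.org:443
          gopkg.in:443
          index.docker.io:443
          noto-website-2.storage.googleapis.com:443
          mirror.gcr.io:443
          oauth2.sigstore.dev:443
          objects.githubusercontent.com:443
          pkg-containers.githubusercontent.com:443
          production.cloudflare.docker.com:443
          proxy.golang.org:443
          raw.githubusercontent.com:443
          registry-1.docker.io:443
          rekor.sigstore.dev:443
          release-assets.githubusercontent.com:443
          storage.googleapis.com:443
          sum.golang.org:443
          timestamp.sigstore.dev:443
          tuf-repo-cdn.sigstore.dev:443
    # Scheduled runs build trunk; other events use the triggering ref.
    - name: Checkout repository
      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }}
        fetch-depth: 1
    # Needed by both the verify and the sign steps below.
    - name: Install cosign
      uses: ./.github/actions/cosign-install
    # Comma-separated platform list for this OS, taken from
    # build.json -> "os-linux" -> <os>.
    - name: Prepare platform list
      id: platform
      env:
        MATRIX_OS: ${{ matrix.os }}
        MATRIX_FILE: ${{ env.MATRIX_FILE }}
      run: |
        platform_list="$(jq -r --arg os "$MATRIX_OS" '.["os-linux"][$os] | join(",")' "$MATRIX_FILE")"
        echo "::group::Platform List"
        echo "$platform_list"
        echo "::endgroup::"
        echo "list=$platform_list" >> "$GITHUB_OUTPUT"
    # Image name, tags and OCI labels derived from the branch/event facts.
    - name: Generate tags
      id: meta
      uses: ./.github/actions/docker-meta
      with:
        image: ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build) }}
        os: ${{ matrix.os }}
        current_branch: ${{ needs.init_build.outputs.current_branch }}
        is_default_branch: ${{ needs.init_build.outputs.is_default_branch }}
        trunk_only_event: ${{ env.TRUNK_ONLY_EVENT }}
        event_name: ${{ github.event_name }}
    # Fetch the metadata that build_base recorded for build-base:<os> in this
    # same run.
    - name: Download artifact metadata of ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }}
      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
      with:
        name: ${{ env.BASE_BUILD_NAME }}-${{ matrix.os }}-${{ github.run_id }}
    # Pin the base as name@digest and fail loudly if either field is missing,
    # so the build can never fall back to a mutable tag.
    - name: Process ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }} image metadata
      id: base_build
      env:
        CACHE_FILE_NAME: ${{ env.BASE_CACHE_FILE_NAME }}
      run: |
        [[ -f "$CACHE_FILE_NAME" ]] || { echo "::error::Missing metadata file: $CACHE_FILE_NAME"; exit 1; }
        echo "::group::Base image metadata"
        cat "$CACHE_FILE_NAME"
        echo "::endgroup::"
        image_digest="$(jq -r '."containerimage.digest"' "$CACHE_FILE_NAME")"
        image_name="$(jq -r '."image.name"' "$CACHE_FILE_NAME" | cut -d: -f1)"
        [[ -n "$image_digest" && "$image_digest" != "null" ]] || { echo "::error::containerimage.digest is empty"; exit 1; }
        [[ -n "$image_name" && "$image_name" != "null" ]] || { echo "::error::image.name is empty"; exit 1; }
        echo "base_build_image=${image_name}@${image_digest}" >> "$GITHUB_OUTPUT"
    # Verify the base image signature against the expected OIDC issuer and
    # identity before it is used as BUILD_BASE_IMAGE.
    - name: Verify ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }} cosign
      uses: ./.github/actions/cosign-verify
      with:
        image: ${{ steps.base_build.outputs.base_build_image }}
        oidc_issuer: ${{ env.OIDC_ISSUER }}
        identity_regexp: ${{ env.IDENTITY_REGEX }}
    # auto_push_images is hard-wired to true: this image is pushed on every
    # run (push: true below), independent of AUTO_PUSH_IMAGES.
    - name: Set up Docker tooling
      uses: ./.github/actions/docker-linux-setup
      with:
        auto_push_images: true
        docker_username: ${{ secrets.DOCKER_USERNAME }}
        docker_password: ${{ secrets.DOCKER_PASSWORD }}
    - name: Build ${{ matrix.build }}/${{ matrix.os }} and push
      id: docker_build
      uses: ./.github/actions/docker-build-push-linux
      with:
        context: ${{ format('{0}/{1}/{2}/', env.DOCKERFILES_DIRECTORY, matrix.build, matrix.os) }}
        file: ${{ format('{0}/{1}/{2}/Dockerfile', env.DOCKERFILES_DIRECTORY, matrix.build, matrix.os) }}
        platforms: ${{ steps.platform.outputs.list }}
        push: true
        sbom: true
        tags: ${{ steps.meta.outputs.tags }}
        build_contexts: |
          sources=./sources/
          config_templates=./config_templates/
        build_args: |
          BUILD_BASE_IMAGE=${{ steps.base_build.outputs.base_build_image }}
        labels: |
          org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
          org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
    # Keyless signing with the job's OIDC token. Signed on every run, as in
    # build_base: the image is pushed and attested unconditionally above and
    # below, and build_images verifies this signature before building on the
    # image. (Previously gated on AUTO_PUSH_IMAGES == 'true', which left an
    # unsigned image in the registry on manual runs that downstream
    # verification then rejects.)
    - name: Sign the images with GitHub OIDC Token
      uses: ./.github/actions/cosign-sign
      with:
        digest: ${{ steps.docker_build.outputs.digest }}
        tags: ${{ steps.meta.outputs.tags }}
    - name: Attest images
      id: attest
      uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
      with:
        subject-name: ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build) }}
        subject-digest: ${{ steps.docker_build.outputs.digest }}
        push-to-registry: true
    # Persist the BuildKit metadata JSON (containerimage.digest, image.name)
    # so build_images can pin this exact database base by digest.
    - name: Image metadata
      env:
        CACHE_FILE_NAME: ${{ env.BUILD_CACHE_FILE_NAME }}
        METADATA: ${{ steps.docker_build.outputs.metadata }}
      run: |
        echo "::group::Image metadata"
        echo "${METADATA}"
        echo "::endgroup::"
        echo "::group::Cache file name"
        echo "${CACHE_FILE_NAME}"
        echo "::endgroup::"
        printf '%s' "${METADATA}" > "$CACHE_FILE_NAME"
    # Artifact name <database>-<os>-<run_id> is what build_images downloads.
    - name: Upload artifact metadata
      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
      with:
        path: ${{ env.BUILD_CACHE_FILE_NAME }}
        name: ${{ matrix.build }}-${{ matrix.os }}-${{ github.run_id }}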
build_images:
timeout-minutes: 90
needs: ["build_base_database", "init_build"]
name: Build ${{ matrix.build }} on ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
build: ${{ fromJson(needs.init_build.outputs.components) }}
os: ${{ fromJson(needs.init_build.outputs.os) }}
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
attestations: write
artifact-metadata: write
steps:
# Egress policy is 'audit': traffic outside the list below is logged, not
# blocked (init_build and build_base_database use 'block'). The list records
# the package mirrors and registries the component builds are expected to
# reach.
- name: Block egress traffic
  uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
  with:
    disable-sudo: true
    egress-policy: audit
    disable-telemetry: true
    allowed-endpoints: >
      api.github.com:443
      apt.postgresql.org:80
      archive.ubuntu.com:80
      atl.mirrors.knownhost.com:80
      atl.mirrors.knownhost.com:443
      auth.docker.io:443
      cdn01.quay.io:443
      cdn02.quay.io:443
      cdn03.quay.io:443
      centos-stream-distro.1gservers.com:80
      centos-stream-distro.1gservers.com:443
      container-registry.oracle.com:443
      d2lzkl7pfhq30w.cloudfront.net:443
      deb.debian.org:80
      dl-cdn.alpinelinux.org:443
      download.cf.centos.org:80
      download.cf.centos.org:443
      epel.mirror.constant.com:80
      forksystems.mm.fcix.net:80
      ftp-nyc.osuosl.org:80
      ftp-nyc.osuosl.org:443
      ftp-osl.osuosl.org:80
      ftp-osl.osuosl.org:443
      ftp.plusline.net:80
      ftpmirror.your.org:80
      fulcio.sigstore.dev:443
      ghcr.io:443
      github.com:443
      iad.mirror.rackspace.com:443
      index.docker.io:443
      ix-denver.mm.fcix.net:443
      keyserver.ubuntu.com:11371
      mirror-mci.yuki.net.uk:443
      mirror.23m.com:80
      mirror.arizona.edu:80
      mirror.dal.nexril.net:80
      mirror.de.leaseweb.net:80
      mirror.dogado.de:80
      mirror.facebook.net:80
      mirror.gcr.io:443
      mirror.hoobly.com:80
      mirror.math.princeton.edu:80
      mirror.netcologne.de:443
      mirror.netzwerge.de:443
      mirror.pilotfiber.com:80
      mirror.pilotfiber.com:443
      mirror.rackspace.com:80
      mirror.rackspace.com:443
      mirror.scaleuptech.com:443
      mirror.servaxnet.com:80
      mirror.servaxnet.com:443
      mirror.sfo12.us.leaseweb.net:80
      mirror.siena.edu:80
      mirror.steadfastnet.com:80
      mirror.team-cymru.com:80
      mirror.team-cymru.com:443
      mirror.umd.edu:443
      mirror1.hs-esslingen.de:443
      mirrors.centos.org:443
      mirrors.fedoraproject.org:443
      mirrors.iu13.net:80
      mirrors.iu13.net:443
      mirrors.ocf.berkeley.edu:443
      mirrors.sonic.net:80
      mirrors.syringanetworks.net:80
      mirrors.vcea.wsu.edu:80
      mirrors.wcupa.edu:80
      mirrors.xtom.de:80
      na.edge.kernel.org:443
      nginx.org:80
      nginx.org:443
      nnenix.mm.fcix.net:80
      oauth2.sigstore.dev:443
      objects.githubusercontent.com:443
      ohioix.mm.fcix.net:80
      pkg-containers.githubusercontent.com:443
      ports.ubuntu.com:80
      production.cloudflare.docker.com:443
      pubmirror1.math.uh.edu:443
      pubmirror3.math.uh.edu:80
      quay.io:443
      raw.githubusercontent.com:443
      registry-1.docker.io:443
      rekor.sigstore.dev:443
      release-assets.githubusercontent.com:443
      repo.ialab.dsu.edu:80
      repos.eggycrew.com:80
      security.ubuntu.com:80
      timestamp.sigstore.dev:443
      tuf-repo-cdn.sigstore.dev:443
      uvermont.mm.fcix.net:80
      yum.oracle.com:443
      ziply.mm.fcix.net:443
# Scheduled runs build trunk; other events use the triggering ref.
- name: Checkout repository
  uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
  with:
    ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }}
    fetch-depth: 1
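# Installed on every run: the "Verify ... cosign" step of this job checks the
# database base signature regardless of AUTO_PUSH_IMAGES, and the sign step
# reuses the same binary when publishing. (Previously gated on
# AUTO_PUSH_IMAGES == 'true', which left verification without cosign on
# manual runs unless ./.github/actions/cosign-verify installs it itself.)
- name: Install cosign
  uses: ./.github/actions/cosign-install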
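# Resolves the comma-separated platform list for this component/OS pair.
# Output: list (e.g. "linux/amd64,linux/arm64").
- name: Prepare platform list
  id: platform
  env:
    MATRIX_OS: ${{ matrix.os }}
    MATRIX_BUILD: ${{ matrix.build }}
    MATRIX_FILE: ${{ env.MATRIX_FILE }}
  run: |
    # web-service overrides the build.json platforms for alpine/centos/ubuntu
    # and ol; every other case reads build.json -> "os-linux" -> <os>.
    if [[ "$MATRIX_BUILD" == "web-service" ]]; then
      case "$MATRIX_OS" in
        alpine|centos|ubuntu)
          platform_list="linux/amd64,linux/arm64"
          ;;
        ol)
          platform_list="linux/amd64"
          ;;
        *)
          platform_list="$(jq -r --arg os "$MATRIX_OS" '.["os-linux"][$os] | join(",")' "$MATRIX_FILE")"
          ;;
      esac
    else
      platform_list="$(jq -r --arg os "$MATRIX_OS" '.["os-linux"][$os] | join(",")' "$MATRIX_FILE")"
    fi
    # Only agent* builds target linux/386. The entry is removed wherever it
    # sits in the list: the list is wrapped in commas so ",linux/386," can be
    # matched at any position (previously only a leading "linux/386," was
    # stripped, so a 386 target listed later in build.json survived).
    if [[ "$MATRIX_BUILD" != agent* ]]; then
      drop_platform="linux/386"
      platform_list=",${platform_list},"
      platform_list="${platform_list//,${drop_platform},/,}"
      platform_list="${platform_list#,}"
    fi
    platform_list="${platform_list%,}"
    echo "::group::Platform List"
    echo "$platform_list"
    echo "::endgroup::"
    echo "list=$platform_list" >> "$GITHUB_OUTPUT"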
# Looks up which database base image this component is built on
# (build.json -> components -> <build> -> base) and fails if it is unset.
# snmptraps has no base image and skips this step.
- name: Detect build base image
  id: build_base_image
  if: ${{ matrix.build != 'snmptraps' }}
  env:
    MATRIX_BUILD: ${{ matrix.build }}
    MATRIX_FILE: ${{ env.MATRIX_FILE }}
  run: |
    build_base="$(jq -r --arg build "$MATRIX_BUILD" '.components[$build].base' "$MATRIX_FILE")"
    [[ -n "$build_base" && "$build_base" != "null" ]] || { echo "::error::Base image is not defined for $MATRIX_BUILD"; exit 1; }
    echo "::group::Base Build Image"
    echo "$build_base"
    echo "::endgroup::"
    echo "build_base=$build_base" >> "$GITHUB_OUTPUT"
# Image name, tags and OCI labels derived from the branch/event facts.
- name: Generate tags
  id: meta
  uses: ./.github/actions/docker-meta
  with:
    image: ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build) }}
    os: ${{ matrix.os }}
    current_branch: ${{ needs.init_build.outputs.current_branch }}
    is_default_branch: ${{ needs.init_build.outputs.is_default_branch }}
    trunk_only_event: ${{ env.TRUNK_ONLY_EVENT }}
    event_name: ${{ github.event_name }}
# Fetch the metadata that build_base_database uploaded for
# <database>-<os>-<run_id> in this same run; skipped for snmptraps, which has
# no database base.
- name: Download artifact metadata of ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.os }}
  if: ${{ matrix.build != 'snmptraps' }}
  uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
  with:
    name: ${{ steps.build_base_image.outputs.build_base }}-${{ matrix.os }}-${{ github.run_id }}
# Pin the database base as name@digest and fail loudly if either field is
# missing, so the build can never fall back to a mutable tag.
- name: Process ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.os }} image metadata
  id: base_build
  if: ${{ matrix.build != 'snmptraps' }}
  env:
    CACHE_FILE_NAME: ${{ env.BUILD_CACHE_FILE_NAME }}
  run: |
    [[ -f "$CACHE_FILE_NAME" ]] || { echo "::error::Missing metadata file: $CACHE_FILE_NAME"; exit 1; }
    echo "::group::Base image metadata"
    cat "$CACHE_FILE_NAME"
    echo "::endgroup::"
    image_digest="$(jq -r '."containerimage.digest"' "$CACHE_FILE_NAME")"
    image_name="$(jq -r '."image.name"' "$CACHE_FILE_NAME" | cut -d: -f1)"
    [[ -n "$image_digest" && "$image_digest" != "null" ]] || { echo "::error::containerimage.digest is empty"; exit 1; }
    [[ -n "$image_name" && "$image_name" != "null" ]] || { echo "::error::image.name is empty"; exit 1; }
    echo "base_build_image=${image_name}@${image_digest}" >> "$GITHUB_OUTPUT"
# Verify the database base signature against the expected OIDC issuer and
# identity before building on it. Not gated on AUTO_PUSH_IMAGES, so every
# build — including manual ones — runs on a verified base; it needs the
# cosign binary installed earlier in this job.
- name: Verify ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.os }} cosign
  if: ${{ matrix.build != 'snmptraps' }}
  uses: ./.github/actions/cosign-verify
  with:
    image: ${{ steps.base_build.outputs.base_build_image }}
    oidc_issuer: ${{ env.OIDC_ISSUER }}
    identity_regexp: ${{ env.IDENTITY_REGEX }}
# Unlike the base jobs, auto_push_images follows AUTO_PUSH_IMAGES here —
# presumably the action only logs in when publishing is enabled.
- name: Set up Docker tooling
  uses: ./.github/actions/docker-linux-setup
  with:
    auto_push_images: ${{ env.AUTO_PUSH_IMAGES }}
    docker_username: ${{ secrets.DOCKER_USERNAME }}
    docker_password: ${{ secrets.DOCKER_PASSWORD }}
# Component build on top of the digest-pinned, verified database base.
# Push and SBOM generation both follow AUTO_PUSH_IMAGES, so manual runs
# only build locally.
- name: Build and push image
  if: ${{ matrix.build != 'snmptraps' }}
  id: docker_build
  uses: ./.github/actions/docker-build-push-linux
  with:
    context: ${{ format('{0}/{1}/{2}', env.DOCKERFILES_DIRECTORY, matrix.build, matrix.os) }}
    file: ${{ format('{0}/{1}/{2}/Dockerfile', env.DOCKERFILES_DIRECTORY, matrix.build, matrix.os) }}
    platforms: ${{ steps.platform.outputs.list }}
    push: ${{ env.AUTO_PUSH_IMAGES }}
    sbom: ${{ env.AUTO_PUSH_IMAGES }}
    tags: ${{ steps.meta.outputs.tags }}
    build_args: |
      BUILD_BASE_IMAGE=${{ steps.base_build.outputs.base_build_image }}
    labels: |
      org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
      org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
# snmptraps has no database base (the base steps above are skipped for it),
# so it is built without BUILD_BASE_IMAGE; push/SBOM follow AUTO_PUSH_IMAGES.
- name: Build and push snmptraps image
  if: ${{ matrix.build == 'snmptraps' }}
  id: docker_build_snmptraps
  uses: ./.github/actions/docker-build-push-linux
  with:
    context: ${{ format('{0}/{1}/{2}', env.DOCKERFILES_DIRECTORY, matrix.build, matrix.os) }}
    file: ${{ format('{0}/{1}/{2}/Dockerfile', env.DOCKERFILES_DIRECTORY, matrix.build, matrix.os) }}
    platforms: ${{ steps.platform.outputs.list }}
    push: ${{ env.AUTO_PUSH_IMAGES }}
    sbom: ${{ env.AUTO_PUSH_IMAGES }}
    tags: ${{ steps.meta.outputs.tags }}
    labels: |
      org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
      org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
# Keyless signing with the job's OIDC token, only when the image was
# actually pushed (AUTO_PUSH_IMAGES). The digest comes from whichever of the
# two build steps ran for this component.
- name: Sign the images with GitHub OIDC Token
  if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
  uses: ./.github/actions/cosign-sign
  with:
    digest: ${{ matrix.build == 'snmptraps' && steps.docker_build_snmptraps.outputs.digest || steps.docker_build.outputs.digest }}
    tags: ${{ steps.meta.outputs.tags }}
- name: Attest images
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
id: attest
uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
with:
subject-name: ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build) }}
subject-digest: ${{ matrix.build == 'snmptraps' && steps.docker_build_snmptraps.outputs.digest || steps.docker_build.outputs.digest }}
push-to-registry: true