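name: Image CI Build
on:
  # pull_request_target runs in the context of the BASE repository (with its
  # secrets) even for PRs from forks: the PR's own tree is untrusted and must only
  # be consumed where this workflow explicitly says so.
  pull_request_target:
    types:
      - opened
      - synchronize
      - reopened
    paths-ignore:
      - 'docs/**'
  push:
    branches:
      - main
      - test*
    paths-ignore:
      - 'docs/**'
# Since this workflow can execute on pull_request_target, drop all the
# permissions of the GITHUB_TOKEN except `contents: read`, which is what
# actions/checkout needs to fetch the repository.
permissions:
  contents: read
jobs:
  build-and-push:
    runs-on: ubuntu-22.04
    strategy:
      matrix:
        include:
          - name: tetragon
            dockerfile: ./Dockerfile
          - name: tetragon-operator
            dockerfile: ./Dockerfile.operator
          - name: tetragon-rthooks
            dockerfile: ./Dockerfile.rthooks
    env:
      # Owner of the repository the workflow runs in (the base repo for PRs),
      # so fork PRs still push to the project's own -ci image.
      IMAGE: quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci
    steps:
      - name: Set up QEMU
        uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0
        with:
          platforms: arm64
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
      # Event-derived values reach the shell only via `env:`, never via `${{ }}`
      # expansion inside `run:`, so they cannot alter the command being executed.
      - name: Getting image tag
        id: tag
        env:
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
          SHA: ${{ github.sha }}
          EVENT_NAME: ${{ github.event_name }}
          REF_NAME: ${{ github.ref_name }}
        run: |
          # PR events: the PR head commit. Push events: HEAD_SHA is empty, so
          # the pushed commit is used instead.
          echo "tag=${HEAD_SHA:-$SHA}" | tee -a "$GITHUB_OUTPUT"
          # Push events also get a floating tag: `latest` for main, otherwise
          # the branch name. Not set for PR events.
          if [ "$EVENT_NAME" = "push" ]; then
            echo "name=$( [ "$REF_NAME" = "main" ] && echo "latest" || echo "$REF_NAME" )" | tee -a "$GITHUB_OUTPUT"
          fi
      # TRUSTED checkout: the default branch of the base repository. Anything
      # that executes repository code (`make version` below) runs against this.
      - name: Checkout main branch
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false
          ref: ${{ github.event.repository.default_branch }}
          fetch-depth: 0
      # Install Go after checkout for caching mechanism to work
      - name: Install Go
        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          # renovate: datasource=golang-version depName=go
          go-version: '1.23.5'
      # Warning: this must run before checking out the untrusted code. `make`
      # executes the Makefile, so it may only ever see the default-branch tree.
      # Consequence: PR images are stamped with the default branch's version,
      # not the PR's.
      - name: Get version
        run: echo "TETRAGON_VERSION=$(make version)" >> "$GITHUB_ENV"
      # Warning: since this is a privileged workflow (the QUAY_* secrets are
      # available to this job), subsequent workflow job steps must take care
      # not to execute untrusted code. After this checkout the tree is consumed
      # ONLY as the Docker build context and Dockerfile inside the buildx build;
      # do not add `run:` steps that invoke make, go, scripts or anything else
      # from the working tree below this point.
      # On push events steps.tag.outputs.tag is the pushed commit, so this is
      # the same trusted branch; on PR events it is the fork's head commit.
      - name: Checkout pull request branch (NOT TRUSTED)
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false
          # Always a commit SHA (see the tag step), never a branch name.
          ref: ${{ steps.tag.outputs.tag }}
          fetch-depth: 0
      - name: Login to quay.io for CI
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_USERNAME_CI }}
          password: ${{ secrets.QUAY_PASSWORD_CI }}
      # main branch pushes
      - name: CI Build (main)
        if: github.event_name == 'push'
        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
        id: docker_build_ci_main
        with:
          # Disables the BuildKit provenance attestation the action would
          # otherwise attach to the pushed image (presumably to keep the
          # manifest a plain multi-arch index - confirm before re-enabling).
          provenance: false
          context: .
          file: ${{ matrix.dockerfile }}
          push: true
          platforms: linux/amd64,linux/arm64
          build-args: |
            TETRAGON_VERSION=${{ env.TETRAGON_VERSION }}
          tags: |
            ${{ env.IMAGE }}:${{ steps.tag.outputs.tag }}
            ${{ env.IMAGE }}:${{ steps.tag.outputs.name }}
      - name: CI Image Releases digests (main)
        if: github.event_name == 'push'
        env:
          TAG: ${{ steps.tag.outputs.tag }}
          DIGEST: ${{ steps.docker_build_ci_main.outputs.digest }}
        run: |
          {
            echo "| Info | Value |"
            echo "| --- | --- |"
            echo "| **Image** | \`$IMAGE\` |"
            echo "| **Tag** | \`$TAG\` |"
            echo "| **SHA256** | \`$DIGEST\` |"
            echo "| **Pull by tag** | \`$IMAGE:$TAG\` |"
            echo "| **Pull by digest** | \`$IMAGE@$DIGEST\` |"
          } >> "$GITHUB_STEP_SUMMARY"
      # PR updates. Only pull_request_target is in `on:` today; the
      # pull_request alternative is kept so the step still fires if that
      # trigger is ever added.
      - name: CI Build (PR)
        if: github.event_name == 'pull_request_target' || github.event_name == 'pull_request'
        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
        id: docker_build_ci_pr
        with:
          # See the main build above for why provenance is disabled.
          provenance: false
          # Context and Dockerfile come from the untrusted PR tree; they are
          # only ever interpreted by BuildKit, never executed on the runner.
          context: .
          file: ${{ matrix.dockerfile }}
          push: true
          platforms: linux/amd64,linux/arm64
          build-args: |
            TETRAGON_VERSION=${{ env.TETRAGON_VERSION }}
          tags: |
            ${{ env.IMAGE }}:${{ steps.tag.outputs.tag }}
      - name: CI Image Releases digests (PR)
        if: github.event_name == 'pull_request_target' || github.event_name == 'pull_request'
        env:
          TAG: ${{ steps.tag.outputs.tag }}
          DIGEST: ${{ steps.docker_build_ci_pr.outputs.digest }}
        run: |
          {
            echo "| Info | Value |"
            echo "| --- | --- |"
            echo "| **Image** | \`$IMAGE\` |"
            echo "| **Tag** | \`$TAG\` |"
            echo "| **SHA256** | \`$DIGEST\` |"
            echo "| **Pull by tag** | \`$IMAGE:$TAG\` |"
            echo "| **Pull by digest** | \`$IMAGE@$DIGEST\` |"
          } >> "$GITHUB_STEP_SUMMARY"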