From 0f5316e5a96c397d6d6e1fa2a72b7c36155f2ead Mon Sep 17 00:00:00 2001
From: Dan Barr
Date: Tue, 8 Oct 2024 14:42:03 -0400
Subject: [PATCH] Handle mixed case names in build-image workflows

The workflows fail if the GitHub organization name or repository name use mixed case, since Docker only supports lower-cased image names. Updated to use the docker/metadata-action tags output since that action handles the normalization.
---
 .../build-image-signed-cosign-malicious.yml | 11 ++++++++---
 .../build-image-signed-cosign-static-copied.yml | 7 +++++--
 .../build-image-signed-cosign-static.yml | 8 +++++---
 .github/workflows/build-image-signed-cosign.yml | 10 ++++++----
 .../build-image-signed-ghat-malicious.yml | 16 +++++++++++++++-
 .../build-image-signed-ghat-static-copied.yml | 14 +++++++++++++-
 .../build-image-signed-ghat-static.yml | 14 +++++++++++++-
 .github/workflows/build-image-signed-ghat.yml | 14 +++++++++++++-
 .github/workflows/build-image-unsigned.yml | 17 ++++------------
 Makefile | 3 +++
 10 files changed, 85 insertions(+), 29 deletions(-)

diff --git a/.github/workflows/build-image-signed-cosign-malicious.yml b/.github/workflows/build-image-signed-cosign-malicious.yml
index f4f0848..929fbc9 100644
--- a/.github/workflows/build-image-signed-cosign-malicious.yml
+++ b/.github/workflows/build-image-signed-cosign-malicious.yml
@@ -20,6 +20,8 @@ jobs:
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
- name: The malicious step
+ env:
+ IMAGE_NAME: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
run: |
make build-malicious-image
@@ -41,6 +43,9 @@ jobs:
uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+ tags: |
+ type=raw,value=latest
+ type=raw,value=daily
- name: Build and push Docker image
id: build-and-push
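Review bot: The step-scoped `env.IMAGE_NAME` added to the malicious step overrides the workflow-level `IMAGE_NAME` for that one step only, yet reuses the same name for a different value (a `ghcr.io/<Owner>/<Repo>` reference with no tag and in original case), which is easy to misread as also feeding the `images:` input further down. A comment on the step env would prevent that: `# step-scoped: full registry reference for make; the Makefile lowercases it, later steps still see the bare repo name`. Whether `build-malicious-image` expects a tag on this value cannot be seen here because the Makefile target is outside the hunk; the Makefile default touched later in this same patch does carry `:latest`, so it is worth confirming.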
@@ -48,7 +53,7 @@ jobs:
with:
context: .
push: ${{ github.event_name != 'pull_request' }}
- tags: ghcr.io/${{ github.repository }}:latest,ghcr.io/${{ github.repository }}:daily
+ tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
@@ -56,8 +61,8 @@ jobs:
- name: Sign the published Docker image
env:
+ TAGS: ${{ steps.meta.outputs.tags }}
DIGEST: ${{ steps.build-and-push.outputs.digest }}
run: |
cosign version
- echo "ghcr.io/${{ github.repository }}:daily" | xargs -I {} cosign sign --yes {}@${DIGEST}
- echo "ghcr.io/${{ github.repository }}:latest" | xargs -I {} cosign sign --yes {}@${DIGEST}
+ echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
diff --git a/.github/workflows/build-image-signed-cosign-static-copied.yml b/.github/workflows/build-image-signed-cosign-static-copied.yml
index 0532b2b..cd749b2 100644
--- a/.github/workflows/build-image-signed-cosign-static-copied.yml
+++ b/.github/workflows/build-image-signed-cosign-static-copied.yml
@@ -37,20 +37,23 @@ jobs:
uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+ tags: |
+ type=raw,value=static
- name: Build and push Docker image
id: build-and-push
uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a
with:
push: true
- tags: ghcr.io/${{ github.repository }}:static
+ tags: ${{ steps.meta.outputs.tags }}
context: .
file : Dockerfile.static
- name: Sign the published Docker image
env:
+ TAGS: ${{ steps.meta.outputs.tags }}
DIGEST: ${{ steps.build-and-push.outputs.digest }}
run: |
cosign version
- echo "ghcr.io/${{ github.repository }}:static" | xargs -I {} cosign sign --yes {}@${DIGEST}
+ echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
diff --git a/.github/workflows/build-image-signed-cosign-static.yml b/.github/workflows/build-image-signed-cosign-static.yml
index 90b9346..dfb1ba0 100644
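Review bot: In the new `echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}` line of the sign step, `${DIGEST}` is neither quoted nor checked, so if `build-and-push` yields no digest (the build step only pushes when the event is not a pull_request, while the sign step runs unconditionally) the loop runs `cosign sign <tag>@` for every tag and fails late with an opaque error; add `: "${DIGEST:?build-and-push produced no digest}"` before the loop and write `{}@"${DIGEST}"`. Signing once per tag also re-signs the same digest in the same repository, so a single `cosign sign` of the first tag would carry the same guarantee, and `xargs -r` keeps cosign from running on an empty `TAGS` if the loop is kept. This workflow's triggers are outside the hunk, so whether a pull_request run can actually reach this step cannot be confirmed here.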
--- a/.github/workflows/build-image-signed-cosign-static.yml
+++ b/.github/workflows/build-image-signed-cosign-static.yml
@@ -37,20 +37,22 @@ jobs:
uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+ tags: |
+ type=raw,value=static
- name: Build and push Docker image
id: build-and-push
uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a
with:
push: true
- tags: ghcr.io/${{ github.repository }}:static
+ tags: ${{ steps.meta.outputs.tags }}
context: .
file : Dockerfile.static
-
- name: Sign the published Docker image
env:
+ TAGS: ${{ steps.meta.outputs.tags }}
DIGEST: ${{ steps.build-and-push.outputs.digest }}
run: |
cosign version
- echo "ghcr.io/${{ github.repository }}:static" | xargs -I {} cosign sign --yes {}@${DIGEST}
+ echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
diff --git a/.github/workflows/build-image-signed-cosign.yml b/.github/workflows/build-image-signed-cosign.yml
index 9220232..84369bc 100644
--- a/.github/workflows/build-image-signed-cosign.yml
+++ b/.github/workflows/build-image-signed-cosign.yml
@@ -37,6 +37,9 @@ jobs:
uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+ tags: |
+ type=raw,value=latest
+ type=raw,value=daily
- name: Build and push Docker image
id: build-and-push
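Review bot: The `tags:` list added to the metadata step of build-image-signed-cosign.yml is now the single place that decides which tags get pushed and signed, and the identical two-entry list is copied into build-image-unsigned.yml and the malicious variant in this same patch, so the copies will drift silently the first time someone edits one of them. A comment on the `tags: |` line, `# keep in sync with build-image-unsigned.yml and build-image-signed-cosign-malicious.yml`, or moving the metadata/build/sign sequence into one reusable workflow, would make the coupling visible. The enclosing job starts and ends outside the hunk.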
@@ -44,16 +47,15 @@ jobs:
with:
context: .
push: ${{ github.event_name != 'pull_request' }}
- tags: ghcr.io/${{ github.repository }}:latest,ghcr.io/${{ github.repository }}:daily
+ tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
-
- name: Sign the published Docker image
env:
+ TAGS: ${{ steps.meta.outputs.tags }}
DIGEST: ${{ steps.build-and-push.outputs.digest }}
run: |
cosign version
- echo "ghcr.io/${{ github.repository }}:daily" | xargs -I {} cosign sign --yes {}@${DIGEST}
- echo "ghcr.io/${{ github.repository }}:latest" | xargs -I {} cosign sign --yes {}@${DIGEST}
+ echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
diff --git a/.github/workflows/build-image-signed-ghat-malicious.yml b/.github/workflows/build-image-signed-ghat-malicious.yml
index 47c0497..56fb309 100644
--- a/.github/workflows/build-image-signed-ghat-malicious.yml
+++ b/.github/workflows/build-image-signed-ghat-malicious.yml
@@ -2,6 +2,10 @@ name: image-signed-ghat(latest)-malicious
on:
workflow_dispatch:
+env:
+ REGISTRY: ghcr.io
+ IMAGE_NAME: ${{ github.repository }}
+
jobs:
build:
runs-on: ubuntu-latest
@@ -16,6 +20,8 @@ jobs:
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
- name: The malicious step
+ env:
+ IMAGE_NAME: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
run: |
make build-malicious-image
@@ -26,12 +32,20 @@ jobs:
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
+ - name: Extract Docker metadata
+ id: meta
+ uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
+ with:
+ images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+ tags: |
+ type=raw,value=latest
+
- name: Build and push image
id: push-step
uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a
with:
push: true
- tags: ghcr.io/${{ github.repository }}:latest
+ tags: ${{ steps.meta.outputs.tags }}
context: .
- name: Attest image
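Review bot: The `Attest image` step whose body begins right after the last line of the ghat-malicious hunk is the consumer most exposed to mixed-case names, and the patch leaves it untouched: if it still passes `ghcr.io/${{ github.repository }}` as the subject name, that subject will not match the lowercased name the build step just pushed, so the attestation is either rejected or bound to an image reference that does not exist. Instead of relying on docker/metadata-action to normalise only the tags, lowercase the name once for every later step, e.g. a step right after checkout with `run: echo "IMAGE_NAME=${IMAGE_NAME,,}" >> "$GITHUB_ENV"` (the `run` shell on ubuntu runners is bash, which supports `${var,,}`), so `images:`, `tags:` and the attestation subject all agree. The attest step's body is outside the hunk, so whether it already derives a normalised name cannot be confirmed here.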
diff --git a/.github/workflows/build-image-signed-ghat-static-copied.yml b/.github/workflows/build-image-signed-ghat-static-copied.yml
index dc719c5..12da64f 100644
--- a/.github/workflows/build-image-signed-ghat-static-copied.yml
+++ b/.github/workflows/build-image-signed-ghat-static-copied.yml
@@ -2,6 +2,10 @@ name: image-signed-ghat(static)-copied
on:
workflow_dispatch:
+env:
+ REGISTRY: ghcr.io
+ IMAGE_NAME: ${{ github.repository }}
+
jobs:
build:
runs-on: ubuntu-latest
@@ -22,12 +26,20 @@ jobs:
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
+ - name: Extract Docker metadata
+ id: meta
+ uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
+ with:
+ images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+ tags: |
+ type=raw,value=static
+
- name: Build and push image
id: push-step
uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a
with:
push: true
- tags: ghcr.io/${{ github.repository }}:static
+ tags: ${{ steps.meta.outputs.tags }}
context: .
file : Dockerfile.static
diff --git a/.github/workflows/build-image-signed-ghat-static.yml b/.github/workflows/build-image-signed-ghat-static.yml
index 195ad21..c05ae55 100644
--- a/.github/workflows/build-image-signed-ghat-static.yml
+++ b/.github/workflows/build-image-signed-ghat-static.yml
@@ -2,6 +2,10 @@ name: image-signed-ghat(static)
on:
workflow_dispatch:
+env:
+ REGISTRY: ghcr.io
+ IMAGE_NAME: ${{ github.repository }}
+
jobs:
build:
runs-on: ubuntu-latest
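Review bot: The new workflow-level `IMAGE_NAME: ${{ github.repository }}` in build-image-signed-ghat-static.yml still carries the organisation's original casing and nothing in this file lowercases it; the fix depends on every consumer going through docker/metadata-action outputs, which is an invisible contract for the next person who reads `${{ env.IMAGE_NAME }}` and uses it directly in a `docker pull`, a `cosign verify` or an attestation subject. A comment on that line makes the contract explicit: `# may be mixed case: use only via docker/metadata-action outputs, which lowercase it`.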
@@ -22,12 +26,20 @@ jobs:
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
+ - name: Extract Docker metadata
+ id: meta
+ uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
+ with:
+ images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+ tags: |
+ type=raw,value=static
+
- name: Build and push image
id: push-step
uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a
with:
push: true
- tags: ghcr.io/${{ github.repository }}:static
+ tags: ${{ steps.meta.outputs.tags }}
context: .
file : Dockerfile.static
diff --git a/.github/workflows/build-image-signed-ghat.yml b/.github/workflows/build-image-signed-ghat.yml
index d91b6fc..8ad9135 100644
--- a/.github/workflows/build-image-signed-ghat.yml
+++ b/.github/workflows/build-image-signed-ghat.yml
@@ -2,6 +2,10 @@ name: image-signed-ghat(latest)
on:
workflow_dispatch:
+env:
+ REGISTRY: ghcr.io
+ IMAGE_NAME: ${{ github.repository }}
+
jobs:
build:
runs-on: ubuntu-latest
@@ -22,12 +26,20 @@ jobs:
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
+ - name: Extract Docker metadata
+ id: meta
+ uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
+ with:
+ images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+ tags: |
+ type=raw,value=latest
+
- name: Build and push image
id: push-step
uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a
with:
push: true
- tags: ghcr.io/${{ github.repository }}:latest
+ tags: ${{ steps.meta.outputs.tags }}
context: .
- name: Attest image
diff --git a/.github/workflows/build-image-unsigned.yml b/.github/workflows/build-image-unsigned.yml
index 255ccb2..3759df4 100644
--- a/.github/workflows/build-image-unsigned.yml
+++ b/.github/workflows/build-image-unsigned.yml
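Review bot: The new `uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38` line in build-image-signed-ghat.yml pins by commit SHA, which is the right supply-chain choice, but without the release it corresponds to nobody can audit or bump it without resolving the SHA by hand; the repository's own convention, visible in the `#v3.1.1` suffix on the cosign-installer line deleted in the next file, is to append that tag. Write it as `uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38 # <release tag>`, with the tag the SHA resolves to, so dependency-update tooling and reviewers can see what version is pinned. The same applies to the four other copies of this step added by the patch.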
@@ -19,11 +19,6 @@ jobs:
- name: Checkout repository
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
-# - name: Install Cosign
-# uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 #v3.1.1
-# with:
-# cosign-release: 'v2.1.1'
-
- name: Setup Docker buildx
uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf
@@ -39,6 +34,9 @@ jobs:
uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+ tags: |
+ type=raw,value=latest
+ type=raw,value=daily
- name: Build and push Docker image
id: build-and-push
@@ -46,14 +44,7 @@ jobs:
with:
context: .
push: ${{ github.event_name != 'pull_request' }}
- tags: ghcr.io/${{ github.repository }}:latest,ghcr.io/${{ github.repository }}:daily
+ tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
-
-# - name: Sign the published Docker image
-# env:
-# DIGEST: ${{ steps.build-and-push.outputs.digest }}
-# run: |
-# echo "ghcr.io/${{ github.repository }}:daily" | xargs -I {} cosign sign --yes {}@${DIGEST}
-# echo "ghcr.io/${{ github.repository }}:latest" | xargs -I {} cosign sign --yes {}@${DIGEST}
diff --git a/Makefile b/Makefile
index 43c3ff8..58ccda3 100644
--- a/Makefile
+++ b/Makefile
@@ -1,6 +1,9 @@
# Replace this with your image name, i.e. ghcr.io//demo-repo-js:latest
IMAGE_NAME?=ghcr.io/stacklok/demo-repo-js:latest
+# Lowercase the image name to handle mixed-case GitHub org/repo names
+IMAGE_NAME := $(shell echo $(IMAGE_NAME) | tr '[:upper:]' '[:lower:]')
+
# Replace this with your GitHub username and PAT.
# This is used to authenticate with GitHub Container Registry (GHCR)
# and push the image to your repository.
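Review bot: The new `IMAGE_NAME := $(shell echo $(IMAGE_NAME) | tr '[:upper:]' '[:lower:]')` in the Makefile lowercases the whole reference, tag included, but only the registry/repository path has to be lowercase while OCI tags are case-sensitive, so an explicit `IMAGE_NAME=…:RC1` on the make command line is silently pushed as `:rc1`; the comment above it should say so, e.g. `# Lowercase the whole reference (registry/org/repo AND tag): tags are case-sensitive, so always pass tags in lowercase`. The value is also expanded unquoted inside `$(shell …)`, so `IMAGE_NAME := $(shell printf '%s' '$(IMAGE_NAME)' | tr '[:upper:]' '[:lower:]')` is the safer form if the variable ever comes from somewhere other than the workflow env.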