forked from TrueCloudLab/certificates
[action] cosign over docker image digest
This commit is contained in:
parent
c43d59a69a
commit
c36b36f070
3 changed files with 23 additions and 125 deletions
45
.github/workflows/release.yml
vendored
45
.github/workflows/release.yml
vendored
|
@ -15,8 +15,12 @@ jobs:
|
||||||
name: Create Release
|
name: Create Release
|
||||||
needs: ci
|
needs: ci
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
env:
|
||||||
|
DOCKER_IMAGE: smallstep/step-ca
|
||||||
outputs:
|
outputs:
|
||||||
|
version: ${{ steps.extract-tag.outputs.VERSION }}
|
||||||
is_prerelease: ${{ steps.is_prerelease.outputs.IS_PRERELEASE }}
|
is_prerelease: ${{ steps.is_prerelease.outputs.IS_PRERELEASE }}
|
||||||
|
docker_tags: ${{ env.DOCKER_TAGS }}
|
||||||
steps:
|
steps:
|
||||||
- name: Is Pre-release
|
- name: Is Pre-release
|
||||||
id: is_prerelease
|
id: is_prerelease
|
||||||
|
@ -26,6 +30,16 @@ jobs:
|
||||||
OUT=$?
|
OUT=$?
|
||||||
if [ $OUT -eq 0 ]; then IS_PRERELEASE=true; else IS_PRERELEASE=false; fi
|
if [ $OUT -eq 0 ]; then IS_PRERELEASE=true; else IS_PRERELEASE=false; fi
|
||||||
echo "IS_PRERELEASE=${IS_PRERELEASE}" >> ${GITHUB_OUTPUT}
|
echo "IS_PRERELEASE=${IS_PRERELEASE}" >> ${GITHUB_OUTPUT}
|
||||||
|
- name: Extract Tag Names
|
||||||
|
id: extract-tag
|
||||||
|
run: |
|
||||||
|
VERSION=${GITHUB_REF#refs/tags/v}
|
||||||
|
echo "VERSION=${VERSION}" >> ${GITHUB_OUTPUT}
|
||||||
|
echo "DOCKER_TAGS=${{ env.DOCKER_IMAGE }}:${VERSION}" >> ${GITHUB_ENV}
|
||||||
|
- name: Add Latest Tag
|
||||||
|
if: steps.is_prerelease.outputs.IS_PRERELEASE == 'false'
|
||||||
|
run: |
|
||||||
|
echo "DOCKER_TAGS=${{ env.DOCKER_TAGS }},${{ env.DOCKER_IMAGE }}:latest" >> ${GITHUB_ENV}
|
||||||
- name: Create Release
|
- name: Create Release
|
||||||
id: create_release
|
id: create_release
|
||||||
uses: actions/create-release@v1
|
uses: actions/create-release@v1
|
||||||
|
@ -68,34 +82,19 @@ jobs:
|
||||||
args: release --rm-dist
|
args: release --rm-dist
|
||||||
env:
|
env:
|
||||||
GITHUB_TOKEN: ${{ secrets.GORELEASER_PAT }}
|
GITHUB_TOKEN: ${{ secrets.GORELEASER_PAT }}
|
||||||
RELEASE_DATE: ${RELEASE_DATE}
|
RELEASE_DATE: ${{ env.RELEASE_DATE }}
|
||||||
COSIGN_EXPERIMENTAL: 1
|
COSIGN_EXPERIMENTAL: 1
|
||||||
|
|
||||||
build_upload_docker:
|
build_upload_docker:
|
||||||
name: Build & Upload Docker Images
|
name: Build & Upload Docker Images
|
||||||
runs-on: ubuntu-latest
|
needs: create_release
|
||||||
needs: ci
|
|
||||||
permissions:
|
permissions:
|
||||||
id-token: write
|
id-token: write
|
||||||
contents: write
|
contents: write
|
||||||
steps:
|
uses: smallstep/workflows/.github/workflows/docker-buildx-push.yml@main
|
||||||
- name: Checkout
|
|
||||||
uses: actions/checkout@v3
|
|
||||||
- name: Setup Go
|
|
||||||
uses: actions/setup-go@v3
|
|
||||||
with:
|
with:
|
||||||
go-version: '1.19'
|
platforms: linux/amd64,linux/386,linux/arm,linux/arm64
|
||||||
check-latest: true
|
tags: ${{ needs.create_release.outputs.docker_tags }}
|
||||||
- name: Install cosign
|
docker_image: smallstep/step-ca
|
||||||
uses: sigstore/cosign-installer@v2
|
docker_file: docker/Dockerfile.step-ca
|
||||||
with:
|
secrets: inherit
|
||||||
cosign-release: 'v1.13.1'
|
|
||||||
- name: Build
|
|
||||||
id: build
|
|
||||||
run: |
|
|
||||||
PATH=$PATH:/usr/local/go/bin:/home/admin/go/bin
|
|
||||||
make docker-artifacts
|
|
||||||
env:
|
|
||||||
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
|
|
||||||
DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
|
|
||||||
COSIGN_EXPERIMENTAL: 1
|
|
||||||
|
|
10
Makefile
10
Makefile
|
@ -79,8 +79,6 @@ $(info DEB_VERSION is $(DEB_VERSION))
|
||||||
$(info PUSHTYPE is $(PUSHTYPE))
|
$(info PUSHTYPE is $(PUSHTYPE))
|
||||||
endif
|
endif
|
||||||
|
|
||||||
include make/docker.mk
|
|
||||||
|
|
||||||
#########################################
|
#########################################
|
||||||
# Build
|
# Build
|
||||||
#########################################
|
#########################################
|
||||||
|
@ -232,11 +230,3 @@ debian: changelog
|
||||||
distclean: clean
|
distclean: clean
|
||||||
|
|
||||||
.PHONY: changelog debian distclean
|
.PHONY: changelog debian distclean
|
||||||
|
|
||||||
#################################################
|
|
||||||
# Targets for creating step artifacts
|
|
||||||
#################################################
|
|
||||||
|
|
||||||
docker-artifacts: docker-$(PUSHTYPE)
|
|
||||||
|
|
||||||
.PHONY: docker-artifacts
|
|
||||||
|
|
|
@ -1,91 +0,0 @@
|
||||||
#########################################
|
|
||||||
# Building Docker Image
|
|
||||||
#
|
|
||||||
# This uses a multi-stage build file. The first stage is a builder (that might
|
|
||||||
# be large in size). After the build has succeeded, the statically linked
|
|
||||||
# binary is copied to a new image that is optimized for size.
|
|
||||||
#########################################
|
|
||||||
|
|
||||||
ifeq (, $(shell which docker))
|
|
||||||
DOCKER_CLIENT_OS := linux
|
|
||||||
else
|
|
||||||
DOCKER_CLIENT_OS := $(strip $(shell docker version -f '{{.Client.Os}}' 2>/dev/null))
|
|
||||||
endif
|
|
||||||
|
|
||||||
DOCKER_PLATFORMS = linux/amd64,linux/386,linux/arm,linux/arm64
|
|
||||||
DOCKER_IMAGE_NAME = smallstep/step-ca
|
|
||||||
|
|
||||||
docker-prepare:
|
|
||||||
# Ensure, we can build for ARM architecture
|
|
||||||
ifeq (linux,$(DOCKER_CLIENT_OS))
|
|
||||||
[ -f /proc/sys/fs/binfmt_misc/qemu-arm ] || docker run --rm --privileged linuxkit/binfmt:v0.8-amd64
|
|
||||||
endif
|
|
||||||
|
|
||||||
# Register buildx builder
|
|
||||||
mkdir -p $$HOME/.docker/cli-plugins
|
|
||||||
|
|
||||||
test -f $$HOME/.docker/cli-plugins/docker-buildx || \
|
|
||||||
(wget -q -O $$HOME/.docker/cli-plugins/docker-buildx https://github.com/docker/buildx/releases/download/v0.4.1/buildx-v0.4.1.$(DOCKER_CLIENT_OS)-amd64 && \
|
|
||||||
chmod +x $$HOME/.docker/cli-plugins/docker-buildx)
|
|
||||||
|
|
||||||
docker buildx create --use --name mybuilder --platform="$(DOCKER_PLATFORMS)" || true
|
|
||||||
|
|
||||||
.PHONY: docker-prepare
|
|
||||||
|
|
||||||
#################################################
|
|
||||||
# Releasing Docker Images
|
|
||||||
#
|
|
||||||
# Using the docker build infrastructure, this section is responsible for
|
|
||||||
# logging into docker hub.
|
|
||||||
#################################################
|
|
||||||
|
|
||||||
# Rely on DOCKER_USERNAME and DOCKER_PASSWORD being set inside the CI or
|
|
||||||
# equivalent environment
|
|
||||||
docker-login:
|
|
||||||
$Q docker login -u="$(DOCKER_USERNAME)" -p="$(DOCKER_PASSWORD)"
|
|
||||||
|
|
||||||
.PHONY: docker-login
|
|
||||||
|
|
||||||
#################################################
|
|
||||||
# Targets for different type of builds
|
|
||||||
#################################################
|
|
||||||
|
|
||||||
define DOCKER_BUILDX
|
|
||||||
# $(1) -- Image Tag
|
|
||||||
# $(2) -- Push (empty is no push | --push will push to dockerhub)
|
|
||||||
docker buildx build . --progress plain -t $(DOCKER_IMAGE_NAME):$(1) -f docker/Dockerfile.step-ca --platform="$(DOCKER_PLATFORMS)" $(2)
|
|
||||||
cosign sign -r $(DOCKER_IMAGE_NAME):$(1)
|
|
||||||
|
|
||||||
endef
|
|
||||||
|
|
||||||
# For non-master builds don't build the docker containers.
|
|
||||||
docker-branch:
|
|
||||||
|
|
||||||
# For master builds don't build the docker containers.
|
|
||||||
docker-master:
|
|
||||||
|
|
||||||
# For all builds with a release candidate tag build and push the containers.
|
|
||||||
docker-release-candidate: docker-prepare docker-login
|
|
||||||
$(call DOCKER_BUILDX,$(VERSION),--push)
|
|
||||||
|
|
||||||
# For all builds with a release tag build and push the containers.
|
|
||||||
docker-release: docker-prepare docker-login
|
|
||||||
$(call DOCKER_BUILDX,latest,--push)
|
|
||||||
$(call DOCKER_BUILDX,$(VERSION),--push)
|
|
||||||
|
|
||||||
.PHONY: docker-branch docker-master docker-release-candidate docker-release
|
|
||||||
|
|
||||||
# XXX We put the output for the build in 'output' so we don't mess with how we
|
|
||||||
# do rule overriding from the base Makefile (if you name it 'build' it messes up
|
|
||||||
# the wildcarding).
|
|
||||||
DOCKER_OUTPUT=$(OUTPUT_ROOT)docker/
|
|
||||||
|
|
||||||
DOCKER_MAKE=V=$V GOOS_OVERRIDE='GOOS=linux GOARCH=amd64' PREFIX=$(1) make $(1)bin/$(BINNAME)
|
|
||||||
DOCKER_BUILD=$Q docker build -t $(DOCKER_IMAGE_NAME):latest -f docker/Dockerfile.step-ca --build-arg BINPATH=$(DOCKER_OUTPUT)bin/$(BINNAME) .
|
|
||||||
|
|
||||||
docker-dev: docker/Dockerfile.step-ca
|
|
||||||
mkdir -p $(DOCKER_OUTPUT)
|
|
||||||
$(call DOCKER_MAKE,$(DOCKER_OUTPUT),step-ca)
|
|
||||||
$(call DOCKER_BUILD)
|
|
||||||
|
|
||||||
.PHONY: docker-dev
|
|
Loading…
Reference in a new issue