test #1643
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Image CI Build | ||
| # Any change in triggers needs to be reflected in the concurrency group. | ||
| on: | ||
| pull_request_target: | ||
| types: | ||
| - opened | ||
| - synchronize | ||
| - reopened | ||
| push: | ||
| branches: | ||
| - main | ||
| - ft/main/** | ||
| permissions: | ||
| # To be able to access the repository with `actions/checkout` | ||
| contents: read | ||
| # Required to generate OIDC tokens for `sigstore/cosign-installer` authentication | ||
| id-token: write | ||
| concurrency: | ||
| group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after }} | ||
| cancel-in-progress: true | ||
| jobs: | ||
| build-and-push-prs: | ||
| timeout-minutes: 45 | ||
| name: Build and Push Images | ||
| runs-on: ${{ vars.GH_RUNNER_EXTRA_POWER || ubuntu-latest }} | ||
|
Check failure on line 29 in .github/workflows/build-images-ci.yaml
|
||
| strategy: | ||
| matrix: | ||
| include: | ||
| - name: cilium | ||
| dockerfile: ./images/cilium/Dockerfile | ||
| platforms: linux/amd64,linux/arm64 | ||
| - name: cilium-cli | ||
| dockerfile: ./cilium-cli/Dockerfile | ||
| platforms: linux/amd64 | ||
| - name: operator-aws | ||
| dockerfile: ./images/operator/Dockerfile | ||
| platforms: linux/amd64,linux/arm64 | ||
| - name: operator-azure | ||
| dockerfile: ./images/operator/Dockerfile | ||
| platforms: linux/amd64,linux/arm64 | ||
| - name: operator-alibabacloud | ||
| dockerfile: ./images/operator/Dockerfile | ||
| platforms: linux/amd64,linux/arm64 | ||
| - name: operator-generic | ||
| dockerfile: ./images/operator/Dockerfile | ||
| platforms: linux/amd64,linux/arm64 | ||
| - name: hubble-relay | ||
| dockerfile: ./images/hubble-relay/Dockerfile | ||
| platforms: linux/amd64,linux/arm64 | ||
| - name: clustermesh-apiserver | ||
| dockerfile: ./images/clustermesh-apiserver/Dockerfile | ||
| platforms: linux/amd64,linux/arm64 | ||
| - name: docker-plugin | ||
| dockerfile: ./images/cilium-docker-plugin/Dockerfile | ||
| platforms: linux/amd64,linux/arm64 | ||
| steps: | ||
| - name: Checkout default branch (trusted) | ||
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | ||
| with: | ||
| ref: ${{ github.event.repository.default_branch }} | ||
| persist-credentials: false | ||
| - name: Cleanup Disk space in runner | ||
| if: runner.name == 'ubuntu-latest' | ||
| uses: ./.github/actions/disk-cleanup | ||
| - name: Set Environment Variables | ||
| uses: ./.github/actions/set-env-variables | ||
| - name: Setup docker volumes into /mnt | ||
| # This allows us to make use of all available disk. | ||
| shell: bash | ||
| run: | | ||
| sudo systemctl stop docker | ||
| sudo mv /var/lib/docker/volumes /mnt/docker-volumes | ||
| sudo ln -s /mnt/docker-volumes /var/lib/docker/volumes | ||
| sudo systemctl start docker | ||
| - name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 | ||
| # Disable GC entirely to avoid buildkit from GC caches. | ||
| with: | ||
| buildkitd-config-inline: | | ||
| [worker.oci] | ||
| gc=false | ||
| - name: Login to quay.io for CI | ||
| uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | ||
| with: | ||
| registry: quay.io | ||
| username: ${{ secrets.QUAY_USERNAME_CI }} | ||
| password: ${{ secrets.QUAY_PASSWORD_CI }} | ||
| - name: Getting image tag | ||
| id: tag | ||
| run: | | ||
| if [ "${{ github.event.pull_request.head.sha }}" != "" ]; then | ||
| tag=${{ github.event.pull_request.head.sha }} | ||
| else | ||
| tag=${{ github.sha }} | ||
| fi | ||
| if [ "${{ github.ref_name }}" == "${{ github.event.repository.default_branch }}" ]; then | ||
| floating_tag=latest | ||
| echo floating_tag=${floating_tag} >> $GITHUB_OUTPUT | ||
| fi | ||
| echo tag=${tag} >> $GITHUB_OUTPUT | ||
| normal_tag="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${tag}" | ||
| race_tag="${normal_tag}-race" | ||
| unstripped_tag="${normal_tag}-unstripped" | ||
| if [ -n "${floating_tag}" ]; then | ||
| floating_normal_tag="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${floating_tag}" | ||
| floating_race_tag="${floating_normal_tag}-race" | ||
| floating_unstripped_tag="${floating_normal_tag}-unstripped" | ||
| normal_tag="${normal_tag},${floating_normal_tag}" | ||
| race_tag="${race_tag},${floating_race_tag}" | ||
| unstripped_tag="${unstripped_tag},${floating_unstripped_tag}" | ||
| fi | ||
| echo normal_tag=${normal_tag} >> $GITHUB_OUTPUT | ||
| echo race_tag=${race_tag} >> $GITHUB_OUTPUT | ||
| echo unstripped_tag=${unstripped_tag} >> $GITHUB_OUTPUT | ||
| # Warning: since this is a privileged workflow, subsequent workflow job | ||
| # steps must take care not to execute untrusted code. | ||
| - name: Checkout pull request branch (NOT TRUSTED) | ||
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | ||
| with: | ||
| persist-credentials: false | ||
| ref: ${{ steps.tag.outputs.tag }} | ||
| - name: Check for disk usage | ||
| shell: bash | ||
| run: | | ||
| df -h | ||
| # Load Golang cache build from GitHub | ||
| - name: Restore Golang cache build from GitHub | ||
| uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 | ||
| id: go-cache | ||
| with: | ||
| path: /tmp/.cache/go | ||
| key: ${{ runner.os }}-go-${{ matrix.name }}-cache-${{ hashFiles('**/go.sum') }} | ||
| restore-keys: | | ||
| ${{ runner.os }}-go-${{ matrix.name }}-cache- | ||
| - name: Check for disk usage | ||
| shell: bash | ||
| run: | | ||
| df -h | ||
| docker buildx du | ||
| # Import GitHub's cache build to docker cache | ||
| - name: Copy ${{ matrix.name }} Golang cache to docker cache | ||
| uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0 | ||
| with: | ||
| provenance: false | ||
| context: /tmp/.cache/go | ||
| file: ./images/cache/Dockerfile | ||
| push: false | ||
| platforms: linux/amd64 | ||
| target: import-cache | ||
| - name: Check for disk usage | ||
| shell: bash | ||
| run: | | ||
| df -h | ||
| docker buildx du | ||
| - name: Install Cosign | ||
| uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0 | ||
| - name: CI Build ${{ matrix.name }} | ||
| uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0 | ||
| id: docker_build_ci | ||
| with: | ||
| provenance: false | ||
| context: . | ||
| file: ${{ matrix.dockerfile }} | ||
| push: true | ||
| platforms: ${{ matrix.platforms }} | ||
| tags: ${{ steps.tag.outputs.normal_tag }} | ||
| target: release | ||
| build-args: | | ||
| OPERATOR_VARIANT=${{ matrix.name }} | ||
| - name: CI race detection Build ${{ matrix.name }} | ||
| uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0 | ||
| id: docker_build_ci_detect_race_condition | ||
| with: | ||
| provenance: false | ||
| context: . | ||
| file: ${{ matrix.dockerfile }} | ||
| push: true | ||
| platforms: linux/amd64 | ||
| tags: ${{ steps.tag.outputs.race_tag }} | ||
| target: release | ||
| build-args: | | ||
| BASE_IMAGE=quay.io/cilium/cilium-runtime:7663c4c7dfb8db93fc5b71eb8fbe91d3ef005306@sha256:46692f9369ab891831396eedd3481bc93e96267060e9c1ac4633e22017a4c8e7 | ||
| MODIFIERS="LOCKDEBUG=1 RACE=1" | ||
| OPERATOR_VARIANT=${{ matrix.name }} | ||
| - name: CI Unstripped Binaries Build ${{ matrix.name }} | ||
| uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0 | ||
| id: docker_build_ci_unstripped | ||
| with: | ||
| provenance: false | ||
| context: . | ||
| file: ${{ matrix.dockerfile }} | ||
| push: true | ||
| platforms: linux/amd64 | ||
| tags: ${{ steps.tag.outputs.unstripped_tag }} | ||
| target: release | ||
| build-args: | | ||
| MODIFIERS="NOSTRIP=1" | ||
| OPERATOR_VARIANT=${{ matrix.name }} | ||
| - name: Sign Container Images | ||
| run: | | ||
| cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci.outputs.digest }} | ||
| cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_detect_race_condition.outputs.digest }} | ||
| cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_unstripped.outputs.digest }} | ||
| - name: Generate SBOM | ||
| uses: anchore/sbom-action@61119d458adab75f756bc0b9e4bde25725f86a7a # v0.17.2 | ||
| with: | ||
| artifact-name: sbom_ci_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx.json | ||
| output-file: ./sbom_ci_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx.json | ||
| image: quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }} | ||
| - name: Generate SBOM (race) | ||
| uses: anchore/sbom-action@61119d458adab75f756bc0b9e4bde25725f86a7a # v0.17.2 | ||
| with: | ||
| artifact-name: sbom_ci_race_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx.json | ||
| output-file: ./sbom_ci_race_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx.json | ||
| image: quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-race | ||
| - name: Generate SBOM (unstripped) | ||
| uses: anchore/sbom-action@61119d458adab75f756bc0b9e4bde25725f86a7a # v0.17.2 | ||
| with: | ||
| artifact-name: sbom_ci_unstripped_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx.json | ||
| output-file: ./sbom_ci_unstripped_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx.json | ||
| image: quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-unstripped | ||
| - name: Attach SBOM attestation to container image | ||
| run: | | ||
| cosign attest -r -y --predicate sbom_ci_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx.json --type spdxjson quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci.outputs.digest }} | ||
| cosign attest -r -y --predicate sbom_ci_race_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx.json --type spdxjson quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_detect_race_condition.outputs.digest }} | ||
| cosign attest -r -y --predicate sbom_ci_unstripped_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx.json --type spdxjson quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_unstripped.outputs.digest }} | ||
| - name: CI Image Releases digests | ||
| shell: bash | ||
| run: | | ||
| mkdir -p image-digest/ | ||
| if [ ${{ github.event_name == 'push' && !startsWith(github.ref_name, 'ft/') }} ]; then | ||
| echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.floating_tag }}@${{ steps.docker_build_ci.outputs.digest }}" > image-digest/${{ matrix.name }}.txt | ||
| echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.floating_tag }}-race@${{ steps.docker_build_ci_detect_race_condition.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt | ||
| echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.floating_tag }}-unstripped@${{ steps.docker_build_ci_unstripped.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt | ||
| fi | ||
| echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}@${{ steps.docker_build_ci.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt | ||
| echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-race@${{ steps.docker_build_ci_detect_race_condition.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt | ||
| echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-unstripped@${{ steps.docker_build_ci_unstripped.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt | ||
| # Upload artifact digests | ||
| - name: Upload artifact digests | ||
| uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 | ||
| with: | ||
| name: image-digest ${{ matrix.name }} | ||
| path: image-digest | ||
| retention-days: 1 | ||
| - name: Check for disk usage | ||
| if: ${{ always() }} | ||
| shell: bash | ||
| run: | | ||
| df -h | ||
| image-digests: | ||
| if: ${{ always() }} | ||
| name: Display Digests | ||
| runs-on: ubuntu-22.04 | ||
| needs: build-and-push-prs | ||
| steps: | ||
| - name: Downloading Image Digests | ||
| shell: bash | ||
| run: | | ||
| mkdir -p image-digest/ | ||
| - name: Download digests of all images built | ||
| uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | ||
| with: | ||
| path: image-digest/ | ||
| pattern: "*image-digest *" | ||
| - name: Image Digests Output | ||
| shell: bash | ||
| run: | | ||
| cd image-digest/ | ||
| find -type f | sort | xargs -d '\n' cat | ||
