Changes to workflows - not complete
Signed-off-by: Patrick Stephens <[email protected]>
patrick-stephens committed Feb 9, 2022
1 parent ae413b9 commit f7427d8
Showing 2 changed files with 16 additions and 198 deletions.
180 changes: 14 additions & 166 deletions .github/workflows/call-build-images.yaml
Expand Up @@ -35,109 +35,15 @@ on:
description: If the Cosign key requires a password then specify here, otherwise not required.
required: false
jobs:
call-build-images-matrix:
name: ${{ matrix.arch }} container image stage to GHCR
runs-on: [ ubuntu-latest ]
environment: ${{ inputs.environment }}
strategy:
fail-fast: false
matrix:
arch: [ amd64, arm64, arm/v7 ]
include:
- arch: amd64
suffix: x86_64
- arch: arm/v7
suffix: arm32v7
- arch: arm64
suffix: arm64v8
steps:
- name: Checkout code
uses: actions/checkout@v2

- name: Set up QEMU
uses: docker/setup-qemu-action@v1

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1

- name: Log in to the Container registry
uses: docker/login-action@v1
with:
registry: ${{ inputs.registry }}
username: ${{ inputs.username }}
password: ${{ secrets.token }}

- name: Extract metadata from Github
id: meta
uses: docker/metadata-action@v3
with:
images: ${{ inputs.registry }}/${{ inputs.image }}
tags: |
raw,${{ matrix.suffix }}-${{ inputs.version }}
raw,${{ matrix.suffix }}-latest
- name: Build the ${{ matrix.suffix }} staging image
uses: docker/build-push-action@v2
with:
file: ./dockerfiles/Dockerfile.${{ matrix.suffix }}
context: .
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
platforms: linux/${{ matrix.arch }}
push: true
load: false
build-args: |
FLB_TARBALL=https://github.com/fluent/fluent-bit/archive/v${{ inputs.version }}.tar.gz
call-build-images-debug:
name: Build the single-arch debug image
runs-on: [ ubuntu-latest ]
environment: ${{ inputs.environment }}
needs: call-build-images-matrix
steps:
- name: Checkout code
uses: actions/checkout@v2

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1

- name: Log in to the Container registry
uses: docker/login-action@v1
with:
registry: ${{ inputs.registry }}
username: ${{ inputs.username }}
password: ${{ secrets.token }}

- name: Extract metadata from Github
id: meta
uses: docker/metadata-action@v3
with:
images: ${{ inputs.registry }}/${{ inputs.image }}
tags: |
raw,x86_64-${{ inputs.version }}-debug
raw,${{ inputs.version }}-debug
raw,latest-debug
- name: Build the debug staging image
uses: docker/build-push-action@v2
with:
file: ./dockerfiles/Dockerfile.x86_64-debug
context: .
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
platforms: linux/amd64
push: true
load: false
build-args: |
FLB_TARBALL=https://github.com/fluent/fluent-bit/archive/v${{ inputs.version }}.tar.gz
call-build-images-multiarch:
name: Multiarch container images stage to GHCR
call-build-images:
name: Build container images to GHCR
runs-on: [ ubuntu-latest ]
environment: ${{ inputs.environment }}
steps:
- name: Checkout code
uses: actions/checkout@v2
with:
ref: ${{ inputs.version }}

- name: Set up QEMU
uses: docker/setup-qemu-action@v1
Expand All @@ -156,15 +62,15 @@ jobs:
id: meta
uses: docker/metadata-action@v3
with:
images: ${{ inputs.registry }}/${{ inputs.image }}/multiarch
images: ${{ inputs.registry }}/${{ inputs.image }}
tags: |
raw,${{ inputs.version }}
raw,latest
- name: Build the multi-arch images
- name: Build the production images
uses: docker/build-push-action@v2
with:
file: ./dockerfiles/Dockerfile.multiarch
file: ./dockerfiles/Dockerfile
context: .
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
Expand All @@ -178,12 +84,12 @@ jobs:
- id: debug-meta
uses: docker/metadata-action@v3
with:
images: ${{ inputs.registry }}/${{ inputs.image }}/multiarch
images: ${{ inputs.registry }}/${{ inputs.image }}
tags: |
raw,${{ inputs.version }}-debug
raw,latest-debug
- name: Build the debug multi-arch images
- name: Build the debug images
uses: docker/build-push-action@v2
with:
file: ./dockerfiles/Dockerfile.multiarch
Expand All @@ -197,76 +103,22 @@ jobs:
build-args: |
FLB_TARBALL=https://github.com/fluent/fluent-bit/archive/v${{ inputs.version }}.tar.gz
- name: Multi-arch - run Trivy and Dockle scans
uses: azure/container-scan@v0
with:
image-name: ${{ inputs.registry }}/${{ inputs.image }}/multiarch:${{ inputs.version }}
username: ${{ inputs.username }}
password: ${{ secrets.token }}

call-build-images-scan:
name: Trivy + Dockle image scan
runs-on: [ ubuntu-latest ]
environment: ${{ inputs.environment }}
needs: call-build-images-matrix
strategy:
fail-fast: false
matrix:
suffix: [ x86_64, arm32v7, arm64v8 ]
needs: call-build-images
steps:
- name: Checkout code for ignore list
uses: actions/checkout@v2

- name: Single arch - run Trivy and Dockle scans
- name: Trivy and Dockle scans
uses: azure/container-scan@v0
with:
image-name: ${{ inputs.registry }}/${{ inputs.image }}:${{ matrix.suffix }}-${{ inputs.version }}
username: ${{ inputs.username }}
password: ${{ secrets.token }}

call-build-images-push-manifests:
name: Deploy multi-arch container image manifests
permissions:
contents: read
packages: write
runs-on: [ ubuntu-latest ]
environment: ${{ inputs.environment }}
needs: call-build-images-matrix
steps:
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1

- name: Log in to the Container registry
uses: docker/login-action@v1
with:
registry: ${{ inputs.registry }}
username: ${{ inputs.username }}
password: ${{ secrets.token }}

- name: Pull all the images
# Use platform to trigger warnings on invalid image metadata
run: |
docker pull --platform=linux/amd64 ${{ inputs.registry }}/${{ inputs.image }}:x86_64-${{ inputs.version }}
docker pull --platform=linux/arm64 ${{ inputs.registry }}/${{ inputs.image }}:arm64v8-${{ inputs.version }}
docker pull --platform=linux/arm/v7 ${{ inputs.registry }}/${{ inputs.image }}:arm32v7-${{ inputs.version }}
- name: Create manifests for images
run: |
docker manifest create ${{ inputs.registry }}/${{ inputs.image }}:${{ inputs.version }} \
--amend ${{ inputs.registry }}/${{ inputs.image }}:x86_64-${{ inputs.version }} \
--amend ${{ inputs.registry }}/${{ inputs.image }}:arm64v8-${{ inputs.version }} \
--amend ${{ inputs.registry }}/${{ inputs.image }}:arm32v7-${{ inputs.version }}
docker manifest create ${{ inputs.registry }}/${{ inputs.image }}:latest \
--amend ${{ inputs.registry }}/${{ inputs.image }}:x86_64-${{ inputs.version }} \
--amend ${{ inputs.registry }}/${{ inputs.image }}:arm64v8-${{ inputs.version }} \
--amend ${{ inputs.registry }}/${{ inputs.image }}:arm32v7-${{ inputs.version }}
docker manifest push --purge ${{ inputs.registry }}/${{ inputs.image }}:${{ inputs.version }}
docker manifest push --purge ${{ inputs.registry }}/${{ inputs.image }}:latest
env:
DOCKER_CLI_EXPERIMENTAL: enabled

call-build-images-sign:
name: Deploy and sign multi-arch container image manifests
permissions:
Expand All @@ -277,7 +129,7 @@ jobs:
id-token: write
runs-on: [ ubuntu-latest ]
environment: ${{ inputs.environment }}
needs: call-build-images-push-manifests
needs: call-build-images
steps:
- name: Install cosign
uses: sigstore/cosign-installer@main
Expand All @@ -295,9 +147,7 @@ jobs:
-a "ref=${{ github.sha }}" \
-a "release=${{ inputs.version }}" \
"${{ inputs.registry }}/${{ inputs.image }}:${{ inputs.version }}" \
"${{ inputs.registry }}/${{ inputs.image }}:latest" \
"${{ inputs.registry }}/${{ inputs.image }}/multiarch:${{ inputs.version }}" \
"${{ inputs.registry }}/${{ inputs.image }}/multiarch:latest"
"${{ inputs.registry }}/${{ inputs.image }}:latest"
shell: bash
# Ensure we move on to key-based signing as well
continue-on-error: true
Expand All @@ -316,9 +166,7 @@ jobs:
-a "ref=${{ github.sha }}" \
-a "release=${{ inputs.version }}" \
"${{ inputs.registry }}/${{ inputs.image }}:${{ inputs.version }}" \
"${{ inputs.registry }}/${{ inputs.image }}:latest" \
"${{ inputs.registry }}/${{ inputs.image }}/multiarch:${{ inputs.version }}" \
"${{ inputs.registry }}/${{ inputs.image }}/multiarch:latest"
"${{ inputs.registry }}/${{ inputs.image }}:latest"
rm -f /tmp/my_cosign.key
shell: bash
env:
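Review bot: The `call-build-images-scan` job still sets `image-name` to `…:${{ matrix.suffix }}-${{ inputs.version }}`, while its `strategy.matrix` block appears to be removed by this commit (the page has lost the +/- column, so this is inferred from the hunk's new-side line count). Without a matrix, `matrix.suffix` expands to an empty string, so the scan targets a `:-<version>` tag that the new `call-build-images` job never pushes, and Trivy and Dockle would not examine the image that is actually published. I would point the scan at the tag the build produces: `image-name: ${{ inputs.registry }}/${{ inputs.image }}:${{ inputs.version }}`. `call-build-images-sign` now needs only `call-build-images`, so signing does not wait for the scan; if a clean scan is meant to gate signing, add the scan job there, `needs: [call-build-images, call-build-images-scan]`.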
34 changes: 2 additions & 32 deletions .github/workflows/pr-image-tests.yaml
Expand Up @@ -51,49 +51,19 @@ jobs:
secrets:
token: ${{ secrets.GITHUB_TOKEN }}

pr-image-tests-smoke-test-multiarch-images:
name: PR - multiarch smoke test images
needs: [pr-get-latest-tag, pr-image-tests-build-images]
uses: fluent/fluent-bit/.github/workflows/call-test-images.yaml@master
with:
registry: ghcr.io
username: ${{ github.actor }}
image: ${{ github.repository }}/pr-${{ github.event.number }}/multiarch
image-tag: ${{ needs.pr-get-latest-tag.outputs.latest_tag }}
environment: pr
secrets:
token: ${{ secrets.GITHUB_TOKEN }}

pr-image-tests-classic-docker-build:
name: PR - Classic docker build test
needs: pr-get-latest-tag
runs-on: ubuntu-latest
environment: pr
strategy:
# A failure on one is probably shared
fail-fast: true
matrix:
arch: [ amd64, arm64, arm/v7 ]
include:
- arch: amd64
suffix: x86_64
- arch: arm/v7
suffix: arm32v7
- arch: arm64
suffix: arm64v8
steps:
- name: Checkout code
uses: actions/checkout@v2

- name: Set up QEMU
uses: docker/setup-qemu-action@v1

- name: Build the ${{ matrix.suffix }} classic build test image
- name: Classic docker build
# We only want to confirm it builds with classic mode, nothing else
run: |
docker build --platform=linux/${{ matrix.arch }} --build-arg FLB_TARBALL="$FLB_TARBALL" -f ./dockerfiles/Dockerfile.${{ matrix.suffix }} ./dockerfiles/
docker build .
env:
# Ensure we disable buildkit
DOCKER_BUILDKIT: 0
FLB_TARBALL: https://github.com/fluent/fluent-bit/archive/v${{ needs.pr-get-latest-tag.outputs.latest_tag }}.tar.gz
shell: bash
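Review bot: The classic build step now runs `docker build .`, which uses a `Dockerfile` at the repository root, whereas the image workflow changed in this same commit builds from `file: ./dockerfiles/Dockerfile` with `context: .`. Whether a root `Dockerfile` exists is not visible on this page; if it does not, this check fails, and if it does, the check exercises a different file from the one that is shipped. Naming the file keeps the two in step: `docker build -f ./dockerfiles/Dockerfile .`. The QEMU step and the arch matrix also appear to be dropped, so the check covers only the runner's native architecture; a comment on the step such as `# Native-arch only: confirms the Dockerfile builds without BuildKit` would record that.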
