fluent · patrick-stephens · Jan 26, 2022 · Jan 26, 2022 · Jan 26, 2022 · Jan 27, 2022
@@ -148,7 +148,7 @@ jobs:
         with:
           go-version: '1.16' # The Go version to download (if necessary) and use.
 
-      - uses: azure/setup-helm@v1
+      - uses: azure/setup-helm@v2.0
         id: install
 
       - run: go mod download

@@ -148,7 +148,7 @@ jobs:
         with:
           go-version: '1.16' # The Go version to download (if necessary) and use.
 
-      - uses: azure/setup-helm@v1
+      - uses: azure/setup-helm@v2.0
         id: install
 
       - run: go mod download

@@ -17,6 +17,8 @@
 | Label name | Description |
 | :----------|-------------|
 | docs-required| default tag used to request documentation, has to be removed before merge |
+| ok-container-test | run all image tests |
+| ci/container-test-ok | image tests pass |
 | ok-to-test | run all integration tests |
 | ok-to-merge | run mergebot and merge (rebase) current PR |
 | ci/integration-docker-ok | integration test is able to build docker image |
@@ -31,6 +33,7 @@
 * AWS_S3_BUCKET_STAGING
 * AWS_S3_BUCKET_RELEASE
 * GPG_PRIVATE_KEY
+* GPG_PRIVATE_KEY_PASSPHRASE
 
 These are only required for Cosign of the container images, will be skipped if not present:
 * COSIGN_PUBLIC_KEY

@@ -114,7 +114,7 @@ jobs:
         with:
           go-version: '1.16' # The Go version to download (if necessary) and use.
 
-      - uses: azure/setup-helm@v1
+      - uses: azure/setup-helm@v2.0
         id: install
 
       - run: go mod download

@@ -35,109 +35,15 @@ on:
         description: If the Cosign key requires a password then specify here, otherwise not required.
         required: false
 jobs:
-  call-build-images-matrix:
-    name: ${{ matrix.arch }} container image stage to GHCR
-    runs-on: [ ubuntu-latest ]
-    environment: ${{ inputs.environment }}
-    strategy:
-      fail-fast: false
-      matrix:
-        arch: [ amd64, arm64, arm/v7 ]
-        include:
-          - arch: amd64
-            suffix: x86_64
-          - arch: arm/v7
-            suffix: arm32v7
-          - arch: arm64
-            suffix: arm64v8
-    steps:
-    - name: Checkout code
-      uses: actions/checkout@v2
-
-    - name: Set up QEMU
-      uses: docker/setup-qemu-action@v1
-
-    - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v1
-
-    - name: Log in to the Container registry
-      uses: docker/login-action@v1
-      with:
-        registry: ${{ inputs.registry }}
-        username: ${{ inputs.username }}
-        password: ${{ secrets.token }}
-
-    - name: Extract metadata from Github
-      id: meta
-      uses: docker/metadata-action@v3
-      with:
-        images: ${{ inputs.registry }}/${{ inputs.image }}
-        tags: |
-          raw,${{ matrix.suffix }}-${{ inputs.version }}
-          raw,${{ matrix.suffix }}-latest
-
-    - name: Build the ${{ matrix.suffix }} staging image
-      uses: docker/build-push-action@v2
-      with:
-        file: ./dockerfiles/Dockerfile.${{ matrix.suffix }}
-        context: .
-        tags: ${{ steps.meta.outputs.tags }}
-        labels: ${{ steps.meta.outputs.labels }}
-        platforms: linux/${{ matrix.arch }}
-        push: true
-        load: false
-        build-args: |
-          FLB_TARBALL=https://github.com/fluent/fluent-bit/archive/v${{ inputs.version }}.tar.gz
-
-  call-build-images-debug:
-    name: Build the single-arch debug image
-    runs-on: [ ubuntu-latest ]
-    environment: ${{ inputs.environment }}
-    needs: call-build-images-matrix
-    steps:
-    - name: Checkout code
-      uses: actions/checkout@v2
-
-    - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v1
-
-    - name: Log in to the Container registry
-      uses: docker/login-action@v1
-      with:
-        registry: ${{ inputs.registry }}
-        username: ${{ inputs.username }}
-        password: ${{ secrets.token }}
-
-    - name: Extract metadata from Github
-      id: meta
-      uses: docker/metadata-action@v3
-      with:
-        images: ${{ inputs.registry }}/${{ inputs.image }}
-        tags: |
-          raw,x86_64-${{ inputs.version }}-debug
-          raw,${{ inputs.version }}-debug
-          raw,latest-debug
-
-    - name: Build the debug staging image
-      uses: docker/build-push-action@v2
-      with:
-        file: ./dockerfiles/Dockerfile.x86_64-debug
-        context: .
-        tags: ${{ steps.meta.outputs.tags }}
-        labels: ${{ steps.meta.outputs.labels }}
-        platforms: linux/amd64
-        push: true
-        load: false
-        build-args: |
-          FLB_TARBALL=https://github.com/fluent/fluent-bit/archive/v${{ inputs.version }}.tar.gz
-
-  call-build-images-multiarch:
-    name: Multiarch container images stage to GHCR
+  call-build-images:
+    name: Build container images to GHCR
     runs-on: [ ubuntu-latest ]
     environment: ${{ inputs.environment }}
     steps:
       - name: Checkout code
         uses: actions/checkout@v2
+        with:
+          ref: ${{ inputs.version }}
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v1
@@ -156,15 +62,15 @@ jobs:
         id: meta
         uses: docker/metadata-action@v3
         with:
-          images: ${{ inputs.registry }}/${{ inputs.image }}/multiarch
+          images: ${{ inputs.registry }}/${{ inputs.image }}
           tags: |
             raw,${{ inputs.version }}
             raw,latest
 
-      - name: Build the multi-arch images
+      - name: Build the production images
         uses: docker/build-push-action@v2
         with:
-          file: ./dockerfiles/Dockerfile.multiarch
+          file: ./dockerfiles/Dockerfile
           context: .
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
@@ -178,12 +84,12 @@ jobs:
       - id: debug-meta
         uses: docker/metadata-action@v3
         with:
-          images: ${{ inputs.registry }}/${{ inputs.image }}/multiarch
+          images: ${{ inputs.registry }}/${{ inputs.image }}
           tags: |
             raw,${{ inputs.version }}-debug
             raw,latest-debug
 
-      - name: Build the debug multi-arch images
+      - name: Build the debug images
         uses: docker/build-push-action@v2
         with:
           file: ./dockerfiles/Dockerfile.multiarch
@@ -197,76 +103,22 @@ jobs:
           build-args: |
             FLB_TARBALL=https://github.com/fluent/fluent-bit/archive/v${{ inputs.version }}.tar.gz
 
-      - name: Multi-arch - run Trivy and Dockle scans
-        uses: azure/container-scan@v0
-        with:
-          image-name: ${{ inputs.registry }}/${{ inputs.image }}/multiarch:${{ inputs.version }}
-          username: ${{ inputs.username }}
-          password: ${{ secrets.token }}
-
   call-build-images-scan:
     name: Trivy + Dockle image scan
     runs-on: [ ubuntu-latest ]
     environment: ${{ inputs.environment }}
-    needs: call-build-images-matrix
-    strategy:
-      fail-fast: false
-      matrix:
-        suffix: [ x86_64, arm32v7, arm64v8 ]
+    needs: call-build-images
     steps:
       - name: Checkout code for ignore list
         uses: actions/checkout@v2
 
-      - name: Single arch - run Trivy and Dockle scans
+      - name: Trivy and Dockle scans
         uses: azure/container-scan@v0
-        with:
-          image-name: ${{ inputs.registry }}/${{ inputs.image }}:${{ matrix.suffix }}-${{ inputs.version }}
-          username: ${{ inputs.username }}
-          password: ${{ secrets.token }}
-
-  call-build-images-push-manifests:
-    name: Deploy multi-arch container image manifests
-    permissions:
-      contents: read
-      packages: write
-    runs-on: [ ubuntu-latest ]
-    environment: ${{ inputs.environment }}
-    needs: call-build-images-matrix
-    steps:
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-
-      - name: Log in to the Container registry
-        uses: docker/login-action@v1
         with:
           registry: ${{ inputs.registry }}
           username: ${{ inputs.username }}
           password: ${{ secrets.token }}
 
-      - name: Pull all the images
-        # Use platform to trigger warnings on invalid image metadata
-        run: |
-          docker pull --platform=linux/amd64 ${{ inputs.registry }}/${{ inputs.image }}:x86_64-${{ inputs.version }}
-          docker pull --platform=linux/arm64 ${{ inputs.registry }}/${{ inputs.image }}:arm64v8-${{ inputs.version }}
-          docker pull --platform=linux/arm/v7  ${{ inputs.registry }}/${{ inputs.image }}:arm32v7-${{ inputs.version }}
-
-      - name: Create manifests for images
-        run: |
-          docker manifest create ${{ inputs.registry }}/${{ inputs.image }}:${{ inputs.version }} \
-            --amend ${{ inputs.registry }}/${{ inputs.image }}:x86_64-${{ inputs.version }} \
-            --amend ${{ inputs.registry }}/${{ inputs.image }}:arm64v8-${{ inputs.version }} \
-            --amend ${{ inputs.registry }}/${{ inputs.image }}:arm32v7-${{ inputs.version }}
-
-          docker manifest create ${{ inputs.registry }}/${{ inputs.image }}:latest \
-            --amend ${{ inputs.registry }}/${{ inputs.image }}:x86_64-${{ inputs.version }} \
-            --amend ${{ inputs.registry }}/${{ inputs.image }}:arm64v8-${{ inputs.version }} \
-            --amend ${{ inputs.registry }}/${{ inputs.image }}:arm32v7-${{ inputs.version }}
-
-          docker manifest push --purge ${{ inputs.registry }}/${{ inputs.image }}:${{ inputs.version }}
-          docker manifest push --purge ${{ inputs.registry }}/${{ inputs.image }}:latest
-        env:
-          DOCKER_CLI_EXPERIMENTAL: enabled
-
   call-build-images-sign:
     name: Deploy and sign multi-arch container image manifests
     permissions:
@@ -277,7 +129,7 @@ jobs:
       id-token: write
     runs-on: [ ubuntu-latest ]
     environment: ${{ inputs.environment }}
-    needs: call-build-images-push-manifests
+    needs: call-build-images
     steps:
       - name: Install cosign
         uses: sigstore/cosign-installer@main
@@ -295,9 +147,7 @@ jobs:
             -a "ref=${{ github.sha }}" \
             -a "release=${{ inputs.version }}" \
             "${{ inputs.registry }}/${{ inputs.image }}:${{ inputs.version }}" \
-            "${{ inputs.registry }}/${{ inputs.image }}:latest" \
-            "${{ inputs.registry }}/${{ inputs.image }}/multiarch:${{ inputs.version }}" \
-            "${{ inputs.registry }}/${{ inputs.image }}/multiarch:latest"
+            "${{ inputs.registry }}/${{ inputs.image }}:latest"
         shell: bash
         # Ensure we move on to key-based signing as well
         continue-on-error: true
@@ -316,9 +166,7 @@ jobs:
             -a "ref=${{ github.sha }}" \
             -a "release=${{ inputs.version }}" \
             "${{ inputs.registry }}/${{ inputs.image }}:${{ inputs.version }}" \
-            "${{ inputs.registry }}/${{ inputs.image }}:latest" \
-            "${{ inputs.registry }}/${{ inputs.image }}/multiarch:${{ inputs.version }}" \
-            "${{ inputs.registry }}/${{ inputs.image }}/multiarch:latest"
+            "${{ inputs.registry }}/${{ inputs.image }}:latest"
           rm -f /tmp/my_cosign.key
         shell: bash
         env:

@@ -36,6 +36,9 @@ on:
       gpg_private_key:
         description: The GPG key to use for signing the packages.
         required: false
+      gpg_private_key_passphrase:
+        description: The GPG key passphrase to use for signing the packages.
+        required: false
 
 jobs:
   call-build-packages:
@@ -160,6 +163,7 @@ jobs:
         uses: crazy-max/ghaction-import-gpg@v4
         with:
           gpg_private_key: ${{ secrets.gpg_private_key }}
+          passphrase: ${{ secrets.gpg_private_key_passphrase }}
 
       - name: Create repositories on staging now
         # We sync down what we have for the release directories.

@@ -176,7 +176,7 @@ jobs:
         uses: helm/[email protected]
 
       - name: Set up Helm
-        uses: azure/setup-helm@v1
+        uses: azure/setup-helm@v2.0
         with:
           version: v3.6.3