ci: add cosign update automation #57

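# Builds the Windows rootfs image from rootfs/Dockerfile, with cosign pinned to
# the version declared in rootfs/cosign/go.mod, and stores the OCI tarball as a
# workflow artifact. On non-PR events in the upstream repo the second job pushes
# the image to ECR, exports the rootfs tarball (plus sha512) to S3, and opens a
# PR that rewrites deps/rootfs.conf to point at the new artifact.
name: Build and Push Rootfs Docker Image

on:
  push:
    branches:
      - main
    paths:
      - 'rootfs/Dockerfile'
      - 'rootfs/cosign/go.mod'
  pull_request:
    branches:
      - main
    paths:
      - 'rootfs/Dockerfile'
      - 'rootfs/cosign/go.mod'
  workflow_dispatch:

# Least-privilege default for every job; push-rootfs-image widens it explicitly.
permissions:
  contents: read

jobs:
  build-rootfs-image:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        # finch only supports amd64 for windows
        arch: ['amd64']
        platform: ['common']
    outputs:
      # Consumed by push-rootfs-image to find the artifact and name the PR branch.
      # NOTE(review): well defined only while the matrix has a single entry; the
      # artifact name carries no arch component, so a second arch would collide.
      timestamp: ${{ steps.vars.outputs.timestamp }}
    steps:
      - name: Checkout repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0
          persist-credentials: false
      - name: Setup Go
        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          # Install the toolchain the cosign module declares so `go list -m`
          # below does not depend on whatever Go the runner image ships.
          go-version-file: rootfs/cosign/go.mod
          # Only `go list -m` runs here; there is no module download to cache.
          cache: false
      - name: Set build variables
        id: vars
        run: |
          echo "timestamp=$(date +%s)" >> "$GITHUB_OUTPUT"
          # The cosign version is whatever rootfs/cosign/go.mod pins; drop the
          # leading "v" so COSIGN_VERSION is passed to the build as bare semver.
          cosign_tag=$(cd rootfs/cosign && go list -m github.com/sigstore/cosign/v2 | cut -d " " -f 2)
          echo "cosign_version=${cosign_tag#v}" >> "$GITHUB_OUTPUT"
      - name: Set up QEMU
        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
      - name: Build Image
        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
        with:
          context: rootfs/
          file: rootfs/Dockerfile
          platforms: linux/${{ matrix.arch }}
          # The build job never pushes: PR builds stay read-only and the image
          # is handed to the push job as an artifact instead.
          push: false
          tags: finch-rootfs-image-production:intermediate
          build-args: |
            COSIGN_VERSION=${{ steps.vars.outputs.cosign_version }}
          outputs: type=oci,dest=finch-rootfs-image-${{ steps.vars.outputs.timestamp }}.tar
      - uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
        with:
          name: finch-rootfs-image-${{ steps.vars.outputs.timestamp }}
          path: finch-rootfs-image-${{ steps.vars.outputs.timestamp }}.tar
          if-no-files-found: error

  push-rootfs-image:
    # Upstream repo on push/dispatch only: forks and pull_request runs never
    # reach the AWS role, ECR, S3 or the PR-creating token.
    if: github.repository == 'runfinch/finch-core' && github.event_name != 'pull_request'
    runs-on: ubuntu-latest
    needs: build-rootfs-image
    permissions:
      # This is required for configure-aws-credentials to request an OIDC JWT ID token to access AWS resources later on.
      # More info: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
      id-token: write
      # Needed by create-pull-request to push the branch and open the PR.
      contents: write
      pull-requests: write
    strategy:
      matrix:
        # finch only supports amd64 for windows
        arch: ['amd64']
        platform: ['common']
    env:
      TIMESTAMP: ${{ needs.build-rootfs-image.outputs.timestamp }}
    steps:
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          aws-region: ${{ secrets.REGION }}
          role-to-assume: ${{ secrets.ROLE }}
          role-session-name: rootfs-ecr-image-upload-session
      - name: Login to Amazon ECR
        uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
      - name: Checkout repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0
          persist-credentials: false
      - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          # Action inputs are expression-expanded, not shell-expanded: a literal
          # "${TIMESTAMP}" here would never match the name used by upload-artifact.
          name: finch-rootfs-image-${{ env.TIMESTAMP }}
      - name: Load Container Image
        run: docker load -i "finch-rootfs-image-${TIMESTAMP}.tar"
      - name: Tag and Push Container Image to ECR
        # Expression values are passed through env rather than spliced into the
        # script so the shell only ever sees them as variables.
        env:
          ECR_REPOSITORY: ${{ secrets.ROOTFS_IMAGE_ECR_REPOSITORY_NAME }}
          ARCH: ${{ matrix.arch }}
        run: |
          image_ref="${ECR_REPOSITORY}:${ARCH}-${TIMESTAMP}"
          docker tag finch-rootfs-image-production:intermediate "$image_ref"
          docker push "$image_ref"
      - name: Create, Compress, and Upload Rootfs
        env:
          ARCH: ${{ matrix.arch }}
          PLATFORM: ${{ matrix.platform }}
          DEPENDENCY_BUCKET: ${{ secrets.DEPENDENCY_BUCKET_NAME }}
        run: |
          # Export the container filesystem (not the image) as the rootfs tarball.
          docker container create --platform "linux/${ARCH}" --name "${ARCH}-rootfs" finch-rootfs-image-production:intermediate
          docker container export -o "finch-rootfs-production-${ARCH}.tar" "${ARCH}-rootfs"
          compressed_archive="finch-rootfs-production-${ARCH}-${TIMESTAMP}.tar.gz"
          gzip -9 -c "finch-rootfs-production-${ARCH}.tar" > "$compressed_archive"
          # The digest is published next to the archive and recorded in
          # deps/rootfs.conf so consumers can verify the download.
          sha512_digest=$(sha512sum "$compressed_archive" | cut -d " " -f 1)
          echo "$sha512_digest" > "${compressed_archive}.sha512sum"
          ARCHPATH="x86-64"
          ARTIFACT_KEY="X86_64"
          if [ "$ARCH" = "arm64" ]; then
            ARCHPATH="aarch64"
            ARTIFACT_KEY="ARM64"
          fi
          # Upload tarball and shasum to S3
          aws s3 cp . "s3://${DEPENDENCY_BUCKET}/${PLATFORM}/${ARCHPATH}/" --recursive --exclude "*" --include "${compressed_archive}*"
          # Rewrite the whole conf file; only the keys for this arch are emitted.
          cat <<EOL > deps/rootfs.conf
          ARTIFACT_BASE_URL=https://deps.runfinch.com
          ${ARTIFACT_KEY}_ARTIFACT_PATHING=common/$ARCHPATH
          ${ARTIFACT_KEY}_ARTIFACT=$compressed_archive
          ${ARTIFACT_KEY}_512_DIGEST=$sha512_digest
          EOL
      - name: Create PR
        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          signoff: true
          branch: create-rootfs-${{ matrix.arch }}-${{ needs.build-rootfs-image.outputs.timestamp }}
          delete-branch: true
          title: 'build(deps): Update windows rootfs'
          add-paths: deps/rootfs.conf
          body: |
            Update the rootfs for the windows platform.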