Skip to content

Build UBI Rust Builders (attempt #1) #434

Build UBI Rust Builders (attempt #1)

Build UBI Rust Builders (attempt #1) #434

---
name: Build UBI Rust Builders
run-name: |
Build UBI Rust Builders (attempt #${{ github.run_attempt }})
on:
push:
branches:
- main
schedule:
- cron: '30 4 * * *'
workflow_dispatch:
jobs:
build:
permissions:
id-token: write
strategy:
matrix:
runner: ["ubuntu-latest", "ubicloud-standard-8-arm"]
ubi-version: ["ubi8", "ubi9"]
runs-on: ${{ matrix.runner }}
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Login to Stackable Harbor
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: oci.stackable.tech
username: robot$sdp+github-action-build
password: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }}
- name: Set up Cosign
uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
- name: Determine Architecture
run: |
echo "TAG=$(git rev-parse --short HEAD)-$(arch)" >> "$GITHUB_ENV"
- name: Build and push
id: build-and-push
uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0
with:
context: .
file: ./${{ matrix.ubi-version }}-rust-builder/Dockerfile
push: true
tags: oci.stackable.tech/sdp/${{ matrix.ubi-version }}-rust-builder:${{ env.TAG }}
- name: Sign the published builder image
shell: bash
run: |
# Refer to image via its digest (oci.stackable.tech/sdp/airflow@sha256:0a1b2c...)
# This generates a signature and publishes it to the registry, next to the image
# Uses the keyless signing flow with Github Actions as identity provider
cosign sign -y "oci.stackable.tech/sdp/${{ matrix.ubi-version }}-rust-builder@${{ steps.build-and-push.outputs.digest }}"
create_manifest:
permissions:
id-token: write
strategy:
matrix:
ubi-version: ["ubi8", "ubi9"]
runs-on: ubuntu-latest
needs: ["build"]
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Login to Stackable Harbor
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: oci.stackable.tech
username: robot$sdp+github-action-build
password: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }}
- name: Set up Cosign
uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
- name: Build Manifest List
shell: bash
run: |
COMMIT_ID=$(git rev-parse --short HEAD)
MANIFEST_LIST_NAME=oci.stackable.tech/sdp/${{ matrix.ubi-version }}-rust-builder
docker manifest create "$MANIFEST_LIST_NAME:latest" "$MANIFEST_LIST_NAME:$COMMIT_ID-x86_64" "$MANIFEST_LIST_NAME:$COMMIT_ID-aarch64"
# `docker manifest push` directly returns the digest of the manifest list
# As it is an experimental feature, this might change in the future
# Further reading: https://docs.docker.com/reference/cli/docker/manifest/push/
DIGEST=$(docker manifest push "$MANIFEST_LIST_NAME:latest")
# Refer to image via its digest (oci.stackable.tech/sdp/airflow@sha256:0a1b2c...)
# This generates a signature and publishes it to the registry, next to the image
# Uses the keyless signing flow with Github Actions as identity provider
cosign sign -y "$MANIFEST_LIST_NAME@$DIGEST"
notify:
name: Failure Notification
needs: [build, create_manifest]
runs-on: ubuntu-latest
if: failure()
steps:
- uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0
with:
channel-id: "C07UG6JH44F" # notifications-container-images
payload: |
{
"text": "*${{ github.workflow }}* failed (attempt ${{ github.run_attempt }})",
"attachments": [
{
"pretext": "See the details below for a summary of which job(s) failed.",
"color": "#aa0000",
"fields": [
{
"title": "Build",
"short": true,
"value": "${{ needs.build.result }}"
},
{
"title": "Create Manifest",
"short": true,
"value": "${{ needs.create_manifest.result }}"
}
],
"actions": [
{
"type": "button",
"text": "Go to workflow run",
"url": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}/attempts/${{ github.run_attempt }}"
}
]
}
]
}
env:
SLACK_BOT_TOKEN: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }}