Consolidate PR and real release workflows (#1845)
* WIP: consolidate PR and real release workflows - push and sign an image tagged for every push to the repo (e.g., merged PRs) - push and sign for tag pushes, with release tags - build but don't push for opened PRs WIP because I need to test more with the tag flow, but pushes worked in my fork. * apply release tags, uncomment kms stuff * Tag images correctly during releases * review feedback
This commit is contained in:
Jason Hall
GitHub
parent
f694212385
commit
6e500ecad9
|
|
@ -0,0 +1,111 @@
|
|||
name: Build images
|
||||
|
||||
on:
|
||||
pull_request:
|
||||
branches: ['master']
|
||||
push:
|
||||
branches: ['master']
|
||||
tags: ['v[0-9]+.[0-9]+.[0-9]+*']
|
||||
|
||||
concurrency:
|
||||
group: release-images-${{ github.head_ref }}
|
||||
cancel-in-progress: true
|
||||
|
||||
jobs:
|
||||
build-images:
|
||||
permissions:
|
||||
contents: read # Read the repo contents.
|
||||
id-token: write # Produce identity token for keyless signing.
|
||||
runs-on: ubuntu-latest
|
||||
strategy:
|
||||
fail-fast: false
|
||||
matrix:
|
||||
image:
|
||||
- executor
|
||||
- executor-debug
|
||||
- executor-slim
|
||||
- warmer
|
||||
|
||||
include:
|
||||
- image: executor
|
||||
dockerfile: ./deploy/Dockerfile
|
||||
platforms: linux/amd64,linux/arm64
|
||||
image-name: gcr.io/kaniko-project/executor
|
||||
tag: ${{ github.sha }}
|
||||
release-tag: latest
|
||||
|
||||
- image: executor-debug
|
||||
dockerfile: ./deploy/Dockerfile_debug
|
||||
platforms: linux/amd64,linux/arm64
|
||||
image-name: gcr.io/kaniko-project/executor
|
||||
tag: ${{ github.sha }}-debug
|
||||
release_tag: debug
|
||||
|
||||
- image: executor-slim
|
||||
dockerfile: ./deploy/Dockerfile_slim
|
||||
platforms: linux/amd64,linux/arm64,linux/s390x,linux/ppc64le
|
||||
image-name: gcr.io/kaniko-project/executor
|
||||
tag: ${{ github.sha }}-slim
|
||||
release-tag: slim
|
||||
|
||||
- image: warmer
|
||||
dockerfile: ./deploy/Dockerfile_warmer
|
||||
platforms: linux/amd64,linux/arm64
|
||||
image-name: gcr.io/kaniko-project/warmer
|
||||
tag: ${{ github.sha }}
|
||||
release-tag: latest
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
|
||||
# Setup auth if not a PR.
|
||||
- if: github.event_name != 'pull_request'
|
||||
uses: google-github-actions/setup-gcloud@master
|
||||
with:
|
||||
service_account_key: ${{ secrets.GCR_DEVOPS_SERVICE_ACCOUNT_KEY }}
|
||||
project_id: kaniko-project
|
||||
export_default_credentials: true
|
||||
- if: github.event_name != 'pull_request'
|
||||
run: gcloud auth configure-docker
|
||||
|
||||
# Build and push with Docker.
|
||||
- uses: docker/setup-qemu-action@v1
|
||||
with:
|
||||
platforms: ${{ matrix.platforms }}
|
||||
- uses: docker/setup-buildx-action@v1
|
||||
- uses: docker/build-push-action@v2
|
||||
id: build-and-push
|
||||
with:
|
||||
context: .
|
||||
file: ${{ matrix.dockerfile }}
|
||||
platforms: ${{ matrix.platforms }}
|
||||
push: ${{ github.event_name != 'pull_request' }} # Only push if not a PR.
|
||||
tags: ${{ matrix.image-name }}:${{ matrix.tag }}
|
||||
# https://github.com/docker/build-push-action/blob/master/docs/advanced/cache.md#github-cache
|
||||
cache-from: type=gha
|
||||
cache-to: type=gha,mode=max
|
||||
|
||||
# Sign images if not a PR.
|
||||
- if: github.event_name != 'pull_request'
|
||||
uses: sigstore/cosign-installer@main
|
||||
with:
|
||||
cosign-release: 'v1.4.1'
|
||||
- if: github.event_name != 'pull_request'
|
||||
env:
|
||||
COSIGN_EXPERIMENTAL: "true"
|
||||
run: |
|
||||
cosign sign \
|
||||
--kms gcpkms://projects/kaniko-project/locations/global/keyRings/cosign/cryptoKeys/cosign \
|
||||
${{ matrix.image-name }}@${{ steps.build-and-push.outputs.digest }}
|
||||
cosign sign ${{ matrix.image-name }}@${{ steps.build-and-push.outputs.digest }}
|
||||
|
||||
# If a tag push, use crane to add more tags.
|
||||
- if: startsWith(github.ref, 'refs/tags/v')
|
||||
uses: imjasonh/setup-crane@v0.1
|
||||
- if: startsWith(github.ref, 'refs/tags/v')
|
||||
name: Apply release tags
|
||||
run: |
|
||||
crane cp ${{ matrix.image-name }}@${{ steps.build-and-push.outputs.digest }} \
|
||||
${{ matrix.image-name }}:${GITHUB_REF/refs\/tags\//}
|
||||
crane cp ${{ matrix.image-name }}@${{ steps.build-and-push.outputs.digest }} \
|
||||
${{ matrix.image-name }}:${{ matrix.release-tag }}
|
||||
|
|
@ -1,61 +0,0 @@
|
|||
name: Build images on pull requests
|
||||
|
||||
on: [pull_request]
|
||||
|
||||
concurrency:
|
||||
group: release-images-${{ github.head_ref }}
|
||||
cancel-in-progress: true
|
||||
|
||||
jobs:
|
||||
build-images:
|
||||
env:
|
||||
PLATFORMS: "linux/amd64,linux/arm64,linux/s390x,linux/ppc64le"
|
||||
runs-on: ubuntu-latest
|
||||
strategy:
|
||||
fail-fast: false
|
||||
matrix:
|
||||
image:
|
||||
- executor
|
||||
- executor-debug
|
||||
- executor-slim
|
||||
- warmer
|
||||
|
||||
include:
|
||||
- image: executor
|
||||
dockerfile: ./deploy/Dockerfile
|
||||
platforms: linux/amd64,linux/arm64
|
||||
name: gcr.io/kaniko-project/executor:${{ github.sha }}
|
||||
|
||||
- image: executor-debug
|
||||
dockerfile: ./deploy/Dockerfile_debug
|
||||
platforms: linux/amd64,linux/arm64
|
||||
name: gcr.io/kaniko-project/executor:${{ github.sha }}-debug
|
||||
|
||||
- image: executor-slim
|
||||
dockerfile: ./deploy/Dockerfile_slim
|
||||
platforms: linux/amd64,linux/arm64,linux/s390x,linux/ppc64le
|
||||
name: gcr.io/kaniko-project/executor:${{ github.sha }}-slim
|
||||
|
||||
- image: warmer
|
||||
dockerfile: ./deploy/Dockerfile_warmer
|
||||
name: gcr.io/kaniko-project/warmer:${{ github.sha }}
|
||||
platforms: linux/amd64,linux/arm64
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
|
||||
- uses: docker/setup-qemu-action@v1
|
||||
with:
|
||||
platforms: ${{ matrix.platforms }}
|
||||
|
||||
- uses: docker/setup-buildx-action@v1
|
||||
|
||||
- uses: docker/build-push-action@v2
|
||||
with:
|
||||
context: .
|
||||
file: ${{ matrix.dockerfile }}
|
||||
platforms: ${{ matrix.platforms }}
|
||||
tags: ${{ matrix.name }}
|
||||
# https://github.com/docker/build-push-action/blob/master/docs/advanced/cache.md#github-cache
|
||||
cache-from: type=gha
|
||||
cache-to: type=gha,mode=max
|
||||
|
|
@ -1,319 +0,0 @@
|
|||
name: Build images on push to master
|
||||
|
||||
on:
|
||||
push:
|
||||
tags:
|
||||
- 'v[0-9]+.[0-9]+.[0-9]+*'
|
||||
|
||||
jobs:
|
||||
build-executor:
|
||||
permissions:
|
||||
# Read the repo contents
|
||||
contents: read
|
||||
# Produce identity token for keyless signing
|
||||
id-token: write
|
||||
|
||||
env:
|
||||
GITHUB_SHA: ${{ github.sha }}
|
||||
GITHUB_REF: ${{ github.ref }}
|
||||
PLATFORMS: "linux/amd64,linux/arm64"
|
||||
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Clone source code
|
||||
uses: actions/checkout@v2
|
||||
|
||||
- name: Get the tags
|
||||
id: vars
|
||||
run: echo ::set-output name=tag::${GITHUB_REF/refs\/tags\//}
|
||||
|
||||
- name: Set up QEMU
|
||||
uses: docker/setup-qemu-action@v1
|
||||
with:
|
||||
platforms: ${{ env.PLATFORMS }}
|
||||
|
||||
- name: Cache Docker layers
|
||||
uses: actions/cache@v2
|
||||
with:
|
||||
path: /tmp/.buildx-cache
|
||||
key: ${{ runner.os }}-buildx-${{ github.sha }}
|
||||
restore-keys: |
|
||||
${{ runner.os }}-buildx-
|
||||
|
||||
- name: Set up Docker Buildx
|
||||
id: buildx
|
||||
uses: docker/setup-buildx-action@v1
|
||||
with:
|
||||
version: latest
|
||||
|
||||
- name: Setup gcloud CLI
|
||||
uses: google-github-actions/setup-gcloud@master
|
||||
with:
|
||||
service_account_key: ${{ secrets.GCR_DEVOPS_SERVICE_ACCOUNT_KEY }}
|
||||
project_id: kaniko-project
|
||||
export_default_credentials: true
|
||||
|
||||
# Configure docker to use the gcloud command-line tool as a credential helper
|
||||
- run: |
|
||||
# Set up docker to authenticate
|
||||
# via gcloud command-line tool.
|
||||
gcloud auth configure-docker
|
||||
|
||||
- uses: docker/build-push-action@v2
|
||||
id: build-and-push
|
||||
with:
|
||||
context: .
|
||||
file: ./deploy/Dockerfile
|
||||
platforms: ${{ env.PLATFORMS }}
|
||||
push: true
|
||||
tags: |
|
||||
gcr.io/kaniko-project/executor:${{ env.GITHUB_SHA }}
|
||||
gcr.io/kaniko-project/executor:${{ steps.vars.outputs.tag }}
|
||||
gcr.io/kaniko-project/executor:latest
|
||||
|
||||
- name: Sign images
|
||||
uses: sigstore/cosign-installer@main
|
||||
with:
|
||||
cosign-release: 'v1.4.1'
|
||||
|
||||
# Use cosign to sign the images
|
||||
- env:
|
||||
COSIGN_EXPERIMENTAL: "true"
|
||||
run: |
|
||||
export KMS_VAL=gcpkms://projects/kaniko-project/locations/global/keyRings/cosign/cryptoKeys/cosign
|
||||
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor@${{ steps.build-and-push.outputs.digest }}
|
||||
cosign sign gcr.io/kaniko-project/executor@${{ steps.build-and-push.outputs.digest }}
|
||||
|
||||
build-debug:
|
||||
permissions:
|
||||
# Read the repo contents
|
||||
contents: read
|
||||
# Produce identity token for keyless signing
|
||||
id-token: write
|
||||
|
||||
env:
|
||||
GITHUB_SHA: ${{ github.sha }}
|
||||
GITHUB_REF: ${{ github.ref }}
|
||||
PLATFORMS: "linux/amd64,linux/arm64"
|
||||
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Clone source code
|
||||
uses: actions/checkout@v2
|
||||
|
||||
- name: Get the tags
|
||||
id: vars
|
||||
run: echo ::set-output name=tag::${GITHUB_REF/refs\/tags\//}
|
||||
|
||||
- name: Set up QEMU
|
||||
uses: docker/setup-qemu-action@v1
|
||||
with:
|
||||
platforms: ${{ env.PLATFORMS }}
|
||||
|
||||
- name: Cache Docker layers
|
||||
uses: actions/cache@v2
|
||||
with:
|
||||
path: /tmp/.buildx-cache
|
||||
key: ${{ runner.os }}-buildx-${{ github.sha }}
|
||||
restore-keys: |
|
||||
${{ runner.os }}-buildx-
|
||||
|
||||
- name: Set up Docker Buildx
|
||||
id: buildx
|
||||
uses: docker/setup-buildx-action@v1
|
||||
with:
|
||||
version: latest
|
||||
|
||||
- name: Setup gcloud CLI
|
||||
uses: google-github-actions/setup-gcloud@master
|
||||
with:
|
||||
service_account_key: ${{ secrets.GCR_DEVOPS_SERVICE_ACCOUNT_KEY }}
|
||||
project_id: kaniko-project
|
||||
export_default_credentials: true
|
||||
|
||||
# Configure docker to use the gcloud command-line tool as a credential helper
|
||||
- run: |
|
||||
# Set up docker to authenticate
|
||||
# via gcloud command-line tool.
|
||||
gcloud auth configure-docker
|
||||
|
||||
- uses: docker/build-push-action@v2
|
||||
id: build-and-push
|
||||
with:
|
||||
context: .
|
||||
file: ./deploy/Dockerfile_debug
|
||||
platforms: ${{ env.PLATFORMS }}
|
||||
push: true
|
||||
tags: |
|
||||
gcr.io/kaniko-project/executor:${{ env.GITHUB_SHA }}-debug
|
||||
gcr.io/kaniko-project/executor:${{ steps.vars.outputs.tag }}-debug
|
||||
gcr.io/kaniko-project/executor:debug
|
||||
|
||||
- name: Sign images
|
||||
uses: sigstore/cosign-installer@main
|
||||
with:
|
||||
cosign-release: 'v1.4.1'
|
||||
|
||||
# Use cosign to sign the images
|
||||
- env:
|
||||
COSIGN_EXPERIMENTAL: "true"
|
||||
run: |
|
||||
export KMS_VAL=gcpkms://projects/kaniko-project/locations/global/keyRings/cosign/cryptoKeys/cosign
|
||||
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor@${{ steps.build-and-push.outputs.digest }}
|
||||
cosign sign gcr.io/kaniko-project/executor@${{ steps.build-and-push.outputs.digest }}
|
||||
|
||||
build-warmer:
|
||||
permissions:
|
||||
# Read the repo contents
|
||||
contents: read
|
||||
# Produce identity token for keyless signing
|
||||
id-token: write
|
||||
|
||||
env:
|
||||
GITHUB_SHA: ${{ github.sha }}
|
||||
GITHUB_REF: ${{ github.ref }}
|
||||
PLATFORMS: "linux/amd64,linux/arm64"
|
||||
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Clone source code
|
||||
uses: actions/checkout@v2
|
||||
|
||||
- name: Get the tags
|
||||
id: vars
|
||||
run: echo ::set-output name=tag::${GITHUB_REF/refs\/tags\//}
|
||||
|
||||
- name: Set up QEMU
|
||||
uses: docker/setup-qemu-action@v1
|
||||
with:
|
||||
platforms: ${{ env.PLATFORMS }}
|
||||
|
||||
- name: Cache Docker layers
|
||||
uses: actions/cache@v2
|
||||
with:
|
||||
path: /tmp/.buildx-cache
|
||||
key: ${{ runner.os }}-buildx-${{ github.sha }}
|
||||
restore-keys: |
|
||||
${{ runner.os }}-buildx-
|
||||
|
||||
- name: Set up Docker Buildx
|
||||
id: buildx
|
||||
uses: docker/setup-buildx-action@v1
|
||||
with:
|
||||
version: latest
|
||||
|
||||
- name: Setup gcloud CLI
|
||||
uses: google-github-actions/setup-gcloud@master
|
||||
with:
|
||||
service_account_key: ${{ secrets.GCR_DEVOPS_SERVICE_ACCOUNT_KEY }}
|
||||
project_id: kaniko-project
|
||||
export_default_credentials: true
|
||||
|
||||
# Configure docker to use the gcloud command-line tool as a credential helper
|
||||
- run: |
|
||||
# Set up docker to authenticate
|
||||
# via gcloud command-line tool.
|
||||
gcloud auth configure-docker
|
||||
|
||||
- uses: docker/build-push-action@v2
|
||||
id: build-and-push
|
||||
with:
|
||||
context: .
|
||||
file: ./deploy/Dockerfile_warmer
|
||||
platforms: ${{ env.PLATFORMS }}
|
||||
push: true
|
||||
tags: |
|
||||
gcr.io/kaniko-project/warmer:${{ env.GITHUB_SHA }}
|
||||
gcr.io/kaniko-project/warmer:${{ steps.vars.outputs.tag }}
|
||||
gcr.io/kaniko-project/warmer:latest
|
||||
|
||||
- name: Sign images
|
||||
uses: sigstore/cosign-installer@main
|
||||
with:
|
||||
cosign-release: 'v1.4.1'
|
||||
|
||||
# Use cosign to sign the images
|
||||
- env:
|
||||
COSIGN_EXPERIMENTAL: "true"
|
||||
run: |
|
||||
export KMS_VAL=gcpkms://projects/kaniko-project/locations/global/keyRings/cosign/cryptoKeys/cosign
|
||||
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/warmer@${{ steps.build-and-push.outputs.digest }}
|
||||
cosign sign gcr.io/kaniko-project/warmer@${{ steps.build-and-push.outputs.digest }}
|
||||
|
||||
build-slim:
|
||||
permissions:
|
||||
# Read the repo contents
|
||||
contents: read
|
||||
# Produce identity token for keyless signing
|
||||
id-token: write
|
||||
|
||||
env:
|
||||
GITHUB_SHA: ${{ github.sha }}
|
||||
GITHUB_REF: ${{ github.ref }}
|
||||
PLATFORMS: "linux/amd64,linux/arm64,linux/s390x,linux/ppc64le"
|
||||
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Clone source code
|
||||
uses: actions/checkout@v2
|
||||
|
||||
- name: Get the tags
|
||||
id: vars
|
||||
run: echo ::set-output name=tag::${GITHUB_REF/refs\/tags\//}
|
||||
|
||||
- name: Set up QEMU
|
||||
uses: docker/setup-qemu-action@v1
|
||||
with:
|
||||
platforms: ${{ env.PLATFORMS }}
|
||||
|
||||
- name: Cache Docker layers
|
||||
uses: actions/cache@v2
|
||||
with:
|
||||
path: /tmp/.buildx-cache
|
||||
key: ${{ runner.os }}-buildx-${{ github.sha }}
|
||||
restore-keys: |
|
||||
${{ runner.os }}-buildx-
|
||||
|
||||
- name: Set up Docker Buildx
|
||||
id: buildx
|
||||
uses: docker/setup-buildx-action@v1
|
||||
with:
|
||||
version: latest
|
||||
|
||||
- name: Setup gcloud CLI
|
||||
uses: google-github-actions/setup-gcloud@master
|
||||
with:
|
||||
service_account_key: ${{ secrets.GCR_DEVOPS_SERVICE_ACCOUNT_KEY }}
|
||||
project_id: kaniko-project
|
||||
export_default_credentials: true
|
||||
|
||||
# Configure docker to use the gcloud command-line tool as a credential helper
|
||||
- run: |
|
||||
# Set up docker to authenticate
|
||||
# via gcloud command-line tool.
|
||||
gcloud auth configure-docker
|
||||
|
||||
- uses: docker/build-push-action@v2
|
||||
id: build-and-push
|
||||
with:
|
||||
context: .
|
||||
file: ./deploy/Dockerfile_slim
|
||||
platforms: ${{ env.PLATFORMS }}
|
||||
push: true
|
||||
tags: |
|
||||
gcr.io/kaniko-project/executor:${{ env.GITHUB_SHA }}-slim
|
||||
gcr.io/kaniko-project/executor:${{ steps.vars.outputs.tag }}-slim
|
||||
gcr.io/kaniko-project/executor:slim
|
||||
|
||||
- name: Sign images
|
||||
uses: sigstore/cosign-installer@main
|
||||
with:
|
||||
cosign-release: 'v1.4.1'
|
||||
|
||||
# Use cosign to sign the images
|
||||
- env:
|
||||
COSIGN_EXPERIMENTAL: "true"
|
||||
run: |
|
||||
export KMS_VAL=gcpkms://projects/kaniko-project/locations/global/keyRings/cosign/cryptoKeys/cosign
|
||||
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor@${{ steps.build-and-push.outputs.digest }}
|
||||
cosign sign gcr.io/kaniko-project/executor@${{ steps.build-and-push.outputs.digest }}
|
||||
Loading…
Reference in New Issue