public_git
/
kaniko
mirror of https://github.com/GoogleContainerTools/kaniko
1
0
Fork 0
Code Issues Releases Wiki Activity

Consolidate PR and real release workflows (#1845) 

* WIP: consolidate PR and real release workflows

- push and sign an image tagged for every push to the repo (e.g., merged PRs)
- push and sign for tag pushes, with release tags
- build but don't push for opened PRs

WIP because I need to test more with the tag flow, but pushes worked in
my fork.

* apply release tags, uncomment kms stuff

* Tag images correctly during releases

* review feedback
This commit is contained in:
Jason Hall 2021-12-20 22:02:12 -05:00 committed by GitHub
parent f694212385
commit 6e500ecad9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 111 additions and 380 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

111
.github/workflows/images.yaml vendored Normal file
View File

@ -0,0 +1,111 @@
name: Build images
on:
pull_request:
branches: ['master']
push:
branches: ['master']
tags: ['v[0-9]+.[0-9]+.[0-9]+*']
concurrency:
group: release-images-${{ github.head_ref }}
cancel-in-progress: true
jobs:
build-images:
permissions:
contents: read # Read the repo contents.
id-token: write # Produce identity token for keyless signing.
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
image:
- executor
- executor-debug
- executor-slim
- warmer
include:
- image: executor
dockerfile: ./deploy/Dockerfile
platforms: linux/amd64,linux/arm64
image-name: gcr.io/kaniko-project/executor
tag: ${{ github.sha }}
release-tag: latest
- image: executor-debug
dockerfile: ./deploy/Dockerfile_debug
platforms: linux/amd64,linux/arm64
image-name: gcr.io/kaniko-project/executor
tag: ${{ github.sha }}-debug
release_tag: debug
- image: executor-slim
dockerfile: ./deploy/Dockerfile_slim
platforms: linux/amd64,linux/arm64,linux/s390x,linux/ppc64le
image-name: gcr.io/kaniko-project/executor
tag: ${{ github.sha }}-slim
release-tag: slim
- image: warmer
dockerfile: ./deploy/Dockerfile_warmer
platforms: linux/amd64,linux/arm64
image-name: gcr.io/kaniko-project/warmer
tag: ${{ github.sha }}
release-tag: latest
steps:
- uses: actions/checkout@v2
# Setup auth if not a PR.
- if: github.event_name != 'pull_request'
uses: google-github-actions/setup-gcloud@master
with:
service_account_key: ${{ secrets.GCR_DEVOPS_SERVICE_ACCOUNT_KEY }}
project_id: kaniko-project
export_default_credentials: true
- if: github.event_name != 'pull_request'
run: gcloud auth configure-docker
# Build and push with Docker.
- uses: docker/setup-qemu-action@v1
with:
platforms: ${{ matrix.platforms }}
- uses: docker/setup-buildx-action@v1
- uses: docker/build-push-action@v2
id: build-and-push
with:
context: .
file: ${{ matrix.dockerfile }}
platforms: ${{ matrix.platforms }}
push: ${{ github.event_name != 'pull_request' }} # Only push if not a PR.
tags: ${{ matrix.image-name }}:${{ matrix.tag }}
# https://github.com/docker/build-push-action/blob/master/docs/advanced/cache.md#github-cache
cache-from: type=gha
cache-to: type=gha,mode=max
# Sign images if not a PR.
- if: github.event_name != 'pull_request'
uses: sigstore/cosign-installer@main
with:
cosign-release: 'v1.4.1'
- if: github.event_name != 'pull_request'
env:
COSIGN_EXPERIMENTAL: "true"
run: |
cosign sign \
--kms gcpkms://projects/kaniko-project/locations/global/keyRings/cosign/cryptoKeys/cosign \
${{ matrix.image-name }}@${{ steps.build-and-push.outputs.digest }}
cosign sign ${{ matrix.image-name }}@${{ steps.build-and-push.outputs.digest }}
# If a tag push, use crane to add more tags.
- if: startsWith(github.ref, 'refs/tags/v')
uses: imjasonh/setup-crane@v0.1
- if: startsWith(github.ref, 'refs/tags/v')
name: Apply release tags
run: |
crane cp ${{ matrix.image-name }}@${{ steps.build-and-push.outputs.digest }} \
${{ matrix.image-name }}:${GITHUB_REF/refs\/tags\//}
crane cp ${{ matrix.image-name }}@${{ steps.build-and-push.outputs.digest }} \
${{ matrix.image-name }}:${{ matrix.release-tag }}

61
.github/workflows/pr_release.yaml vendored
View File

@ -1,61 +0,0 @@
name: Build images on pull requests
on: [pull_request]
concurrency:
group: release-images-${{ github.head_ref }}
cancel-in-progress: true
jobs:
build-images:
env:
PLATFORMS: "linux/amd64,linux/arm64,linux/s390x,linux/ppc64le"
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
image:
- executor
- executor-debug
- executor-slim
- warmer
include:
- image: executor
dockerfile: ./deploy/Dockerfile
platforms: linux/amd64,linux/arm64
name: gcr.io/kaniko-project/executor:${{ github.sha }}
- image: executor-debug
dockerfile: ./deploy/Dockerfile_debug
platforms: linux/amd64,linux/arm64
name: gcr.io/kaniko-project/executor:${{ github.sha }}-debug
- image: executor-slim
dockerfile: ./deploy/Dockerfile_slim
platforms: linux/amd64,linux/arm64,linux/s390x,linux/ppc64le
name: gcr.io/kaniko-project/executor:${{ github.sha }}-slim
- image: warmer
dockerfile: ./deploy/Dockerfile_warmer
name: gcr.io/kaniko-project/warmer:${{ github.sha }}
platforms: linux/amd64,linux/arm64
steps:
- uses: actions/checkout@v2
- uses: docker/setup-qemu-action@v1
with:
platforms: ${{ matrix.platforms }}
- uses: docker/setup-buildx-action@v1
- uses: docker/build-push-action@v2
with:
context: .
file: ${{ matrix.dockerfile }}
platforms: ${{ matrix.platforms }}
tags: ${{ matrix.name }}
# https://github.com/docker/build-push-action/blob/master/docs/advanced/cache.md#github-cache
cache-from: type=gha
cache-to: type=gha,mode=max

319
.github/workflows/release.yaml vendored
View File

@ -1,319 +0,0 @@
name: Build images on push to master
on:
push:
tags:
- 'v[0-9]+.[0-9]+.[0-9]+*'
jobs:
build-executor:
permissions:
# Read the repo contents
contents: read
# Produce identity token for keyless signing
id-token: write
env:
GITHUB_SHA: ${{ github.sha }}
GITHUB_REF: ${{ github.ref }}
PLATFORMS: "linux/amd64,linux/arm64"
runs-on: ubuntu-latest
steps:
- name: Clone source code
uses: actions/checkout@v2
- name: Get the tags
id: vars
run: echo ::set-output name=tag::${GITHUB_REF/refs\/tags\//}
- name: Set up QEMU
uses: docker/setup-qemu-action@v1
with:
platforms: ${{ env.PLATFORMS }}
- name: Cache Docker layers
uses: actions/cache@v2
with:
path: /tmp/.buildx-cache
key: ${{ runner.os }}-buildx-${{ github.sha }}
restore-keys: |
${{ runner.os }}-buildx-
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@v1
with:
version: latest
- name: Setup gcloud CLI
uses: google-github-actions/setup-gcloud@master
with:
service_account_key: ${{ secrets.GCR_DEVOPS_SERVICE_ACCOUNT_KEY }}
project_id: kaniko-project
export_default_credentials: true
# Configure docker to use the gcloud command-line tool as a credential helper
- run: |
# Set up docker to authenticate
# via gcloud command-line tool.
gcloud auth configure-docker
- uses: docker/build-push-action@v2
id: build-and-push
with:
context: .
file: ./deploy/Dockerfile
platforms: ${{ env.PLATFORMS }}
push: true
tags: |
gcr.io/kaniko-project/executor:${{ env.GITHUB_SHA }}
gcr.io/kaniko-project/executor:${{ steps.vars.outputs.tag }}
gcr.io/kaniko-project/executor:latest
- name: Sign images
uses: sigstore/cosign-installer@main
with:
cosign-release: 'v1.4.1'
# Use cosign to sign the images
- env:
COSIGN_EXPERIMENTAL: "true"
run: |
export KMS_VAL=gcpkms://projects/kaniko-project/locations/global/keyRings/cosign/cryptoKeys/cosign
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor@${{ steps.build-and-push.outputs.digest }}
cosign sign gcr.io/kaniko-project/executor@${{ steps.build-and-push.outputs.digest }}
build-debug:
permissions:
# Read the repo contents
contents: read
# Produce identity token for keyless signing
id-token: write
env:
GITHUB_SHA: ${{ github.sha }}
GITHUB_REF: ${{ github.ref }}
PLATFORMS: "linux/amd64,linux/arm64"
runs-on: ubuntu-latest
steps:
- name: Clone source code
uses: actions/checkout@v2
- name: Get the tags
id: vars
run: echo ::set-output name=tag::${GITHUB_REF/refs\/tags\//}
- name: Set up QEMU
uses: docker/setup-qemu-action@v1
with:
platforms: ${{ env.PLATFORMS }}
- name: Cache Docker layers
uses: actions/cache@v2
with:
path: /tmp/.buildx-cache
key: ${{ runner.os }}-buildx-${{ github.sha }}
restore-keys: |
${{ runner.os }}-buildx-
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@v1
with:
version: latest
- name: Setup gcloud CLI
uses: google-github-actions/setup-gcloud@master
with:
service_account_key: ${{ secrets.GCR_DEVOPS_SERVICE_ACCOUNT_KEY }}
project_id: kaniko-project
export_default_credentials: true
# Configure docker to use the gcloud command-line tool as a credential helper
- run: |
# Set up docker to authenticate
# via gcloud command-line tool.
gcloud auth configure-docker
- uses: docker/build-push-action@v2
id: build-and-push
with:
context: .
file: ./deploy/Dockerfile_debug
platforms: ${{ env.PLATFORMS }}
push: true
tags: |
gcr.io/kaniko-project/executor:${{ env.GITHUB_SHA }}-debug
gcr.io/kaniko-project/executor:${{ steps.vars.outputs.tag }}-debug
gcr.io/kaniko-project/executor:debug
- name: Sign images
uses: sigstore/cosign-installer@main
with:
cosign-release: 'v1.4.1'
# Use cosign to sign the images
- env:
COSIGN_EXPERIMENTAL: "true"
run: |
export KMS_VAL=gcpkms://projects/kaniko-project/locations/global/keyRings/cosign/cryptoKeys/cosign
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor@${{ steps.build-and-push.outputs.digest }}
cosign sign gcr.io/kaniko-project/executor@${{ steps.build-and-push.outputs.digest }}
build-warmer:
permissions:
# Read the repo contents
contents: read
# Produce identity token for keyless signing
id-token: write
env:
GITHUB_SHA: ${{ github.sha }}
GITHUB_REF: ${{ github.ref }}
PLATFORMS: "linux/amd64,linux/arm64"
runs-on: ubuntu-latest
steps:
- name: Clone source code
uses: actions/checkout@v2
- name: Get the tags
id: vars
run: echo ::set-output name=tag::${GITHUB_REF/refs\/tags\//}
- name: Set up QEMU
uses: docker/setup-qemu-action@v1
with:
platforms: ${{ env.PLATFORMS }}
- name: Cache Docker layers
uses: actions/cache@v2
with:
path: /tmp/.buildx-cache
key: ${{ runner.os }}-buildx-${{ github.sha }}
restore-keys: |
${{ runner.os }}-buildx-
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@v1
with:
version: latest
- name: Setup gcloud CLI
uses: google-github-actions/setup-gcloud@master
with:
service_account_key: ${{ secrets.GCR_DEVOPS_SERVICE_ACCOUNT_KEY }}
project_id: kaniko-project
export_default_credentials: true
# Configure docker to use the gcloud command-line tool as a credential helper
- run: |
# Set up docker to authenticate
# via gcloud command-line tool.
gcloud auth configure-docker
- uses: docker/build-push-action@v2
id: build-and-push
with:
context: .
file: ./deploy/Dockerfile_warmer
platforms: ${{ env.PLATFORMS }}
push: true
tags: |
gcr.io/kaniko-project/warmer:${{ env.GITHUB_SHA }}
gcr.io/kaniko-project/warmer:${{ steps.vars.outputs.tag }}
gcr.io/kaniko-project/warmer:latest
- name: Sign images
uses: sigstore/cosign-installer@main
with:
cosign-release: 'v1.4.1'
# Use cosign to sign the images
- env:
COSIGN_EXPERIMENTAL: "true"
run: |
export KMS_VAL=gcpkms://projects/kaniko-project/locations/global/keyRings/cosign/cryptoKeys/cosign
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/warmer@${{ steps.build-and-push.outputs.digest }}
cosign sign gcr.io/kaniko-project/warmer@${{ steps.build-and-push.outputs.digest }}
build-slim:
permissions:
# Read the repo contents
contents: read
# Produce identity token for keyless signing
id-token: write
env:
GITHUB_SHA: ${{ github.sha }}
GITHUB_REF: ${{ github.ref }}
PLATFORMS: "linux/amd64,linux/arm64,linux/s390x,linux/ppc64le"
runs-on: ubuntu-latest
steps:
- name: Clone source code
uses: actions/checkout@v2
- name: Get the tags
id: vars
run: echo ::set-output name=tag::${GITHUB_REF/refs\/tags\//}
- name: Set up QEMU
uses: docker/setup-qemu-action@v1
with:
platforms: ${{ env.PLATFORMS }}
- name: Cache Docker layers
uses: actions/cache@v2
with:
path: /tmp/.buildx-cache
key: ${{ runner.os }}-buildx-${{ github.sha }}
restore-keys: |
${{ runner.os }}-buildx-
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@v1
with:
version: latest
- name: Setup gcloud CLI
uses: google-github-actions/setup-gcloud@master
with:
service_account_key: ${{ secrets.GCR_DEVOPS_SERVICE_ACCOUNT_KEY }}
project_id: kaniko-project
export_default_credentials: true
# Configure docker to use the gcloud command-line tool as a credential helper
- run: |
# Set up docker to authenticate
# via gcloud command-line tool.
gcloud auth configure-docker
- uses: docker/build-push-action@v2
id: build-and-push
with:
context: .
file: ./deploy/Dockerfile_slim
platforms: ${{ env.PLATFORMS }}
push: true
tags: |
gcr.io/kaniko-project/executor:${{ env.GITHUB_SHA }}-slim
gcr.io/kaniko-project/executor:${{ steps.vars.outputs.tag }}-slim
gcr.io/kaniko-project/executor:slim
- name: Sign images
uses: sigstore/cosign-installer@main
with:
cosign-release: 'v1.4.1'
# Use cosign to sign the images
- env:
COSIGN_EXPERIMENTAL: "true"
run: |
export KMS_VAL=gcpkms://projects/kaniko-project/locations/global/keyRings/cosign/cryptoKeys/cosign
cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor@${{ steps.build-and-push.outputs.digest }}
cosign sign gcr.io/kaniko-project/executor@${{ steps.build-and-push.outputs.digest }}