From 7a0278712b29bf922023a66b136f3349f600258b Mon Sep 17 00:00:00 2001
From: Jason Hall
Date: Sat, 18 Dec 2021 01:03:51 -0500
Subject: [PATCH] WIP: consolidate PR and real release workflows

- push and sign an image tagged for every push to the repo (e.g., merged PRs)
- push and sign for tag pushes, with release tags
- build but don't push for opened PRs

WIP because I need to test more with the tag flow, but pushes worked in my fork.
---
.github/workflows/images.yaml | 100 ++++++++++
.github/workflows/pr_release.yaml | 61 ------
.github/workflows/release.yaml | 319 ------------------------------
3 files changed, 100 insertions(+), 380 deletions(-)
create mode 100644 .github/workflows/images.yaml
delete mode 100644 .github/workflows/pr_release.yaml
delete mode 100644 .github/workflows/release.yaml

diff --git a/.github/workflows/images.yaml b/.github/workflows/images.yaml
new file mode 100644
index 0000000000..0dc193c864
--- /dev/null
+++ b/.github/workflows/images.yaml
@@ -0,0 +1,100 @@
+name: Build images
+
+on:
+ pull_request:
+ branches: ['master']
+ push:
+ branches: ['master']
+ tags: ['v[0-9]+.[0-9]+.[0-9]+*']
+
+concurrency:
+ group: release-images-${{ github.head_ref }}
+ cancel-in-progress: true
+
+jobs:
+ build-images:
+ permissions:
+ contents: read # Read the repo contents.
+ id-token: write # Produce identity token for keyless signing.
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ matrix:
+ image:
+ - executor
+ - executor-debug
+ - executor-slim
+ - warmer
+
+ include:
+ - image: executor
+ dockerfile: ./deploy/Dockerfile
+ platforms: linux/amd64,linux/arm64
+ name: gcr.io/kaniko-project/executor:${{ github.sha }}
+
+ - image: executor-debug
+ dockerfile: ./deploy/Dockerfile_debug
+ platforms: linux/amd64,linux/arm64
+ name: gcr.io/kaniko-project/executor:${{ github.sha }}-debug
+
+ - image: executor-slim
+ dockerfile: ./deploy/Dockerfile_slim
+ platforms: linux/amd64,linux/arm64,linux/s390x,linux/ppc64le
+ name: gcr.io/kaniko-project/executor:${{ github.sha }}-slim
+
+ - image: warmer
+ dockerfile: ./deploy/Dockerfile_warmer
+ name: gcr.io/kaniko-project/warmer:${{ github.sha }}
+ platforms: linux/amd64,linux/arm64
+
+ steps:
+ - uses: actions/checkout@v2
+
+ # Setup auth if not a PR.
+ - if: github.event_name != 'pull_request'
+ uses: google-github-actions/setup-gcloud@master
+ with:
+ service_account_key: ${{ secrets.GCR_DEVOPS_SERVICE_ACCOUNT_KEY }}
+ project_id: kaniko-project
+ export_default_credentials: true
+ - if: github.event_name != 'pull_request'
+ run: gcloud auth configure-docker
+
+ # Build and push with Docker.
+ - uses: docker/setup-qemu-action@v1
+ with:
+ platforms: ${{ matrix.platforms }}
+ - uses: docker/setup-buildx-action@v1
+ - uses: docker/build-push-action@v2
+ id: build-and-push
+ with:
+ context: .
+ file: ${{ matrix.dockerfile }}
+ platforms: ${{ matrix.platforms }}
+ push: ${{ github.event_name != 'pull_request' }} # Only push if not a PR.
+ tags: ${{ matrix.name }}
+ # https://github.com/docker/build-push-action/blob/master/docs/advanced/cache.md#github-cache
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+
+ # Sign images if not a PR.
+ - if: github.event_name != 'pull_request'
+ uses: sigstore/cosign-installer@main
+ with:
+ cosign-release: 'v1.4.1'
+ - if: github.event_name != 'pull_request'
+ env:
+ COSIGN_EXPERIMENTAL: "true"
+ run: |
+ #export KMS_VAL=gcpkms://projects/kaniko-project/locations/global/keyRings/cosign/cryptoKeys/cosign
+ #cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor@${{ steps.build-and-push.outputs.digest }}
+ cosign sign ${{ matrix.name }}@${{ steps.build-and-push.outputs.digest }}
+
+ # If a tag push, use crane to add the image tag.
+ - if: startsWith(github.ref, 'refs/tags/v')
+ uses: imjasonh/setup-crane@v0.1
+ - if: startsWith(github.ref, 'refs/tags/v')
+ name: Apply release tag
+ run: |
+ crane cp ${{ matrix.name }}@${{ steps.build-and-push.outputs.digest }} \
+ ${{ matrix.name }}:${GITHUB_REF/refs\/tags\//}
diff --git a/.github/workflows/pr_release.yaml b/.github/workflows/pr_release.yaml
deleted file mode 100644
index e71e4a25b9..0000000000
--- a/.github/workflows/pr_release.yaml
+++ /dev/null
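Review bot: `group: release-images-${{ github.head_ref }}` puts every non-PR run into one shared group, because `github.head_ref` is only populated for pull_request events; combined with `cancel-in-progress: true`, a push to master can cancel a tag build that has already pushed its image but not yet reached the cosign step, leaving a pushed-but-unsigned image. Use `group: release-images-${{ github.head_ref || github.ref }}` so each PR, branch and tag gets its own group. The steps that consume `secrets.GCR_DEVOPS_SERVICE_ACCOUNT_KEY` and the `id-token: write` OIDC token are taken from mutable refs (`setup-gcloud@master`, `cosign-installer@main`); pin them to a release tag or commit SHA, as the docker/* and setup-crane steps already are. The KMS signing from the removed release.yaml survives only as the two commented-out lines in the sign step, so releases are now signed solely through the keyless flow; if any consumer verifies against the KMS public key that is a behaviour change worth stating in the description rather than leaving as dead comments.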
@@ -1,61 +0,0 @@ -name: Build images on pull requests - -on: [pull_request] - -concurrency: - group: release-images-${{ github.head_ref }} - cancel-in-progress: true - -jobs: - build-images: - env: - PLATFORMS: "linux/amd64,linux/arm64,linux/s390x,linux/ppc64le" - runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - image: - - executor - - executor-debug - - executor-slim - - warmer - - include: - - image: executor - dockerfile: ./deploy/Dockerfile - platforms: linux/amd64,linux/arm64 - name: gcr.io/kaniko-project/executor:${{ github.sha }} - - - image: executor-debug - dockerfile: ./deploy/Dockerfile_debug - platforms: linux/amd64,linux/arm64 - name: gcr.io/kaniko-project/executor:${{ github.sha }}-debug - - - image: executor-slim - dockerfile: ./deploy/Dockerfile_slim - platforms: linux/amd64,linux/arm64,linux/s390x,linux/ppc64le - name: gcr.io/kaniko-project/executor:${{ github.sha }}-slim - - - image: warmer - dockerfile: ./deploy/Dockerfile_warmer - name: gcr.io/kaniko-project/warmer:${{ github.sha }} - platforms: linux/amd64,linux/arm64 - - steps: - - uses: actions/checkout@v2 - - - uses: docker/setup-qemu-action@v1 - with: - platforms: ${{ matrix.platforms }} - - - uses: docker/setup-buildx-action@v1 - - - uses: docker/build-push-action@v2 - with: - context: . - file: ${{ matrix.dockerfile }} - platforms: ${{ matrix.platforms }} - tags: ${{ matrix.name }} - # https://github.com/docker/build-push-action/blob/master/docs/advanced/cache.md#github-cache - cache-from: type=gha - cache-to: type=gha,mode=max diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml deleted file mode 100644 index b2d2cc8b45..0000000000 --- a/.github/workflows/release.yaml +++ /dev/null 
@@ -1,319 +0,0 @@ -name: Build images on push to master - -on: - push: - tags: - - 'v[0-9]+.[0-9]+.[0-9]+*' - -jobs: - build-executor: - permissions: - # Read the repo contents - contents: read - # Produce identity token for keyless signing - id-token: write - - env: - GITHUB_SHA: ${{ github.sha }} - GITHUB_REF: ${{ github.ref }} - PLATFORMS: "linux/amd64,linux/arm64" - - runs-on: ubuntu-latest - steps: - - name: Clone source code - uses: actions/checkout@v2 - - - name: Get the tags - id: vars - run: echo ::set-output name=tag::${GITHUB_REF/refs\/tags\//} - - - name: Set up QEMU - uses: docker/setup-qemu-action@v1 - with: - platforms: ${{ env.PLATFORMS }} - - - name: Cache Docker layers - uses: actions/cache@v2 - with: - path: /tmp/.buildx-cache - key: ${{ runner.os }}-buildx-${{ github.sha }} - restore-keys: | - ${{ runner.os }}-buildx- - - - name: Set up Docker Buildx - id: buildx - uses: docker/setup-buildx-action@v1 - with: - version: latest - - - name: Setup gcloud CLI - uses: google-github-actions/setup-gcloud@master - with: - service_account_key: ${{ secrets.GCR_DEVOPS_SERVICE_ACCOUNT_KEY }} - project_id: kaniko-project - export_default_credentials: true - - # Configure docker to use the gcloud command-line tool as a credential helper - - run: | - # Set up docker to authenticate - # via gcloud command-line tool. - gcloud auth configure-docker - - - uses: docker/build-push-action@v2 - id: build-and-push - with: - context: . 
- file: ./deploy/Dockerfile - platforms: ${{ env.PLATFORMS }} - push: true - tags: | - gcr.io/kaniko-project/executor:${{ env.GITHUB_SHA }} - gcr.io/kaniko-project/executor:${{ steps.vars.outputs.tag }} - gcr.io/kaniko-project/executor:latest - - - name: Sign images - uses: sigstore/cosign-installer@main - with: - cosign-release: 'v1.4.1' - - # Use cosign to sign the images - - env: - COSIGN_EXPERIMENTAL: "true" - run: | - export KMS_VAL=gcpkms://projects/kaniko-project/locations/global/keyRings/cosign/cryptoKeys/cosign - cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor@${{ steps.build-and-push.outputs.digest }} - cosign sign gcr.io/kaniko-project/executor@${{ steps.build-and-push.outputs.digest }} - - build-debug: - permissions: - # Read the repo contents - contents: read - # Produce identity token for keyless signing - id-token: write - - env: - GITHUB_SHA: ${{ github.sha }} - GITHUB_REF: ${{ github.ref }} - PLATFORMS: "linux/amd64,linux/arm64" - - runs-on: ubuntu-latest - steps: - - name: Clone source code - uses: actions/checkout@v2 - - - name: Get the tags - id: vars - run: echo ::set-output name=tag::${GITHUB_REF/refs\/tags\//} - - - name: Set up QEMU - uses: docker/setup-qemu-action@v1 - with: - platforms: ${{ env.PLATFORMS }} - - - name: Cache Docker layers - uses: actions/cache@v2 - with: - path: /tmp/.buildx-cache - key: ${{ runner.os }}-buildx-${{ github.sha }} - restore-keys: | - ${{ runner.os }}-buildx- - - - name: Set up Docker Buildx - id: buildx - uses: docker/setup-buildx-action@v1 - with: - version: latest - - - name: Setup gcloud CLI - uses: google-github-actions/setup-gcloud@master - with: - service_account_key: ${{ secrets.GCR_DEVOPS_SERVICE_ACCOUNT_KEY }} - project_id: kaniko-project - export_default_credentials: true - - # Configure docker to use the gcloud command-line tool as a credential helper - - run: | - # Set up docker to authenticate - # via gcloud command-line tool. 
- gcloud auth configure-docker - - - uses: docker/build-push-action@v2 - id: build-and-push - with: - context: . - file: ./deploy/Dockerfile_debug - platforms: ${{ env.PLATFORMS }} - push: true - tags: | - gcr.io/kaniko-project/executor:${{ env.GITHUB_SHA }}-debug - gcr.io/kaniko-project/executor:${{ steps.vars.outputs.tag }}-debug - gcr.io/kaniko-project/executor:debug - - - name: Sign images - uses: sigstore/cosign-installer@main - with: - cosign-release: 'v1.4.1' - - # Use cosign to sign the images - - env: - COSIGN_EXPERIMENTAL: "true" - run: | - export KMS_VAL=gcpkms://projects/kaniko-project/locations/global/keyRings/cosign/cryptoKeys/cosign - cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor@${{ steps.build-and-push.outputs.digest }} - cosign sign gcr.io/kaniko-project/executor@${{ steps.build-and-push.outputs.digest }} - - build-warmer: - permissions: - # Read the repo contents - contents: read - # Produce identity token for keyless signing - id-token: write - - env: - GITHUB_SHA: ${{ github.sha }} - GITHUB_REF: ${{ github.ref }} - PLATFORMS: "linux/amd64,linux/arm64" - - runs-on: ubuntu-latest - steps: - - name: Clone source code - uses: actions/checkout@v2 - - - name: Get the tags - id: vars - run: echo ::set-output name=tag::${GITHUB_REF/refs\/tags\//} - - - name: Set up QEMU - uses: docker/setup-qemu-action@v1 - with: - platforms: ${{ env.PLATFORMS }} - - - name: Cache Docker layers - uses: actions/cache@v2 - with: - path: /tmp/.buildx-cache - key: ${{ runner.os }}-buildx-${{ github.sha }} - restore-keys: | - ${{ runner.os }}-buildx- - - - name: Set up Docker Buildx - id: buildx - uses: docker/setup-buildx-action@v1 - with: - version: latest - - - name: Setup gcloud CLI - uses: google-github-actions/setup-gcloud@master - with: - service_account_key: ${{ secrets.GCR_DEVOPS_SERVICE_ACCOUNT_KEY }} - project_id: kaniko-project - export_default_credentials: true - - # Configure docker to use the gcloud command-line tool as a credential helper - - run: 
| - # Set up docker to authenticate - # via gcloud command-line tool. - gcloud auth configure-docker - - - uses: docker/build-push-action@v2 - id: build-and-push - with: - context: . - file: ./deploy/Dockerfile_warmer - platforms: ${{ env.PLATFORMS }} - push: true - tags: | - gcr.io/kaniko-project/warmer:${{ env.GITHUB_SHA }} - gcr.io/kaniko-project/warmer:${{ steps.vars.outputs.tag }} - gcr.io/kaniko-project/warmer:latest - - - name: Sign images - uses: sigstore/cosign-installer@main - with: - cosign-release: 'v1.4.1' - - # Use cosign to sign the images - - env: - COSIGN_EXPERIMENTAL: "true" - run: | - export KMS_VAL=gcpkms://projects/kaniko-project/locations/global/keyRings/cosign/cryptoKeys/cosign - cosign sign -kms $KMS_VAL gcr.io/kaniko-project/warmer@${{ steps.build-and-push.outputs.digest }} - cosign sign gcr.io/kaniko-project/warmer@${{ steps.build-and-push.outputs.digest }} - - build-slim: - permissions: - # Read the repo contents - contents: read - # Produce identity token for keyless signing - id-token: write - - env: - GITHUB_SHA: ${{ github.sha }} - GITHUB_REF: ${{ github.ref }} - PLATFORMS: "linux/amd64,linux/arm64,linux/s390x,linux/ppc64le" - - runs-on: ubuntu-latest - steps: - - name: Clone source code - uses: actions/checkout@v2 - - - name: Get the tags - id: vars - run: echo ::set-output name=tag::${GITHUB_REF/refs\/tags\//} - - - name: Set up QEMU - uses: docker/setup-qemu-action@v1 - with: - platforms: ${{ env.PLATFORMS }} - - - name: Cache Docker layers - uses: actions/cache@v2 - with: - path: /tmp/.buildx-cache - key: ${{ runner.os }}-buildx-${{ github.sha }} - restore-keys: | - ${{ runner.os }}-buildx- - - - name: Set up Docker Buildx - id: buildx - uses: docker/setup-buildx-action@v1 - with: - version: latest - - - name: Setup gcloud CLI - uses: google-github-actions/setup-gcloud@master - with: - service_account_key: ${{ secrets.GCR_DEVOPS_SERVICE_ACCOUNT_KEY }} - project_id: kaniko-project - export_default_credentials: true - - # Configure 
docker to use the gcloud command-line tool as a credential helper - - run: | - # Set up docker to authenticate - # via gcloud command-line tool. - gcloud auth configure-docker - - - uses: docker/build-push-action@v2 - id: build-and-push - with: - context: . - file: ./deploy/Dockerfile_slim - platforms: ${{ env.PLATFORMS }} - push: true - tags: | - gcr.io/kaniko-project/executor:${{ env.GITHUB_SHA }}-slim - gcr.io/kaniko-project/executor:${{ steps.vars.outputs.tag }}-slim - gcr.io/kaniko-project/executor:slim - - - name: Sign images - uses: sigstore/cosign-installer@main - with: - cosign-release: 'v1.4.1' - - # Use cosign to sign the images - - env: - COSIGN_EXPERIMENTAL: "true" - run: | - export KMS_VAL=gcpkms://projects/kaniko-project/locations/global/keyRings/cosign/cryptoKeys/cosign - cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor@${{ steps.build-and-push.outputs.digest }} - cosign sign gcr.io/kaniko-project/executor@${{ steps.build-and-push.outputs.digest }}