diff --git a/.github/workflows/builder-release.yaml b/.github/workflows/builder-release.yaml
index 0b42fb36..7a36352b 100644
--- a/.github/workflows/builder-release.yaml
+++ b/.github/workflows/builder-release.yaml
@@ -7,6 +7,12 @@ on:
 jobs:
 goreleaser:
 runs-on: ubuntu-latest
+
+ permissions:
+ id-token: write
+ packages: write
+ contents: write
+
 steps:
 - name: Checkout Releases Repo
 uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
@@ -27,10 +33,32 @@ jobs:
 repository: "open-telemetry/opentelemetry-collector"
 ref: ${{ github.ref_name }}
 path: ".core"
+ - name: Copy Dockerfile to Core Repo directory
+ run: cp cmd/builder/Dockerfile .core/cmd/builder/Dockerfile
+ - uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
+ - uses: anchore/sbom-action/download-syft@61119d458adab75f756bc0b9e4bde25725f86a7a # v0.17.2
+ - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
+ with:
+ platforms: amd64, arm64,ppc64le
+ - uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
 - name: Setup Go
 uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
 with:
 go-version: ~1.23
+ - name: Log into Docker.io
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+ with:
+ username: ${{ secrets.DOCKER_USERNAME }}
+ password: ${{ secrets.DOCKER_PASSWORD }}
+ - name: Login to GitHub Package Registry
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+ with:
+ registry: ghcr.io
+ username: ${{ github.repository_owner }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+ - shell: bash
+ run: |
+ echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_ENV
 - name: Run GoReleaser
 uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0
 with:
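Review bot: The new job-level `permissions` block carries no explanation, and each grant exists for one specific step further down the job, so a future "tighten permissions" cleanup can drop one and break the release without any hint here. A short comment per key is enough: `id-token: write  # OIDC token for keyless cosign in the GoReleaser signs step`, `packages: write  # push images to ghcr.io`, `contents: write  # create the GitHub release and upload assets`. The keyless-signing reading is inferred from the `--output-certificate` argument in the goreleaser config rather than stated anywhere, so adjust the wording if a key-based flow is intended.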
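Review bot: The unnamed `shell: bash` step writes `sha_short` into `$GITHUB_ENV`, but nothing in this diff reads `env.sha_short` (the GoReleaser step only gets `args`/`env` shown in the next hunk), so it is either dead or relies on a consumer outside the diff; if it stays, give it a `name:` and quote the redirect target, `echo "sha_short=$(git rev-parse --short HEAD)" >> "$GITHUB_ENV"`. The QEMU input `platforms: amd64, arm64,ppc64le` mixes spacing in both this hunk and the matching hunk in builder-testbuild.yaml; the action appears to trim list entries, but `amd64,arm64,ppc64le` does not depend on that. Both login steps and the `.core` checkout are otherwise fine; note the copied Dockerfile ends up in the core checkout at `${{ github.ref_name }}`, which is what `monorepo.dir` in the goreleaser config expects.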
@@ -39,4 +67,6 @@ jobs:
 args: release --clean -f cmd/builder/.goreleaser.yml
 env:
 GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ secrets.GH_PAT }}
+ COSIGN_YES: true
+ SKIP_SIGNS: false
diff --git a/.github/workflows/builder-testbuild.yaml b/.github/workflows/builder-testbuild.yaml
index f9a1a79b..49d72031 100644
--- a/.github/workflows/builder-testbuild.yaml
+++ b/.github/workflows/builder-testbuild.yaml
@@ -36,6 +36,14 @@ jobs:
 fetch-depth: 0
 repository: "open-telemetry/opentelemetry-collector"
 path: ".core"
+ - name: Copy Dockerfile to Core Repo directory
+ run: cp cmd/builder/Dockerfile .core/cmd/builder/Dockerfile
+ - uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
+ - uses: anchore/sbom-action/download-syft@61119d458adab75f756bc0b9e4bde25725f86a7a # v0.17.2
+ - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
+ with:
+ platforms: amd64, arm64,ppc64le
+ - uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
 - name: Setup Go
 uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
 with:
@@ -57,4 +65,6 @@ jobs:
 args: --snapshot --clean -f cmd/builder/.goreleaser.yml
 env:
 GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ secrets.GH_PAT}}
+ COSIGN_YES: false
+ SKIP_SIGNS: true
diff --git a/Makefile b/Makefile
index c7632a50..89b5ca67 100644
--- a/Makefile
+++ b/Makefile
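Review bot: Swapping `secrets.GITHUB_TOKEN` for `secrets.GH_PAT` replaces a job-scoped, auto-expiring token with a long-lived personal token, right after the first hunk granted the job `contents: write`, which is what GoReleaser needs to create the release and upload assets in this repository; unless the PAT is required for something the default token cannot do (the usual reason is that a release created with `GITHUB_TOKEN` does not trigger downstream workflows), keep `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}`, and if the PAT is needed, say so in a comment and make it a fine-grained token limited to this repository. The same substitution in builder-testbuild.yaml (written `${{ secrets.GH_PAT}}`, missing the space) is harder to justify: that job runs `--snapshot`, which publishes nothing, so it can stay on the default token and there is no reason to expose the PAT to a test build whose trigger is outside this diff. `COSIGN_YES: true` and `SKIP_SIGNS: false` reach GoReleaser as the strings `true`/`false` either way; quoting them (`"true"`) just makes that explicit.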
@@ -73,3 +73,24 @@ push-tags:
 @git tag -a ${TAG} -s -m "Version ${TAG}"
 @echo "Pushing tag ${TAG}"
 @git push ${REMOTE} ${TAG}
+
+# Used for debug only
+REMOTE?=git@github.com:open-telemetry/opentelemetry-collector-releases.git
+.PHONY: delete-tags
+delete-tags:
+ @[ "${TAG}" ] || ( echo ">> env var TAG is not set"; exit 1 )
+ @echo "Deleting local tag ${TAG}"
+ @if [ -n "$$(git tag -l ${TAG})" ]; then \
+ git tag -d ${TAG}; \
+ fi
+ @if [ -n "$$(git tag -l cmd/builder/${TAG})" ]; then \
+ git tag -d cmd/builder/${TAG}; \
+ fi
+ @echo "Deleting remote tag ${TAG}"
+ @git push ${REMOTE} :refs/tags/${TAG}
+ @git push ${REMOTE} :refs/tags/cmd/builder/${TAG}
+
+# Used for debug only
+REMOTE?=git@github.com:open-telemetry/opentelemetry-collector-releases.git
+.PHONY: repeat-tags
+repeat-tags: delete-tags push-tags
\ No newline at end of file
diff --git a/cmd/builder/.goreleaser.yml b/cmd/builder/.goreleaser.yml
index d666306c..a92d178d 100644
--- a/cmd/builder/.goreleaser.yml
+++ b/cmd/builder/.goreleaser.yml
@@ -4,6 +4,7 @@ before:
 monorepo:
 tag_prefix: cmd/builder/
 dir: .core/cmd/builder
+version: 2
 builds:
 - flags:
 - -trimpath
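Review bot: `delete-tags` removes `${TAG}` and `cmd/builder/${TAG}` from the upstream remote with no guard beyond "TAG is set", and `repeat-tags` then recreates them via `push-tags`, which signs the tag (`git tag -a ... -s`); a re-pushed tag is a different tag object, so anyone who already fetched or verified the original sees history change under them, and a mistyped TAG deletes a real release tag. Since the comment says this is for debugging only, gate the destructive step on an explicit opt-in, e.g. `@[ "${FORCE}" = "1" ] || ( echo ">> refusing to delete tag ${TAG}; set FORCE=1"; exit 1 )` as the first recipe line. `REMOTE?=git@github.com:...` is assigned twice with the same value; the second is a no-op, and because `?=` yields to any earlier definition (the `REMOTE` that `push-tags` uses is defined outside this hunk), neither line may take effect at all, so keep one and place it with the other variable definitions. The file also loses its trailing newline.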
@@ -23,6 +24,80 @@ builds:
 - goos: windows
 goarch: arm64
 binary: ocb
+dockers:
+ - goos: linux
+ goarch: amd64
+ dockerfile: Dockerfile
+ image_templates:
+ - otel/opentelemetry-collector-builder:{{ .Version }}-amd64
+ - otel/opentelemetry-collector-builder:latest-amd64
+ - ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector-builder:{{ .Version }}-amd64
+ - ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector-builder:latest-amd64
+ build_flag_templates:
+ - --pull
+ - --platform=linux/amd64
+ - --label=org.opencontainers.image.created={{.Date}}
+ - --label=org.opencontainers.image.name={{.ProjectName}}
+ - --label=org.opencontainers.image.revision={{.FullCommit}}
+ - --label=org.opencontainers.image.version={{.Version}}
+ - --label=org.opencontainers.image.source={{.GitURL}}
+ - --label=org.opencontainers.image.licenses=Apache-2.0
+ - goos: linux
+ goarch: arm64
+ dockerfile: Dockerfile
+ image_templates:
+ - otel/opentelemetry-collector-builder:{{ .Version }}-arm64
+ - otel/opentelemetry-collector-builder:latest-arm64
+ - ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector-builder:{{ .Version }}-arm64
+ - ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector-builder:latest-arm64
+ build_flag_templates:
+ - --pull
+ - --platform=linux/arm64
+ - --label=org.opencontainers.image.created={{.Date}}
+ - --label=org.opencontainers.image.name={{.ProjectName}}
+ - --label=org.opencontainers.image.revision={{.FullCommit}}
+ - --label=org.opencontainers.image.version={{.Version}}
+ - --label=org.opencontainers.image.source={{.GitURL}}
+ - --label=org.opencontainers.image.licenses=Apache-2.0
+ - goos: linux
+ goarch: ppc64le
+ dockerfile: Dockerfile
+ image_templates:
+ - otel/opentelemetry-collector-builder:{{ .Version }}-ppc64le
+ - otel/opentelemetry-collector-builder:latest-ppc64le
+ -
ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector-builder:{{ .Version }}-ppc64le
+ - ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector-builder:latest-ppc64le
+ build_flag_templates:
+ - --pull
+ - --platform=linux/ppc64le
+ - --label=org.opencontainers.image.created={{.Date}}
+ - --label=org.opencontainers.image.name={{.ProjectName}}
+ - --label=org.opencontainers.image.revision={{.FullCommit}}
+ - --label=org.opencontainers.image.version={{.Version}}
+ - --label=org.opencontainers.image.source={{.GitURL}}
+ - --label=org.opencontainers.image.licenses=Apache-2.0
+ use: buildx
+docker_manifests:
+ - name_template: otel/opentelemetry-collector-builder:{{ .Version }}
+ image_templates:
+ - otel/opentelemetry-collector-builder:{{ .Version }}-amd64
+ - otel/opentelemetry-collector-builder:{{ .Version }}-arm64
+ - otel/opentelemetry-collector-builder:{{ .Version }}-ppc64le
+ - name_template: otel/opentelemetry-collector-builder:latest
+ image_templates:
+ - otel/opentelemetry-collector-builder:latest-amd64
+ - otel/opentelemetry-collector-builder:latest-arm64
+ - otel/opentelemetry-collector-builder:latest-ppc64le
+ - name_template: ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector-builder:{{ .Version }}
+ image_templates:
+ - ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector-builder:{{ .Version }}-amd64
+ - ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector-builder:{{ .Version }}-arm64
+ - ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector-builder:{{ .Version }}-ppc64le
+ - name_template: ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector-builder:latest
+ image_templates:
+ - ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector-builder:latest-amd64
+ -
ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector-builder:latest-arm64
+ - ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector-builder:latest-ppc64le
 release:
 github:
 owner: open-telemetry
@@ -37,3 +112,28 @@ snapshot:
 version_template: "{{ .Tag }}-next"
 changelog:
 disable: true
+signs:
+ - if: $SKIP_SIGNS != "true"
+ cmd: cosign
+ args:
+ - sign-blob
+ - --output-signature
+ - ${artifact}.sig
+ - --output-certificate
+ - ${artifact}.pem
+ - ${artifact}
+ signature: ${artifact}.sig
+ artifacts: all
+ certificate: ${artifact}.pem
+docker_signs:
+ - if: $SKIP_SIGNS != "true"
+ args:
+ - sign
+ - ${artifact}
+ artifacts: all
+sboms:
+ - id: archive
+ artifacts: archive
+ - id: package
+ artifacts: package
+
\ No newline at end of file
diff --git a/cmd/builder/Dockerfile b/cmd/builder/Dockerfile
new file mode 100644
index 00000000..de6e1891
--- /dev/null
+++ b/cmd/builder/Dockerfile
@@ -0,0 +1,14 @@
+FROM golang:1.23-alpine3.20
+RUN apk --update add ca-certificates
+
+ARG SERVICE_NAME=ocb
+
+RUN addgroup --gid 10001 --system ${SERVICE_NAME} && \
+ adduser --ingroup ${SERVICE_NAME} --shell /bin/false \
+ --disabled-password --uid 10001 ${SERVICE_NAME}
+
+USER ${SERVICE_NAME}
+WORKDIR /home/${SERVICE_NAME}
+
+COPY --chmod=755 ocb /usr/local/bin/ocb
+ENTRYPOINT [ "ocb" ]
\ No newline at end of file
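Review bot: `use: buildx` appears only on the ppc64le entry of `dockers`; the amd64 and arm64 entries fall back to GoReleaser's default builder, so the three per-arch images are not produced by the same path even though both workflows set up QEMU and buildx for all three platforms. Set `use: buildx` on every entry (or drop it everywhere if the default `docker build` path is verified to honour `--platform=linux/arm64` on the amd64 runner), and the three near-identical blocks are a good candidate for a YAML anchor on `build_flag_templates` if the project tolerates anchors. Separately, every tagged release also rewrites the `latest-*` images and both `latest` manifests, so a patch release on an older line or a pre-release overwrites `latest` for every consumer; if that is not intended, gate those templates, for example with `skip_push: auto` on the `latest` entries if the GoReleaser v2 docs confirm that option for this config version.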
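Review bot: The `if:` on both `signs` and `docker_signs` is written as a shell comparison, `$SKIP_SIGNS != "true"`, but GoReleaser evaluates `if` as a Go template that must render to `true`; unless it also expands shell-style `$VAR` there (I cannot confirm that from this diff, and the documented form uses `.Env`), the string never renders to `true`, so signing is skipped silently on real releases even though builder-release.yaml sets `SKIP_SIGNS: false` expecting signatures. Use `if: '{{ ne .Env.SKIP_SIGNS "true" }}'` on both entries, or drop the condition and rely on `--skip=sign` in the test build. Either way the release job should fail if no `.sig`/`.pem` files exist after GoReleaser runs, since a release that silently ships unsigned is worse than one that fails. `docker_signs` omits `cmd:`, which relies on GoReleaser's cosign default; spelling out `cmd: cosign` as `signs` does keeps the two entries consistent.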
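Review bot: `FROM golang:1.23-alpine3.20` is pinned to a moving tag rather than a digest, so rebuilding the same release later (or the `latest` retag) can land on a different base image; pin it as `FROM golang:1.23-alpine3.20@sha256:<digest-from-registry>` and let a bot bump the digest, which also makes the SBOM and signature describe a reproducible base. `RUN apk --update add ca-certificates` leaves the fetched index under `/var/cache/apk` in the layer; `RUN apk add --no-cache ca-certificates` is the usual form. The dedicated `ocb` system user with uid/gid 10001, `USER` before the `COPY`, and `COPY --chmod=755` are all good; the file only lacks a trailing newline.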