Skip to content

.github/workflows/release.yaml #1453

.github/workflows/release.yaml

.github/workflows/release.yaml #1453

Workflow file for this run

on:
push:
branches:
- main
paths-ignore:
- README.md
- withdrawn-images.txt
- withdrawn-repos.txt
schedule:
- cron: '0 0 * * *'
workflow_dispatch:
inputs:
only:
description: 'Specific image name to build'
type: string
required: false
default: ''
concurrency: release
jobs:
generate-matrix:
runs-on: ubuntu-latest
outputs:
shard-0: ${{ steps.generate-matrix-0.outputs.matrix }}
unique-images-shard-0: ${{ steps.generate-matrix-0.outputs.matrix-unique-images }}
steps:
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
# On push to main branch, only build images necessary
- id: files
if: ${{ github.event_name != 'schedule' && github.event_name != 'workflow_dispatch' }}
uses: tj-actions/changed-files@e1754a427f478b8778d349341b8f1d80f1f47f44 # v36.4.0
with:
separator: ','
- id: build-filter
run: |
set -xe
TMP=$(mktemp)
# For manual builds, build only the image requested
[[ "${{ github.event_name }}" != "workflow_dispatch" || "${{ inputs.only }}" == "" ]] || echo -n 'images/${{ inputs.only }}/image.yaml' > "${TMP}"
# On push to main branch, only build images necessary
[[ "${{ github.event_name }}" == "schedule" || "${{ github.event_name }}" == "workflow_dispatch" ]] || echo -n '${{ steps.files.outputs.all_changed_files }}' > "${TMP}"
echo "filter=$(cat "${TMP}")" >> $GITHUB_OUTPUT
- id: generate-matrix-0
uses: ./.github/actions/generate-matrix
with:
shard: 0
sharding-factor: 1
modified-files: ${{ steps.build-filter.outputs.filter }}
build-0:
runs-on: ubuntu-latest
needs: [generate-matrix]
strategy:
fail-fast: false
matrix: ${{ fromJson(needs.generate-matrix.outputs.shard-0) }}
permissions:
id-token: write
packages: write
contents: read
actions: read
steps:
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
- id: determine-appends
run: |
# Do not append out repo/keyring/package to Alpine images.
set -x
if ! grep 'alpinelinux\.org' "${{ matrix.apkoConfig }}" &>/dev/null; then
echo "repository-append=https://packages.wolfi.dev/os" >> $GITHUB_OUTPUT
echo "keyring-append=https://packages.wolfi.dev/os/wolfi-signing.rsa.pub" >> $GITHUB_OUTPUT
fi
- id: release-image-inputs
name: Add additional inputs for release-image action
uses: chainguard-dev/actions/matrix-extra-inputs@main
with:
matrix-json: ${{ toJSON(matrix) }}
env:
EXTRA_INPUT_SLACK_WEBHOOK_URL: ${{ secrets.DISTROLESS_SLACK_WEBHOOK }}
EXTRA_INPUT_GCS_AUTH_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCS_AUTH_WORKLOAD_IDENTITY_PROVIDER }}
EXTRA_INPUT_GCS_AUTH_SERVICE_ACCOUNT: ${{ secrets.GCS_AUTH_SERVICE_ACCOUNT }}
EXTRA_INPUT_GCS_AUTH_PROJECT_ID: ${{ secrets.GCS_AUTH_PROJECT_ID }}
EXTRA_INPUT_GCS_BUCKET_NAME: chainguard-images-build-outputs
# This allows chainguard-images/images to publish images to cgr.dev/chainguard
# We maintain this identity here:
# https://github.com/chainguard-dev/mono/blob/main/env/chainguard-images/iac/images-pusher.tf
EXTRA_INPUT_CHAINGUARD_IDENTITY: 720909c9f5279097d847ad02a2f24ba8f59de36a/b6461e99e132298f
EXTRA_INPUT_APKO_IMAGE: ghcr.io/wolfi-dev/apko:latest@sha256:94c1512d9c359148059a13cb8df972d15f196e5901f0132238d0376e0bfb597c
EXTRA_INPUT_APKO_REPOSITORY_APPEND: ${{ steps.determine-appends.outputs.repository-append }}
EXTRA_INPUT_APKO_KEYRING_APPEND: ${{ steps.determine-appends.outputs.keyring-append }}
- uses: chainguard-dev/actions/setup-kind@main
with:
k8s-version: v1.24.x
registry-authority: registry.local:5000
# Disable creating new version tags.
- run: |
# temporarily generate tags for these modules
if [[ "${{ matrix.imageName }}" != "busybox" ]] && [[ "${{ matrix.imageName }}" != "jre" ]] && [[ "${{ matrix.imageName }}" != "node" ]]; then
echo "TF_APKO_DISABLE_VERSION_TAGS=true" >> $GITHUB_ENV
fi
- uses: ./.github/actions/release-image-terraform
with: ${{ fromJSON(steps.release-image-inputs.outputs.matrix-json) }}
- uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
if: ${{ failure() && github.event_name == 'schedule' }}
with:
payload: '{"text": "[images] release failed ${{ matrix.imageName }}: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"}'
env:
SLACK_WEBHOOK_URL: ${{ secrets.DISTROLESS_SLACK_WEBHOOK }}
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK