Switch to use version streamed gatekeeper-3.13 package (#1270) #1470
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| on: | |
| push: | |
| branches: | |
| - main | |
| paths-ignore: | |
| - README.md | |
| - withdrawn-images.txt | |
| - withdrawn-repos.txt | |
| schedule: | |
| - cron: '0 0 * * *' | |
| workflow_dispatch: | |
| inputs: | |
| only: | |
| description: 'Specific image name to build' | |
| type: string | |
| required: false | |
| default: '' | |
| concurrency: release | |
| jobs: | |
| generate-matrix: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| shard-0: ${{ steps.generate-matrix-0.outputs.matrix }} | |
| unique-images-shard-0: ${{ steps.generate-matrix-0.outputs.matrix-unique-images }} | |
| steps: | |
| - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 | |
| # On push to main branch, only build images necessary | |
| - id: files | |
| if: ${{ github.event_name != 'schedule' && github.event_name != 'workflow_dispatch' }} | |
| uses: tj-actions/changed-files@e1754a427f478b8778d349341b8f1d80f1f47f44 # v36.4.0 | |
| with: | |
| separator: ',' | |
| - id: build-filter | |
| run: | | |
| set -xe | |
| TMP=$(mktemp) | |
| # For manual builds, build only the image requested | |
| [[ "${{ github.event_name }}" != "workflow_dispatch" || "${{ inputs.only }}" == "" ]] || echo -n 'images/${{ inputs.only }}/image.yaml' > "${TMP}" | |
| # On push to main branch, only build images necessary | |
| [[ "${{ github.event_name }}" == "schedule" || "${{ github.event_name }}" == "workflow_dispatch" ]] || echo -n '${{ steps.files.outputs.all_changed_files }}' > "${TMP}" | |
| echo "filter=$(cat "${TMP}")" >> $GITHUB_OUTPUT | |
| - id: generate-matrix-0 | |
| uses: ./.github/actions/generate-matrix | |
| with: | |
| shard: 0 | |
| sharding-factor: 1 | |
| modified-files: ${{ steps.build-filter.outputs.filter }} | |
| build-0: | |
| runs-on: ubuntu-latest | |
| needs: [generate-matrix] | |
| strategy: | |
| fail-fast: false | |
| matrix: ${{ fromJson(needs.generate-matrix.outputs.shard-0) }} | |
| permissions: | |
| id-token: write | |
| packages: write | |
| contents: read | |
| actions: read | |
| steps: | |
| - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 | |
| - id: determine-appends | |
| run: | | |
| # Do not append out repo/keyring/package to Alpine images. | |
| set -x | |
| if ! grep 'alpinelinux\.org' "${{ matrix.apkoConfig }}" &>/dev/null; then | |
| echo "repository-append=https://packages.wolfi.dev/os" >> $GITHUB_OUTPUT | |
| echo "keyring-append=https://packages.wolfi.dev/os/wolfi-signing.rsa.pub" >> $GITHUB_OUTPUT | |
| fi | |
| - id: release-image-inputs | |
| name: Add additional inputs for release-image action | |
| uses: chainguard-dev/actions/matrix-extra-inputs@main | |
| with: | |
| matrix-json: ${{ toJSON(matrix) }} | |
| env: | |
| EXTRA_INPUT_SLACK_WEBHOOK_URL: ${{ secrets.DISTROLESS_SLACK_WEBHOOK }} | |
| EXTRA_INPUT_GCS_AUTH_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCS_AUTH_WORKLOAD_IDENTITY_PROVIDER }} | |
| EXTRA_INPUT_GCS_AUTH_SERVICE_ACCOUNT: ${{ secrets.GCS_AUTH_SERVICE_ACCOUNT }} | |
| EXTRA_INPUT_GCS_AUTH_PROJECT_ID: ${{ secrets.GCS_AUTH_PROJECT_ID }} | |
| EXTRA_INPUT_GCS_BUCKET_NAME: chainguard-images-build-outputs | |
| # This allows chainguard-images/images to publish images to cgr.dev/chainguard | |
| # We maintain this identity here: | |
| # https://github.com/chainguard-dev/mono/blob/main/env/chainguard-images/iac/images-pusher.tf | |
| EXTRA_INPUT_CHAINGUARD_IDENTITY: 720909c9f5279097d847ad02a2f24ba8f59de36a/b6461e99e132298f | |
| EXTRA_INPUT_APKO_IMAGE: ghcr.io/wolfi-dev/apko:latest@sha256:94c1512d9c359148059a13cb8df972d15f196e5901f0132238d0376e0bfb597c | |
| EXTRA_INPUT_APKO_REPOSITORY_APPEND: ${{ steps.determine-appends.outputs.repository-append }} | |
| EXTRA_INPUT_APKO_KEYRING_APPEND: ${{ steps.determine-appends.outputs.keyring-append }} | |
| - uses: chainguard-dev/actions/setup-kind@main | |
| with: | |
| k8s-version: v1.24.x | |
| registry-authority: registry.local:5000 | |
| # Disable creating new version tags. | |
| - run: | | |
| # temporarily generate tags for these modules | |
| if [[ "${{ matrix.imageName }}" != "busybox" ]] && [[ "${{ matrix.imageName }}" != "jre" ]] && [[ "${{ matrix.imageName }}" != "node" ]]; then | |
| echo "TF_APKO_DISABLE_VERSION_TAGS=true" >> $GITHUB_ENV | |
| fi | |
| - uses: ./.github/actions/release-image-terraform | |
| with: ${{ fromJSON(steps.release-image-inputs.outputs.matrix-json) }} | |
| - uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0 | |
| if: ${{ failure() && github.event_name == 'schedule' }} | |
| with: | |
| payload: '{"text": "[images] release failed ${{ matrix.imageName }}: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"}' | |
| env: | |
| SLACK_WEBHOOK_URL: ${{ secrets.DISTROLESS_SLACK_WEBHOOK }} | |
| SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK |