fix: expose OAuth metadata for non-public servers #8425
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # =============================================================== | |
| # Multiplatform Docker Build Workflow | |
| # =============================================================== | |
| # | |
| # This workflow builds container images for multiple architectures: | |
| # - linux/amd64 (native on ubuntu-24.04) - PR (build only), merge queue (build only), push | |
| # - linux/arm64 (native on ubuntu-24.04-arm) - merge queue (build only), push | |
| # - linux/s390x (native on ubuntu-24.04-s390x) - merge queue (build only), push | |
| # - linux/ppc64le (native on ubuntu-24.04-ppc64le) - merge queue (build only), push | |
| # | |
| # Pipeline: | |
| # 1. Build platform images in parallel (amd64 on PR; all arches on merge queue + push) | |
| # 2. Create multiplatform manifest (push and tags only) | |
| # 3. Sign and attest with Cosign (keyless OIDC, push and tags only) | |
| # | |
| # Linting and security scanning are handled by docker-scan.yml | |
| # | |
| # =============================================================== | |
| name: Multiplatform Docker Build | |
| on: | |
| push: | |
| branches: ["main"] | |
| tags: ["v*"] | |
| paths: | |
| - 'Containerfile.lite' | |
| - 'mcpgateway/**' | |
| - 'plugins/**' | |
| - 'pyproject.toml' | |
| - '.github/workflows/docker-multiplatform.yml' | |
| pull_request: | |
| types: [opened, synchronize, ready_for_review] | |
| branches: ["main"] | |
| paths: | |
| - 'Containerfile.lite' | |
| - 'mcpgateway/**' | |
| - 'plugins/**' | |
| - 'pyproject.toml' | |
| - '.github/workflows/docker-multiplatform.yml' | |
| merge_group: | |
| branches: ["main"] | |
| workflow_dispatch: | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| permissions: | |
| contents: read | |
| env: | |
| REGISTRY: ghcr.io | |
| IMAGE_NAME: ${{ github.repository }} | |
| jobs: | |
| # --------------------------------------------------------------- | |
| # Build each platform in parallel | |
| # --------------------------------------------------------------- | |
| build: | |
| if: github.event_name != 'pull_request' || !github.event.pull_request.draft | |
| name: Build ${{ matrix.suffix }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - platform: linux/amd64 | |
| runner: ubuntu-24.04 | |
| suffix: amd64 | |
| cache_mode: max | |
| qemu: false | |
| build_on_pr: true # amd64 builds on PR, merge queue, and push | |
| - platform: linux/arm64 | |
| runner: ubuntu-24.04-arm | |
| suffix: arm64 | |
| cache_mode: max | |
| qemu: false | |
| build_on_pr: false # merge queue and push only | |
| - platform: linux/s390x | |
| runner: ubuntu-24.04-s390x | |
| suffix: s390x | |
| cache_mode: max | |
| qemu: false | |
| build_on_pr: false # merge queue and push only | |
| - platform: linux/ppc64le | |
| runner: ubuntu-24.04-ppc64le | |
| suffix: ppc64le | |
| cache_mode: max | |
| qemu: false | |
| build_on_pr: false # merge queue and push only | |
| runs-on: ${{ matrix.runner }} | |
| timeout-minutes: 60 | |
| permissions: | |
| contents: read | |
| packages: write | |
| # amd64: builds (no push) on PR and merge queue; full build+push on push | |
| # arm64/s390x/ppc64le: builds (no push) on merge queue; full build+push on push | |
| # Condition for build steps: always except PRs skip non-amd64 (build_on_pr) | |
| # Condition for push-only steps (login, digest): push/workflow_dispatch only | |
| steps: | |
| - name: Checkout code | |
| if: github.event_name != 'pull_request' || matrix.build_on_pr | |
| uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 | |
| with: | |
| persist-credentials: false | |
| - name: Set image name lowercase | |
| if: github.event_name != 'pull_request' || matrix.build_on_pr | |
| run: | | |
| IMAGE_NAME_LC=$(echo "${{ env.IMAGE_NAME }}" | tr '[:upper:]' '[:lower:]') | |
| echo "IMAGE_NAME_LC=${IMAGE_NAME_LC}" >> "${GITHUB_ENV}" | |
| # QEMU is not currently triggered (native runners are used for all platforms) | |
| # but is retained so it can be re-enabled via matrix.qemu if needed. | |
| - name: Set up QEMU | |
| if: matrix.qemu && (github.event_name != 'pull_request' || matrix.build_on_pr) | |
| uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3 | |
| with: | |
| platforms: ${{ matrix.platform }} | |
| - name: Set up Docker Buildx | |
| if: github.event_name != 'pull_request' || matrix.build_on_pr | |
| uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 | |
| - name: Log in to GHCR | |
| if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' | |
| uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Extract metadata | |
| if: github.event_name != 'pull_request' || matrix.build_on_pr | |
| id: meta | |
| uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5 | |
| with: | |
| images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME_LC }} | |
| tags: | | |
| type=raw,value=${{ matrix.suffix }}-${{ github.sha }} | |
| - name: Build and push | |
| if: github.event_name != 'pull_request' || matrix.build_on_pr | |
| id: build | |
| uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6 | |
| with: | |
| context: . | |
| file: Containerfile.lite | |
| platforms: ${{ matrix.platform }} | |
| push: ${{ github.event_name == 'push' || github.event_name == 'workflow_dispatch' }} | |
| load: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }} | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| cache-from: type=gha,scope=containerfile-lite-${{ matrix.suffix }} | |
| cache-to: type=gha,mode=${{ matrix.cache_mode }},scope=containerfile-lite-${{ matrix.suffix }} | |
| provenance: false | |
| - name: Export digest | |
| if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' | |
| run: | | |
| mkdir -p /tmp/digests | |
| digest="${{ steps.build.outputs.digest }}" | |
| touch "/tmp/digests/${digest#sha256:}" | |
| echo "Digest for ${{ matrix.suffix }}: $digest" | |
| - name: Upload digest | |
| if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 | |
| with: | |
| name: digest-${{ matrix.suffix }} | |
| path: /tmp/digests/* | |
| if-no-files-found: error | |
| retention-days: 1 | |
| # --------------------------------------------------------------- | |
| # Create multiplatform manifest | |
| # --------------------------------------------------------------- | |
| manifest: | |
| name: Create Manifest | |
| needs: build | |
| runs-on: ubuntu-24.04 | |
| timeout-minutes: 60 | |
| if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' | |
| permissions: | |
| contents: read | |
| packages: write | |
| steps: | |
| - name: Set image name lowercase | |
| run: | | |
| IMAGE_NAME_LC=$(echo "${{ env.IMAGE_NAME }}" | tr '[:upper:]' '[:lower:]') | |
| echo "IMAGE_NAME_LC=${IMAGE_NAME_LC}" >> "${GITHUB_ENV}" | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 | |
| - name: Log in to GHCR | |
| uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Create and push manifest | |
| run: | | |
| SHA=${{ github.sha }} | |
| REF_NAME=${{ github.ref_name }} | |
| IMAGE=${{ env.REGISTRY }}/${{ env.IMAGE_NAME_LC }} | |
| echo "Creating multiplatform manifest..." | |
| # All four architectures are built on every non-PR push | |
| IMAGES=( | |
| "${IMAGE}:amd64-${SHA}" | |
| "${IMAGE}:arm64-${SHA}" | |
| "${IMAGE}:s390x-${SHA}" | |
| "${IMAGE}:ppc64le-${SHA}" | |
| ) | |
| if [[ "${GITHUB_REF_TYPE}" == "tag" ]]; then | |
| docker buildx imagetools create \ | |
| --tag "${IMAGE}:${SHA}" \ | |
| --tag "${IMAGE}:${REF_NAME}" \ | |
| --tag "${IMAGE}:latest" \ | |
| "${IMAGES[@]}" | |
| else | |
| docker buildx imagetools create \ | |
| --tag "${IMAGE}:${SHA}" \ | |
| "${IMAGES[@]}" | |
| fi | |
| echo "Manifest created successfully" | |
| - name: Inspect manifest | |
| run: | | |
| REF_NAME=${{ github.ref_name }} | |
| IMAGE=${{ env.REGISTRY }}/${{ env.IMAGE_NAME_LC }} | |
| echo "Inspecting multiplatform manifest..." | |
| if [[ "${GITHUB_REF_TYPE}" == "tag" ]]; then | |
| docker buildx imagetools inspect "${IMAGE}:${REF_NAME}" | |
| else | |
| docker buildx imagetools inspect "${IMAGE}:${{ github.sha }}" | |
| fi | |
| # --------------------------------------------------------------- | |
| # Sign images with Cosign (keyless OIDC) | |
| # --------------------------------------------------------------- | |
| sign: | |
| name: Sign Images | |
| needs: manifest | |
| runs-on: ubuntu-24.04 | |
| timeout-minutes: 60 | |
| if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| steps: | |
| - name: Set image name lowercase | |
| run: | | |
| IMAGE_NAME_LC=$(echo "${{ env.IMAGE_NAME }}" | tr '[:upper:]' '[:lower:]') | |
| echo "IMAGE_NAME_LC=${IMAGE_NAME_LC}" >> "${GITHUB_ENV}" | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@f713795cb21599bc4e5c4b58cbad1da852d7eeb9 # v3 | |
| - name: Log in to GHCR | |
| uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Pull image for SBOM generation | |
| run: | | |
| if [[ "${GITHUB_REF_TYPE}" == "tag" ]]; then | |
| docker pull --platform linux/amd64 ${{ env.REGISTRY }}/${{ env.IMAGE_NAME_LC }}:${{ github.ref_name }} | |
| else | |
| docker pull --platform linux/amd64 ${{ env.REGISTRY }}/${{ env.IMAGE_NAME_LC }}:${{ github.sha }} | |
| fi | |
| - name: Generate SBOM (Syft) | |
| uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0 | |
| with: | |
| image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME_LC }}:${{ github.ref_type == 'tag' && github.ref_name || github.sha }} | |
| output-file: sbom.spdx.json | |
| - name: Sign and attest multiplatform image | |
| env: | |
| COSIGN_EXPERIMENTAL: "1" | |
| run: | | |
| IMAGE=${{ env.REGISTRY }}/${{ env.IMAGE_NAME_LC }} | |
| SHA=${{ github.sha }} | |
| REFS=("${IMAGE}:${SHA}") | |
| if [[ "${GITHUB_REF_TYPE}" == "tag" ]]; then | |
| REFS+=("${IMAGE}:${GITHUB_REF_NAME}" "${IMAGE}:latest") | |
| fi | |
| for REF in "${REFS[@]}"; do | |
| echo "Signing ${REF}" | |
| cosign sign --recursive --yes "${REF}" | |
| echo "Attesting SBOM for ${REF}" | |
| cosign attest --yes \ | |
| --predicate sbom.spdx.json \ | |
| --type spdxjson \ | |
| "${REF}" | |
| done | |
| echo "Images signed and attested successfully" | |
| # --------------------------------------------------------------- | |
| # Fan-in gate: single required status check for merge queue/PRs | |
| # --------------------------------------------------------------- | |
| build-complete: | |
| name: Docker Build Complete | |
| needs: build | |
| runs-on: ubuntu-24.04 | |
| if: always() | |
| steps: | |
| - name: Check all platform builds passed | |
| run: | | |
| result="${{ needs.build.result }}" | |
| if [[ "$result" == "success" || "$result" == "skipped" ]]; then | |
| echo "Docker builds passed (result: $result)" | |
| else | |
| echo "Docker builds failed (result: $result)" | |
| exit 1 | |
| fi |