action.yml
# Composite action metadata: builds one architecture of a staged image and
# tags it under ghcr.io/confidential-containers/staged-images.
name: Build staged image (single arch)
description: Build (and optionally push) a single-arch staged image to GHCR.

inputs:
  # Only consumed by the GHCR login step, which runs when build_option
  # contains '--push'. Callers should pass it from a secret, not a literal.
  ghcr_token:
    description: Token to login to ghcr.io
    required: false

  docker_file:
    description: Path to Dockerfile
    required: true

  # Becomes the repository name; the image is tagged both
  # <tag>:<GITHUB_SHA>-<arch> and <tag>:latest-<arch>.
  tag:
    description: Image tag under ghcr.io/confidential-containers/staged-images
    required: true

  arch:
    description: Architecture suffix for tags (e.g. x86_64, aarch64, s390x)
    required: true

  # An empty value means no --platform flag is passed to buildx.
  platform:
    description: Optional build target platform (e.g. linux/amd64)
    required: false
    default: ''

  context:
    description: Build context directory
    required: false
    default: '.'

  # build_args and build_option are split on whitespace into separate
  # arguments by the build step, so a single value cannot contain spaces.
  build_args:
    description: Extra build args string (e.g. --build-arg FOO=bar)
    required: false
    default: ''

  build_option:
    description: Extra docker build options (e.g. --push)
    required: false
    default: ''
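runs:
  using: composite
  steps:
    # Third-party actions are pinned to full commit SHAs; the trailing
    # comment records the release the SHA corresponds to.
    - name: Set up Docker Buildx
      uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0

    # Registry login is skipped unless the caller asked buildx to push.
    - name: Login to GHCR Container Registry
      uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
      if: contains(inputs.build_option, '--push')
      with:
        registry: ghcr.io
        username: ${{ github.actor }}
        password: ${{ inputs.ghcr_token }}

    - name: Build image
      shell: bash
      # Inputs reach the script as environment variables, never as
      # ${{ }} expressions inside `run`. The expressions are substituted
      # into the script text before bash parses it, so a value containing
      # quotes, `$(...)` or backticks would otherwise be executed as shell
      # code regardless of how the script quotes it afterwards.
      env:
        INPUT_DOCKER_FILE: ${{ inputs.docker_file }}
        INPUT_TAG: ${{ inputs.tag }}
        INPUT_ARCH: ${{ inputs.arch }}
        INPUT_PLATFORM: ${{ inputs.platform }}
        INPUT_CONTEXT: ${{ inputs.context }}
        INPUT_BUILD_ARGS: ${{ inputs.build_args }}
        INPUT_BUILD_OPTION: ${{ inputs.build_option }}
      run: |
        set -euo pipefail
        commit_sha="${GITHUB_SHA}"
        image_repo="ghcr.io/confidential-containers/staged-images/${INPUT_TAG}"

        # --platform is only passed when the caller supplied one.
        platform_args=()
        if [ -n "${INPUT_PLATFORM}" ]; then
          platform_args+=(--platform "${INPUT_PLATFORM}")
        fi

        # Split the free-form option strings on whitespace into arrays so
        # each word is passed to docker as its own argument. The words are
        # still caller-chosen docker flags; this only keeps them from being
        # re-parsed by the shell.
        build_option_args=()
        if [ -n "${INPUT_BUILD_OPTION}" ]; then
          read -r -a build_option_args <<< "${INPUT_BUILD_OPTION}"
        fi
        build_args_array=()
        if [ -n "${INPUT_BUILD_ARGS}" ]; then
          read -r -a build_args_array <<< "${INPUT_BUILD_ARGS}"
        fi

        # Two tags per build: one pinned to the commit, one moving
        # "latest" tag, both suffixed with the architecture.
        docker buildx build --provenance false \
          "${platform_args[@]}" \
          -f "${INPUT_DOCKER_FILE}" \
          "${build_option_args[@]}" \
          "${build_args_array[@]}" \
          -t "${image_repo}:${commit_sha}-${INPUT_ARCH}" \
          -t "${image_repo}:latest-${INPUT_ARCH}" \
          "${INPUT_CONTEXT}"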