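# Composite action: assembles a multi-arch manifest from per-architecture
# images that were already pushed as <registry-prefix>/<arch>-<image-name>:<first tag>
# and, when the `cosign` input is "true", signs the resulting manifest by digest.
name: Publish multi-arch manifest
description: Create a multi-arch manifest from per-architecture images and optionally sign it
inputs:
  architectures:
    description: Architectures (JSON array, e.g., '["amd64", "aarch64"]')
    required: true
  container-registry:
    description: Container registry (e.g., "ghcr.io")
    required: false
    default: "ghcr.io"
  container-registry-password:
    # Secret; only ever passed to the login step below, never echoed by the script.
    description: Password for container registry (use secrets.GITHUB_TOKEN for GHCR)
    required: true
  container-registry-username:
    description: Username for container registry (defaults to repository owner)
    required: false
    default: ${{ github.repository_owner }}
  cosign:
    # Quoted on purpose: action inputs are strings and the step condition compares against 'true'.
    description: Whether to sign the manifest with Cosign
    required: false
    default: "true"
  image-name:
    description: Image name without a tag (e.g., "base-python")
    required: true
  image-tags:
    description: Image tags, one per line (first tag is the primary tag used for per-arch image lookup)
    required: true
  registry-prefix:
    description: Registry and namespace prefix (e.g., "ghcr.io/owner")
    required: false
    default: ghcr.io/${{ github.repository_owner }}
runs:
  using: composite
  steps:
    - name: Login to container registry
      uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
      with:
        registry: ${{ inputs.container-registry }}
        username: ${{ inputs.container-registry-username }}
        password: ${{ inputs.container-registry-password }}
    - name: Set up Docker Buildx
      uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
      with:
        # TODO: remove pinning once >=v0.32.1 is available in https://github.com/actions/runner
        version: v0.32.1
    - name: Install Cosign
      if: inputs.cosign == 'true'
      uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
    - name: Create multi-arch manifest and sign it
      shell: bash
      # Inputs are passed through env rather than interpolated into the script,
      # so their contents are never re-parsed as shell syntax.
      env:
        ARCHITECTURES: ${{ inputs.architectures }}
        REGISTRY_PREFIX: ${{ inputs.registry-prefix }}
        IMAGE_NAME: ${{ inputs.image-name }}
        IMAGE_TAGS: ${{ inputs.image-tags }}
        COSIGN: ${{ inputs.cosign }}
      run: |
        set -euo pipefail

        # Split the newline-separated tag list, dropping blank lines.
        image_tags=()
        while IFS= read -r tag; do
          [[ -n "$tag" ]] && image_tags+=("${tag}")
        done <<< "${IMAGE_TAGS}"
        if [[ ${#image_tags[@]} -eq 0 ]]; then
          echo "::error::image-tags must contain at least one non-empty tag" >&2
          exit 1
        fi

        # Per-arch images are looked up under the first (primary) tag only.
        source_images=()
        while IFS= read -r arch; do
          [[ -n "$arch" ]] && source_images+=("${REGISTRY_PREFIX}/${arch}-${IMAGE_NAME}:${image_tags[0]}")
        done < <(jq -r '.[]' <<< "${ARCHITECTURES}")
        if [[ ${#source_images[@]} -eq 0 ]]; then
          echo "::error::architectures must be a non-empty JSON array of architecture names" >&2
          exit 1
        fi

        # One --tag per requested tag, all pointing at the same manifest.
        tag_args=()
        for tag in "${image_tags[@]}"; do
          tag_args+=("--tag" "${REGISTRY_PREFIX}/${IMAGE_NAME}:${tag}")
        done

        metadata_file="$(mktemp)"
        trap 'rm -f "${metadata_file}"' EXIT
        docker buildx imagetools create \
          --metadata-file "${metadata_file}" \
          "${tag_args[@]}" \
          "${source_images[@]}"

        if [[ "${COSIGN}" == "true" ]]; then
          # Sign by digest rather than by tag so the signature is bound to the exact
          # manifest that was just pushed, not to a mutable tag. `// empty` turns a
          # missing descriptor into an empty string instead of the literal "null".
          digest="$(jq -r '.["containerimage.descriptor"].digest // empty' "${metadata_file}")"
          if [[ -z "${digest}" ]]; then
            echo "::error::could not read the manifest digest from buildx metadata; refusing to sign" >&2
            exit 1
          fi
          # NOTE(review): no --key is supplied, so this appears to be keyless (OIDC) signing;
          # the calling workflow then needs `id-token: write` — confirm against the callers.
          cosign sign --yes "${REGISTRY_PREFIX}/${IMAGE_NAME}@${digest}"
        fi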