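# Builds, pushes and attests the agentmesh container images on GHCR.
# Runs for every component when a release is published (tagged with the
# release version and `latest`), or for one component (or `all`) on manual
# dispatch with a caller-supplied tag.
name: Publish Container Images

on:  # yamllint disable-line rule:truthy
  release:
    types: [published]
  workflow_dispatch:
    inputs:
      component:
        description: "Component to build and publish"
        required: true
        type: choice
        options:
          - trust-engine
          - policy-server
          - audit-collector
          - api-gateway
          - governance-sidecar
          - all
      tag:
        description: "Image tag (default: latest)"
        required: false
        default: "latest"

# Least privilege: read the checkout, push packages, and mint the OIDC token /
# write the attestation needed for build provenance. Nothing else is granted.
permissions:
  contents: read
  packages: write
  id-token: write
  attestations: write

env:
  REGISTRY: ghcr.io
  IMAGE_PREFIX: ghcr.io/microsoft/agentmesh

jobs:
  build-push:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        # `port` is informational only; no step in this job reads matrix.port.
        include:
          - component: trust-engine
            dockerfile: packages/agent-mesh/docker/Dockerfile
            context: .
            port: 8443
          - component: policy-server
            dockerfile: packages/agent-mesh/docker/Dockerfile
            context: .
            port: 8444
          - component: audit-collector
            dockerfile: packages/agent-mesh/docker/Dockerfile
            context: .
            port: 8445
          - component: api-gateway
            dockerfile: packages/agent-mesh/docker/Dockerfile
            context: .
            port: 8446
          - component: governance-sidecar
            dockerfile: packages/agent-os/Dockerfile.sidecar
            context: packages/agent-os
            port: 8081
    steps:
      # Filter: build all on release, or only the selected component on
      # dispatch. The `matrix` context is not available in a job-level `if`
      # (only github/needs/vars/inputs are), so the filter is evaluated once
      # here and every later step is gated on its output; matrix entries that
      # were not selected skip all steps.
      - name: Select component
        id: select
        if: >-
          github.event_name == 'release' ||
          github.event.inputs.component == 'all' ||
          github.event.inputs.component == matrix.component
        run: echo "build=true" >> "$GITHUB_OUTPUT"

      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        if: steps.select.outputs.build == 'true'

      - name: Set image tag
        id: tag
        if: steps.select.outputs.build == 'true'
        # Event-controlled values (release tag name, dispatch input) are passed
        # through env rather than expanded inline in the script, so the shell
        # never parses their contents.
        env:
          EVENT_NAME: ${{ github.event_name }}
          RELEASE_TAG: ${{ github.event.release.tag_name }}
          INPUT_TAG: ${{ github.event.inputs.tag || 'latest' }}
        run: |
          if [ "$EVENT_NAME" = "release" ]; then
            # Strip 'v' prefix from release tag (v3.2.0 → 3.2.0)
            TAG="${RELEASE_TAG#v}"
          else
            TAG="$INPUT_TAG"
          fi
          # Reject anything that is not a valid OCI tag before it is written to
          # $GITHUB_OUTPUT and handed to the metadata/build steps.
          if [[ ! "$TAG" =~ ^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$ ]]; then
            echo "::error::image tag must match [A-Za-z0-9_][A-Za-z0-9_.-]{0,127}"
            exit 1
          fi
          echo "tag=$TAG" >> "$GITHUB_OUTPUT"
          echo "Image tag: $TAG"

      - name: Set up Docker Buildx
        if: steps.select.outputs.build == 'true'
        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0

      - name: Log in to GHCR
        if: steps.select.outputs.build == 'true'
        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Extract metadata
        id: meta
        if: steps.select.outputs.build == 'true'
        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
        with:
          images: ${{ env.IMAGE_PREFIX }}/${{ matrix.component }}
          tags: |
            type=raw,value=${{ steps.tag.outputs.tag }}
            type=raw,value=latest,enable=${{ github.event_name == 'release' }}
            type=sha,prefix=

      - name: Build and push
        id: build
        if: steps.select.outputs.build == 'true'
        uses: docker/build-push-action@263435318d21b8e681c14492fe198e19c816612b # v6.18.0
        with:
          context: ${{ matrix.context }}
          file: ${{ matrix.dockerfile }}
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          build-args: |
            COMPONENT=${{ matrix.component }}
          platforms: linux/amd64,linux/arm64
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: Attest build provenance
        if: steps.select.outputs.build == 'true'
        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
        with:
          subject-name: ${{ env.IMAGE_PREFIX }}/${{ matrix.component }}
          # The digest is an output of build-push-action, not metadata-action
          # (which has no `digest` output); the earlier reference always
          # resolved to '' and the attestation was never attached.
          subject-digest: ${{ steps.build.outputs.digest }}
          push-to-registry: true
        # Kept best-effort as before. A failure here leaves the image published
        # without provenance, so the step result should be watched in the log.
        continue-on-error: true

      - name: Verify image
        if: steps.select.outputs.build == 'true'
        env:
          IMAGE: ${{ env.IMAGE_PREFIX }}/${{ matrix.component }}
          TAG: ${{ steps.tag.outputs.tag }}
          DIGEST: ${{ steps.build.outputs.digest }}
        run: |
          echo "=== Verifying ${IMAGE}:${TAG} ==="
          if [ -z "$DIGEST" ]; then
            echo "::error::build step produced no image digest"
            exit 1
          fi
          # Pull by digest so the smoke test runs against exactly the bytes
          # just pushed, not whatever the mutable tag resolves to at pull time.
          docker pull "${IMAGE}@${DIGEST}"
          docker run --rm "${IMAGE}@${DIGEST}" python -c "print('Image OK')"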