Skip to content
CSI container image build and tag

Add additional temp feature flag to hide HF access token field from c… #1059

Sign in to view logs

Add additional temp feature flag to hide HF access token field from c…

Add additional temp feature flag to hide HF access token field from c… #1059

Workflow file for this run

.github/workflows/build-and-push-csi-image.yml at 944e1ee
name: CSI container image build and tag
on:
push:
branches:
- 'main'
tags:
- 'v*'
paths-ignore:
- 'LICENSE*'
- '**.gitignore'
- '**.md'
- '**.txt'
- '.github/ISSUE_TEMPLATE/**'
- '.github/dependabot.yml'
- 'docs/**'
permissions: # set contents: read at top-level, per OpenSSF ScoreCard rule TokenPermissionsID\
contents: read
env:
IMG_REGISTRY: ghcr.io
IMG_ORG: kubeflow
IMG_REPO: model-registry/storage-initializer
PUSH_IMAGE: true
DOCKER_USER: ${{ github.actor }}
DOCKER_PWD: ${{ secrets.GITHUB_TOKEN }}
jobs:
build-csi-image:
runs-on: ubuntu-latest
permissions:
actions: read # anchore/sbom-action for syft
contents: write # anchore/sbom-action for syft
packages: write
steps:
# Assign context variable for various action contexts (tag, main, CI)
- name: Assigning tag context
if: github.head_ref == '' && startsWith(github.ref, 'refs/tags/v')
run: echo "BUILD_CONTEXT=tag" >> $GITHUB_ENV
- name: Assigning main context
if: github.head_ref == '' && github.ref == 'refs/heads/main'
run: echo "BUILD_CONTEXT=main" >> $GITHUB_ENV
# checkout branch
- uses: actions/[email protected]
# set image version
- name: Set main-branch environment
if: env.BUILD_CONTEXT == 'main'
run: |
commit_sha=${{ github.event.after }}
tag=main-${commit_sha:0:7}
echo "VERSION=${tag}" >> $GITHUB_ENV
- name: Set tag environment
if: env.BUILD_CONTEXT == 'tag'
run: |
echo "VERSION=${{ github.ref_name }}" >> $GITHUB_ENV
# docker login
- name: Docker login
shell: bash
run: make docker/login
# build & push
- name: Build CSI Image
shell: bash
env:
IMG_ORG: ${{ env.IMG_ORG }}
IMG_REPO: ${{ env.IMG_REPO }}
IMG_VERSION: ${{ env.VERSION }}
run: |
make image/build
- name: Push CSI Image
if: env.PUSH_IMAGE == 'true'
shell: bash
env:
IMG: "${{ env.IMG_REGISTRY }}/${{ env.IMG_ORG }}/${{ env.IMG_REPO }}"
run: IMG=${{ env.IMG }} IMG_VERSION=${{ env.VERSION }} make image/push
- name: Generate SBOM
uses: anchore/sbom-action@v0
with:
image: "${{ env.IMG_REGISTRY }}/${{ env.IMG_ORG }}/${{ env.IMG_REPO }}:${{ env.VERSION }}"
format: spdx-json # default, but making sure of the format
artifact-name: "model-registry-server-${{ env.VERSION }}-sbom.spdx.json"
output-file: "model-registry-server-${{ env.VERSION }}-sbom.spdx.json" # pin the file to use it later below
- name: Install Cosign
uses: sigstore/cosign-installer@v3
- name: Attach SBOM to Image
run: |
cosign attach sbom --sbom model-registry-server-${{ env.VERSION }}-sbom.spdx.json "${{ env.IMG_REGISTRY }}/${{ env.IMG_ORG }}/${{ env.IMG_REPO }}:${{ env.VERSION }}"
# Tag latest and main
- name: Tag Latest
if: env.BUILD_CONTEXT == 'main' && env.PUSH_IMAGE == 'true'
shell: bash
env:
IMG: "${{ env.IMG_REGISTRY }}/${{ env.IMG_ORG }}/${{ env.IMG_REPO }}"
run: |
docker tag ${{ env.IMG }}:$VERSION ${{ env.IMG }}:latest
IMG=${{ env.IMG }} IMG_VERSION=latest make image/push
- name: Tag Main
if: env.BUILD_CONTEXT == 'main' && env.PUSH_IMAGE == 'true'
shell: bash
env:
IMG: "${{ env.IMG_REGISTRY }}/${{ env.IMG_ORG }}/${{ env.IMG_REPO }}"
run: |
docker tag ${{ env.IMG }}:$VERSION ${{ env.IMG }}:main
IMG=${{ env.IMG }} IMG_VERSION=main make image/push