Publish Container Images #2492
name: Publish Container Images

# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.

# Triggers: a nightly rebuild of main (schedule), pushes to main, and
# semver release tags. There is no pull_request trigger, so every run
# starts from a ref already in this repository and has access to its
# secrets; no step below needs to be gated on the event type.
on:
  schedule:
    - cron: "43 9 * * *"
  push:
    branches: [main]
    # Publish semver tags as releases.
    tags: ["v*.*.*"]

# Restrictive top-level default; individual jobs escalate as needed.
permissions:
  contents: read

env:
  REGISTRY: ghcr.io
  GHCR_IMAGE: ghcr.io/${{ github.repository }}
  GCP_IMAGE: us-docker.pkg.dev/mondoohq/release/mondoo-operator
  # Exported to every run step. Not referenced in this file, so it is
  # presumably read by scripts/push-virtual-tag.sh — verify before removing.
  RELEASE: ${{ github.ref_name }}

jobs:
| debug-event: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Print workflow actor | |
| run: echo "${{ toJSON(github.actor) }}" | |
| - name: Print workflow event | |
| run: jq '.' $GITHUB_EVENT_PATH | |
| build-operator: | |
| name: Build operator binaries | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| packages: write | |
| # This is used to complete the identity challenge | |
| # with sigstore/fulcio when running outside of PRs. | |
| id-token: write | |
| strategy: | |
| matrix: | |
| os: [linux] | |
| arch: [amd64, arm64, arm] | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Import environment variables from file | |
| run: cat ".github/env" >> $GITHUB_ENV | |
| - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 | |
| with: | |
| go-version-file: "go.mod" | |
| cache: true | |
| # Install the cosign tool except on PR | |
| # https://github.com/sigstore/cosign-installer | |
| - name: Install cosign | |
| uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1 | |
| # Login against a Docker registry except on PR | |
| # https://github.com/docker/login-action | |
| - name: Log into registry ${{ env.REGISTRY }} | |
| uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Authenticate with Google Cloud | |
| uses: "google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093" # v3.0.0 | |
| with: | |
| credentials_json: "${{ secrets.GCP_ARTIFACT_REGISTRY_SA }}" | |
| - name: "Set up Cloud SDK" | |
| uses: "google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db" # v3.0.1 | |
| - name: Docker Login (GCR) | |
| run: | | |
| gcloud auth configure-docker us-docker.pkg.dev | |
| # Extract metadata (tags, labels) for Docker | |
| # https://github.com/docker/metadata-action | |
| - name: Extract Docker metadata | |
| id: meta | |
| uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0 | |
| with: | |
| images: | | |
| ${{ env.GHCR_IMAGE }} | |
| ${{ env.GCP_IMAGE }} | |
| tags: | | |
| type=schedule,pattern=main | |
| type=ref,event=branch | |
| type=ref,event=tag | |
| type=ref,event=pr | |
| flavor: | | |
| suffix=-${{ matrix.arch }},onlatest=true | |
| # Only apply 'latest' for non-prerelease version tags (no hyphen after version) | |
| latest=${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') && !contains(github.ref, '-') }} | |
| # Extract metadata (tags, labels) for Docker | |
| # https://github.com/docker/metadata-action | |
| - name: Extract Docker metadata (without suffixes) | |
| id: meta_clean | |
| uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0 | |
| with: | |
| images: | | |
| ${{ env.GHCR_IMAGE }} | |
| ${{ env.GCP_IMAGE }} | |
| tags: | | |
| type=schedule,pattern=main | |
| type=ref,event=branch | |
| type=ref,event=tag | |
| type=ref,event=pr | |
| - name: Build binaries | |
| run: VERSION=${{ steps.meta_clean.outputs.version }} TARGET_OS=${{ matrix.os }} TARGET_ARCH=${{ matrix.arch }} make build | |
| # Set up QEMU for cross-platform builds | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 | |
| # Set up Docker Buildx for multi-platform builds | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 | |
| # Build and push Docker image with Buildx | |
| # https://github.com/docker/build-push-action | |
| - name: Build and push operator image | |
| id: build-and-push-operator | |
| uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 | |
| with: | |
| context: . | |
| platforms: ${{ matrix.os }}/${{ matrix.arch }} | |
| push: true | |
| labels: ${{ steps.meta.outputs.labels }} | |
| tags: ${{ steps.meta.outputs.tags }} | |
| # Disable provenance attestations to produce single-platform images | |
| # instead of manifest lists. Required for docker manifest create to work. | |
| provenance: false | |
| - name: Scan Image | |
| if: matrix.arch == 'amd64' | |
| uses: mondoohq/actions/docker-image@20caefcb2d1258d051149913cde321a698b1fdb9 # v13.1.0 | |
| env: | |
| MONDOO_CONFIG_BASE64: ${{ secrets.MONDOO_CLIENT }} | |
| with: | |
| image: ${{ env.GHCR_IMAGE }}@${{ steps.build-and-push-operator.outputs.digest }} | |
| # Sign the resulting Docker image digest except on PRs. | |
| # This will only write to the public Rekor transparency log when the Docker | |
| # repository is public to avoid leaking data. If you would like to publish | |
| # transparency data even for private images, pass --force to cosign below. | |
| # https://github.com/sigstore/cosign | |
| - name: Sign the published Docker image | |
| # This step uses the identity token to provision an ephemeral certificate | |
| # against the sigstore community Fulcio instance. | |
| run: cosign sign -y ${{ env.GHCR_IMAGE }}@${{ steps.build-and-push-operator.outputs.digest }} | |
| push-virtual-tag: | |
| name: Push multi-platform virtual tag | |
| runs-on: ubuntu-latest | |
| needs: | |
| - build-operator | |
| permissions: | |
| contents: read | |
| packages: write | |
| # This is used to complete the identity challenge | |
| # with sigstore/fulcio when running outside of PRs. | |
| id-token: write | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| # Install the cosign tool except on PR | |
| # https://github.com/sigstore/cosign-installer | |
| - name: Install cosign | |
| uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1 | |
| # Login against a Docker registry except on PR | |
| # https://github.com/docker/login-action | |
| - name: Log into registry ${{ env.REGISTRY }} | |
| uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Authenticate with Google Cloud | |
| uses: "google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093" # v3.0.0 | |
| with: | |
| credentials_json: "${{ secrets.GCP_ARTIFACT_REGISTRY_SA }}" | |
| - name: "Set up Cloud SDK" | |
| uses: "google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db" # v3.0.1 | |
| - name: Docker Login (GCR) | |
| run: | | |
| gcloud auth configure-docker us-docker.pkg.dev | |
| # Extract metadata (tags, labels) for Docker | |
| # https://github.com/docker/metadata-action | |
| - name: Extract Docker metadata | |
| id: meta | |
| uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0 | |
| with: | |
| images: | | |
| ${{ env.GHCR_IMAGE }} | |
| ${{ env.GCP_IMAGE }} | |
| tags: | | |
| type=schedule,pattern=main | |
| type=ref,event=branch | |
| type=ref,event=tag | |
| type=ref,event=pr | |
| flavor: | | |
| # Only apply 'latest' for non-prerelease version tags (no hyphen after version) | |
| latest=${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') && !contains(github.ref, '-') }} | |
| - name: Push multi-platform virtual tag and sign | |
| run: bash scripts/push-virtual-tag.sh | |
| env: | |
| TAGS: ${{ steps.meta.outputs.tags }} | |
| CPU_ARCHS: amd64 arm64 arm | |
| # publish kubectl manifests | |
| run-release-manifests: | |
| if: startsWith(github.ref, 'refs/tags/v') | |
| uses: ./.github/workflows/release-manifests.yaml | |
| permissions: | |
| contents: write | |
| needs: | |
| - push-virtual-tag | |
| # this should ensure the manifest is tagged latest, which is required for the install automation | |
| - release-helm | |
| # Run helm integration tests using the published container images | |
| run-helm-tests: | |
| if: startsWith(github.ref, 'refs/tags/v') | |
| needs: | |
| - push-virtual-tag | |
| uses: ./.github/workflows/helm-tests.yaml | |
| with: | |
| build-operator: false | |
| permissions: | |
| contents: read | |
| actions: read | |
| checks: write | |
| statuses: write | |
| pull-requests: write | |
| secrets: | |
| MONDOO_TEST_ORG_TOKEN: ${{ secrets.MONDOO_TEST_ORG_TOKEN }} | |
| release-helm: | |
| name: Release helm chart | |
| needs: | |
| - push-virtual-tag | |
| - run-helm-tests | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| packages: write # Required for GHCR OCI push | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| fetch-depth: 0 | |
| - name: Configure Git | |
| run: | | |
| git config user.name "$GITHUB_ACTOR" | |
| git config user.email "$GITHUB_ACTOR@users.noreply.github.com" | |
| - name: Install Helm | |
| uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0 | |
| with: | |
| version: v3.17.0 | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| id: install | |
| - name: Log into registry ${{ env.REGISTRY }} | |
| uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Run chart-releaser | |
| uses: helm/chart-releaser-action@a0d2dc62c5e491af8ef6ba64a2e02bcf3fb33aa1 # v1.7.0 | |
| with: | |
| charts_dir: charts | |
| env: | |
| CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | |
| - name: Push Helm chart to OCI registry | |
| run: | | |
| helm package charts/mondoo-operator | |
| helm push mondoo-operator-*.tgz oci://ghcr.io/${{ github.repository }}/charts |