mz529: clean after push (#532) #2001
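# Build, push and sign the kaniko container images.
#
# Flow (one matrix job per image):
#   1. build with docker/build-push-action (multi-arch only when the result is pushed)
#   2. push to ghcr.io (skipped on pull_request events)
#   3. keyless-sign the pushed digest with cosign
#   4. on a version tag push only: add release tags with crane, mirror to Docker Hub and sign there too
name: Build images

on:
  pull_request:
    branches:
      - 'main'
  push:
    branches:
      - 'main'
    tags:
      - "v[0-9]+.[0-9]+.[0-9]+*"
  workflow_dispatch:

env:
  # Docker Hub destination; the repository name falls back to 'kaniko' when the var is unset.
  DOCKER_REPO: ${{ vars.DOCKERHUB_ORG }}/${{ vars.REPOSITORY_NAME || 'kaniko' }}

# No workflow-level permissions: each job declares exactly what it needs.
permissions: {}

jobs:
  build-images:
    concurrency:
      # If a previous run is ongoing with the same head_ref (it's a run on the
      # same PR) then cancel it to save time. If it isn't a PR, only cancel the
      # previous run if it's on the same commit SHA and workflow ref. This prevents
      # a run for a commit push or release tag from cancelling a previous commit
      # push's build, since we want an image built and tagged for each commit.
      group: build-images-${{ matrix.image }}-${{ github.ref }}-${{ github.head_ref || github.sha }}
      cancel-in-progress: true
    permissions:
      contents: read # Read the repo contents.
      id-token: write # Produce identity token for keyless signing.
      packages: write # push to ghcr registry
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        image:
          - executor
          - executor-debug
          - executor-slim
          - warmer
          - bootstrap
        # Per-image Dockerfile target, platform list, commit tag and release tag.
        include:
          - image: executor
            target: kaniko-executor
            platforms: linux/amd64,linux/arm64,linux/s390x,linux/riscv64,linux/ppc64le
            tag: ${{ github.sha }}
            release-tag: latest
          - image: executor-debug
            target: kaniko-debug
            platforms: linux/amd64,linux/arm64,linux/s390x,linux/riscv64,linux/ppc64le
            tag: ${{ github.sha }}-debug
            release-tag: debug
          - image: executor-slim
            target: kaniko-slim
            platforms: linux/amd64,linux/arm64,linux/s390x,linux/riscv64,linux/ppc64le
            tag: ${{ github.sha }}-slim
            release-tag: slim
          - image: warmer
            target: kaniko-warmer
            platforms: linux/amd64,linux/arm64,linux/s390x,linux/riscv64,linux/ppc64le
            tag: ${{ github.sha }}-warmer
            release-tag: warmer
          - image: bootstrap
            target: kaniko-debug-2
            platforms: linux/amd64,linux/arm64,linux/s390x,linux/riscv64,linux/ppc64le
            tag: ${{ github.sha }}-bootstrap
            release-tag: bootstrap
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
        with:
          egress-policy: audit
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Define build context
        id: context
        # Outputs consumed by later steps:
        #   image_name  - ghcr.io/<repo> for version-tag pushes, ghcr.io/<repo>-dev otherwise
        #   is_release  - "true" only for refs/tags/v* pushes
        #   should_push - "true" for every event except pull_request
        # The ref is read from the GITHUB_REF environment variable rather than
        # expanded into the script via ${{ github.ref }}, so that a ref name
        # can never be interpreted as shell syntax.
        run: |
          SHOULD_PUSH=${{ github.event_name != 'pull_request' }}
          case "$GITHUB_REF" in
            refs/tags/v*)
              IMAGE_NAME=ghcr.io/${{ github.repository }}
              IS_RELEASE=true
              ;;
            *)
              IMAGE_NAME=ghcr.io/${{ github.repository }}-dev
              IS_RELEASE=false
              ;;
          esac
          echo "image_name=$IMAGE_NAME" >> "$GITHUB_OUTPUT"
          echo "is_release=$IS_RELEASE" >> "$GITHUB_OUTPUT"
          echo "should_push=$SHOULD_PUSH" >> "$GITHUB_OUTPUT"
      - id: platforms
        # PR builds are amd64-only (faster, and nothing is pushed); pushed builds use the full matrix list.
        run: |
          if [[ "${{ steps.context.outputs.should_push }}" != "true" ]]; then
            echo "platforms=linux/amd64" >> "$GITHUB_OUTPUT"
          else
            echo "platforms=${{ matrix.platforms }}" >> "$GITHUB_OUTPUT"
          fi
      # QEMU is only needed for the multi-arch (pushed) builds.
      - if: steps.context.outputs.should_push == 'true'
        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
        with:
          platforms: ${{ matrix.platforms }}
      - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
      - name: Set build timestamp
        id: build-time
        run: echo "now=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> "$GITHUB_OUTPUT"
      - if: steps.context.outputs.should_push == 'true'
        # TODO(review): pin to a commit SHA with a version comment, like every other action in
        # this workflow; a mutable tag can be moved to different code without any change here.
        uses: docker/login-action@v4
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
        id: build-and-push
        with:
          context: .
          file: ./deploy/Dockerfile
          platforms: ${{ steps.platforms.outputs.platforms }}
          push: ${{ steps.context.outputs.should_push == 'true' }}
          tags: ${{ steps.context.outputs.image_name }}:${{ matrix.tag }}
          no-cache-filters: certs
          # https://github.com/docker/build-push-action/blob/master/docs/advanced/cache.md#github-cache
          cache-from: type=gha
          cache-to: type=gha,mode=max
          target: ${{ matrix.target }}
          annotations: |
            org.opencontainers.image.created=${{ steps.build-time.outputs.now }}
            org.opencontainers.image.authors=${{ github.actor }}
            org.opencontainers.image.url=${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
            org.opencontainers.image.documentation=${{ github.server_url }}/${{ github.repository }}/#readme
            org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}
            org.opencontainers.image.revision=${{ github.sha }}
            org.opencontainers.image.vendor=${{ github.repository_owner }}
            org.opencontainers.image.licenses=Apache-2.0
            org.opencontainers.image.title=${{ steps.context.outputs.image_name }}:${{ matrix.release-tag }}
            org.opencontainers.image.version=${{ steps.context.outputs.is_release == 'true' && github.ref_name || github.sha }}
      # Sign images if not a PR. Signing is by digest, so the signature covers exactly what was pushed.
      - if: steps.context.outputs.should_push == 'true'
        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
      - if: steps.context.outputs.should_push == 'true'
        run: |
          cosign sign --yes \
            ${{ steps.context.outputs.image_name }}@${{ steps.build-and-push.outputs.digest }}
      # If a tag push, use crane to add more tags.
      - if: steps.context.outputs.is_release == 'true'
        uses: imjasonh/setup-crane@6da1ae018866400525525ce74ff892880c099987 # v0.5
      - if: steps.context.outputs.is_release == 'true'
        name: Apply release tags
        run: |
          tag=${GITHUB_REF/refs\/tags\//}
          # Tag :latest, :debug, :slim
          crane cp ${{ steps.context.outputs.image_name }}@${{ steps.build-and-push.outputs.digest }} \
            ${{ steps.context.outputs.image_name }}:${{ matrix.release-tag }}
          if [[ "${{ matrix.release-tag }}" == "latest" ]]; then
            # Tag :latest images as :v1.X.Y
            crane cp ${{ steps.context.outputs.image_name }}@${{ steps.build-and-push.outputs.digest }} \
              ${{ steps.context.outputs.image_name }}:${tag}
          else
            # Or tag :v1.X.Y-debug and :v1.X.Y-slim
            crane cp ${{ steps.context.outputs.image_name }}@${{ steps.build-and-push.outputs.digest }} \
              ${{ steps.context.outputs.image_name }}:${tag}-${{ matrix.release-tag }}
          fi
      # If a tag push, distribute to other registries too
      - if: steps.context.outputs.is_release == 'true'
        # No `registry:` here, so this login targets Docker Hub.
        # TODO(review): pin to a commit SHA with a version comment, like every other action in this workflow.
        uses: docker/login-action@v4
        with:
          username: ${{ vars.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - if: steps.context.outputs.is_release == 'true'
        name: Distribute to Docker hub
        run: |
          tag=${GITHUB_REF/refs\/tags\//}
          # Tag :latest, :debug, :slim
          crane cp ghcr.io/${{ github.repository }}@${{ steps.build-and-push.outputs.digest }} \
            ${{ env.DOCKER_REPO }}:${{ matrix.release-tag }}
          if [[ "${{ matrix.release-tag }}" == "latest" ]]; then
            crane cp ghcr.io/${{ github.repository }}@${{ steps.build-and-push.outputs.digest }} \
              ${{ env.DOCKER_REPO }}:${tag}
          else
            crane cp ghcr.io/${{ github.repository }}@${{ steps.build-and-push.outputs.digest }} \
              ${{ env.DOCKER_REPO }}:${tag}-${{ matrix.release-tag }}
          fi
      - if: steps.context.outputs.is_release == 'true'
        name: Sign Docker Hub images
        # The signature records the ghcr.io digest as the container identity,
        # so the Docker Hub copy is verifiably the same image as the ghcr.io one.
        run: |
          cosign sign --yes \
            --sign-container-identity ghcr.io/${{ github.repository }}@${{ steps.build-and-push.outputs.digest }} \
            ${{ env.DOCKER_REPO }}@${{ steps.build-and-push.outputs.digest }}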