push image to staging registry (#159)

* push image to staging registry

* add Makefile

Author: raulcabello

.github/workflows/publish-docker-image.yml

@@ -10,29 +10,29 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: read
-      packages: write
+      id-token: write 
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
-      - name: Retrieve tag name (tag)
-        run: |
-          echo TAG_NAME=$(echo $GITHUB_REF | sed -e "s|refs/tags/||") >> $GITHUB_ENV
-      - name: Log in to GHCR
-        uses: docker/login-action@v3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name : "Read vault secrets"
+        uses : rancher-eio/read-vault-secrets@main
         with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-      - name: Build and push Docker image
-        uses: docker/build-push-action@v5
+          secrets: |
+            secret/data/github/repo/${{ github.repository }}/rancher-prime-stg-registry/credentials registry | STAGING_PRIME_REGISTRY ;
+            secret/data/github/repo/${{ github.repository }}/rancher-prime-stg-registry/credentials username | STAGING_PRIME_REGISTRY_USERNAME ;
+            secret/data/github/repo/${{ github.repository }}/rancher-prime-stg-registry/credentials password | STAGING_PRIME_REGISTRY_PASSWORD ;
+
+        # This encapsulates: login, qemu, build/push
+      - name: Build and push image
+        uses: rancher/ecm-distro-tools/actions/publish-image@master
         with:
-          context: .
-          platforms: linux/amd64,linux/arm64
-          push: true
-          file: package/Dockerfile
-          tags: ghcr.io/${{ github.repository }}:${{ env.TAG_NAME }}
+          image: rancher-ai-agent
+          tag: ${{ github.ref_name }}
+          push-to-prime: true
+          push-to-public: false
+          prime-registry: ${{ env.STAGING_PRIME_REGISTRY }}
+          prime-repo: rancher
+          prime-username: ${{ env.STAGING_PRIME_REGISTRY_USERNAME }}
+          prime-password: ${{ env.STAGING_PRIME_REGISTRY_PASSWORD }}

Makefile

@@ -0,0 +1,30 @@
+# Define target platforms, image builder and the fully qualified image name.
+TARGET_PLATFORMS ?= linux/amd64,linux/arm64
+
+REPO ?= rancher
+DIRTY := $(shell if [ -n "$$(git status --porcelain --untracked-files=no)" ]; then echo "-dirty"; fi)
+COMMIT ?= $(shell git rev-parse --short HEAD)
+GIT_TAG ?= $(shell git tag -l --contains HEAD | head -n 1)
+
+ifeq ($(DIRTY),)
+ifneq ($(GIT_TAG),)
+VERSION ?= $(GIT_TAG)
+endif
+endif
+VERSION ?= 0.0.0-$(COMMIT)$(DIRTY)
+
+TAG ?= $(VERSION)
+IMAGE = $(REPO)/rancher-ai-agent:$(TAG)
+
+push-image:
+	docker buildx build \
+		${IID_FILE_FLAG} \
+		--build-arg VERSION=$(VERSION) \
+		--build-arg COMMIT=$(COMMIT) \
+		--file package/Dockerfile \
+		--platform=${TARGET_PLATFORMS} \
+		--sbom=true \
+		--attest type=provenance,mode=max \
+		-t ${IMAGE} \
+		--push \
+		.