Merge pull request #1799 from furkatgofurov7/cleanup-values-cc #12
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Turtles release | |
| on: | |
| push: | |
| tags: | |
| - 'v*' | |
| workflow_dispatch: | |
| permissions: | |
| contents: read # to checkout code | |
| id-token: write # to read vault secrets | |
| jobs: | |
| release: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| include: | |
| - platform: linux/amd64 | |
| tag-suffix: "linux-amd64" | |
| - platform: linux/arm64 | |
| tag-suffix: "linux-arm64" | |
| env: | |
| TAG: ${{ github.ref_name }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 | |
| with: | |
| fetch-depth: 0 | |
| - name: Setup QEMU | |
| uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 | |
| with: | |
| image: tonistiigi/binfmt:qemu-v8.1.5 | |
| cache-image: false | |
| - name: Read Vault secrets | |
| uses: rancher-eio/read-vault-secrets@main | |
| with: | |
| secrets: | | |
| secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | DOCKER_USERNAME ; | |
| secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | DOCKER_PASSWORD ; | |
| secret/data/github/repo/${{ github.repository }}/rancher-prime-stg-registry/credentials registry | STAGE_REGISTRY ; | |
| secret/data/github/repo/${{ github.repository }}/rancher-prime-stg-registry/credentials username | STAGE_REGISTRY_USERNAME ; | |
| secret/data/github/repo/${{ github.repository }}/rancher-prime-stg-registry/credentials password | STAGE_REGISTRY_PASSWORD ; | |
| - name: Log into Docker Hub registry | |
| uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3 | |
| with: | |
| username: ${{ env.DOCKER_USERNAME }} | |
| password: ${{ env.DOCKER_PASSWORD }} | |
| - name: Log into Staging registry | |
| uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3 | |
| with: | |
| username: ${{ env.STAGE_REGISTRY_USERNAME }} | |
| password: ${{ env.STAGE_REGISTRY_PASSWORD }} | |
| registry: ${{ env.STAGE_REGISTRY }} | |
| - name: Build and push community image | |
| shell: bash | |
| env: | |
| REGISTRY: docker.io | |
| ORG: rancher | |
| run: | | |
| IID_FILE=$(mktemp) | |
| make docker-build-and-push-community TAG=${{ env.TAG }}-${{ matrix.tag-suffix }} REGISTRY=${{ env.REGISTRY }} ORG=${{ env.ORG }} IID_FILE=${IID_FILE} TARGET_PLATFORMS=${{ matrix.platform }} | |
| - name: Build and push prime image | |
| shell: bash | |
| env: | |
| REGISTRY: ${{ env.STAGE_REGISTRY }} | |
| ORG: rancher | |
| run: | | |
| IID_FILE=$(mktemp) | |
| make docker-build-and-push-prime TAG=${{ env.TAG }}-${{ matrix.tag-suffix }} REGISTRY=${{ env.REGISTRY }} ORG=${{ env.ORG }} IID_FILE=${IID_FILE} TARGET_PLATFORMS=${{ matrix.platform }} | |
| merge: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| include: | |
| - image-type: community | |
| - image-type: prime | |
| env: | |
| TAG: ${{ github.ref_name }} | |
| needs: | |
| - release | |
| steps: | |
| - name: Read Vault secrets | |
| uses: rancher-eio/read-vault-secrets@main | |
| with: | |
| secrets: | | |
| secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | DOCKER_USERNAME ; | |
| secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | DOCKER_PASSWORD ; | |
| secret/data/github/repo/${{ github.repository }}/rancher-prime-stg-registry/credentials registry | STAGE_REGISTRY ; | |
| secret/data/github/repo/${{ github.repository }}/rancher-prime-stg-registry/credentials username | STAGE_REGISTRY_USERNAME ; | |
| secret/data/github/repo/${{ github.repository }}/rancher-prime-stg-registry/credentials password | STAGE_REGISTRY_PASSWORD ; | |
| secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ; | |
| - name: Log into Docker Hub registry | |
| if: ${{ matrix.image-type == 'community' }} | |
| uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3 | |
| with: | |
| username: ${{ env.DOCKER_USERNAME }} | |
| password: ${{ env.DOCKER_PASSWORD }} | |
| - name: Log into Staging registry | |
| if: ${{ matrix.image-type == 'prime' }} | |
| uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3 | |
| with: | |
| username: ${{ env.STAGE_REGISTRY_USERNAME }} | |
| password: ${{ env.STAGE_REGISTRY_PASSWORD }} | |
| registry: ${{ env.STAGE_REGISTRY }} | |
| - name: Install Cosign | |
| if: ${{ matrix.image-type == 'prime' }} | |
| uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0 | |
| - name: Install slsactl | |
| if: ${{ matrix.image-type == 'prime' }} | |
| uses: rancherlabs/slsactl/actions/install-slsactl@b01dab9e871b6d039a1befb15a63175eccd90cbc # v0.0.15 | |
| - name: Create multi-platform image and push | |
| shell: bash | |
| run: | | |
| IMAGE="turtles" | |
| if [ "${{ matrix.image-type }}" = "community" ]; then | |
| URL="docker.io/rancher/${IMAGE}:${{ env.TAG }}" | |
| docker buildx imagetools create -t "${URL}" \ | |
| "${URL}-linux-amd64" \ | |
| "${URL}-linux-arm64" | |
| echo "Pushed multi-platform image: ${URL}" | |
| elif [ "${{ matrix.image-type }}" = "prime" ]; then | |
| URL="${{ env.STAGE_REGISTRY }}/rancher/${IMAGE}:${{ env.TAG }}" | |
| docker buildx imagetools create -t "${URL}" \ | |
| "${URL}-linux-amd64" \ | |
| "${URL}-linux-arm64" | |
| echo "Pushed multi-platform image: ${URL}" | |
| # Extract the multi-platform image digest for signing | |
| docker pull ${URL} | |
| IMAGE_DIGEST=$( docker inspect --format='{{index .RepoDigests 0}}' ${URL} | sed 's/.*@//' ) | |
| # Set as environment variable for next steps | |
| MULTI_PLATFORM_IMAGE="${{ env.STAGE_REGISTRY }}/rancher/${IMAGE}@${IMAGE_DIGEST}" | |
| echo "MULTI_PLATFORM_IMAGE"=${MULTI_PLATFORM_IMAGE} >> "$GITHUB_ENV" | |
| fi | |
| - name: Sign multi-platform image | |
| shell: bash | |
| if: ${{ matrix.image-type == 'prime' }} | |
| run: | | |
| cosign sign \ | |
| --oidc-provider=github-actions \ | |
| --yes \ | |
| --sign-container-identity="${{ env.PRIME_REGISTRY }}/rancher/${IMAGE}" \ | |
| "${MULTI_PLATFORM_IMAGE}" | |
| - name: Attest provenance | |
| shell: bash | |
| if: ${{ matrix.image-type == 'prime' }} | |
| run: | | |
| max_retries=3 | |
| retry_delay=5 | |
| i=0 | |
| while [ "${i}" -lt "${max_retries}" ]; do | |
| if slsactl download provenance --format=slsav1 "${MULTI_PLATFORM_IMAGE}" > provenance-slsav1.json; then | |
| break | |
| fi | |
| if [ "${i}" -eq "$(( max_retries - 1 ))" ]; then | |
| echo "ERROR: Failed to generate slsav1 provenance. Check whether the image is present in the Prime registry." | |
| exit 1 | |
| fi | |
| i=$(( i + 1 )) | |
| sleep "${retry_delay}" | |
| done | |
| cat provenance-slsav1.json | |
| cosign attest --yes --predicate provenance-slsav1.json --type slsaprovenance1 "${MULTI_PLATFORM_IMAGE}" |