chore(deps): update quay.io/fedora/fedora:43 docker digest to 7897958… #1334
| name: Build all | |
| on: | |
| workflow_dispatch: | |
| push: | |
| branches: | |
| - main | |
| paths-ignore: | |
| - '**/README.md' | |
| # schedule: | |
| # # Every Saturday at 2AM UTC | |
| # - cron: "0 2 * * 6" | |
| pull_request: | |
| branches: | |
| - 'main' | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| env: | |
| DNF_CACHE_PATH: /var/cache/libdnf5 # F41+ and newer F40 with libdnf5 | |
| HOST_DNF_CACHE_PATH: /tmp/libdnf5 # Any path is okay | |
| DNF_CACHE_PURGE_THRESHOLD_MB: 400 | |
| jobs: | |
| build-and-push: | |
| strategy: | |
| matrix: | |
| job: | |
| - { name: amd64, os: ubuntu-latest, pretty-name: Build and push amd64 image } | |
| - { name: arm64, os: ubuntu-24.04-arm, pretty-name: Build and push arm64 image } | |
| runs-on: ${{ matrix.job.os }} | |
| name: ${{ matrix.job.pretty-name }} | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write # needed for signing the images with GitHub OIDC Token | |
| attestations: write | |
| steps: | |
| - name: Harden the runner (Audit all outbound calls) | |
| uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 | |
| with: | |
| egress-policy: audit | |
| - name: Check out the repository | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| persist-credentials: false | |
| - name: Mkdir for DNF Cache | |
| run: mkdir -p ${{ env.HOST_DNF_CACHE_PATH }} | |
| - name: Restore DNF Cache | |
| uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 | |
| with: | |
| path: ${{ env.HOST_DNF_CACHE_PATH }} | |
| key: dnf-cache-${{ matrix.job.name }} | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1 | |
| - name: Extract metadata for Docker (main) | |
| id: meta-main | |
| uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0 | |
| with: | |
| images: ghcr.io/${{ github.repository }} | |
| flavor: | | |
| latest=false | |
| tags: | | |
| type=raw,value={{date 'YYYYMMDD'}}-${{ matrix.job.name }},enable={{is_default_branch}} | |
| type=raw,value=latest-${{ matrix.job.name }},enable={{is_default_branch}} | |
| type=ref,event=pr,suffix=-${{ matrix.job.name }} | |
| - name: Login ghcr.io | |
| uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Buildah Action (main) | |
| id: build-image-main | |
| uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2.13 | |
| with: | |
| context: . | |
| containerfiles: Dockerfile | |
| tags: ${{ steps.meta-main.outputs.tags }} | |
| oci: true | |
| extra-args: | | |
| --squash | |
| -v ${{ env.HOST_DNF_CACHE_PATH }}:${{ env.DNF_CACHE_PATH }} | |
| - name: Purge dnf5 cache if too big | |
| run: | | |
| # Folder size (KB) | |
| folder_size=$(du -sk ${{ env.HOST_DNF_CACHE_PATH }} | cut -f1) | |
| echo "Folder size: ${folder_size} KB; $(($folder_size /1024)) MB" | |
| # 100MB = 100 * 1024 KB | |
| threshold=$((${{ env.DNF_CACHE_PURGE_THRESHOLD_MB }} * 1024)) | |
| echo "Threshold size: ${threshold} KB; ${{ env.DNF_CACHE_PURGE_THRESHOLD_MB }} MB" | |
| if [ "$folder_size" -gt "$threshold" ]; then | |
| echo "Threshold size exceed, purging." | |
| rm -rf ${{ env.HOST_DNF_CACHE_PATH }}/* | |
| echo '### DNF Cache purging: true' >> $GITHUB_STEP_SUMMARY | |
| else | |
| echo "Threshold size is not exceed." | |
| echo '### DNF Cache purging: false' >> $GITHUB_STEP_SUMMARY | |
| fi | |
| - name: Save DNF Cache | |
| uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 | |
| with: | |
| path: ${{ env.HOST_DNF_CACHE_PATH }} | |
| key: dnf-cache-${{ matrix.job.name }}-${{ github.run_id }} | |
| - name: Push (main) | |
| id: push-main | |
| uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2.8 | |
| with: | |
| image: ${{ steps.build-image-main.outputs.image }} | |
| tags: ${{ steps.build-image-main.outputs.tags }} | |
| extra-args: | | |
| --compression-format=zstd | |
| - name: Write digest to file | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| digest="${{ steps.push-main.outputs.digest }}" | |
| test -n "$digest" | |
| mkdir -p /tmp/digests | |
| echo "$digest" > "/tmp/digests/${{ matrix.job.name }}.digest" | |
| echo "${{ github.sha }}" > "/tmp/digests/${{ matrix.job.name }}.sha" | |
| - name: Upload digest artifact | |
| uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 | |
| with: | |
| name: digests-${{ github.sha }}-${{ matrix.job.name }} | |
| path: /tmp/digests | |
| if-no-files-found: error | |
| retention-days: 1 | |
| - name: Attest (main) | |
| uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0 | |
| if: github.event_name != 'pull_request' | |
| with: | |
| subject-name: ghcr.io/${{ github.repository }} | |
| subject-digest: ${{ steps.push-main.outputs.digest }} | |
| push-to-registry: true | |
| link-container-tags: | |
| runs-on: ubuntu-24.04-arm | |
| name: Link Container tags | |
| needs: build-and-push | |
| if: github.event_name != 'pull_request' | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write # needed for signing the images with GitHub OIDC Token | |
| attestations: write | |
| steps: | |
| - name: Harden the runner (Audit all outbound calls) | |
| uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 | |
| with: | |
| egress-policy: audit | |
| - name: Download digest artifacts | |
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 | |
| with: | |
| pattern: digests-${{ github.sha }}-* | |
| path: /tmp/digests_downloaded | |
| merge-multiple: true | |
| - name: Read digests | |
| id: read | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| AMD64_DIGEST="$(cat /tmp/digests_downloaded/amd64.digest)" | |
| ARM64_DIGEST="$(cat /tmp/digests_downloaded/arm64.digest)" | |
| test -n "$AMD64_DIGEST" | |
| test -n "$ARM64_DIGEST" | |
| test "$(cat /tmp/digests_downloaded/amd64.sha)" = "${GITHUB_SHA}" | |
| test "$(cat /tmp/digests_downloaded/arm64.sha)" = "${GITHUB_SHA}" | |
| echo "amd64_digest=$AMD64_DIGEST" >> "$GITHUB_OUTPUT" | |
| echo "arm64_digest=$ARM64_DIGEST" >> "$GITHUB_OUTPUT" | |
| - name: Login ghcr.io | |
| uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Get Date | |
| id: get-date | |
| shell: bash | |
| run: | | |
| echo "date=$(/bin/date -u "+%Y%m%d")" >> $GITHUB_OUTPUT | |
| - name: Create and push manifest (latest) via imagetools | |
| env: | |
| IMAGE: ghcr.io/${{ github.repository }} | |
| AMD64: ${{ steps.read.outputs.amd64_digest }} | |
| ARM64: ${{ steps.read.outputs.arm64_digest }} | |
| run: | | |
| set -euo pipefail | |
| docker buildx imagetools create \ | |
| -t "${IMAGE}:latest" \ | |
| "${IMAGE}@${AMD64}" \ | |
| "${IMAGE}@${ARM64}" | |
| - name: Create and push manifest (time) via imagetools | |
| env: | |
| IMAGE: ghcr.io/${{ github.repository }} | |
| AMD64: ${{ steps.read.outputs.amd64_digest }} | |
| ARM64: ${{ steps.read.outputs.arm64_digest }} | |
| DATE: ${{ steps.get-date.outputs.date }} | |
| run: | | |
| set -euo pipefail | |
| docker buildx imagetools create \ | |
| -t "${IMAGE}:${DATE}" \ | |
| "${IMAGE}@${AMD64}" \ | |
| "${IMAGE}@${ARM64}" | |
| # Hope to get rid of this in the future | |
| # Otherwise, the digest can't being guaranteed | |
| # https://github.com/docker/buildx/issues/2407 | |
| - name: Get manifest digest (latest) | |
| id: digest-latest | |
| run: | | |
| set -euo pipefail | |
| IMAGE="ghcr.io/${{ github.repository }}" | |
| DIGEST="$(docker buildx imagetools inspect "${IMAGE}:latest" --format '{{json .Manifest}}' | jq -r '.digest // empty')" | |
| test -n "$DIGEST" | |
| echo "digest=$DIGEST" >> "$GITHUB_OUTPUT" | |
| - name: Get manifest digest (time) | |
| id: digest-time | |
| env: | |
| DATE: ${{ steps.get-date.outputs.date }} | |
| run: | | |
| set -euo pipefail | |
| IMAGE="ghcr.io/${{ github.repository }}" | |
| DIGEST="$(docker buildx imagetools inspect "${IMAGE}:${DATE}" --format '{{json .Manifest}}' | jq -r '.digest // empty')" | |
| test -n "$DIGEST" | |
| echo "digest=$DIGEST" >> "$GITHUB_OUTPUT" | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1 | |
| - name: Attest (Tag resign) (latest) | |
| uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0 | |
| with: | |
| subject-name: ghcr.io/${{ github.repository }} | |
| subject-digest: ${{ steps.digest-latest.outputs.digest }} | |
| push-to-registry: true | |
| - name: Attest (Tag resign) (time) | |
| uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0 | |
| with: | |
| subject-name: ghcr.io/${{ github.repository }} | |
| subject-digest: ${{ steps.digest-time.outputs.digest }} | |
| push-to-registry: true | |
| # This will cover all the related tags | |
| - name: Sign the images with GitHub OIDC Token (recursive) | |
| env: | |
| IMAGE: ghcr.io/${{ github.repository }}@${{ steps.digest-time.outputs.digest }} | |
| run: | | |
| cosign sign --yes --recursive ${IMAGE} | |
| - name: Output summary | |
| env: | |
| IMAGE: ghcr.io/${{ github.repository }} | |
| DATE: ${{ steps.get-date.outputs.date }} | |
| run: | | |
| echo '## Container tag inspect for `latest` tag' >> "$GITHUB_STEP_SUMMARY" | |
| echo '```' >> "$GITHUB_STEP_SUMMARY" | |
| docker buildx imagetools inspect "${IMAGE}:latest" >> "$GITHUB_STEP_SUMMARY" | |
| echo '```' >> "$GITHUB_STEP_SUMMARY" | |
| echo "## Container tag inspect for \`${DATE}\` (date) tag" >> "$GITHUB_STEP_SUMMARY" | |
| echo '```' >> "$GITHUB_STEP_SUMMARY" | |
| docker buildx imagetools inspect "${IMAGE}:${DATE}" >> "$GITHUB_STEP_SUMMARY" | |
| echo '```' >> "$GITHUB_STEP_SUMMARY" | |
| # For PR Test Only | |
| # https://stackoverflow.com/questions/59077079/how-to-get-pull-request-number-within-github-actions-workflow | |
| link-container-tags-test: | |
| runs-on: ubuntu-24.04-arm | |
| name: Link Container tags (PR Test) | |
| needs: build-and-push | |
| if: github.event_name == 'pull_request' | |
| permissions: | |
| contents: read | |
| packages: write | |
| steps: | |
| - name: Harden the runner (Audit all outbound calls) | |
| uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 | |
| with: | |
| egress-policy: audit | |
| - name: Download digest artifacts | |
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 | |
| with: | |
| pattern: digests-${{ github.sha }}-* | |
| path: /tmp/digests_downloaded | |
| merge-multiple: true | |
| - name: Read digests | |
| id: read | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| AMD64_DIGEST="$(cat /tmp/digests_downloaded/amd64.digest)" | |
| ARM64_DIGEST="$(cat /tmp/digests_downloaded/arm64.digest)" | |
| test -n "$AMD64_DIGEST" | |
| test -n "$ARM64_DIGEST" | |
| test "$(cat /tmp/digests_downloaded/amd64.sha)" = "${GITHUB_SHA}" | |
| test "$(cat /tmp/digests_downloaded/arm64.sha)" = "${GITHUB_SHA}" | |
| echo "amd64_digest=$AMD64_DIGEST" >> "$GITHUB_OUTPUT" | |
| echo "arm64_digest=$ARM64_DIGEST" >> "$GITHUB_OUTPUT" | |
| - name: Get PR number | |
| id: pr | |
| run: echo "PR_NUMBER=${{ github.event.pull_request.number }}" >> $GITHUB_OUTPUT | |
| - name: Login ghcr.io | |
| uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Create and push manifest (PR) via imagetools | |
| env: | |
| IMAGE: ghcr.io/${{ github.repository }} | |
| AMD64: ${{ steps.read.outputs.amd64_digest }} | |
| ARM64: ${{ steps.read.outputs.arm64_digest }} | |
| PR_NUMBER: ${{ github.event.pull_request.number }} | |
| run: | | |
| set -euo pipefail | |
| docker buildx imagetools create \ | |
| -t "${IMAGE}:pr-${PR_NUMBER}" \ | |
| "${IMAGE}@${AMD64}" \ | |
| "${IMAGE}@${ARM64}" | |
| - name: Output summary | |
| env: | |
| IMAGE: ghcr.io/${{ github.repository }} | |
| PR_NUMBER: ${{ github.event.pull_request.number }} | |
| run: | | |
| echo "## Container tag inspect for PR-${PR_NUMBER}" >> "$GITHUB_STEP_SUMMARY" | |
| echo '```' >> "$GITHUB_STEP_SUMMARY" | |
| docker buildx imagetools inspect "${IMAGE}:pr-${PR_NUMBER}" >> "$GITHUB_STEP_SUMMARY" | |
| echo '```' >> "$GITHUB_STEP_SUMMARY" |
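Review bot: The date in the per-arch tags and the date in the multi-arch manifest tag are computed at different moments — `type=raw,value={{date 'YYYYMMDD'}}-…` is evaluated by metadata-action separately inside each matrix job, while `link-container-tags` runs `/bin/date -u "+%Y%m%d"` in its own `Get Date` step after both builds finish — so a run that straddles midnight UTC can publish `YYYYMMDD-amd64`/`YYYYMMDD-arm64` tags whose date differs from the `YYYYMMDD` manifest that references them (and the two arch tags can disagree with each other); both appear to use UTC, so the gap is only timing. Computing the date once in the build job, using it in the metadata-action tag, and carrying it in the digest artifact next to the existing `<arch>.digest`/`<arch>.sha` files would let `Read digests` take it from `amd64.date` (after checking it equals `arm64.date`) instead of calling `/bin/date` again. Separately, the `Get PR number` step (`id: pr`) writes an output nothing reads — the later steps use `github.event.pull_request.number` directly — so it can be dropped, and the comment `# 100MB = 100 * 1024 KB` in the purge step is stale now that the threshold is `DNF_CACHE_PURGE_THRESHOLD_MB: 400`; I'd change it to `# Threshold in KB = DNF_CACHE_PURGE_THRESHOLD_MB * 1024`. As a point of style, the purge and `Write digest to file` steps splice `${{ env.* }}`/`${{ steps.* }}` straight into the shell text while the later imagetools steps pass the same kind of values through `env:`; since the workflow-level `env` is already exported, `"$HOST_DNF_CACHE_PATH"` works directly and keeps the steps consistent.
```yaml
      - name: Get Date
        id: get-date
        shell: bash
        run: echo "date=$(date -u +%Y%m%d)" >> "$GITHUB_OUTPUT"
      # … unchanged: Extract metadata for Docker (main), except the date tag …
            type=raw,value=${{ steps.get-date.outputs.date }}-${{ matrix.job.name }},enable={{is_default_branch}}
      # … unchanged: login, build, purge, save, push …
      - name: Write digest to file
        shell: bash
        env:
          DATE: ${{ steps.get-date.outputs.date }}
        run: |
          set -euo pipefail
          # … unchanged: digest check, mkdir, .digest and .sha files …
          echo "$DATE" > "/tmp/digests/${{ matrix.job.name }}.date"
```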