Merge pull request #5356 from simonpasquier/cosign-images
build: sign tagged container images with cosign
commit
567d65d4e1
2 changed files with 49 additions and 24 deletions
14
.github/workflows/publish.yaml
|
@ -23,17 +23,27 @@ jobs:
|
|||
uses: actions/setup-go@v3
|
||||
with:
|
||||
go-version: '${{ env.golang-version }}'
|
||||
- name: login to quay.io
|
||||
- name: Install cosign
|
||||
uses: sigstore/cosign-installer@main
|
||||
- name: Check the cosign version
|
||||
run: cosign version
|
||||
- name: Install crane
|
||||
uses: imjasonh/setup-crane@v0.3
|
||||
- name: Login to quay.io
|
||||
uses: docker/login-action@v2
|
||||
with:
|
||||
registry: quay.io
|
||||
username: ${{ secrets.quay_username }}
|
||||
password: ${{ secrets.quay_password }}
|
||||
- name: login to ghcr.io
|
||||
- name: Login to ghcr.io
|
||||
uses: docker/login-action@v2
|
||||
with:
|
||||
registry: ghcr.io
|
||||
username: ${{ github.repository_owner }}
|
||||
password: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Cosign login
|
||||
run: |
|
||||
echo "${{ secrets.GITHUB_TOKEN }}" | cosign login -u ${{ github.repository_owner }} --password-stdin ghcr.io
|
||||
echo "${{ secrets.quay_password }}" | cosign login -u ${{ github.quay_username }} --password-stdin quay.io
|
||||
- name: Build images and push
|
||||
run: ./scripts/push-docker-image.sh
|
||||
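Review bot: The second line of the new "Cosign login" step takes the username from `${{ github.quay_username }}`, but `quay_username` is not a property of the `github` context — the docker login step above reads it from `${{ secrets.quay_username }}` — so the expression evaluates to empty and the quay.io login runs with no user; change it to `echo "${{ secrets.quay_password }}" | cosign login -u "${{ secrets.quay_username }}" --password-stdin quay.io`. Separately, `uses: sigstore/cosign-installer@main` tracks a moving branch of the tool that produces the signatures; pin it to a release tag or commit SHA like the other actions in this job (`docker/login-action@v2`, `imjasonh/setup-crane@v0.3`). The two secrets are also expanded straight into the `run:` script text; passing them via `env:` and referencing them as shell variables avoids that interpolation. The job's `permissions:` block is outside this hunk; keyless signing (the script exports COSIGN_EXPERIMENTAL=true) needs `id-token: write`, which is worth confirming there.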
|
|
|
@ -16,27 +16,35 @@ set -e
|
|||
# only exit with zero if all commands of the pipeline exit successfully
|
||||
set -o pipefail
|
||||
|
||||
CPU_ARCHS="amd64 arm64 arm ppc64le s390x"
|
||||
CPU_ARCHS="${CPU_ARCHS:-"amd64 arm64 arm ppc64le s390x"}"
|
||||
REGISTRIES="${REGISTRIES:-"quay.io ghcr.io"}"
|
||||
|
||||
# IMAGE_OPERATOR, IMAGER_RELOADER and IMAGE_WEBHOOK need to be exported to be used by `make`
|
||||
export IMAGE_OPERATOR="${IMAGE_OPERATOR:-"prometheus-operator/prometheus-operator"}"
|
||||
export IMAGE_RELOADER="${IMAGE_RELOADER:-"prometheus-operator/prometheus-config-reloader"}"
|
||||
export IMAGE_WEBHOOK="${IMAGE_WEBHOOK:="prometheus-operator/admission-webhook"}"
|
||||
# Figure out if current commit is tagged
|
||||
export TAG="${GITHUB_REF##*/}"
|
||||
|
||||
# Push `-dev` images unless commit is tagged
|
||||
# GITHUB_REF and GITHUB_SHA are automatically populated in GitHub actions.
|
||||
# Otherwise compute them.
|
||||
COMMIT_SHA="$(echo "${GITHUB_SHA:-$(git rev-parse HEAD)}" | cut -c1-8)"
|
||||
GITHUB_REF="${GITHUB_REF:-$(git symbolic-ref HEAD)}"
|
||||
TAG="${GITHUB_REF##*/}"
|
||||
|
||||
IMAGE_SUFFIX="-dev"
|
||||
MAIN_BRANCH=""
|
||||
|
||||
# Use the main image repository if TAG is a semver tag or it is a main or master branch.
|
||||
# Otherwise assemble the image tag from VERSION file + short commit SHA and
|
||||
# push them to the dev image repository.
|
||||
if [[ "$TAG" =~ ^v[0-9]+\.[0-9]+ ]] || [ "${TAG}" == "master" ] || [ "${TAG}" == "main" ]; then
|
||||
# Use the "official" image repository if TAG is a semver tag or it is the main
|
||||
# branch.
|
||||
# Otherwise (e.g. release branches), assemble the image tag from VERSION file +
|
||||
# short commit SHA and push them to the -dev image repository.
|
||||
if [[ "$TAG" =~ ^v[0-9]+\.[0-9]+ ]] || [ "${TAG}" == "main" ]; then
|
||||
# Reset suffixes as images are not development ones
|
||||
IMAGE_SUFFIX=""
|
||||
if [[ "${TAG}" == "main" ]]; then
|
||||
MAIN_BRANCH="yes"
|
||||
fi
|
||||
else
|
||||
TAG="v$(cat "$(git rev-parse --show-toplevel)/VERSION")-$(git rev-parse --short HEAD)"
|
||||
TAG="v$(cat "$(git rev-parse --show-toplevel)/VERSION")-${COMMIT_SHA}"
|
||||
fi
|
||||
|
||||
# Compose full image names for retagging and publishing to remote container registries
|
||||
|
@ -70,25 +78,32 @@ for arch in ${CPU_ARCHS}; do
|
|||
done
|
||||
done
|
||||
|
||||
# Compose multi-arch images and push them to remote repositories
|
||||
# Compose the multi-arch images and push them to remote repositories.
|
||||
export DOCKER_CLI_EXPERIMENTAL=enabled
|
||||
export COSIGN_EXPERIMENTAL=true
|
||||
for r in ${OPERATORS} ${RELOADERS} ${WEBHOOKS}; do
|
||||
# Images need to be on remote registry before creating manifests
|
||||
# Images need to be pushed to the remote registry before creating the manifest.
|
||||
MANIFEST="${r}:${TAG}"
|
||||
IMAGES=()
|
||||
for arch in $CPU_ARCHS; do
|
||||
docker push "${r}:${TAG}-$arch"
|
||||
docker push "${r}:${TAG}-${arch}"
|
||||
IMAGES=("${IMAGES[@]} ${r}:${TAG}-${arch}")
|
||||
done
|
||||
|
||||
# Create manifest to join all images under one virtual tag
|
||||
docker manifest create -a "${r}:${TAG}" \
|
||||
"${r}:${TAG}-amd64" \
|
||||
"${r}:${TAG}-arm64" \
|
||||
"${r}:${TAG}-arm" \
|
||||
"${r}:${TAG}-ppc64le" \
|
||||
"${r}:${TAG}-s390x"
|
||||
# Create the manifest to join all images under one virtual tag.
|
||||
docker manifest create "${MANIFEST}" "${IMAGES[@]}"
|
||||
|
||||
# Annotate to set which image is build for which CPU architecture
|
||||
# Annotate to set which image is build for which CPU architecture.
|
||||
for arch in $CPU_ARCHS; do
|
||||
docker manifest annotate --arch "$arch" "${r}:${TAG}" "${r}:${TAG}-$arch"
|
||||
docker manifest annotate --arch "$arch" "${MANIFEST}" "${r}:${TAG}-$arch"
|
||||
done
|
||||
docker manifest push "${r}:${TAG}"
|
||||
|
||||
# Push the manifest to the remote registry.
|
||||
docker manifest push "${MANIFEST}"
|
||||
|
||||
# Sign the manifest for official tags.
|
||||
if [[ -n "${MAIN_BRANCH}" ]]; then
|
||||
DIGEST="$(crane digest "${MANIFEST}")"
|
||||
cosign sign --force -a GIT_HASH="${COMMIT_SHA}" -a GIT_VERSION="${TAG}" "${MANIFEST}@${DIGEST}"
|
||||
fi
|
||||
done
|
||||
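Review bot: `IMAGES=("${IMAGES[@]} ${r}:${TAG}-${arch}")` in the second hunk never grows the array: a quoted `${IMAGES[@]}` joined with trailing text collapses to a single word, so after the loop `IMAGES` holds one element containing every reference space-separated (with a leading space from the first iteration), and `docker manifest create "${MANIFEST}" "${IMAGES[@]}"` receives them as one malformed argument; append with `IMAGES+=("${r}:${TAG}-${arch}")` instead. The signing gate `if [[ -n "${MAIN_BRANCH}" ]]; then` only fires for the `main` branch (the first hunk sets MAIN_BRANCH only when TAG is `main`), so semver-tagged releases — the images the commit title and the comment "Sign the manifest for official tags" refer to — are left unsigned; if that is unintended, `if [[ -z "${IMAGE_SUFFIX}" ]]; then` covers both official cases. The file header for this section is not shown; from the workflow's `run:` line this appears to be scripts/push-docker-image.sh.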
|
|