fetch upstream #1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Image CI Build | |
| # Any change in triggers needs to be reflected in the concurrency group. | |
| on: | |
| pull_request_target: | |
| types: | |
| - opened | |
| - synchronize | |
| - reopened | |
| push: | |
| branches: | |
| - main | |
| - ft/main/** | |
| # If the cache was cleaned we should re-build the cache with the latest commit | |
| workflow_run: | |
| workflows: | |
| - "Image CI Cache Cleaner" | |
| branches: | |
| - main | |
| - ft/main/** | |
| types: | |
| - completed | |
| permissions: | |
| # To be able to access the repository with `actions/checkout` | |
| contents: read | |
| # Required to generate OIDC tokens for `sigstore/cosign-installer` authentication | |
| id-token: write | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after }} | |
| cancel-in-progress: true | |
| jobs: | |
| build-and-push-prs: | |
| timeout-minutes: 45 | |
| name: Build and Push Images | |
| runs-on: ${{ vars.GH_RUNNER_EXTRA_POWER }} | |
| strategy: | |
| matrix: | |
| include: | |
| - name: cilium | |
| dockerfile: ./images/cilium/Dockerfile | |
| platforms: linux/amd64,linux/arm64 | |
| - name: cilium-cli | |
| dockerfile: ./cilium-cli/Dockerfile | |
| platforms: linux/amd64 | |
| - name: operator-aws | |
| dockerfile: ./images/operator/Dockerfile | |
| platforms: linux/amd64,linux/arm64 | |
| - name: operator-azure | |
| dockerfile: ./images/operator/Dockerfile | |
| platforms: linux/amd64,linux/arm64 | |
| - name: operator-alibabacloud | |
| dockerfile: ./images/operator/Dockerfile | |
| platforms: linux/amd64,linux/arm64 | |
| - name: operator-generic | |
| dockerfile: ./images/operator/Dockerfile | |
| platforms: linux/amd64,linux/arm64 | |
| - name: hubble-relay | |
| dockerfile: ./images/hubble-relay/Dockerfile | |
| platforms: linux/amd64,linux/arm64 | |
| - name: clustermesh-apiserver | |
| dockerfile: ./images/clustermesh-apiserver/Dockerfile | |
| platforms: linux/amd64,linux/arm64 | |
| - name: docker-plugin | |
| dockerfile: ./images/cilium-docker-plugin/Dockerfile | |
| platforms: linux/amd64,linux/arm64 | |
| steps: | |
| - name: Checkout default branch (trusted) | |
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| with: | |
| ref: ${{ github.event.repository.default_branch }} | |
| persist-credentials: false | |
| - name: Cleanup Disk space in runner | |
| uses: ./.github/actions/disk-cleanup | |
| - name: Set Environment Variables | |
| uses: ./.github/actions/set-env-variables | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 | |
| - name: Login to quay.io for CI | |
| uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
| with: | |
| registry: quay.io | |
| username: ${{ secrets.QUAY_USERNAME_CI }} | |
| password: ${{ secrets.QUAY_PASSWORD_CI }} | |
| - name: Getting image tag | |
| id: tag | |
| run: | | |
| if [ "${{ github.event.pull_request.head.sha }}" != "" ]; then | |
| echo tag=${{ github.event.pull_request.head.sha }} >> $GITHUB_OUTPUT | |
| else | |
| echo tag=${{ github.sha }} >> $GITHUB_OUTPUT | |
| fi | |
| if [ "${{ github.ref_name }}" == "${{ github.event.repository.default_branch }}" ]; then | |
| echo floating_tag=latest >> $GITHUB_OUTPUT | |
| else | |
| echo floating_tag=${{ github.ref_name }} >> $GITHUB_OUTPUT | |
| fi | |
| # Warning: since this is a privileged workflow, subsequent workflow job | |
| # steps must take care not to execute untrusted code. | |
| - name: Checkout pull request branch (NOT TRUSTED) | |
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| with: | |
| persist-credentials: false | |
| ref: ${{ steps.tag.outputs.tag }} | |
| # Load Golang cache build from GitHub | |
| - name: Load ${{ matrix.name }} Golang cache build from GitHub | |
| uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 | |
| id: cache | |
| with: | |
| path: /tmp/.cache/${{ matrix.name }} | |
| key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}-${{ matrix.name }}-${{ github.sha }} | |
| restore-keys: | | |
| ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}-${{ matrix.name }}- | |
| ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}- | |
| ${{ runner.os }}-go- | |
| - name: Create ${{ matrix.name }} cache directory | |
| if: ${{ steps.cache.outputs.cache-hit != 'true' }} | |
| shell: bash | |
| run: | | |
| mkdir -p /tmp/.cache/${{ matrix.name }} | |
| # Import GitHub's cache build to docker cache | |
| - name: Copy ${{ matrix.name }} Golang cache to docker cache | |
| uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0 | |
| with: | |
| provenance: false | |
| context: /tmp/.cache/${{ matrix.name }} | |
| file: ./images/cache/Dockerfile | |
| push: false | |
| platforms: linux/amd64 | |
| target: import-cache | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0 | |
| # main branch pushes | |
| - name: CI Build ${{ matrix.name }} | |
| if: ${{ github.event_name != 'pull_request_target' && !startsWith(github.ref_name, 'ft/') }} | |
| uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0 | |
| id: docker_build_ci | |
| with: | |
| provenance: false | |
| context: . | |
| file: ${{ matrix.dockerfile }} | |
| # Only push when the event name was a GitHub push, this is to avoid | |
| # re-pushing the image tags when we only want to re-create the Golang | |
| # docker cache after the workflow "Image CI Cache Cleaner" was terminated. | |
| push: ${{ github.event_name == 'push' }} | |
| platforms: ${{ matrix.platforms }} | |
| tags: | | |
| quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.floating_tag }} | |
| quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }} | |
| target: release | |
| build-args: | | |
| OPERATOR_VARIANT=${{ matrix.name }} | |
| - name: CI race detection Build ${{ matrix.name }} | |
| if: ${{ github.event_name != 'pull_request_target' && !startsWith(github.ref_name, 'ft/') }} | |
| uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0 | |
| id: docker_build_ci_detect_race_condition | |
| with: | |
| provenance: false | |
| context: . | |
| file: ${{ matrix.dockerfile }} | |
| # Only push when the event name was a GitHub push, this is to avoid | |
| # re-pushing the image tags when we only want to re-create the Golang | |
| # docker cache after the workflow "Image CI Cache Cleaner" was terminated. | |
| push: ${{ github.event_name == 'push' }} | |
| platforms: linux/amd64 | |
| tags: | | |
| quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.floating_tag }}-race | |
| quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-race | |
| target: release | |
| build-args: | | |
| BASE_IMAGE=quay.io/cilium/cilium-runtime:42048308026985cc4ecc924a4d3b4a1d2d8a2b04@sha256:59a2f85d18756341f4037fa68742a9bf5548c60cdbc7d56b5bd6a7cf412ecf14 | |
| MODIFIERS="LOCKDEBUG=1 RACE=1" | |
| OPERATOR_VARIANT=${{ matrix.name }} | |
| - name: CI Unstripped Binaries Build ${{ matrix.name }} | |
| if: ${{ github.event_name != 'pull_request_target' && !startsWith(github.ref_name, 'ft/') }} | |
| uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0 | |
| id: docker_build_ci_unstripped | |
| with: | |
| provenance: false | |
| context: . | |
| file: ${{ matrix.dockerfile }} | |
| # Only push when the event name was a GitHub push, this is to avoid | |
| # re-pushing the image tags when we only want to re-create the Golang | |
| # docker cache after the workflow "Image CI Cache Cleaner" was terminated. | |
| push: ${{ github.event_name == 'push' }} | |
| platforms: linux/amd64 | |
| tags: | | |
| quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.floating_tag }}-unstripped | |
| quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-unstripped | |
| target: release | |
| build-args: | | |
| MODIFIERS="NOSTRIP=1" | |
| OPERATOR_VARIANT=${{ matrix.name }} | |
| - name: Sign Container Images | |
| # Only sign when the event name was a GitHub push and not workflow_run (re-building cache). | |
| # In this case the image wasn't pushed, therefore it's not necessary to execute this step too. | |
| # It would even fail because `steps.docker_build_ci*.outputs.digest` isn't set in case | |
| # neither push nor load are set in the docker/build-push-action action. | |
| if: ${{ github.event_name == 'push' && !startsWith(github.ref_name, 'ft/') }} | |
| run: | | |
| cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci.outputs.digest }} | |
| cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_detect_race_condition.outputs.digest }} | |
| cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_unstripped.outputs.digest }} | |
| - name: Generate SBOM | |
| # Only sign when the event name was a GitHub push and not workflow_run (re-building cache). | |
| # In this case the image wasn't pushed, therefore it's not necessary to execute this step too. | |
| # It would even fail because `steps.docker_build_ci*.outputs.digest` isn't set in case | |
| # neither push nor load are set in the docker/build-push-action action. | |
| if: ${{ github.event_name == 'push' && !startsWith(github.ref_name, 'ft/') }} | |
| uses: anchore/sbom-action@61119d458adab75f756bc0b9e4bde25725f86a7a # v0.17.2 | |
| with: | |
| artifact-name: sbom_ci_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx.json | |
| output-file: ./sbom_ci_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx.json | |
| image: quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }} | |
| - name: Generate SBOM (race) | |
| if: ${{ github.event_name == 'push' && !startsWith(github.ref_name, 'ft/') }} | |
| uses: anchore/sbom-action@61119d458adab75f756bc0b9e4bde25725f86a7a # v0.17.2 | |
| with: | |
| artifact-name: sbom_ci_race_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx.json | |
| output-file: ./sbom_ci_race_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx.json | |
| image: quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-race | |
| - name: Generate SBOM (unstripped) | |
| if: ${{ github.event_name == 'push' && !startsWith(github.ref_name, 'ft/') }} | |
| uses: anchore/sbom-action@61119d458adab75f756bc0b9e4bde25725f86a7a # v0.17.2 | |
| with: | |
| artifact-name: sbom_ci_unstripped_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx.json | |
| output-file: ./sbom_ci_unstripped_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx.json | |
| image: quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-unstripped | |
| - name: Attach SBOM attestation to container image | |
| # Only sign when the event name was a GitHub push and not workflow_run (re-building cache). | |
| # In this case the image wasn't pushed, therefore it's not necessary to execute this step too. | |
| # It would even fail because `steps.docker_build_ci*.outputs.digest` isn't set in case | |
| # neither push nor load are set in the docker/build-push-action action. | |
| if: ${{ github.event_name == 'push' && !startsWith(github.ref_name, 'ft/') }} | |
| run: | | |
| cosign attest -r -y --predicate sbom_ci_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx.json --type spdxjson quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci.outputs.digest }} | |
| cosign attest -r -y --predicate sbom_ci_race_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx.json --type spdxjson quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_detect_race_condition.outputs.digest }} | |
| cosign attest -r -y --predicate sbom_ci_unstripped_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx.json --type spdxjson quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_unstripped.outputs.digest }} | |
| - name: CI Image Releases digests | |
| # Only sign when the event name was a GitHub push and not workflow_run (re-building cache). | |
| # In this case the image wasn't pushed, therefore it's not necessary to execute this step too. | |
| # It would even fail because `steps.docker_build_ci*.outputs.digest` isn't set in case | |
| # neither push nor load are set in the docker/build-push-action action. | |
| if: ${{ github.event_name == 'push' && !startsWith(github.ref_name, 'ft/') }} | |
| shell: bash | |
| run: | | |
| mkdir -p image-digest/ | |
| echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.floating_tag }}@${{ steps.docker_build_ci.outputs.digest }}" > image-digest/${{ matrix.name }}.txt | |
| echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.floating_tag }}-race@${{ steps.docker_build_ci_detect_race_condition.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt | |
| echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.floating_tag }}-unstripped@${{ steps.docker_build_ci_unstripped.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt | |
| echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}@${{ steps.docker_build_ci.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt | |
| echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-race@${{ steps.docker_build_ci_detect_race_condition.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt | |
| echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-unstripped@${{ steps.docker_build_ci_unstripped.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt | |
| # PR or feature branch updates | |
| - name: CI Build ${{ matrix.name }} | |
| if: ${{ github.event_name == 'pull_request_target' || (github.event_name == 'push' && startsWith(github.ref_name, 'ft/')) }} | |
| uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0 | |
| id: docker_build_ci_pr | |
| with: | |
| provenance: false | |
| context: . | |
| file: ${{ matrix.dockerfile }} | |
| push: true | |
| platforms: ${{ matrix.platforms }} | |
| tags: | | |
| quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }} | |
| target: release | |
| build-args: | | |
| OPERATOR_VARIANT=${{ matrix.name }} | |
| - name: CI race detection Build ${{ matrix.name }} | |
| if: ${{ github.event_name == 'pull_request_target' || (github.event_name == 'push' && startsWith(github.ref_name, 'ft/')) }} | |
| uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0 | |
| id: docker_build_ci_pr_detect_race_condition | |
| with: | |
| provenance: false | |
| context: . | |
| file: ${{ matrix.dockerfile }} | |
| push: true | |
| platforms: linux/amd64 | |
| tags: | | |
| quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-race | |
| target: release | |
| build-args: | | |
| BASE_IMAGE=quay.io/cilium/cilium-runtime:42048308026985cc4ecc924a4d3b4a1d2d8a2b04@sha256:59a2f85d18756341f4037fa68742a9bf5548c60cdbc7d56b5bd6a7cf412ecf14 | |
| MODIFIERS="LOCKDEBUG=1 RACE=1" | |
| OPERATOR_VARIANT=${{ matrix.name }} | |
| - name: CI Unstripped Binaries Build ${{ matrix.name }} | |
| if: ${{ github.event_name == 'pull_request_target' || (github.event_name == 'push' && startsWith(github.ref_name, 'ft/')) }} | |
| uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0 | |
| id: docker_build_ci_pr_unstripped | |
| with: | |
| provenance: false | |
| context: . | |
| file: ${{ matrix.dockerfile }} | |
| push: true | |
| platforms: linux/amd64 | |
| tags: | | |
| quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-unstripped | |
| target: release | |
| build-args: | | |
| MODIFIERS="NOSTRIP=1" | |
| OPERATOR_VARIANT=${{ matrix.name }} | |
| - name: Sign Container Images | |
| if: ${{ github.event_name == 'pull_request_target' || (github.event_name == 'push' && startsWith(github.ref_name, 'ft/')) }} | |
| run: | | |
| cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_pr.outputs.digest }} | |
| cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_pr_detect_race_condition.outputs.digest }} | |
| cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_pr_unstripped.outputs.digest }} | |
| - name: Generate SBOM | |
| if: ${{ github.event_name == 'pull_request_target' || (github.event_name == 'push' && startsWith(github.ref_name, 'ft/')) }} | |
| uses: anchore/sbom-action@61119d458adab75f756bc0b9e4bde25725f86a7a # v0.17.2 | |
| with: | |
| artifact-name: sbom_ci_pr_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx.json | |
| output-file: ./sbom_ci_pr_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx.json | |
| image: quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }} | |
| - name: Generate SBOM (race) | |
| if: ${{ github.event_name == 'pull_request_target' || (github.event_name == 'push' && startsWith(github.ref_name, 'ft/')) }} | |
| uses: anchore/sbom-action@61119d458adab75f756bc0b9e4bde25725f86a7a # v0.17.2 | |
| with: | |
| artifact-name: sbom_ci_pr_race_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx.json | |
| output-file: ./sbom_ci_pr_race_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx.json | |
| image: quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-race | |
| - name: Generate SBOM (unstripped) | |
| if: ${{ github.event_name == 'pull_request_target' || (github.event_name == 'push' && startsWith(github.ref_name, 'ft/')) }} | |
| uses: anchore/sbom-action@61119d458adab75f756bc0b9e4bde25725f86a7a # v0.17.2 | |
| with: | |
| artifact-name: sbom_ci_pr_unstripped_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx.json | |
| output-file: ./sbom_ci_pr_unstripped_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx.json | |
| image: quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-unstripped | |
| - name: Attach SBOM attestation to container image | |
| if: ${{ github.event_name == 'pull_request_target' || (github.event_name == 'push' && startsWith(github.ref_name, 'ft/')) }} | |
| run: | | |
| cosign attest -r -y --predicate sbom_ci_pr_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx.json --type spdxjson quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_pr.outputs.digest }} | |
| cosign attest -r -y --predicate sbom_ci_pr_race_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx.json --type spdxjson quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_pr_detect_race_condition.outputs.digest }} | |
| cosign attest -r -y --predicate sbom_ci_pr_unstripped_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx.json --type spdxjson quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_pr_unstripped.outputs.digest }} | |
| - name: CI Image Releases digests | |
| if: ${{ github.event_name == 'pull_request_target' || (github.event_name == 'push' && startsWith(github.ref_name, 'ft/')) }} | |
| shell: bash | |
| run: | | |
| mkdir -p image-digest/ | |
| echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}@${{ steps.docker_build_ci_pr.outputs.digest }}" > image-digest/${{ matrix.name }}.txt | |
| echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-race@${{ steps.docker_build_ci_pr_detect_race_condition.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt | |
| echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-unstripped@${{ steps.docker_build_ci_pr_unstripped.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt | |
| # Upload artifact digests | |
| - name: Upload artifact digests | |
| uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 | |
| with: | |
| name: image-digest ${{ matrix.name }} | |
| path: image-digest | |
| retention-days: 1 | |
| # Store docker's golang's cache build locally only on the main branch | |
| - name: Store ${{ matrix.name }} Golang cache build locally | |
| if: ${{ github.event_name != 'pull_request_target' && steps.cache.outputs.cache-hit != 'true' && github.ref_name == github.event.repository.default_branch }} | |
| uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0 | |
| with: | |
| provenance: false | |
| context: . | |
| file: ./images/cache/Dockerfile | |
| push: false | |
| outputs: type=local,dest=/tmp/docker-cache-${{ matrix.name }} | |
| platforms: linux/amd64 | |
| target: export-cache | |
| # Store docker's golang's cache build locally only on the main branch | |
| - name: Store ${{ matrix.name }} Golang cache in GitHub cache path | |
| if: ${{ github.event_name != 'pull_request_target' && steps.cache.outputs.cache-hit != 'true' && github.ref_name == github.event.repository.default_branch }} | |
| shell: bash | |
| run: | | |
| mkdir -p /tmp/.cache/${{ matrix.name }}/ | |
| if [ -f /tmp/docker-cache-${{ matrix.name }}/tmp/go-build-cache.tar.gz ]; then | |
| cp /tmp/docker-cache-${{ matrix.name }}/tmp/go-build-cache.tar.gz /tmp/.cache/${{ matrix.name }}/ | |
| fi | |
| if [ -f /tmp/docker-cache-${{ matrix.name }}/tmp/go-pkg-cache.tar.gz ]; then | |
| cp /tmp/docker-cache-${{ matrix.name }}/tmp/go-pkg-cache.tar.gz /tmp/.cache/${{ matrix.name }}/ | |
| fi | |
| image-digests: | |
| if: ${{ always() }} | |
| name: Display Digests | |
| runs-on: ubuntu-22.04 | |
| needs: build-and-push-prs | |
| steps: | |
| - name: Downloading Image Digests | |
| shell: bash | |
| run: | | |
| mkdir -p image-digest/ | |
| - name: Download digests of all images built | |
| uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
| with: | |
| path: image-digest/ | |
| pattern: "*image-digest *" | |
| - name: Image Digests Output | |
| shell: bash | |
| run: | | |
| cd image-digest/ | |
| find -type f | sort | xargs -d '\n' cat |