diff --git a/.github/workflows/build-images-operator-ci.yaml b/.github/workflows/build-images-operator-ci.yaml
new file mode 100644
index 00000000000..e1dfe9255ae
--- /dev/null
+++ b/.github/workflows/build-images-operator-ci.yaml
@@ -0,0 +1,217 @@ +name: Image CI Operator Build + +on: + pull_request: + push: + branches: + - main + paths-ignore: + - 'docs/**' + +permissions: + # To be able to access the repository with `actions/checkout` + contents: read + # Required to generate OIDC tokens for `sigstore/cosign-installer` authentication + id-token: write + +jobs: + build-and-push-prs: + runs-on: ubuntu-20.04 + strategy: + matrix: + include: + - name: tetragon-operator + dockerfile: ./tetragonpod/Dockerfile + + steps: + # https://github.com/docker/setup-qemu-action + - name: Set up QEMU + uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0 + with: + platforms: arm64 + + # https://github.com/docker/setup-buildx-action + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@4c0219f9ac95b02789c1075625400b2acbff50b1 # v2.9.1 + + - name: Login to quay.io for CI + uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0 + with: + registry: quay.io + username: ${{ secrets.QUAY_USERNAME_CI }} + password: ${{ secrets.QUAY_PASSWORD_CI }} + + - name: Getting image tag + id: tag + run: | + if [ ${{ github.event.pull_request.head.sha }} != "" ]; then + echo "tag=${{ github.event.pull_request.head.sha }}" >> $GITHUB_OUTPUT + else + echo "tag=${{ github.sha }}" >> $GITHUB_OUTPUT + fi + + - name: Checkout Source Code + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + with: + persist-credentials: false + ref: ${{ steps.tag.outputs.tag }} + fetch-depth: 0 + + - name: Get version + run: | + echo "TETRAGON_VERSION=$(make version)" >> $GITHUB_ENV + + - name: Install Cosign + uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v3.0.5 + + - name: Install Bom + shell: bash + run: | + curl -L https://github.com/kubernetes-sigs/bom/releases/download/v0.4.1/bom-linux-amd64 -o bom + sudo mv ./bom /usr/local/bin/bom + sudo chmod +x /usr/local/bin/bom + + # main branch pushes + - name: CI Build (main) + if: 
github.event_name == 'push' + uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1 + id: docker_build_ci_main + with: + provenance: false + context: . + file: ${{ matrix.dockerfile }} + push: true + platforms: linux/amd64,linux/arm64 + build-args: | + TETRAGON_VERSION=${{ env.TETRAGON_VERSION }} + tags: | + quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }} + quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:latest + + - name: Sign Container Image + if: github.event_name == 'push' + env: + COSIGN_EXPERIMENTAL: 'true' + run: | + cosign sign quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_main.outputs.digest }} + + - name: Generate SBOM + if: github.event_name == 'push' + shell: bash + # To-Do: Format SBOM output to JSON after a new version of cosign is released after v1.13.1. Ref: https://github.com/sigstore/cosign/pull/2479 + run: | + bom generate -o sbom_ci_main_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx \ + --dirs=. 
\ + --image=quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }} + + - name: Attach SBOM to container images + if: github.event_name == 'push' + run: | + cosign attach sbom --sbom sbom_ci_main_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_main.outputs.digest }} + + - name: Sign SBOM Image + if: github.event_name == 'push' + env: + COSIGN_EXPERIMENTAL: 'true' + run: | + docker_build_ci_main_digest="${{ steps.docker_build_ci_main.outputs.digest }}" + image_name="quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${docker_build_ci_main_digest/:/-}.sbom" + docker_build_ci_main_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)" + cosign sign "quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci@${docker_build_ci_main_sbom_digest}" + + - name: CI Image Releases digests (main) + if: github.event_name == 'push' + shell: bash + run: | + mkdir -p image-digest/ + echo "quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}@${{ steps.docker_build_ci_main.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt + + # This is to check if the matrix build is + - name: Check if building tetragonpod controller image + id: suffix + run: | + echo "value=-podinfo" >> $GITHUB_OUTPUT + + # PR updates + - name: CI Build (PR) + if: github.event_name == 'pull_request_target' || github.event_name == 'pull_request' + uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1 + id: docker_build_ci_pr + with: + provenance: false + context: . 
+ file: ${{ matrix.dockerfile }} + push: true + platforms: linux/amd64,linux/arm64 + build-args: | + TETRAGON_VERSION=${{ env.TETRAGON_VERSION }} + tags: | + quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}${{steps.suffix.outputs.value}} + + - name: Sign Container Image + if: github.event_name == 'pull_request_target' || github.event_name == 'pull_request' + env: + COSIGN_EXPERIMENTAL: 'true' + run: | + cosign sign quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_pr.outputs.digest }} + + - name: Generate SBOM + if: github.event_name == 'pull_request_target' || github.event_name == 'pull_request' + shell: bash + # To-Do: Format SBOM output to JSON after a new version of cosign is released after v1.13.1. Ref: https://github.com/sigstore/cosign/pull/2479 + run: | + bom generate --format json -o sbom_ci_pr_${{ matrix.name }}_${{ steps.tag.outputs.tag }}${{steps.suffix.outputs.value}}.spdx \ + --dirs=. \ + --image=quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}${{steps.suffix.outputs.value}} + + - name: Attach SBOM to container images + if: github.event_name == 'pull_request_target' || github.event_name == 'pull_request' + run: | + cosign attach sbom --sbom sbom_ci_pr_${{ matrix.name }}_${{ steps.tag.outputs.tag }}${{steps.suffix.outputs.value}}.spdx quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_pr.outputs.digest }} + + - name: Sign SBOM Image + if: github.event_name == 'pull_request_target' || github.event_name == 'pull_request' + env: + COSIGN_EXPERIMENTAL: 'true' + run: | + docker_build_ci_pr_digest="${{ steps.docker_build_ci_pr.outputs.digest }}" + image_name="quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${docker_build_ci_pr_digest/:/-}.sbom" + docker_build_ci_pr_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)" + cosign sign "quay.io/${{ 
github.repository_owner }}/${{ matrix.name }}-ci@${docker_build_ci_pr_sbom_digest}" + + - name: CI Image Releases digests (PR) + if: github.event_name == 'pull_request_target' || github.event_name == 'pull_request' + shell: bash + run: | + mkdir -p image-digest/ + echo "quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}${{steps.suffix.outputs.value}}@${{ steps.docker_build_ci_pr.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt + + # Upload artifact digests + - name: Upload artifact digests + uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + with: + name: image-digest ${{ matrix.name }} + path: image-digest + retention-days: 1 + + image-digests: + if: ${{ always() }} + name: Display Digests + runs-on: ubuntu-20.04 + needs: [build-and-push-prs] + steps: + - name: Downloading Image Digests + shell: bash + run: | + mkdir -p image-digest/ + + - name: Download digests of all images built + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + with: + path: image-digest/ + + - name: Image Digests Output + shell: bash + run: | + cd image-digest/ + find -type f | sort | xargs -d '\n' cat
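Review bot: Every PR-stage step is gated on `github.event_name == 'pull_request_target' || github.event_name == 'pull_request'`, but the `on:` block only subscribes to `pull_request` and `push`, so the `pull_request_target` half of each condition is dead today and reads as an invitation to add that trigger later. Doing so would turn this into a pwn-request: the checkout resolves `ref:` to `github.event.pull_request.head.sha`, then `make version` and a Docker build run from that tree on a runner that already holds `QUAY_USERNAME_CI`/`QUAY_PASSWORD_CI` and an `id-token: write` grant, so a fork's Makefile or Dockerfile could plausibly leak the registry credentials or obtain a Sigstore certificate under this workflow's identity. I would drop the dead alternative and pin the gate to `if: github.event_name == 'pull_request'` on each of the six PR steps, with a comment above `on:` stating that `pull_request_target` must not be added to this workflow because it checks out and builds untrusted PR code with secrets present. Separately, the `bom` binary is fetched with curl and moved into `/usr/local/bin` with no integrity check before it generates the SBOM that is later attached and signed; verify its sha256 against the checksum published with the v0.4.1 release before the `sudo mv`.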