github-starred/newt
2
0
Fork 0
mirror of https://github.com/fosrl/newt.git synced 2026-03-09 07:12:28 -05:00
Code Issues 21 Packages Projects Releases 25 Wiki Activity

fix(ci): Refactor CI/CD workflow for AWS and image management

Browse Source 
Updated CI/CD workflow to improve AWS role handling and image tagging.
This commit is contained in:
Marc Schäfer
2026-03-06 19:12:36 +01:00
committed by Owen Schwartz
parent 91a035f4ab
commit 068145c539
1 changed files with 367 additions and 94 deletions
Download Patch File Download Diff File Expand all files Collapse all files

457
.github/workflows/cicd.yml vendored
View File

@@ -57,11 +57,20 @@ jobs:
name: Start AWS EC2 runners
runs-on: ubuntu-latest
permissions: write-all
outputs:
image_created: ${{ steps.created.outputs.image_created }}
steps:
- name: Capture created timestamp (shared)
id: created
shell: bash
run: |
set -euo pipefail
echo "image_created=$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$GITHUB_OUTPUT"
- name: Configure AWS credentials (OIDC)
uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0
with:
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
role-duration-seconds: 3600
aws-region: ${{ secrets.AWS_REGION }}
@@ -81,7 +90,7 @@ jobs:
if: github.event_name == 'workflow_dispatch'
name: Prepare release (create tag)
needs: [pre-run]
runs-on: [self-hosted, linux, x64, us-east-1]
runs-on: [self-hosted, linux, x64]
permissions:
contents: write
steps:
@@ -128,11 +137,14 @@ jobs:
name: Build image (linux/amd64)
needs: [pre-run, prepare]
if: ${{ needs.pre-run.result == 'success' && ((github.event_name == 'push' && github.actor != 'github-actions[bot]') || (github.event_name == 'workflow_dispatch' && needs.prepare.result == 'success')) }}
runs-on: [self-hosted, linux, x64, us-east-1]
runs-on: [self-hosted, linux, x64]
timeout-minutes: 120
env:
DOCKERHUB_IMAGE: docker.io/fosrl/${{ github.event.repository.name }}
DOCKERHUB_IMAGE: docker.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
GHCR_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
IMAGE_LICENSE: ${{ github.event.repository.license.spdx_id || 'NOASSERTION' }}
IMAGE_CREATED: ${{ needs.pre-run.outputs.image_created }}
outputs:
tag: ${{ steps.tag.outputs.tag }}
is_rc: ${{ steps.tag.outputs.is_rc }}
@@ -195,9 +207,29 @@ jobs:
echo "MAJOR_TAG=$MAJOR" >> $GITHUB_ENV
echo "MINOR_TAG=$MINOR" >> $GITHUB_ENV
- name: Capture created timestamp
run: echo "IMAGE_CREATED=$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> $GITHUB_ENV
- name: Wait for tag to be visible (dispatch only)
if: ${{ github.event_name == 'workflow_dispatch' }}
shell: bash
run: |
set -euo pipefail
for i in {1..90}; do
if git ls-remote --tags origin "refs/tags/${TAG}" | grep -qE "refs/tags/${TAG}$"; then
echo "Tag ${TAG} is visible on origin"; exit 0
fi
echo "Tag not yet visible, retrying... ($i/90)"
sleep 2
done
echo "Tag ${TAG} not visible after waiting" >&2
exit 1
- name: Ensure repository is at the tagged commit (dispatch only)
if: ${{ github.event_name == 'workflow_dispatch' }}
shell: bash
run: |
set -euo pipefail
git fetch --tags --force
git checkout "refs/tags/${TAG}"
echo "Checked out $(git rev-parse --short HEAD) for tag ${TAG}"
#- name: Set up QEMU
# uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
@@ -240,6 +272,18 @@ jobs:
tags: |
${{ env.GHCR_IMAGE }}:amd64-${{ env.TAG }}
${{ env.DOCKERHUB_IMAGE }}:amd64-${{ env.TAG }}
labels: |
org.opencontainers.image.title=${{ github.event.repository.name }}
org.opencontainers.image.version=${{ env.TAG }}
org.opencontainers.image.revision=${{ github.sha }}
org.opencontainers.image.source=${{ github.event.repository.html_url }}
org.opencontainers.image.url=${{ github.event.repository.html_url }}
org.opencontainers.image.documentation=${{ github.event.repository.html_url }}
org.opencontainers.image.description=${{ github.event.repository.description }}
org.opencontainers.image.licenses=${{ env.IMAGE_LICENSE }}
org.opencontainers.image.created=${{ env.IMAGE_CREATED }}
org.opencontainers.image.ref.name=${{ env.TAG }}
org.opencontainers.image.authors=${{ github.repository_owner }}
cache-from: type=gha,scope=${{ github.repository }}-amd64
cache-to: type=gha,mode=max,scope=${{ github.repository }}-amd64
@@ -250,11 +294,13 @@ jobs:
name: Build image (linux/arm64)
needs: [pre-run, prepare]
if: ${{ needs.pre-run.result == 'success' && ((github.event_name == 'push' && github.actor != 'github-actions[bot]') || (github.event_name == 'workflow_dispatch' && needs.prepare.result == 'success')) }}
runs-on: [self-hosted, linux, arm64, us-east-1] # NOTE: ensure label exists on runner
runs-on: [self-hosted, linux, arm64] # NOTE: ensure label exists on runner
timeout-minutes: 120
env:
DOCKERHUB_IMAGE: docker.io/fosrl/${{ github.event.repository.name }}
DOCKERHUB_IMAGE: docker.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
GHCR_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
IMAGE_LICENSE: ${{ github.event.repository.license.spdx_id || 'NOASSERTION' }}
IMAGE_CREATED: ${{ needs.pre-run.outputs.image_created }}
steps:
- name: Checkout code
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
@@ -291,8 +337,31 @@ jobs:
echo "TAG=$TAG" >> $GITHUB_ENV
- name: Wait for tag to be visible (dispatch only)
if: ${{ github.event_name == 'workflow_dispatch' }}
shell: bash
run: |
set -euo pipefail
for i in {1..90}; do
if git ls-remote --tags origin "refs/tags/${TAG}" | grep -qE "refs/tags/${TAG}$"; then
echo "Tag ${TAG} is visible on origin"; exit 0
fi
echo "Tag not yet visible, retrying... ($i/90)"
sleep 2
done
echo "Tag ${TAG} not visible after waiting" >&2
exit 1
- name: Ensure repository is at the tagged commit (dispatch only)
if: ${{ github.event_name == 'workflow_dispatch' }}
shell: bash
run: |
set -euo pipefail
git fetch --tags --force
git checkout "refs/tags/${TAG}"
echo "Checked out $(git rev-parse --short HEAD) for tag ${TAG}"
- name: Log in to Docker Hub
if: ${{ secrets.DOCKER_HUB_USERNAME != '' && secrets.DOCKER_HUB_ACCESS_TOKEN != '' }}
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
registry: docker.io
@@ -327,31 +396,86 @@ jobs:
tags: |
${{ env.GHCR_IMAGE }}:arm64-${{ env.TAG }}
${{ env.DOCKERHUB_IMAGE }}:arm64-${{ env.TAG }}
labels: |
org.opencontainers.image.title=${{ github.event.repository.name }}
org.opencontainers.image.version=${{ env.TAG }}
org.opencontainers.image.revision=${{ github.sha }}
org.opencontainers.image.source=${{ github.event.repository.html_url }}
org.opencontainers.image.url=${{ github.event.repository.html_url }}
org.opencontainers.image.documentation=${{ github.event.repository.html_url }}
org.opencontainers.image.description=${{ github.event.repository.description }}
org.opencontainers.image.licenses=${{ env.IMAGE_LICENSE }}
org.opencontainers.image.created=${{ env.IMAGE_CREATED }}
org.opencontainers.image.ref.name=${{ env.TAG }}
org.opencontainers.image.authors=${{ github.repository_owner }}
cache-from: type=gha,scope=${{ github.repository }}-arm64
cache-to: type=gha,mode=max,scope=${{ github.repository }}-arm64
# ---------------------------------------------------------------------------
# 5) Create and push multi-arch manifests (TAG, plus optional latest/major/minor)
# 4b) Build ARMv7 image (linux/arm/v7) on arm runner via QEMU
# ---------------------------------------------------------------------------
create-manifest:
name: Create multi-arch manifests
needs: [build-amd, build-arm]
if: ${{ needs.build-amd.result == 'success' && needs.build-arm.result == 'success' }}
runs-on: [self-hosted, linux, x64, us-east-1] # NOTE: ensure label exists on runner
timeout-minutes: 30
build-armv7:
name: Build image (linux/arm/v7)
needs: [pre-run, prepare]
if: ${{ needs.pre-run.result == 'success' && ((github.event_name == 'push' && github.actor != 'github-actions[bot]') || (github.event_name == 'workflow_dispatch' && needs.prepare.result == 'success')) }}
runs-on: [self-hosted, linux, arm64]
timeout-minutes: 120
env:
DOCKERHUB_IMAGE: docker.io/fosrl/${{ github.event.repository.name }}
DOCKERHUB_IMAGE: docker.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
GHCR_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
TAG: ${{ needs.build-amd.outputs.tag }}
IS_RC: ${{ needs.build-amd.outputs.is_rc }}
MAJOR_TAG: ${{ needs.build-amd.outputs.major }}
MINOR_TAG: ${{ needs.build-amd.outputs.minor }}
# workflow_dispatch controls are respected only here (tagging policy)
PUBLISH_LATEST: ${{ github.event_name == 'workflow_dispatch' && inputs.publish_latest || vars.PUBLISH_LATEST }}
PUBLISH_MINOR: ${{ github.event_name == 'workflow_dispatch' && inputs.publish_minor || vars.PUBLISH_MINOR }}
IMAGE_LICENSE: ${{ github.event.repository.license.spdx_id || 'NOASSERTION' }}
IMAGE_CREATED: ${{ needs.pre-run.outputs.image_created }}
steps:
- name: Checkout code
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
with:
fetch-depth: 0
- name: Determine tag + validate format
shell: bash
env:
EVENT_NAME: ${{ github.event_name }}
INPUT_VERSION: ${{ inputs.version }}
run: |
set -euo pipefail
if [ "$EVENT_NAME" = "workflow_dispatch" ]; then
TAG="$INPUT_VERSION"
else
TAG="${{ github.ref_name }}"
fi
if ! [[ "$TAG" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-rc\.[0-9]+)?$ ]]; then
echo "Invalid tag: $TAG" >&2
exit 1
fi
echo "TAG=$TAG" >> $GITHUB_ENV
- name: Wait for tag to be visible (dispatch only)
if: ${{ github.event_name == 'workflow_dispatch' }}
shell: bash
run: |
set -euo pipefail
for i in {1..90}; do
if git ls-remote --tags origin "refs/tags/${TAG}" | grep -qE "refs/tags/${TAG}$"; then
echo "Tag ${TAG} is visible on origin"; exit 0
fi
echo "Tag not yet visible, retrying... ($i/90)"
sleep 2
done
echo "Tag ${TAG} not visible after waiting" >&2
exit 1
- name: Ensure repository is at the tagged commit (dispatch only)
if: ${{ github.event_name == 'workflow_dispatch' }}
shell: bash
run: |
set -euo pipefail
git fetch --tags --force
git checkout "refs/tags/${TAG}"
echo "Checked out $(git rev-parse --short HEAD) for tag ${TAG}"
- name: Log in to Docker Hub
if: ${{ secrets.DOCKER_HUB_USERNAME != '' && secrets.DOCKER_HUB_ACCESS_TOKEN != '' }}
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
registry: docker.io
@@ -372,55 +496,124 @@ jobs:
echo "GHCR_IMAGE=${GHCR_IMAGE,,}" >> "$GITHUB_ENV"
echo "DOCKERHUB_IMAGE=${DOCKERHUB_IMAGE,,}" >> "$GITHUB_ENV"
- name: Create manifest for GHCR (:TAG)
- name: Set up QEMU
uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
- name: Build and push (arm/v7 -> *:armv7-TAG)
id: build_armv7
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
with:
context: .
push: true
platforms: linux/arm/v7
tags: |
${{ env.GHCR_IMAGE }}:armv7-${{ env.TAG }}
${{ env.DOCKERHUB_IMAGE }}:armv7-${{ env.TAG }}
labels: |
org.opencontainers.image.title=${{ github.event.repository.name }}
org.opencontainers.image.version=${{ env.TAG }}
org.opencontainers.image.revision=${{ github.sha }}
org.opencontainers.image.source=${{ github.event.repository.html_url }}
org.opencontainers.image.url=${{ github.event.repository.html_url }}
org.opencontainers.image.documentation=${{ github.event.repository.html_url }}
org.opencontainers.image.description=${{ github.event.repository.description }}
org.opencontainers.image.licenses=${{ env.IMAGE_LICENSE }}
org.opencontainers.image.created=${{ env.IMAGE_CREATED }}
org.opencontainers.image.ref.name=${{ env.TAG }}
org.opencontainers.image.authors=${{ github.repository_owner }}
cache-from: type=gha,scope=${{ github.repository }}-armv7
cache-to: type=gha,mode=max,scope=${{ github.repository }}-armv7
# ---------------------------------------------------------------------------
# 5) Create and push multi-arch manifests (TAG, plus optional latest/major/minor)
# ---------------------------------------------------------------------------
create-manifest:
name: Create multi-arch manifests
needs: [build-amd, build-arm, build-armv7]
if: ${{ needs.build-amd.result == 'success' && needs.build-arm.result == 'success' && needs.build-armv7.result == 'success' }}
runs-on: [self-hosted, linux, x64] # NOTE: ensure label exists on runner
timeout-minutes: 30
env:
DOCKERHUB_IMAGE: docker.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
GHCR_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
TAG: ${{ needs.build-amd.outputs.tag }}
IS_RC: ${{ needs.build-amd.outputs.is_rc }}
MAJOR_TAG: ${{ needs.build-amd.outputs.major }}
MINOR_TAG: ${{ needs.build-amd.outputs.minor }}
# workflow_dispatch controls are respected only here (tagging policy)
#PUBLISH_LATEST: ${{ github.event_name == 'workflow_dispatch' && inputs.publish_latest || vars.PUBLISH_LATEST }}
#PUBLISH_MINOR: ${{ github.event_name == 'workflow_dispatch' && inputs.publish_minor || vars.PUBLISH_MINOR }}
steps:
- name: Log in to Docker Hub
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
registry: docker.io
username: ${{ secrets.DOCKER_HUB_USERNAME }}
password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
- name: Log in to GHCR
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Normalize image names to lowercase
shell: bash
run: |
set -euo pipefail
docker manifest create "${GHCR_IMAGE}:${TAG}" \
--amend "${GHCR_IMAGE}:amd64-${TAG}" \
--amend "${GHCR_IMAGE}:arm64-${TAG}"
docker manifest push "${GHCR_IMAGE}:${TAG}"
echo "GHCR_IMAGE=${GHCR_IMAGE,,}" >> "$GITHUB_ENV"
echo "DOCKERHUB_IMAGE=${DOCKERHUB_IMAGE,,}" >> "$GITHUB_ENV"
- name: Create manifest for Docker Hub (:TAG)
if: ${{ secrets.DOCKER_HUB_USERNAME != '' && secrets.DOCKER_HUB_ACCESS_TOKEN != '' }}
- name: Set up Docker Buildx (needed for imagetools)
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
- name: Create & push multi-arch index (GHCR :TAG) via imagetools
shell: bash
run: |
set -euo pipefail
docker manifest create "${DOCKERHUB_IMAGE}:${TAG}" \
--amend "${DOCKERHUB_IMAGE}:amd64-${TAG}" \
--amend "${DOCKERHUB_IMAGE}:arm64-${TAG}"
docker manifest push "${DOCKERHUB_IMAGE}:${TAG}"
docker buildx imagetools create \
-t "${GHCR_IMAGE}:${TAG}" \
"${GHCR_IMAGE}:amd64-${TAG}" \
"${GHCR_IMAGE}:arm64-${TAG}" \
"${GHCR_IMAGE}:armv7-${TAG}"
# Optional tags for non-RC releases: latest, major, minor
- name: Publish additional tags (non-RC only)
- name: Create & push multi-arch index (Docker Hub :TAG) via imagetools
shell: bash
run: |
set -euo pipefail
docker buildx imagetools create \
-t "${DOCKERHUB_IMAGE}:${TAG}" \
"${DOCKERHUB_IMAGE}:amd64-${TAG}" \
"${DOCKERHUB_IMAGE}:arm64-${TAG}" \
"${DOCKERHUB_IMAGE}:armv7-${TAG}"
# Additional tags for non-RC releases: latest, major, minor (always)
- name: Publish additional tags (non-RC only) via imagetools
if: ${{ env.IS_RC != 'true' }}
shell: bash
run: |
set -euo pipefail
tags_to_publish=()
tags_to_publish+=("${MAJOR_TAG}")
if [ "${PUBLISH_MINOR}" = "true" ]; then
tags_to_publish+=("${MINOR_TAG}")
fi
if [ "${PUBLISH_LATEST}" = "true" ]; then
tags_to_publish+=("latest")
fi
tags_to_publish=("${MAJOR_TAG}" "${MINOR_TAG}" "latest")
for t in "${tags_to_publish[@]}"; do
echo "Publishing GHCR tag ${t} -> ${TAG}"
docker manifest create "${GHCR_IMAGE}:${t}" \
--amend "${GHCR_IMAGE}:amd64-${TAG}" \
--amend "${GHCR_IMAGE}:arm64-${TAG}"
docker manifest push "${GHCR_IMAGE}:${t}"
docker buildx imagetools create \
-t "${GHCR_IMAGE}:${t}" \
"${GHCR_IMAGE}:amd64-${TAG}" \
"${GHCR_IMAGE}:arm64-${TAG}" \
"${GHCR_IMAGE}:armv7-${TAG}"
if [ -n "${{ secrets.DOCKER_HUB_USERNAME }}" ] && [ -n "${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}" ]; then
echo "Publishing Docker Hub tag ${t} -> ${TAG}"
docker manifest create "${DOCKERHUB_IMAGE}:${t}" \
--amend "${DOCKERHUB_IMAGE}:amd64-${TAG}" \
--amend "${DOCKERHUB_IMAGE}:arm64-${TAG}"
docker manifest push "${DOCKERHUB_IMAGE}:${t}"
fi
docker buildx imagetools create \
-t "${DOCKERHUB_IMAGE}:${t}" \
"${DOCKERHUB_IMAGE}:amd64-${TAG}" \
"${DOCKERHUB_IMAGE}:arm64-${TAG}" \
"${DOCKERHUB_IMAGE}:armv7-${TAG}"
done
# ---------------------------------------------------------------------------
@@ -430,22 +623,29 @@ jobs:
name: Sign, attest, and release
needs: [create-manifest, build-amd]
if: ${{ needs.create-manifest.result == 'success' && needs.build-amd.result == 'success' }}
runs-on: [self-hosted, linux, x64, us-east-1] # NOTE: ensure label exists on runner
runs-on: [self-hosted, linux, x64] # NOTE: ensure label exists on runner
timeout-minutes: 120
env:
DOCKERHUB_IMAGE: docker.io/fosrl/${{ github.event.repository.name }}
DOCKERHUB_IMAGE: docker.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
GHCR_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
TAG: ${{ needs.build-amd.outputs.tag }}
IS_RC: ${{ needs.build-amd.outputs.is_rc }}
IMAGE_LICENSE: ${{ github.event.repository.license.spdx_id || 'NOASSERTION' }}
IMAGE_CREATED: ${{ needs.pre-run.outputs.image_created }}
steps:
- name: Checkout code
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
with:
fetch-depth: 0
- name: Capture created timestamp
run: echo "IMAGE_CREATED=$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> $GITHUB_ENV
- name: Ensure repository is at the tagged commit (dispatch only)
if: ${{ github.event_name == 'workflow_dispatch' }}
shell: bash
run: |
set -euo pipefail
git fetch --tags --force
git checkout "refs/tags/${TAG}"
echo "Checked out $(git rev-parse --short HEAD) for tag ${TAG}"
- name: Install Go
uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
@@ -453,7 +653,6 @@ jobs:
go-version-file: go.mod
- name: Log in to Docker Hub
if: ${{ secrets.DOCKER_HUB_USERNAME != '' && secrets.DOCKER_HUB_ACCESS_TOKEN != '' }}
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
registry: docker.io
@@ -474,26 +673,54 @@ jobs:
echo "GHCR_IMAGE=${GHCR_IMAGE,,}" >> "$GITHUB_ENV"
echo "DOCKERHUB_IMAGE=${DOCKERHUB_IMAGE,,}" >> "$GITHUB_ENV"
- name: Ensure jq is installed
shell: bash
run: |
set -euo pipefail
if command -v jq >/dev/null 2>&1; then
exit 0
fi
sudo apt-get update -y
sudo apt-get install -y jq
- name: Set up Docker Buildx (needed for imagetools)
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
- name: Resolve multi-arch digest refs (by TAG)
shell: bash
run: |
set -euo pipefail
GHCR_DIGEST="$(docker buildx imagetools inspect "${GHCR_IMAGE}:${TAG}" --format '{{.Manifest.Digest}}')"
echo "GHCR_REF=${GHCR_IMAGE}@${GHCR_DIGEST}" >> $GITHUB_ENV
echo "Resolved GHCR_REF=${GHCR_IMAGE}@${GHCR_DIGEST}"
if [ -n "${{ secrets.DOCKER_HUB_USERNAME }}" ] && [ -n "${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}" ]; then
DH_DIGEST="$(docker buildx imagetools inspect "${DOCKERHUB_IMAGE}:${TAG}" --format '{{.Manifest.Digest}}')"
echo "DH_REF=${DOCKERHUB_IMAGE}@${DH_DIGEST}" >> $GITHUB_ENV
echo "Resolved DH_REF=${DOCKERHUB_IMAGE}@${DH_DIGEST}"
get_digest() {
local ref="$1"
local d=""
# Primary: buildx format output
d="$(docker buildx imagetools inspect "$ref" --format '{{.Manifest.Digest}}' 2>/dev/null || true)"
# Fallback: parse from plain text if format fails
if ! [[ "$d" =~ ^sha256:[0-9a-f]{64}$ ]]; then
d="$(docker buildx imagetools inspect "$ref" 2>/dev/null | awk '/^Digest:/ {print $2; exit}' || true)"
fi
- name: Extract digests for attestation
shell: bash
run: |
set -euo pipefail
echo "GHCR_DIGEST=${GHCR_REF#*@}" >> $GITHUB_ENV
if [ -n "${DH_REF:-}" ]; then
echo "DH_DIGEST=${DH_REF#*@}" >> $GITHUB_ENV
if ! [[ "$d" =~ ^sha256:[0-9a-f]{64}$ ]]; then
echo "ERROR: Could not extract digest for $ref" >&2
docker buildx imagetools inspect "$ref" || true
exit 1
fi
echo "$d"
}
GHCR_DIGEST="$(get_digest "${GHCR_IMAGE}:${TAG}")"
echo "GHCR_REF=${GHCR_IMAGE}@${GHCR_DIGEST}" >> "$GITHUB_ENV"
echo "GHCR_DIGEST=${GHCR_DIGEST}" >> "$GITHUB_ENV"
echo "Resolved GHCR_REF=${GHCR_IMAGE}@${GHCR_DIGEST}"
if [ -n "${{ secrets.DOCKER_HUB_USERNAME }}" ] && [ -n "${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}" ]; then
DH_DIGEST="$(get_digest "${DOCKERHUB_IMAGE}:${TAG}")"
echo "DH_REF=${DOCKERHUB_IMAGE}@${DH_DIGEST}" >> "$GITHUB_ENV"
echo "DH_DIGEST=${DH_DIGEST}" >> "$GITHUB_ENV"
echo "Resolved DH_REF=${DOCKERHUB_IMAGE}@${DH_DIGEST}"
fi
- name: Attest build provenance (GHCR) (digest)
@@ -509,7 +736,7 @@ jobs:
if: ${{ env.DH_DIGEST != '' }}
uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
with:
subject-name: index.docker.io/fosrl/${{ github.event.repository.name }}
subject-name: index.docker.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
subject-digest: ${{ env.DH_DIGEST }}
push-to-registry: true
show-summary: true
@@ -529,11 +756,12 @@ jobs:
cosign public-key --key env://COSIGN_PRIVATE_KEY >/dev/null
- name: Generate SBOM (SPDX JSON) from GHCR digest
uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478 # v0.34.2
with:
image-ref: ${{ env.GHCR_REF }}
format: spdx-json
output: sbom.spdx.json
version: v0.69.3
- name: Validate + minify SBOM JSON
shell: bash
@@ -567,6 +795,22 @@ jobs:
--predicate sbom.spdx.json \
"${GHCR_REF}"
- name: Create SBOM attestation (Docker Hub, key)
continue-on-error: true
env:
COSIGN_YES: "true"
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
COSIGN_DOCKER_MEDIA_TYPES: "1"
shell: bash
run: |
set -euo pipefail
cosign attest \
--key env://COSIGN_PRIVATE_KEY \
--type spdxjson \
--predicate sbom.spdx.json \
"${DH_REF}"
- name: Keyless sign & verify GHCR digest (OIDC)
env:
COSIGN_YES: "true"
@@ -596,6 +840,46 @@ jobs:
run: cosign verify-attestation --key env://COSIGN_PUBLIC_KEY --type spdxjson "${GHCR_REF}" -o text
shell: bash
- name: Sign Docker Hub digest (key, recursive)
continue-on-error: true
env:
COSIGN_YES: "true"
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
COSIGN_DOCKER_MEDIA_TYPES: "1"
shell: bash
run: |
set -euo pipefail
cosign sign --key env://COSIGN_PRIVATE_KEY --recursive "${DH_REF}"
- name: Keyless sign & verify Docker Hub digest (OIDC)
continue-on-error: true
if: ${{ env.DH_REF != '' }}
env:
COSIGN_YES: "true"
ISSUER: https://token.actions.githubusercontent.com
COSIGN_DOCKER_MEDIA_TYPES: "1"
shell: bash
run: |
set -euo pipefail
cosign sign --rekor-url https://rekor.sigstore.dev --recursive "${DH_REF}"
cosign verify \
--certificate-oidc-issuer "${ISSUER}" \
--certificate-identity "https://github.com/${{ github.workflow_ref }}" \
"${DH_REF}" -o text
- name: Verify signature (public key) Docker Hub digest + tag
continue-on-error: true
if: ${{ env.DH_REF != '' }}
env:
COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
COSIGN_DOCKER_MEDIA_TYPES: "1"
shell: bash
run: |
set -euo pipefail
cosign verify --key env://COSIGN_PUBLIC_KEY "${DH_REF}" -o text
cosign verify --key env://COSIGN_PUBLIC_KEY "${DOCKERHUB_IMAGE}:${TAG}" -o text
- name: Build binaries
env:
CGO_ENABLED: "0"
@@ -624,29 +908,18 @@ jobs:
# ---------------------------------------------------------------------------
# 7) Stop AWS EC2 runner instances
# ---------------------------------------------------------------------------
post-run:
name: Stop AWS EC2 runners
needs: [pre-run, prepare, build-amd, build-arm, create-manifest, sign-and-release]
if: >-
${{
always() &&
(needs.pre-run.result == 'success' &&
(needs.build-amd.result == 'success' || needs.build-amd.result == 'failure' || needs.build-amd.result == 'cancelled') ||
needs.build-amd.result != 'skipped') &&
(needs.build-arm.result == 'success' || needs.build-arm.result == 'failure' || needs.build-arm.result == 'cancelled') ||
needs.build-arm.result != 'skipped') &&
(needs.create-manifest.result == 'success' || needs.create-manifest.result == 'failure' || needs.create-manifest.result == 'cancelled') ||
needs.create-manifest.result != 'skipped') &&
(needs.sign-and-release.result == 'success' || needs.sign-and-release.result == 'failure' || needs.sign-and-release.result == 'cancelled') ||
needs.sign-and-release.result != 'skipped')
}}
needs: [pre-run, prepare, build-amd, build-arm, build-armv7, create-manifest, sign-and-release]
if: ${{ always() && needs.pre-run.result == 'success' }}
runs-on: ubuntu-latest
permissions: write-all
steps:
- name: Configure AWS credentials (OIDC)
uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0
with:
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
role-duration-seconds: 3600
aws-region: ${{ secrets.AWS_REGION }}