cache: sign only if oidc token available #2
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: build | ||
|
Check failure on line 1 in .github/workflows/build.yml
|
||
| on: | ||
| workflow_call: | ||
| inputs: | ||
| runner: | ||
| type: string | ||
| description: "Ubuntu GitHub Hosted Runner to build on (one of auto, amd64, arm64). The auto runner selects the best-matching runner based on target platforms. You can set it to amd64 if your build doesn't require emulation (e.g. cross-compilation)" | ||
| required: false | ||
| default: 'auto' | ||
| setup-qemu: | ||
| type: boolean | ||
| description: "Runs the setup-qemu-action step to install QEMU static binaries" | ||
| required: false | ||
| default: false | ||
| artifact-name: | ||
| type: string | ||
| description: "Name of the uploaded GitHub artifact (for local output)" | ||
| required: false | ||
| default: 'docker-github-builder-assets' | ||
| artifact-upload: | ||
| type: boolean | ||
| description: "Upload build output GitHub artifact (for local output)" | ||
| required: false | ||
| default: false | ||
| annotations: | ||
| type: string | ||
| description: "List of annotations to set to the image (for image output)" | ||
| required: false | ||
| build-args: | ||
| type: string | ||
| description: "List of build-time variables" | ||
| required: false | ||
| cache: | ||
| type: boolean | ||
| description: "Enable cache to GitHub Actions cache backend" | ||
| required: false | ||
| default: false | ||
| cache-scope: | ||
| type: string | ||
| description: "Which scope cache object belongs to if cache enabled (defaults to target name if set)" | ||
| required: false | ||
| cache-mode: | ||
| type: string | ||
| description: "Cache layers to export if cache enabled (min or max)" | ||
| required: false | ||
| default: 'min' | ||
| context: | ||
| type: string | ||
| description: "Context to build from in the Git working tree" | ||
| required: false | ||
| default: . | ||
| file: | ||
| type: string | ||
| description: "Path to the Dockerfile" | ||
| required: false | ||
| labels: | ||
| type: string | ||
| description: "List of labels for an image (for image output)" | ||
| required: false | ||
| output: | ||
| type: string | ||
| description: "Build output destination (one of image or local). Unlike the build-push-action, it only accepts image or local. The reusable workflow takes care of setting the outputs attribute" | ||
| required: true | ||
| platforms: | ||
| type: string | ||
| description: "List of target platforms to build" | ||
| required: false | ||
| push: | ||
| type: boolean | ||
| description: "Push image to the registry (for image output)" | ||
| required: false | ||
| default: false | ||
| sbom: | ||
| type: boolean | ||
| description: "Generate SBOM attestation for the build" | ||
| required: false | ||
| default: false | ||
| shm-size: | ||
| type: string | ||
| description: "Size of /dev/shm (e.g., 2g)" | ||
| required: false | ||
| sign: | ||
| type: string | ||
| description: "Sign attestation manifest for image output or artifacts for local output, can be one of auto, true or false. The auto mode will enable signing if push is enabled for pushing the image or if artifact-upload is enabled for uploading the local build output as GitHub Artifact" | ||
| required: false | ||
| default: auto | ||
| target: | ||
| type: string | ||
| description: "Sets the target stage to build" | ||
| required: false | ||
| ulimit: | ||
| type: string | ||
| description: "Ulimit options (e.g., nofile=1024:1024)" | ||
| required: false | ||
| # docker/metadata-action | ||
| set-meta-annotations: | ||
| type: boolean | ||
| description: "Append OCI Image Format Specification annotations generated by docker/metadata-action" | ||
| required: false | ||
| default: false | ||
| set-meta-labels: | ||
| type: boolean | ||
| description: "Append OCI Image Format Specification labels generated by docker/metadata-action" | ||
| required: false | ||
| default: false | ||
| meta-images: | ||
| type: string | ||
| description: "List of images to use as base name for tags (required for image output)" | ||
| required: false | ||
| meta-tags: | ||
| type: string | ||
| description: "List of tags as key-value pair attributes" | ||
| required: false | ||
| meta-flavor: | ||
| type: string | ||
| description: "Flavor defines a global behavior for meta-tags" | ||
| required: false | ||
| secrets: | ||
| registry-auths: | ||
| description: "Raw authentication to registries, defined as YAML objects (for image output)" | ||
| required: false | ||
| github-token: | ||
| description: "GitHub Token used to authenticate against the repository for Git context" | ||
| required: false | ||
| outputs: | ||
| meta-json: | ||
| description: "Metadata JSON output (for image output)" | ||
| value: ${{ jobs.finalize.outputs.meta-json }} | ||
| cosign-version: | ||
| description: "Cosign version used for verification" | ||
| value: ${{ jobs.finalize.outputs.cosign-version }} | ||
| cosign-verify-commands: | ||
| description: "Cosign verify commands" | ||
| value: ${{ jobs.finalize.outputs.cosign-verify-commands }} | ||
| artifact-name: | ||
| description: "Name of the uploaded artifact (for local output)" | ||
| value: ${{ jobs.finalize.outputs.artifact-name }} | ||
| output-type: | ||
| description: "Build output type" | ||
| value: ${{ jobs.finalize.outputs.output-type }} | ||
| signed: | ||
| description: "Whether attestations manifests or artifacts were signed" | ||
| value: ${{ jobs.finalize.outputs.signed }} | ||
| env: | ||
| BUILDX_VERSION: "v0.30.1" | ||
| BUILDKIT_IMAGE: "moby/buildkit:master@sha256:bdefeba47634c596286beabe68219708ed364c4f1a5e4e9a2e160274712a0e89" # TODO: pin to a specific version when signed gha cache feature is available | ||
| SBOM_IMAGE: "docker/buildkit-syft-scanner:1.9.0" | ||
| BINFMT_IMAGE: "tonistiigi/binfmt:qemu-v10.0.4-56" | ||
| DOCKER_ACTIONS_TOOLKIT_MODULE: "@docker/[email protected]" | ||
| COSIGN_VERSION: "v3.0.2" | ||
| LOCAL_EXPORT_DIR: "/tmp/buildx-output" | ||
| MATRIX_SIZE_LIMIT: "20" | ||
| jobs: | ||
| prepare: | ||
| runs-on: ubuntu-24.04 | ||
| outputs: | ||
| includes: ${{ steps.set.outputs.includes }} | ||
| sign: ${{ steps.set.outputs.sign }} | ||
| privateRepo: ${{ steps.set.outputs.privateRepo }} | ||
| ghaCacheSign: ${{ steps.set.outputs.ghaCacheSign }} | ||
| steps: | ||
| - | ||
| name: Install @docker/actions-toolkit | ||
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | ||
| env: | ||
| INPUT_DAT-MODULE: ${{ env.DOCKER_ACTIONS_TOOLKIT_MODULE }} | ||
| with: | ||
| script: | | ||
| await exec.exec('npm', ['install', '--prefer-offline', '--ignore-scripts', core.getInput('dat-module')]); | ||
| - | ||
| name: Set outputs | ||
| id: set | ||
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | ||
| env: | ||
| INPUT_MATRIX-SIZE-LIMIT: ${{ env.MATRIX_SIZE_LIMIT }} | ||
| INPUT_ACTIONS-ID-TOKEN-SET: ${{ env.ACTIONS_ID_TOKEN_REQUEST_TOKEN != '' && env.ACTIONS_ID_TOKEN_REQUEST_URL != '' }} | ||
| INPUT_RUNNER: ${{ inputs.runner }} | ||
| INPUT_ARTIFACT-UPLOAD: ${{ inputs.artifact-upload }} | ||
| INPUT_OUTPUT: ${{ inputs.output }} | ||
| INPUT_PLATFORMS: ${{ inputs.platforms }} | ||
| INPUT_PUSH: ${{ inputs.push }} | ||
| INPUT_SIGN: ${{ inputs.sign }} | ||
| with: | ||
| script: | | ||
| const { GitHub } = require('@docker/actions-toolkit/lib/github'); | ||
| const { Util } = require('@docker/actions-toolkit/lib/util'); | ||
| const inpMatrixSizeLimit = parseInt(core.getInput('matrix-size-limit'), 10); | ||
| const inpActionsIdTokenSet = core.getBooleanInput('actions-id-token-set'); | ||
| const inpRunner = core.getInput('runner'); | ||
| const inpArtifactUpload = core.getBooleanInput('artifact-upload'); | ||
| const inpPlatforms = Util.getInputList('platforms'); | ||
| const inpOutput = core.getInput('output'); | ||
| const inpPush = core.getBooleanInput('push'); | ||
| const inpSign = core.getInput('sign'); | ||
| let runner = inpRunner; | ||
| if (inpRunner === 'amd64') { | ||
| runner = 'ubuntu-24.04'; | ||
| } else if (inpRunner === 'arm64') { | ||
| runner = 'ubuntu-24.04-arm'; | ||
| } else if (inpRunner !== 'auto') { | ||
| core.setFailed(`Invalid runner input: ${inpRunner}`); | ||
| return; | ||
| } | ||
| const sign = | ||
| inpSign === 'auto' | ||
| ? (inpOutput === 'image' && inpPush) || (inpOutput === 'local' && inpArtifactUpload) | ||
| : inpSign === 'true'; | ||
| if (inpOutput === 'local' && inpPush) { | ||
| core.warning(`push is ignored when output is local`); | ||
| } else if (inpOutput === 'image' && inpArtifactUpload) { | ||
| core.warning(`artifact-upload is ignored when output is image`); | ||
| } | ||
| if (inpOutput === 'image' && !inpPush && sign) { | ||
| core.setFailed(`signing attestation manifests requires push to be enabled`); | ||
| return; | ||
| } | ||
| if (inpPlatforms.length > inpMatrixSizeLimit) { | ||
| core.setFailed(`Platforms to build exceed matrix size limit of ${inpMatrixSizeLimit}`); | ||
| return; | ||
| } | ||
| const privateRepo = GitHub.context.payload.repository?.private ?? false; | ||
| await core.group(`Set privateRepo output`, async () => { | ||
| core.info(`privateRepo: ${privateRepo}`); | ||
| core.setOutput('privateRepo', privateRepo); | ||
| }); | ||
| core.setOutput('ghaCacheSign', inpActionsIdTokenSet ? 'true' : 'false'); | ||
| await core.group(`Set includes output`, async () => { | ||
| let includes = []; | ||
| if (inpPlatforms.length === 0) { | ||
| includes.push({ | ||
| index: 0, | ||
| runner: runner === 'auto' ? 'ubuntu-24.04' : runner | ||
| }); | ||
| } else { | ||
| inpPlatforms.forEach((platform, index) => { | ||
| includes.push({ | ||
| index: index, | ||
| platform: platform, | ||
| runner: runner === 'auto' ? ((!privateRepo && platform.startsWith('linux/arm')) ? 'ubuntu-24.04-arm' : 'ubuntu-24.04') : runner | ||
| }); | ||
| }); | ||
| } | ||
| core.info(JSON.stringify(includes, null, 2)); | ||
| core.setOutput('includes', JSON.stringify(includes)); | ||
| }); | ||
| await core.group(`Set sign output`, async () => { | ||
| core.info(`sign: ${sign}`); | ||
| core.setOutput('sign', sign); | ||
| }); | ||
| build: | ||
| runs-on: ${{ matrix.runner }} | ||
| needs: | ||
| - prepare | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| include: ${{ fromJson(needs.prepare.outputs.includes) }} | ||
| outputs: | ||
| # needs predefined outputs as we can't use dynamic ones atm: https://github.com/actions/runner/pull/2477 | ||
| # 20 is the maximum number of platforms supported by our matrix strategy | ||
| result_0: ${{ steps.result.outputs.result_0 }} | ||
| result_1: ${{ steps.result.outputs.result_1 }} | ||
| result_2: ${{ steps.result.outputs.result_2 }} | ||
| result_3: ${{ steps.result.outputs.result_3 }} | ||
| result_4: ${{ steps.result.outputs.result_4 }} | ||
| result_5: ${{ steps.result.outputs.result_5 }} | ||
| result_6: ${{ steps.result.outputs.result_6 }} | ||
| result_7: ${{ steps.result.outputs.result_7 }} | ||
| result_8: ${{ steps.result.outputs.result_8 }} | ||
| result_9: ${{ steps.result.outputs.result_9 }} | ||
| result_10: ${{ steps.result.outputs.result_10 }} | ||
| result_11: ${{ steps.result.outputs.result_11 }} | ||
| result_12: ${{ steps.result.outputs.result_12 }} | ||
| result_13: ${{ steps.result.outputs.result_13 }} | ||
| result_14: ${{ steps.result.outputs.result_14 }} | ||
| result_15: ${{ steps.result.outputs.result_15 }} | ||
| result_16: ${{ steps.result.outputs.result_16 }} | ||
| result_17: ${{ steps.result.outputs.result_17 }} | ||
| result_18: ${{ steps.result.outputs.result_18 }} | ||
| result_19: ${{ steps.result.outputs.result_19 }} | ||
| steps: | ||
| - | ||
| name: Install @docker/actions-toolkit | ||
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | ||
| env: | ||
| INPUT_DAT-MODULE: ${{ env.DOCKER_ACTIONS_TOOLKIT_MODULE }} | ||
| with: | ||
| script: | | ||
| await exec.exec('npm', ['install', '--prefer-offline', '--ignore-scripts', core.getInput('dat-module')]); | ||
| - | ||
| name: Docker meta | ||
| id: meta | ||
| if: ${{ inputs.output == 'image' }} | ||
| uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0 | ||
| with: | ||
| images: ${{ inputs.meta-images }} | ||
| tags: ${{ inputs.meta-tags }} | ||
| flavor: ${{ inputs.meta-flavor }} | ||
| labels: ${{ inputs.meta-labels }} | ||
| annotations: ${{ inputs.meta-annotations }} | ||
| - | ||
| name: Set up QEMU | ||
| uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 | ||
| if: ${{ inputs.setup-qemu }} | ||
| with: | ||
| image: ${{ env.BINFMT_IMAGE }} | ||
| cache-image: false | ||
| - | ||
| name: Expose GitHub Runtime | ||
| uses: crazy-max/ghaction-github-runtime@3cb05d89e1f492524af3d41a1c98c83bc3025124 # v3.1.0 | ||
| - | ||
| name: Set up Docker Buildx | ||
| id: buildx | ||
| uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 | ||
| with: | ||
| version: ${{ env.BUILDX_VERSION }} | ||
| cache-binary: false | ||
| buildkitd-flags: --debug | ||
| driver-opts: | | ||
| image=${{ env.BUILDKIT_IMAGE }} | ||
| env.ACTIONS_ID_TOKEN_REQUEST_TOKEN=${{ env.ACTIONS_ID_TOKEN_REQUEST_TOKEN }} | ||
| env.ACTIONS_ID_TOKEN_REQUEST_URL=${{ env.ACTIONS_ID_TOKEN_REQUEST_URL }} | ||
| buildkitd-config-inline: | | ||
| [cache] | ||
| [cache.gha] | ||
| [cache.gha.sign] | ||
| command = [${{ ghaCacheSignEnabled && '"ghacache-sign-script.sh"' || '' }}] | ||
| [cache.gha.verify] | ||
| required = ${{ ghaCacheSignEnabled }} | ||
| [cache.gha.verify.policy] | ||
| timestampThreshold = 1 | ||
| tlogThreshold = ${{ needs.prepare.outputs.privateRepo == 'true' && '0' || '1' }} | ||
| subjectAlternativeName = "https://github.com/docker/github-builder-experimental/.github/workflows/build.yml*" | ||
| githubWorkflowRepository = "docker/github-builder-experimental" | ||
| issuer = "https://token.actions.githubusercontent.com" | ||
| runnerEnvironment = "github-hosted" | ||
| sourceRepositoryURI = "${{ github.server_url }}/${{ github.repository }}" | ||
| sourceRepositoryRef = "${{ github.event_name != 'pull_request' && github.ref || '' }}" | ||
| - | ||
| name: Install Cosign | ||
| if: ${{ needs.prepare.outputs.sign == 'true' || inputs.cache }} | ||
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | ||
| env: | ||
| INPUT_COSIGN-VERSION: ${{ env.COSIGN_VERSION }} | ||
| INPUT_BUILDER-NAME: ${{ steps.buildx.outputs.name }} | ||
| INPUT_GHA-CACHE-SIGN-SCRIPT: | | ||
| #!/bin/sh | ||
| set -e | ||
| # Create temporary files | ||
| out_file=$(mktemp) | ||
| in_file=$(mktemp) | ||
| trap 'rm -f "$in_file" "$out_file"' EXIT | ||
| cat > "$in_file" | ||
| set -x | ||
| # Sign with cosign | ||
| cosign sign-blob \ | ||
| --yes \ | ||
| --oidc-provider github-actions \ | ||
| --new-bundle-format \ | ||
| --use-signing-config \ | ||
| --bundle "$out_file" \ | ||
| --tlog-upload=${{ needs.prepare.outputs.privateRepo == 'false' }} \ | ||
| "$in_file" | ||
| # Output bundle to stdout | ||
| cat "$out_file" | ||
| with: | ||
| script: | | ||
| const fs = require('fs'); | ||
| const os = require('os'); | ||
| const path = require('path'); | ||
| const { Buildx } = require('@docker/actions-toolkit/lib/buildx/buildx'); | ||
| const { Cosign } = require('@docker/actions-toolkit/lib/cosign/cosign'); | ||
| const { Install } = require('@docker/actions-toolkit/lib/cosign/install'); | ||
| const inpCosignVersion = core.getInput('cosign-version'); | ||
| const inpBuilderName = core.getInput('builder-name'); | ||
| const inpGHACacheSignScript = core.getInput('gha-cache-sign-script'); | ||
| const cosignInstall = new Install(); | ||
| const cosignBinPath = await cosignInstall.download({ | ||
| version: core.getInput('cosign-version'), | ||
| ghaNoCache: true, | ||
| skipState: true, | ||
| verifySignature: true | ||
| }); | ||
| const cosignPath = await cosignInstall.install(cosignBinPath); | ||
| const cosign = new Cosign(); | ||
| await cosign.printVersion(); | ||
| const containerName = `${Buildx.containerNamePrefix}${inpBuilderName}0`; | ||
| const ghaCacheSignScriptPath = path.join(os.tmpdir(), `ghacache-sign-script.sh`); | ||
| core.info(`Writing GitHub Actions cache sign script to ${ghaCacheSignScriptPath}`); | ||
| await fs.writeFileSync(ghaCacheSignScriptPath, inpGHACacheSignScript, {mode: 0o700}); | ||
| core.info(`Copying GitHub Actions cache sign script to BuildKit container ${containerName}`); | ||
| await exec.exec('docker', [ | ||
| 'cp', | ||
| ghaCacheSignScriptPath, | ||
| `${containerName}:/usr/bin/ghacache-sign-script.sh` | ||
| ]); | ||
| core.info(`Copying cosign binary to BuildKit container ${containerName}`); | ||
| await exec.exec('docker', [ | ||
| 'cp', | ||
| cosignPath, | ||
| `${containerName}:/usr/bin/cosign` | ||
| ]); | ||
| - | ||
| name: Prepare | ||
| id: prepare | ||
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | ||
| env: | ||
| INPUT_PLATFORM: ${{ matrix.platform }} | ||
| INPUT_SBOM-IMAGE: ${{ env.SBOM_IMAGE }} | ||
| INPUT_LOCAL-EXPORT-DIR: ${{ env.LOCAL_EXPORT_DIR }} | ||
| INPUT_ANNOTATIONS: ${{ inputs.annotations }} | ||
| INPUT_CACHE: ${{ inputs.cache }} | ||
| INPUT_CACHE-SCOPE: ${{ inputs.cache-scope }} | ||
| INPUT_CACHE-MODE: ${{ inputs.cache-mode }} | ||
| INPUT_LABELS: ${{ inputs.labels }} | ||
| INPUT_CONTEXT: ${{ inputs.context }} | ||
| INPUT_OUTPUT: ${{ inputs.output }} | ||
| INPUT_PUSH: ${{ inputs.push }} | ||
| INPUT_SBOM: ${{ inputs.sbom }} | ||
| INPUT_TARGET: ${{ inputs.target }} | ||
| INPUT_META-IMAGES: ${{ inputs.meta-images }} | ||
| INPUT_SET-META-ANNOTATIONS: ${{ inputs.set-meta-annotations }} | ||
| INPUT_META-ANNOTATIONS: ${{ steps.meta.outputs.annotations }} | ||
| INPUT_SET-META-LABELS: ${{ inputs.set-meta-labels }} | ||
| INPUT_META-LABELS: ${{ steps.meta.outputs.labels }} | ||
| with: | ||
| script: | | ||
| const { GitHub } = require('@docker/actions-toolkit/lib/github'); | ||
| const inpPlatform = core.getInput('platform'); | ||
| const platformPairSuffix = inpPlatform ? `-${inpPlatform.replace(/\//g, '-')}` : ''; | ||
| core.setOutput('platform-pair-suffix', platformPairSuffix); | ||
| const inpSbomImage = core.getInput('sbom-image'); | ||
| const inpLocalExportDir = core.getInput('local-export-dir'); | ||
| const inpAnnotations = core.getMultilineInput('annotations'); | ||
| const inpCache = core.getBooleanInput('cache'); | ||
| const inpCacheScope = core.getInput('cache-scope'); | ||
| const inpCacheMode = core.getInput('cache-mode'); | ||
| const inpContext = core.getInput('context'); | ||
| const inpLabels = core.getMultilineInput('labels'); | ||
| const inpOutput = core.getInput('output'); | ||
| const inpPush = core.getBooleanInput('push'); | ||
| const inpSbom = core.getBooleanInput('sbom'); | ||
| const inpTarget = core.getInput('target'); | ||
| const inpMetaImages = core.getMultilineInput('meta-images'); | ||
| const inpSetMetaAnnotations = core.getBooleanInput('set-meta-annotations'); | ||
| const inpMetaAnnotations = core.getMultilineInput('meta-annotations'); | ||
| const inpSetMetaLabels = core.getBooleanInput('set-meta-labels'); | ||
| const inpMetaLabels = core.getMultilineInput('meta-labels'); | ||
| const buildContext = `${process.env.GITHUB_SERVER_URL}/${process.env.GITHUB_REPOSITORY}.git#${process.env.GITHUB_REF}:${inpContext}`; | ||
| core.setOutput('context', buildContext); | ||
| switch (inpOutput) { | ||
| case 'image': | ||
| if (inpMetaImages.length == 0) { | ||
| core.setFailed('meta-images is required when output is image'); | ||
| return; | ||
| } | ||
| core.setOutput('output', `type=image,"name=${inpMetaImages.join(',')}",oci-artifact=true,push-by-digest=true,name-canonical=true,push=${inpPush}`); | ||
| break; | ||
| case 'local': | ||
| core.setOutput('output', `type=local,platform-split=true,dest=${inpLocalExportDir}`); | ||
| break; | ||
| default: | ||
| core.setFailed(`Invalid output: ${inpOutput}`); | ||
| return; | ||
| } | ||
| if (inpPlatform) { | ||
| core.setOutput('platform', inpPlatform); | ||
| } | ||
| core.setOutput('sbom', inpSbom ? `generator=${inpSbomImage}` : 'false'); | ||
| if (inpCache) { | ||
| core.setOutput('cache-from', `type=gha,scope=${inpCacheScope || inpTarget || 'buildkit'}${platformPairSuffix}`); | ||
| core.setOutput('cache-to', `type=gha,ignore-error=true,scope=${inpCacheScope || inpTarget || 'buildkit'}${platformPairSuffix},mode=${inpCacheMode}`); | ||
| } | ||
| if (inpSetMetaAnnotations && inpMetaAnnotations.length > 0) { | ||
| inpAnnotations.push(...inpMetaAnnotations); | ||
| } | ||
| core.setOutput('annotations', inpAnnotations.join('\n')); | ||
| if (inpSetMetaLabels && inpMetaLabels.length > 0) { | ||
| inpLabels.push(...inpMetaLabels); | ||
| } | ||
| core.setOutput('labels', inpLabels.join('\n')); | ||
| if (GitHub.context.payload.repository?.private ?? false) { | ||
| // if this is a private repository, we set the default provenance | ||
| // attributes being set in buildx: https://github.com/docker/buildx/blob/fb27e3f919dcbf614d7126b10c2bc2d0b1927eb6/build/build.go#L603 | ||
| core.setOutput('provenance', 'mode=min,inline-only=true,version=v1'); | ||
| } else { | ||
| // for a public repository, we set max provenance mode | ||
| core.setOutput('provenance', 'mode=max,version=v1'); | ||
| } | ||
| - | ||
| name: Login to registry | ||
| if: ${{ inputs.push && inputs.output == 'image' }} | ||
| uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 | ||
| with: | ||
| registry-auth: ${{ secrets.registry-auths }} | ||
| - | ||
| name: Build | ||
| id: build | ||
| uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 | ||
| with: | ||
| annotations: ${{ steps.prepare.outputs.annotations }} | ||
| build-args: ${{ inputs.build-args }} | ||
| cache-from: ${{ steps.prepare.outputs.cache-from }} | ||
| cache-to: ${{ steps.prepare.outputs.cache-to }} | ||
| context: ${{ steps.prepare.outputs.context }} | ||
| file: ${{ inputs.file }} | ||
| labels: ${{ steps.prepare.outputs.labels }} | ||
| outputs: ${{ steps.prepare.outputs.output }} | ||
| platforms: ${{ steps.prepare.outputs.platform }} | ||
| provenance: ${{ steps.prepare.outputs.provenance }} | ||
| sbom: ${{ steps.prepare.outputs.sbom }} | ||
| secret-envs: GIT_AUTH_TOKEN=GIT_AUTH_TOKEN | ||
| shm-size: ${{ inputs.shm-size }} | ||
| target: ${{ inputs.target }} | ||
| ulimit: ${{ inputs.ulimit }} | ||
| env: | ||
| BUILDKIT_MULTI_PLATFORM: 1 | ||
| GIT_AUTH_TOKEN: ${{ secrets.github-token || github.token }} | ||
| - | ||
| name: Signing attestation manifests | ||
| id: signing-attestation-manifests | ||
| if: ${{ needs.prepare.outputs.sign == 'true' && inputs.output == 'image' }} | ||
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | ||
| env: | ||
| INPUT_IMAGE-NAMES: ${{ inputs.meta-images }} | ||
| INPUT_IMAGE-DIGEST: ${{ steps.build.outputs.digest }} | ||
| with: | ||
| script: | | ||
| const { Sigstore } = require('@docker/actions-toolkit/lib/sigstore/sigstore'); | ||
| const inpImageNames = core.getMultilineInput('image-names'); | ||
| const inpImageDigest = core.getInput('image-digest'); | ||
| // ECR registry regexes: https://github.com/docker/login-action/blob/28fdb31ff34708d19615a74d67103ddc2ea9725c/src/aws.ts#L8-L9 | ||
| const ecrRegistryRegex = /^(([0-9]{12})\.(dkr\.ecr|dkr-ecr)\.(.+)\.(on\.aws|amazonaws\.com(.cn)?))(\/([^:]+)(:.+)?)?$/; | ||
| const ecrPublicRegistryRegex = /public\.ecr\.aws|ecr-public\.aws\.com/; | ||
| for (const imageName of inpImageNames) { | ||
| if (ecrRegistryRegex.test(imageName) || ecrPublicRegistryRegex.test(imageName)) { | ||
| core.info(`Detected ECR image name: ${imageName}, adding delay to mitigate eventual consistency issue`); | ||
| // FIXME: remove once https://github.com/docker/github-builder-experimental/issues/30 is resolved | ||
| await new Promise(resolve => setTimeout(resolve, 5000)); | ||
| break; | ||
| } | ||
| } | ||
| const sigstore = new Sigstore(); | ||
| const signResults = await sigstore.signAttestationManifests({ | ||
| imageNames: inpImageNames, | ||
| imageDigest: inpImageDigest | ||
| }); | ||
| const verifyResults = await sigstore.verifySignedManifests( | ||
| { certificateIdentityRegexp: `^https://github.com/docker/github-builder-experimental/.github/workflows/build.yml.*$` }, | ||
| signResults | ||
| ); | ||
| await core.group(`Verify commands`, async () => { | ||
| const verifyCommands = []; | ||
| for (const [attestationRef, verifyResult] of Object.entries(verifyResults)) { | ||
| const cmd = `cosign ${verifyResult.cosignArgs.join(' ')} ${attestationRef}`; | ||
| core.info(cmd); | ||
| verifyCommands.push(cmd); | ||
| } | ||
| core.setOutput('verify-commands', verifyCommands.join('\n')); | ||
| }); | ||
| - | ||
| name: Signing local artifacts | ||
| id: signing-local-artifacts | ||
| if: ${{ needs.prepare.outputs.sign == 'true' && inputs.output == 'local' }} | ||
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | ||
| env: | ||
| INPUT_LOCAL-OUTPUT-DIR: ${{ env.LOCAL_EXPORT_DIR }} | ||
| with: | ||
| script: | | ||
| const path = require('path'); | ||
| const { Sigstore } = require('@docker/actions-toolkit/lib/sigstore/sigstore'); | ||
| const inplocalExportDir = core.getInput('local-output-dir'); | ||
| const sigstore = new Sigstore(); | ||
| const signResults = await sigstore.signProvenanceBlobs({ | ||
| localExportDir: inplocalExportDir | ||
| }); | ||
| const verifyResults = await sigstore.verifySignedArtifacts( | ||
| { certificateIdentityRegexp: `^https://github.com/docker/github-builder-experimental/.github/workflows/build.yml.*$` }, | ||
| signResults | ||
| ); | ||
| await core.group(`Verify commands`, async () => { | ||
| const verifyCommands = []; | ||
| for (const [artifactPath, verifyResult] of Object.entries(verifyResults)) { | ||
| const cmd = `cosign ${verifyResult.cosignArgs.join(' ')} --bundle ${path.relative(inplocalExportDir, verifyResult.bundlePath)} ${path.relative(inplocalExportDir, artifactPath)}`; | ||
| core.info(cmd); | ||
| verifyCommands.push(cmd); | ||
| } | ||
| core.setOutput('verify-commands', verifyCommands.join('\n')); | ||
| }); | ||
| - | ||
| name: List local output | ||
| if: ${{ inputs.output == 'local' }} | ||
| run: | | ||
| tree -nh ${{ env.LOCAL_EXPORT_DIR }} | ||
| - | ||
| name: Upload artifact | ||
| if: ${{ inputs.output == 'local' && inputs.artifact-upload }} | ||
| uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 | ||
| with: | ||
| name: ${{ inputs.artifact-name }}${{ steps.prepare.outputs.platform-pair-suffix || '0' }} | ||
| path: ${{ env.LOCAL_EXPORT_DIR }} | ||
| if-no-files-found: error | ||
| - | ||
| name: Set result output | ||
| id: result | ||
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | ||
| env: | ||
| INPUT_INDEX: ${{ matrix.index }} | ||
| INPUT_VERIFY-COMMANDS: ${{ steps.signing-attestation-manifests.outputs.verify-commands || steps.signing-local-artifacts.outputs.verify-commands }} | ||
| INPUT_IMAGE-DIGEST: ${{ steps.build.outputs.digest }} | ||
| INPUT_ARTIFACT-NAME: ${{ inputs.artifact-name }}${{ steps.prepare.outputs.platform-pair-suffix }} | ||
| INPUT_ARTIFACT-UPLOAD: ${{ inputs.artifact-upload }} | ||
| INPUT_SIGNED: ${{ needs.prepare.outputs.sign }} | ||
| with: | ||
| script: | | ||
| const inpIndex = core.getInput('index'); | ||
| const inpVerifyCommands = core.getInput('verify-commands'); | ||
| const inpImageDigest = core.getInput('image-digest'); | ||
| const inpArtifactName = core.getInput('artifact-name'); | ||
| const inpArtifactUpload = core.getBooleanInput('artifact-upload'); | ||
| const inpSigned = core.getBooleanInput('signed'); | ||
| const result = { | ||
| verifyCommands: inpVerifyCommands, | ||
| imageDigest: inpImageDigest, | ||
| artifactName: inpArtifactUpload ? inpArtifactName : '', | ||
| signed: inpSigned | ||
| } | ||
| core.info(JSON.stringify(result, null, 2)); | ||
| core.setOutput(`result_${inpIndex}`, JSON.stringify(result)); | ||
| finalize: | ||
| runs-on: ubuntu-24.04 | ||
| outputs: | ||
| meta-json: ${{ steps.meta.outputs.json }} | ||
| cosign-version: ${{ env.COSIGN_VERSION }} | ||
| cosign-verify-commands: ${{ steps.set.outputs.cosign-verify-commands }} | ||
| artifact-name: ${{ inputs.artifact-upload && inputs.artifact-name || '' }} | ||
| output-type: ${{ inputs.output }} | ||
| signed: ${{ needs.prepare.outputs.sign }} | ||
| needs: | ||
| - prepare | ||
| - build | ||
| steps: | ||
| - | ||
| name: Docker meta | ||
| id: meta | ||
| if: ${{ inputs.output == 'image' }} | ||
| uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0 | ||
| with: | ||
| images: ${{ inputs.meta-images }} | ||
| tags: ${{ inputs.meta-tags }} | ||
| flavor: ${{ inputs.meta-flavor }} | ||
| labels: ${{ inputs.meta-labels }} | ||
| annotations: ${{ inputs.meta-annotations }} | ||
| - | ||
| name: Login to registry | ||
| if: ${{ inputs.push && inputs.output == 'image' }} | ||
| uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 | ||
| with: | ||
| registry-auth: ${{ secrets.registry-auths }} | ||
| - | ||
| name: Set up Docker Buildx | ||
| if: ${{ inputs.push && inputs.output == 'image' }} | ||
| uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 | ||
| with: | ||
| version: ${{ env.BUILDX_VERSION }} | ||
| buildkitd-flags: --debug | ||
| driver-opts: image=${{ env.BUILDKIT_IMAGE }} | ||
| cache-binary: false | ||
| - | ||
| name: Create manifest | ||
| if: ${{ inputs.output == 'image' }} | ||
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | ||
| env: | ||
| INPUT_PUSH: ${{ inputs.push }} | ||
| INPUT_IMAGE-NAMES: ${{ inputs.meta-images }} | ||
| INPUT_TAG-NAMES: ${{ steps.meta.outputs.tag-names }} | ||
| INPUT_BUILD-OUTPUTS: ${{ toJSON(needs.build.outputs) }} | ||
| with: | ||
| script: | | ||
| const inpPush = core.getBooleanInput('push'); | ||
| const inpImageNames = core.getMultilineInput('image-names'); | ||
| const inpTagNames = core.getMultilineInput('tag-names'); | ||
| const inpBuildOutputs = JSON.parse(core.getInput('build-outputs')); | ||
| const digests = []; | ||
| for (const key of Object.keys(inpBuildOutputs)) { | ||
| const output = JSON.parse(inpBuildOutputs[key]); | ||
| if (output.imageDigest) { | ||
| digests.push(output.imageDigest); | ||
| } | ||
| } | ||
| if (digests.length === 0) { | ||
| core.setFailed('No image digests found from build outputs'); | ||
| return; | ||
| } | ||
| for (const imageName of inpImageNames) { | ||
| let createArgs = ['buildx', 'imagetools', 'create']; | ||
| for (const tag of inpTagNames) { | ||
| createArgs.push('-t', `${imageName}:${tag}`); | ||
| } | ||
| for (const digest of digests) { | ||
| createArgs.push(digest); | ||
| } | ||
| if (inpPush) { | ||
| await exec.exec('docker', createArgs); | ||
| } else { | ||
| await core.group(`Generated imagetools create command for ${imageName}`, async () => { | ||
| core.info(`docker ${createArgs.join(' ')}`); | ||
| }); | ||
| } | ||
| } | ||
| - | ||
| name: Merge artifacts | ||
| if: ${{ inputs.output == 'local' && inputs.artifact-upload }} | ||
| uses: actions/upload-artifact/merge@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 | ||
| with: | ||
| name: ${{ inputs.artifact-name }} | ||
| pattern: ${{ inputs.artifact-name }}* | ||
| delete-merged: true | ||
| - | ||
| name: Set outputs | ||
| id: set | ||
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | ||
| env: | ||
| INPUT_BUILD-OUTPUTS: ${{ toJSON(needs.build.outputs) }} | ||
| INPUT_SIGNED: ${{ needs.prepare.outputs.sign }} | ||
| with: | ||
| script: | | ||
| const inpBuildOutputs = JSON.parse(core.getInput('build-outputs')); | ||
| const inpSigned = core.getBooleanInput('signed'); | ||
| if (inpSigned) { | ||
| const verifyCommands = []; | ||
| for (const key of Object.keys(inpBuildOutputs)) { | ||
| const output = JSON.parse(inpBuildOutputs[key]); | ||
| if (output.verifyCommands) { | ||
| verifyCommands.push(output.verifyCommands); | ||
| } | ||
| } | ||
| core.setOutput('cosign-verify-commands', verifyCommands.join('\n')); | ||
| } | ||
