From 3f27c9e786ba49587a067ce02f746ac1ade95732 Mon Sep 17 00:00:00 2001 From: Brooks Newberry Date: Fri, 11 Oct 2024 10:43:57 -0700 Subject: [PATCH] use publish-image action Signed-off-by: Brooks Newberry --- .github/workflows/release.yml | 85 ++++++++++++++++++++++----- Makefile | 4 ++ scripts/build-image-runtime | 20 +------ scripts/build-image-runtime-windows | 24 ++++++++ scripts/build-images | 1 + scripts/publish-image-runtime | 7 --- scripts/publish-image-runtime-windows | 8 +++ scripts/publish-manifest-runtime | 10 ++-- scripts/version.sh | 2 +- 9 files changed, 116 insertions(+), 45 deletions(-) create mode 100755 scripts/build-image-runtime-windows create mode 100755 scripts/publish-image-runtime-windows diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 4177ec388b..591f5c2ce8 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -42,6 +42,9 @@ jobs: secrets: | secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | DOCKER_USERNAME ; secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_PASSWORD ; + secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ; + secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials username | PRIME_REGISTRY_USERNAME ; + secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD - name: Package Images run: | 
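Review bot: The three rancher-prime-registry secrets added to this list are exported into the job environment (later steps read them as `${{ env.PRIME_REGISTRY_PASSWORD }}`), so every step that runs after the secrets step, including the packaging and test steps, has the registry password available on the runner although only the publish step needs it. Consider reading these secrets in a separate step placed immediately before the publish step, or moving publishing into its own job that consumes already-built artifacts. The same applies to the identical additions in the hunks at -101 and -145. The last added line here also omits the trailing ` ;` that the other two hunks carry; that is harmless if the separator is optional, but it is worth making uniform.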
@@ -57,12 +60,37 @@ jobs: dapper -f Dockerfile --target dapper make test - name: Publish Image Runtime - run: | - GITHUB_ACTION_TAG=${{ github.ref_name }} dapper -f Dockerfile --target dapper make publish-image-runtime - env: - DOCKER_USERNAME: ${{ env.DOCKER_USERNAME }} - DOCKER_PASSWORD: ${{ env.DOCKER_PASSWORD }} - + uses: rancher/ecm-distro-tools/actions/publish-image@master + with: + image: "rke2-runtime" + tag: ${{ github.ref_name }} + make-target: publish-image-runtime + + public-repo: rancher + public-username: ${{ env.DOCKER_USERNAME }} + public-password: ${{ env.DOCKER_PASSWORD }} + + prime-repo: rancher + prime-registry: ${{ env.PRIME_REGISTRY }} + prime-username: ${{ env.PRIME_REGISTRY_USERNAME }} + prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }} + + - name: Publish Image Runtime (Windows) + uses: rancher/ecm-distro-tools/actions/publish-image@master + with: + image: "rke2-runtime" + tag: ${{ github.ref_name }} + make-target: publish-image-runtime-windows + + public-repo: rancher + public-username: ${{ env.DOCKER_USERNAME }} + public-password: ${{ env.DOCKER_PASSWORD }} + + prime-repo: rancher + prime-registry: ${{ env.PRIME_REGISTRY }} + prime-username: ${{ env.PRIME_REGISTRY_USERNAME }} + prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }} + - name: Package windows images run: | GITHUB_ACTION_TAG=${{ github.ref_name }} dapper -f Dockerfile --target dapper make package-windows-images 
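Review bot: `uses: rancher/ecm-distro-tools/actions/publish-image@master` tracks a mutable branch, and this step hands that action both the Docker Hub and the Prime registry passwords during a release. Any commit that lands on that branch will run with those credentials on the next release, without any change being reviewed in this repository. Pin the action to a full commit SHA, e.g. `uses: rancher/ecm-distro-tools/actions/publish-image@<full-commit-sha> # <release-tag>`, and bump it deliberately. The same reference is used by the Windows step in this hunk and by the hunks at -112 and -145.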
@@ -101,6 +129,9 @@ jobs: secrets: | secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | DOCKER_USERNAME ; secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_PASSWORD ; + secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ; + secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials username | PRIME_REGISTRY_USERNAME ; + secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD ; - name: Package Images run: | @@ -112,11 +143,20 @@ jobs: dapper -f Dockerfile --target dapper make scan-images - name: Publish Image Runtime - run: | - GITHUB_ACTION_TAG=${{ github.ref_name }} dapper -f Dockerfile --target dapper make publish-image-runtime - env: - DOCKER_USERNAME: ${{ env.DOCKER_USERNAME }} - DOCKER_PASSWORD: ${{ env.DOCKER_PASSWORD }} + uses: rancher/ecm-distro-tools/actions/publish-image@master + with: + image: "rke2-runtime" + tag: ${{ github.ref_name }} + make-target: publish-image-runtime + + public-repo: rancher + public-username: ${{ env.DOCKER_USERNAME }} + public-password: ${{ env.DOCKER_PASSWORD }} + + prime-repo: rancher + prime-registry: ${{ env.PRIME_REGISTRY }} + prime-username: ${{ env.PRIME_REGISTRY_USERNAME }} + prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }} - name: Checksum run: | 
@@ -145,13 +185,26 @@ jobs: secrets: | secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | DOCKER_USERNAME ; secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_PASSWORD ; + secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ; + secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials username | PRIME_REGISTRY_USERNAME ; + secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD ; - name: Manifest - run: | - GITHUB_ACTION_TAG=${{ github.ref_name }} dapper -f Dockerfile --target dapper make publish-manifest-runtime - env: - DOCKER_USERNAME: ${{ env.DOCKER_USERNAME }} - DOCKER_PASSWORD: ${{ env.DOCKER_PASSWORD }} + uses: rancher/ecm-distro-tools/actions/publish-image@master + with: + image: "rke2-runtime" + tag: ${{ github.ref_name }} + make-target: publish-manifest-runtime + + public-repo: rancher + public-username: ${{ env.DOCKER_USERNAME }} + public-password: ${{ env.DOCKER_PASSWORD }} + + prime-repo: rancher + prime-registry: ${{ env.PRIME_REGISTRY }} + prime-username: ${{ env.PRIME_REGISTRY_USERNAME }} + prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }} + dispatch: needs: [release-amd64, release-arm64] runs-on: runs-on,runner=8cpu-linux-x64,run-id=${{ github.run_id }},image=ubuntu22-full-x64,hdd=64 diff --git a/Makefile b/Makefile index 13cb6387ca..863501b189 100644 --- a/Makefile +++ b/Makefile @@ -55,6 +55,10 @@ build-image-runtime: ## Build the runtime image publish-image-runtime: build-image-runtime ./scripts/publish-image-runtime +.PHONY: publish-image-runtime-windows +publish-image-runtime: build-image-runtime-windows + ./scripts/publish-image-runtime-windows + .PHONY: validate validate: ## Run go fmt/vet ./scripts/validate 
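Review bot: In the Makefile hunk the new rule is written as `publish-image-runtime: build-image-runtime-windows`, so it gives the existing `publish-image-runtime` target a second recipe instead of defining the target named in the `.PHONY` line above it. As written, `publish-image-runtime-windows` (the make-target used by the new Windows workflow step) has no recipe of its own and cannot push the Windows image, while make will take the later recipe for `publish-image-runtime`, which then runs the Windows publish script rather than `./scripts/publish-image-runtime`. The rule line should read `publish-image-runtime-windows: build-image-runtime-windows`. No `build-image-runtime-windows` target is added in this patch either, so unless one already exists elsewhere in the Makefile it needs a rule that runs `./scripts/build-image-runtime-windows`.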
diff --git a/scripts/build-image-runtime b/scripts/build-image-runtime index ed8f143d0e..316669b3e8 100755 --- a/scripts/build-image-runtime +++ b/scripts/build-image-runtime @@ -6,6 +6,9 @@ cd $(dirname $0)/.. source ./scripts/version.sh DOCKER_BUILDKIT=${DOCKER_BUILDKIT:-1} docker image build \ + ${IID_FILE_FLAG} \ + --sbom=true \ + --attest type=provenance,mode=max \ --build-arg TAG=${VERSION} \ --build-arg KUBERNETES_VERSION=${KUBERNETES_VERSION} \ --build-arg MAJOR=${VERSION_MAJOR} \ @@ -18,23 +21,6 @@ DOCKER_BUILDKIT=${DOCKER_BUILDKIT:-1} docker image build \ --file Dockerfile \ . -if [ "${GOARCH}" != "s390x" ] && [ "${GOARCH}" != "arm64" ] && [ -z "$SKIP_WINDOWS" ]; then - DOCKER_BUILDKIT=${DOCKER_BUILDKIT:-1} docker image build \ - --build-arg TAG=${VERSION} \ - --build-arg KUBERNETES_VERSION=${KUBERNETES_VERSION} \ - --build-arg MAJOR=${VERSION_MAJOR} \ - --build-arg MINOR=${VERSION_MINOR} \ - --build-arg CACHEBUST="$(date +%s%N)" \ - --tag ${REPO}/${PROG}-runtime:${DOCKERIZED_VERSION}-windows-amd64 \ - --target windows-runtime \ - --file Dockerfile.windows \ - . - # Only ever used in its compressed form for e2e tests - mkdir -p build/images - docker image save \ - ${REPO}/${PROG}-runtime:${DOCKERIZED_VERSION}-windows-${GOARCH} | \ - zstd -T0 -16 -f --long=25 --no-progress - -o build/images/${PROG}-images.windows-${GOARCH}.tar.zst -fi mkdir -p build/images docker image save \ --output build/images/${PROG}-runtime.tar \ diff --git a/scripts/build-image-runtime-windows b/scripts/build-image-runtime-windows new file mode 100755 index 0000000000..1172d870b4 --- /dev/null +++ b/scripts/build-image-runtime-windows 
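Review bot: The added `--sbom=true` and `--attest type=provenance,mode=max` only result in published attestations if the builder and image store retain them, and this script still loads the image locally for a later `docker image push`. With the classic Docker image store the attestation manifests are, as far as I know, not kept (the build may reject the flags or drop the result), so the pushed image could ship without the SBOM and provenance this change intends. Whether the publish-image action configures a builder that handles this is not visible here; it is worth verifying on a pushed tag with `docker buildx imagetools inspect` and stating the requirement in a comment above the build command. `${IID_FILE_FLAG}` is left unquoted so that it can expand to a flag plus a path, and a one-line comment saying who sets it and in what form would make that splitting clearly intentional.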
@@ -0,0 +1,24 @@ +#!/usr/bin/env bash +set -ex + +cd $(dirname $0)/.. + +source ./scripts/version.sh + +if [ "${GOARCH}" != "s390x" ] && [ "${GOARCH}" != "arm64" ] && [ -z "$SKIP_WINDOWS" ]; then + DOCKER_BUILDKIT=${DOCKER_BUILDKIT:-1} docker image build \ + --build-arg TAG=${VERSION} \ + --build-arg KUBERNETES_VERSION=${KUBERNETES_VERSION} \ + --build-arg MAJOR=${VERSION_MAJOR} \ + --build-arg MINOR=${VERSION_MINOR} \ + --build-arg CACHEBUST="$(date +%s%N)" \ + --tag ${REPO}/${PROG}-runtime:${DOCKERIZED_VERSION}-windows-amd64 \ + --target windows-runtime \ + --file Dockerfile.windows \ + . + # Only ever used in its compressed form for e2e tests + mkdir -p build/images + docker image save \ + ${REPO}/${PROG}-runtime:${DOCKERIZED_VERSION}-windows-${GOARCH} | \ + zstd -T0 -16 -f --long=25 --no-progress - -o build/images/${PROG}-images.windows-${GOARCH}.tar.zst +fi diff --git a/scripts/build-images b/scripts/build-images index 7da4cc8c56..01dbb719ba 100755 --- a/scripts/build-images +++ b/scripts/build-images @@ -6,6 +6,7 @@ cd $(dirname $0)/.. source ./scripts/version.sh ./scripts/build-image-runtime +./scripts/build-image-runtime-windows awk '{print $1}' << EOF > build/images-core.txt ${REGISTRY}/${REPO}/${PROG}-runtime:${DOCKERIZED_VERSION} diff --git a/scripts/publish-image-runtime b/scripts/publish-image-runtime index 16ef2821c8..983ada55de 100755 --- a/scripts/publish-image-runtime +++ b/scripts/publish-image-runtime @@ -5,11 +5,4 @@ cd $(dirname $0)/.. source ./scripts/version.sh -set +x -docker login -u $DOCKER_USERNAME -p $DOCKER_PASSWORD -set -x - docker image push ${REPO}/${PROG}-runtime:${DOCKERIZED_VERSION}-${GOOS}-${GOARCH} -if [ "${GOARCH}" != "s390x" ] && [ "${GOARCH}" != "arm64" ]; then - docker image push ${REPO}/${PROG}-runtime:${DOCKERIZED_VERSION}-windows-amd64 -fi diff --git a/scripts/publish-image-runtime-windows b/scripts/publish-image-runtime-windows new file mode 100755 index 0000000000..5141b088f7 --- /dev/null 
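Review bot: The Windows build in the new `scripts/build-image-runtime-windows` does not receive the `${IID_FILE_FLAG}`, `--sbom=true` and `--attest type=provenance,mode=max` arguments that the Linux build gains in this same patch, so the Windows runtime image is published without the supply-chain metadata the Linux one gets. If that is deliberate, say so in a comment next to the build command; otherwise add the same three arguments. Separately, the script runs under `set -ex` only, so a failing `docker image save` on the left of the pipe into `zstd` does not stop the script and an empty archive can be written; `set -exo pipefail` closes that gap.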
+++ b/scripts/publish-image-runtime-windows @@ -0,0 +1,8 @@ +#!/usr/bin/env bash +set -ex + +cd $(dirname $0)/.. + +source ./scripts/version.sh + +docker image push ${REPO}/${PROG}-runtime:${DOCKERIZED_VERSION}-windows-amd64 diff --git a/scripts/publish-manifest-runtime b/scripts/publish-manifest-runtime index 7364ea7eda..528c8277f4 100755 --- a/scripts/publish-manifest-runtime +++ b/scripts/publish-manifest-runtime @@ -16,8 +16,10 @@ docker manifest annotate ${REPO}/${PROG}-runtime:${DOCKERIZED_VERSION} ${REPO}/$ docker manifest annotate ${REPO}/${PROG}-runtime:${DOCKERIZED_VERSION} ${REPO}/${PROG}-runtime:${DOCKERIZED_VERSION}-linux-arm64 --os linux --arch arm64 docker manifest annotate ${REPO}/${PROG}-runtime:${DOCKERIZED_VERSION} ${REPO}/${PROG}-runtime:${DOCKERIZED_VERSION}-windows-amd64 --os windows --arch amd64 -set +x -docker login -u $DOCKER_USERNAME -p $DOCKER_PASSWORD -set -x - docker manifest push ${REPO}/${PROG}-runtime:${DOCKERIZED_VERSION} + +if [ -n "${IID_FILE_FLAG}" ]; then + DIGEST=$(docker buildx imagetools inspect --format "{{json .Manifest}}" ${REPO}/${PROG}-runtime:${DOCKERIZED_VERSION} | jq -r '.digest') + IID_FILE_PATH=$(echo "${IID_FILE_FLAG}" | cut -d' ' -f2) + echo "${DIGEST}" > "${IID_FILE_PATH}" +fi diff --git a/scripts/version.sh b/scripts/version.sh index a92a8ea30b..239806b2ac 100755 --- a/scripts/version.sh +++ b/scripts/version.sh @@ -25,7 +25,7 @@ if [ -z "$GOOS" ]; then fi fi -GIT_TAG=$GITHUB_ACTION_TAG +GIT_TAG=${GITHUB_ACTION_TAG:-$TAG} TREE_STATE=clean COMMIT=$DRONE_COMMIT REVISION=$(git rev-parse HEAD)$(if ! git diff --no-ext-diff --quiet --exit-code; then echo .dirty; fi)
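Review bot: `scripts/publish-image-runtime-windows` pushes the `-windows-amd64` tag unconditionally, whereas the build script only builds it when `GOARCH` is neither `s390x` nor `arm64` and `SKIP_WINDOWS` is empty, and the push this replaces was guarded by the same `GOARCH` test. When the build was skipped, the push either fails or publishes whatever older image carries that tag locally. Wrapping the push in the build's condition, `if [ "${GOARCH}" != "s390x" ] && [ "${GOARCH}" != "arm64" ] && [ -z "$SKIP_WINDOWS" ]; then`, keeps the two scripts in agreement.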
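Review bot: In `scripts/publish-manifest-runtime` the value written to the iid file is never checked: if `docker buildx imagetools inspect` fails or returns no `.digest`, `jq -r` yields an empty string or `null`, and that is what gets recorded as the image identity. The file presumably feeds signing or attestation in the calling action, so validate before writing, e.g. `case "${DIGEST}" in sha256:*) ;; *) echo "unexpected manifest digest: ${DIGEST}" >&2; exit 1 ;; esac`. The path extraction with `cut -d' ' -f2` also assumes `IID_FILE_FLAG` is exactly `--iidfile PATH` with a single space; in the `--iidfile=PATH` form `cut` returns the whole string and the digest is written to a file of that name. The start of the script is outside the hunk, so whether `pipefail` is set cannot be seen from here.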