Skip to content

Merge pull request #334 from bpfman/anfredette-scorecard #329

Merge pull request #334 from bpfman/anfredette-scorecard

Merge pull request #334 from bpfman/anfredette-scorecard #329

Workflow file for this run

name: operator-image-build
on: # yamllint disable-line rule:truthy
push:
branches: [main]
tags:
- v*
pull_request:
paths:
- .github/workflows/image-build.yaml
- Containerfile.bpfman-agent
- Containerfile.bpfman-operator
jobs:
build-and-push-images:
permissions:
contents: read
packages: write
id-token: write # needed for signing the images with GitHub OIDC Token
runs-on: ubuntu-24.04
strategy:
fail-fast: false
matrix:
image:
- registry: quay.io
repository: bpfman
image: bpfman-agent
dockerfile: ./Containerfile.bpfman-agent
context: .
tags: |
type=ref,event=branch
type=ref,event=tag
type=ref,event=pr
type=sha,format=long
# set latest tag for default branch
type=raw,value=latest,enable={{is_default_branch}}
- registry: quay.io
repository: bpfman
image: bpfman-operator
dockerfile: ./Containerfile.bpfman-operator
context: .
tags: |
type=ref,event=branch
type=ref,event=tag
type=ref,event=pr
type=sha,format=long
# set latest tag for default branch
type=raw,value=latest,enable={{is_default_branch}}
name: Build Image (${{ matrix.image.image }})
steps:
- name: Checkout bpfman
uses: actions/checkout@v4
- name: Install cosign
uses: sigstore/[email protected]
- name: Login to quay.io/bpfman
uses: redhat-actions/podman-login@v1
if: ${{ github.event_name == 'push' && matrix.image.repository == 'bpfman'}}
with:
registry: ${{ matrix.image.registry }}
username: ${{ secrets.BPFMAN_USERNAME }}
password: ${{ secrets.BPFMAN_ROBOT_TOKEN }}
- name: Extract metadata (tags, labels) for image
id: meta
uses: docker/[email protected]
with:
images: ${{ matrix.image.registry }}/${{ matrix.image.repository }}/${{ matrix.image.image }}
tags: ${{ matrix.image.tags }}
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
- name: Set push flag
id: set-push
run: |
if [ ${{ github.event_name }} == 'push' ]; then
echo "push_flag=true" >> "$GITHUB_OUTPUT"
else
echo "push_flag=false" >> "$GITHUB_OUTPUT"
fi
- name: Build and push
id: build-push-image
uses: docker/build-push-action@v5
with:
platforms: linux/amd64, linux/arm64, linux/ppc64le, linux/s390x
push: ${{ fromJSON(steps.set-push.outputs.push_flag) }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
file: ${{ matrix.image.dockerfile }}
build-args: BUILDPLATFORM=linux/amd64
context: ${{ matrix.image.context }}
- name: Sign the images with GitHub OIDC Token
if: ${{ github.event_name == 'push' }}
run: |
readarray -t tags <<<"${{ steps.meta.outputs.tags }}"
for tag in ${tags[@]}; do
cosign sign -y "${tag}@${{ steps.build-push-image.outputs.digest }}"
done
generate-and-push-bundle-images:
permissions:
contents: read
packages: write
id-token: write # needed for signing the images with GitHub OIDC Token
runs-on: ubuntu-24.04
strategy:
fail-fast: false
matrix:
image:
- registry: quay.io
repository: bpfman
image: bpfman-operator-bundle
context: .
dockerfile: ./bundle.Dockerfile
tags: |
type=ref,event=branch
type=ref,event=tag
type=ref,event=pr
type=sha,format=long
# set latest tag for default branch
type=raw,value=latest,enable={{is_default_branch}}
name: Build Bundle Image (${{ matrix.image.image }})
steps:
- name: Checkout bpfman
uses: actions/checkout@v4
- name: Install cosign
uses: sigstore/[email protected]
- name: Login to quay.io/bpfman
uses: redhat-actions/podman-login@v1
if: ${{ github.event_name == 'push' && matrix.image.repository == 'bpfman'}}
with:
registry: ${{ matrix.image.registry }}
username: ${{ secrets.BPFMAN_USERNAME }}
password: ${{ secrets.BPFMAN_ROBOT_TOKEN }}
- name: Extract metadata (tags, labels) for image
id: meta
uses: docker/[email protected]
with:
images: ${{ matrix.image.registry }}/${{ matrix.image.repository }}/${{ matrix.image.image }}
tags: ${{ matrix.image.tags }}
- name: Build image
id: build-image
uses: redhat-actions/buildah-build@v2
with:
image: ${{ matrix.image.image }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
containerfiles: ${{ matrix.image.dockerfile }}
build-args: BUILDPLATFORM=linux/amd64
context: ${{ matrix.image.context }}
- name: Push to registry
id: push-image
uses: redhat-actions/push-to-registry@v2
if: ${{ github.event_name == 'push' }}
with:
tags: ${{ steps.meta.outputs.tags }}
- name: Sign the images with GitHub OIDC Token
if: ${{ github.event_name == 'push' }}
run: |
readarray -t tags <<<"${{ steps.meta.outputs.tags }}"
for tag in ${tags[@]}; do
cosign sign -y "${tag}@${{ steps.push-image.outputs.digest }}"
done