policy: Do not store policy reference in Cilium socket option #1548
Workflow file for this run
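name: CI Build & Push

# This workflow runs in the context of the base repository (registry secrets and
# the OIDC token are available) while building the PR head that is checked out
# below. Values derived from that checkout (file contents, tags) are untrusted
# and are therefore handed to shell steps as environment variables, never spliced
# into `run:` scripts through `${{ }}` expressions.
on:
  pull_request_target:
    types: [opened, synchronize, reopened]

permissions:
  # To be able to access the repository with `actions/checkout`
  contents: read
  # Required to generate OIDC tokens for `sigstore/cosign-installer` authentication
  id-token: write

jobs:
  build-and-push-prs:
    timeout-minutes: 360
    name: Build and push multi-arch images
    runs-on: ubuntu-latest-64-cores-256gb
    steps:
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1

      - name: Cache Docker layers
        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
        with:
          path: /tmp/buildx-cache
          key: docker-cache-${{ github.head_ref }}
          restore-keys: docker-cache-main

      - name: Login to quay.io
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_ENVOY_USERNAME_DEV }}
          password: ${{ secrets.QUAY_ENVOY_PASSWORD_DEV }}

      # Untrusted code from here on: the PR head is checked out, and every file
      # read below (ENVOY_VERSION, Dockerfile.builder, Dockerfile) comes from it.
      - name: Checkout PR
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: false

      - name: Prep for build
        run: |
          echo "${{ github.event.pull_request.head.sha }}" >SOURCE_VERSION
          # ENVOY_VERSION is PR-controlled. The ENVOY_PATCH_RELEASE substitution
          # below only rewrites a single envoy-X.Y.Z line and otherwise passes the
          # content through unchanged, so reject anything else before it is written
          # to $GITHUB_ENV (a multi-line value would define extra variables there).
          envoy_version_re='^envoy-[0-9]+\.[0-9]+\.[0-9]+$'
          [[ "$(cat ENVOY_VERSION)" =~ $envoy_version_re ]] || { echo "unexpected ENVOY_VERSION content" >&2; exit 1; }
          echo "ENVOY_MINOR_RELEASE=$(cat ENVOY_VERSION | sed 's/envoy-\([0-9]\+\.[0-9]\+\)\..*/v\1/')" >> $GITHUB_ENV
          echo "ENVOY_PATCH_RELEASE=$(cat ENVOY_VERSION | sed 's/^envoy-\([0-9]\+\.[0-9]\+\.[0-9]\+$\)/v\1/')" >> $GITHUB_ENV
          # Blob hash of the builder Dockerfile; used as the builder image tag so an
          # unchanged Dockerfile.builder reuses the already published builder image.
          echo "BUILDER_DOCKER_HASH=$(git ls-tree --full-tree HEAD -- ./Dockerfile.builder | awk '{ print $3 }')" >> $GITHUB_ENV

      - name: Checking if cilium-envoy-builder image exists
        id: cilium-builder-tag-in-repositories
        shell: bash
        run: |
          if docker buildx imagetools inspect quay.io/${{ github.repository_owner }}/cilium-envoy-builder-dev:${{ env.BUILDER_DOCKER_HASH }} &>/dev/null; then
            echo exists="true" >> $GITHUB_OUTPUT
          else
            echo exists="false" >> $GITHUB_OUTPUT
          fi

      - name: PR Multi-arch build & push of Builder image (dev)
        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
        if: steps.cilium-builder-tag-in-repositories.outputs.exists == 'false'
        id: docker_build_builder_ci
        with:
          provenance: false
          context: .
          file: ./Dockerfile.builder
          platforms: linux/amd64,linux/arm64
          push: true
          tags: quay.io/${{ github.repository_owner }}/cilium-envoy-builder-dev:${{ env.BUILDER_DOCKER_HASH }}

      - name: CI Builder Image Digest
        if: steps.cilium-builder-tag-in-repositories.outputs.exists == 'false'
        shell: bash
        run: |
          echo "Digests:"
          echo "quay.io/${{ github.repository_owner }}/cilium-envoy-builder-dev:${{ env.BUILDER_DOCKER_HASH }}@${{ steps.docker_build_builder_ci.outputs.digest }}"

      - name: PR Multi-arch build & push of cilium-envoy
        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
        id: docker_build_ci
        with:
          provenance: false
          context: .
          file: ./Dockerfile
          platforms: linux/amd64,linux/arm64
          build-args: |
            BUILDER_BASE=quay.io/cilium/cilium-envoy-builder-dev:${{ env.BUILDER_DOCKER_HASH }}
            ARCHIVE_IMAGE=quay.io/${{ github.repository_owner }}/cilium-envoy-builder:main-archive-latest
            BAZEL_BUILD_OPTS=--remote_upload_local_results=false
          cache-from: type=local,src=/tmp/buildx-cache
          cache-to: type=local,dest=/tmp/buildx-cache,mode=max
          push: true
          tags: quay.io/${{ github.repository_owner }}/cilium-envoy-dev:${{ github.event.pull_request.head.sha }}

      - name: Install Cosign
        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0

      # Keyless signing via the job's OIDC token (`id-token: write` above).
      - name: Sign Container Image
        run: |
          cosign sign -y quay.io/${{ github.repository_owner }}/cilium-envoy-dev@${{ steps.docker_build_ci.outputs.digest }}

      # The bom binary is fetched by release tag only; no checksum or signature
      # is verified before it is installed and run.
      - name: Install Bom
        shell: bash
        env:
          # renovate: datasource=github-releases depName=kubernetes-sigs/bom
          BOM_VERSION: v0.6.0
        run: |
          curl -L https://github.com/kubernetes-sigs/bom/releases/download/${{ env.BOM_VERSION }}/bom-amd64-linux -o bom
          sudo mv ./bom /usr/local/bin/bom
          sudo chmod +x /usr/local/bin/bom

      - name: Generate SBOM
        shell: bash
        # To-Do: generate SBOM from source after https://github.com/kubernetes-sigs/bom/issues/202 is fixed
        run: |
          bom generate -o sbom_cilium-envoy_${{ github.event.pull_request.head.sha }}.spdx --format=json --image=quay.io/${{ github.repository_owner }}/cilium-envoy-dev:${{ github.event.pull_request.head.sha }}

      - name: Attach SBOM to container images
        run: |
          cosign attach sbom --sbom sbom_cilium-envoy_${{ github.event.pull_request.head.sha }}.spdx quay.io/${{ github.repository_owner }}/cilium-envoy-dev@${{ steps.docker_build_ci.outputs.digest }}

      - name: Sign SBOM Image
        run: |
          docker_build_ci_digest="${{ steps.docker_build_ci.outputs.digest }}"
          # cosign stores the SBOM under "<digest with ':' replaced by '-'>.sbom".
          image_name="quay.io/${{ github.repository_owner }}/cilium-envoy-dev:${docker_build_ci_digest/:/-}.sbom"
          docker_build_ci_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)"
          cosign sign -y "quay.io/${{ github.repository_owner }}/cilium-envoy-dev@${docker_build_ci_sbom_digest}"

      # ENVOY_PATCH_RELEASE is derived from PR-controlled content, so it is read
      # from the step environment rather than expanded into the script text with
      # `${{ env.ENVOY_PATCH_RELEASE }}`, which would make it part of the command.
      - name: Envoy binary version check
        shell: bash
        run: |
          envoy_version=$(docker run --rm quay.io/${{ github.repository_owner }}/cilium-envoy-dev:${{ github.event.pull_request.head.sha }} cilium-envoy --version)
          expected_version=$(echo "${ENVOY_PATCH_RELEASE}" | sed 's/^v//')
          echo ${envoy_version}
          [[ "${envoy_version}" == *"${{ github.event.pull_request.head.sha }}/$expected_version"* ]]

      - name: CI Image Digest
        shell: bash
        run: |
          echo "Digests:"
          echo "quay.io/${{ github.repository_owner }}/cilium-envoy-dev:${{ github.event.pull_request.head.sha }}@${{ steps.docker_build_ci.outputs.digest }}"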