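---
# PR CI workflow for cilium-envoy: builds (when its Dockerfile hash is not yet
# published) and pushes the builder image, builds and pushes the multi-arch
# cilium-envoy image for the PR head commit, then signs it, attaches and signs
# an SBOM, and checks the Envoy version string embedded in the binary.
name: CI Build & Push

# NOTE(review): `pull_request_target` runs with the base repository's secrets.
# The registry login below happens before the PR head commit is checked out and
# its Dockerfiles are built, so the QUAY_* credentials and the OIDC id-token are
# present on the runner while PR-controlled build steps execute. Gating the job
# on maintainer approval (for example an environment with required reviewers)
# limits what an unreviewed PR can reach.
on:  # yamllint disable-line rule:truthy
  pull_request_target:
    types: [opened, synchronize, reopened]

# Scope of the GITHUB_TOKEN for every job in this workflow.
permissions:
  # To be able to access the repository with `actions/checkout`
  contents: read
  # Required to generate OIDC tokens for `sigstore/cosign-installer` authentication
  id-token: write

jobs:
  build-and-push-prs:
    timeout-minutes: 360
    name: Build and push multi-arch images
    runs-on: ubuntu-latest-64-cores-256gb
    steps:
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1

      - name: Cache Docker layers
        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
        with:
          path: /tmp/buildx-cache
          # One cache entry per PR branch; when none matches, whatever was saved
          # under `docker-cache-main` is restored instead.
          key: docker-cache-${{ github.head_ref }}
          restore-keys: docker-cache-main

      - name: Login to quay.io
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_ENVOY_USERNAME_DEV }}
          password: ${{ secrets.QUAY_ENVOY_PASSWORD_DEV }}

      - name: Checkout PR
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          # The PR head commit, not the merge commit, is what gets built.
          ref: ${{ github.event.pull_request.head.sha }}
          # Do not leave the token in .git/config for later (PR-controlled) steps.
          persist-credentials: false

      - name: Prep for build
        run: |
          echo "${{ github.event.pull_request.head.sha }}" >SOURCE_VERSION
          # ENVOY_VERSION is expected to hold a tag of the form "envoy-X.Y.Z";
          # derive "vX.Y" and "vX.Y.Z" from it for later steps.
          echo "ENVOY_MINOR_RELEASE=$(sed 's/envoy-\([0-9]\+\.[0-9]\+\)\..*/v\1/' ENVOY_VERSION)" >> "$GITHUB_ENV"
          echo "ENVOY_PATCH_RELEASE=$(sed 's/^envoy-\([0-9]\+\.[0-9]\+\.[0-9]\+$\)/v\1/' ENVOY_VERSION)" >> "$GITHUB_ENV"
          # Git blob hash of Dockerfile.builder at HEAD; used as the builder image
          # tag so the builder is only rebuilt when that file changes.
          echo "BUILDER_DOCKER_HASH=$(git ls-tree --full-tree HEAD -- ./Dockerfile.builder | awk '{ print $3 }')" >> "$GITHUB_ENV"

      - name: Checking if cilium-envoy-builder image exists
        id: cilium-builder-tag-in-repositories
        shell: bash
        run: |
          # `exists` gates the builder build/push step below.
          if docker buildx imagetools inspect "quay.io/${{ github.repository_owner }}/cilium-envoy-builder-dev:${{ env.BUILDER_DOCKER_HASH }}" &>/dev/null; then
            echo exists="true" >> "$GITHUB_OUTPUT"
          else
            echo exists="false" >> "$GITHUB_OUTPUT"
          fi

      - name: PR Multi-arch build & push of Builder image (dev)
        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
        if: steps.cilium-builder-tag-in-repositories.outputs.exists == 'false'
        id: docker_build_builder_ci
        with:
          # No BuildKit provenance attestation is generated for the builder image.
          provenance: false
          context: .
          file: ./Dockerfile.builder
          platforms: linux/amd64,linux/arm64
          push: true
          tags: quay.io/${{ github.repository_owner }}/cilium-envoy-builder-dev:${{ env.BUILDER_DOCKER_HASH }}

      - name: CI Builder Image Digest
        if: steps.cilium-builder-tag-in-repositories.outputs.exists == 'false'
        shell: bash
        run: |
          echo "Digests:"
          echo "quay.io/${{ github.repository_owner }}/cilium-envoy-builder-dev:${{ env.BUILDER_DOCKER_HASH }}@${{ steps.docker_build_builder_ci.outputs.digest }}"

      - name: PR Multi-arch build & push of cilium-envoy
        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
        id: docker_build_ci
        with:
          provenance: false
          context: .
          file: ./Dockerfile
          platforms: linux/amd64,linux/arm64
          # BUILDER_BASE must point at the namespace the builder image was
          # pushed to above (repository_owner), otherwise a freshly built
          # builder is never the one consumed here.
          build-args: |
            BUILDER_BASE=quay.io/${{ github.repository_owner }}/cilium-envoy-builder-dev:${{ env.BUILDER_DOCKER_HASH }}
            ARCHIVE_IMAGE=quay.io/${{ github.repository_owner }}/cilium-envoy-builder:main-archive-latest
            BAZEL_BUILD_OPTS=--remote_upload_local_results=false
          cache-from: type=local,src=/tmp/buildx-cache
          cache-to: type=local,dest=/tmp/buildx-cache,mode=max
          push: true
          tags: quay.io/${{ github.repository_owner }}/cilium-envoy-dev:${{ github.event.pull_request.head.sha }}

      - name: Install Cosign
        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0

      - name: Sign Container Image
        run: |
          # Keyless signature (OIDC via the id-token permission) of the pushed
          # image, addressed by digest; -y skips the confirmation prompt.
          cosign sign -y "quay.io/${{ github.repository_owner }}/cilium-envoy-dev@${{ steps.docker_build_ci.outputs.digest }}"

      - name: Install Bom
        shell: bash
        env:
          # renovate: datasource=github-releases depName=kubernetes-sigs/bom
          BOM_VERSION: v0.6.0
        run: |
          # -f makes an HTTP error fail the step instead of installing the
          # error page as the `bom` binary.
          curl -fsSL "https://github.com/kubernetes-sigs/bom/releases/download/${BOM_VERSION}/bom-amd64-linux" -o bom
          sudo mv ./bom /usr/local/bin/bom
          sudo chmod +x /usr/local/bin/bom

      - name: Generate SBOM
        shell: bash
        # To-Do: generate SBOM from source after https://github.com/kubernetes-sigs/bom/issues/202 is fixed
        run: |
          bom generate -o sbom_cilium-envoy_${{ github.event.pull_request.head.sha }}.spdx --format=json --image=quay.io/${{ github.repository_owner }}/cilium-envoy-dev:${{ github.event.pull_request.head.sha }}

      - name: Attach SBOM to container images
        run: |
          cosign attach sbom --sbom sbom_cilium-envoy_${{ github.event.pull_request.head.sha }}.spdx "quay.io/${{ github.repository_owner }}/cilium-envoy-dev@${{ steps.docker_build_ci.outputs.digest }}"

      - name: Sign SBOM Image
        # bash is required for the `${var/:/-}` substitution; an explicit
        # `shell: bash` also enables pipefail, so a failing `imagetools inspect`
        # aborts the step instead of signing a digest computed from empty output.
        shell: bash
        run: |
          docker_build_ci_digest="${{ steps.docker_build_ci.outputs.digest }}"
          # The attached SBOM lives under the tag "<algo>-<hex>.sbom" derived from the image digest.
          image_name="quay.io/${{ github.repository_owner }}/cilium-envoy-dev:${docker_build_ci_digest/:/-}.sbom"
          docker_build_ci_sbom_digest="sha256:$(docker buildx imagetools inspect --raw "${image_name}" | sha256sum | head -c 64)"
          cosign sign -y "quay.io/${{ github.repository_owner }}/cilium-envoy-dev@${docker_build_ci_sbom_digest}"

      - name: Envoy binary version check
        shell: bash
        run: |
          envoy_version=$(docker run --rm "quay.io/${{ github.repository_owner }}/cilium-envoy-dev:${{ github.event.pull_request.head.sha }}" cilium-envoy --version)
          # ENVOY_PATCH_RELEASE is "vX.Y.Z" (set in "Prep for build"); the binary reports it without the leading "v".
          expected_version="${ENVOY_PATCH_RELEASE#v}"
          echo "${envoy_version}"
          # Fail the job unless the binary reports "<PR head sha>/<envoy version>".
          [[ "${envoy_version}" == *"${{ github.event.pull_request.head.sha }}/${expected_version}"* ]]

      - name: CI Image Digest
        shell: bash
        run: |
          echo "Digests:"
          echo "quay.io/${{ github.repository_owner }}/cilium-envoy-dev:${{ github.event.pull_request.head.sha }}@${{ steps.docker_build_ci.outputs.digest }}"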