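---
# Builds the UBI 9 / UBI 10 Rust builder images on an x86_64 and an aarch64
# runner, publishes a multi-arch image index under the `latest` tag and signs
# every pushed artifact with cosign (keyless, GitHub Actions OIDC identity).
name: Build UBI Rust Builders
run-name: |
  Build UBI Rust Builders (attempt #${{ github.run_attempt }})

on:
  push:
    branches:
      - main
    paths:
      - ubi9-rust-builder/**
      - ubi10-rust-builder/**
      - .github/actions/**
      - .github/workflows/ubi-rust-builder.yml
      - .github/workflows/reusable_build_image.yaml
  schedule:
    # Quoted: a plain scalar with `*` fields is easy to misread and some
    # linters flag it.
    - cron: "30 4 * * *"
  workflow_dispatch:

# No default token permissions; each job requests only what it needs.
permissions: {}

jobs:
  build:
    permissions:
      id-token: write  # OIDC token for the cosign keyless signing step
      contents: read
    runs-on: ${{ matrix.runner }}
    strategy:
      fail-fast: false
      matrix:
        runner:
          - ubuntu-latest
          - ubicloud-standard-8-arm-ubuntu-2404
        ubi-version:
          - ubi9
          - ubi10
    steps:
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          # The checked-out token is not needed after checkout; do not leave it in .git/config.
          persist-credentials: false
      - name: Login to Stackable Harbor
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: oci.stackable.tech
          username: robot$sdp+github-action-build
          password: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }}
      - name: Set up Cosign
        uses: sigstore/cosign-installer@7e8b541eb2e61bf99390e1afd4be13a184e9ebc5 # v3.10.1
      - name: Determine Architecture
        # Per-arch tag `<short-sha>-<arch>`; publish_manifests reconstructs the
        # same names from the short SHA, so both must stay in sync.
        run: |
          echo "TAG=$(git rev-parse --short HEAD)-$(arch)" >> "$GITHUB_ENV"
      - name: Build and push
        id: build-and-push
        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: .
          file: ./${{ matrix.ubi-version }}-rust-builder/Dockerfile
          push: true
          tags: oci.stackable.tech/sdp/${{ matrix.ubi-version }}-rust-builder:${{ env.TAG }}
          # NOTE(review): presumably kept off so the pushed tag is a single
          # image manifest that `docker manifest create` below can combine — confirm.
          provenance: false
      - name: Sign the published builder image
        shell: bash
        # Expression values are passed through env instead of being interpolated
        # into the script so the shell never sees raw `${{ }}` substitutions.
        env:
          DIGEST: ${{ steps.build-and-push.outputs.digest }}
          UBI_VERSION: ${{ matrix.ubi-version }}
        run: |
          # Refer to image via its digest (oci.stackable.tech/sdp/airflow@sha256:0a1b2c...)
          # This generates a signature and publishes it to the registry, next to the image
          # Uses the keyless signing flow with Github Actions as identity provider
          cosign sign -y "oci.stackable.tech/sdp/${UBI_VERSION}-rust-builder@${DIGEST}"

  publish_manifests:
    name: Build/Publish Image Index Manifest
    needs: [build]
    permissions:
      id-token: write  # OIDC token for the cosign keyless signing step
      contents: read
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        ubi-version:
          - ubi9
          - ubi10
    steps:
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
      - name: Login to Stackable Harbor
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: oci.stackable.tech
          username: robot$sdp+github-action-build
          password: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }}
      - name: Set up Cosign
        uses: sigstore/cosign-installer@7e8b541eb2e61bf99390e1afd4be13a184e9ebc5 # v3.10.1
      - name: Create and Push Image Index Manifest
        shell: bash
        env:
          UBI_VERSION: ${{ matrix.ubi-version }}
        run: |
          # The per-arch tags below must match what the build job's
          # "Determine Architecture" step produced (<short-sha>-<arch>).
          COMMIT_ID=$(git rev-parse --short HEAD)
          MANIFEST_LIST_NAME="oci.stackable.tech/sdp/${UBI_VERSION}-rust-builder"
          docker manifest create "$MANIFEST_LIST_NAME:latest" "$MANIFEST_LIST_NAME:$COMMIT_ID-x86_64" "$MANIFEST_LIST_NAME:$COMMIT_ID-aarch64"
          # `docker manifest push` directly returns the digest of the manifest list
          # As it is an experimental feature, this might change in the future
          # Further reading: https://docs.docker.com/reference/cli/docker/manifest/push/
          DIGEST=$(docker manifest push "$MANIFEST_LIST_NAME:latest")
          # Refer to image via its digest (oci.stackable.tech/sdp/airflow@sha256:0a1b2c...)
          # This generates a signature and publishes it to the registry, next to the image
          # Uses the keyless signing flow with Github Actions as identity provider
          cosign sign -y "$MANIFEST_LIST_NAME@$DIGEST"

  notify:
    name: Failure Notification
    needs: [build, publish_manifests]
    runs-on: ubuntu-latest
    # Runs on any failure, and on re-run attempts that completed (to report recovery).
    if: failure() || (github.run_attempt > 1 && !cancelled())
    steps:
      - name: Send Notification
        uses: stackabletech/actions/send-slack-notification@1b8db26b7406c66a7ab74e344a9e54edb2bc2690 # v0.14.3
        with:
          publish-manifests-result: ${{ needs.publish_manifests.result }}
          build-result: ${{ needs.build.result }}
          slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }}
          channel-id: C07UG6JH44F # notifications-container-images
          type: container-image-build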