Consolidate PR and real release workflows #1845

Merged
merged 4 commits into from
Dec 21, 2021
111 changes: 111 additions & 0 deletions .github/workflows/images.yaml
@@ -0,0 +1,111 @@
name: Build images

on:
pull_request:
branches: ['master']
push:
branches: ['master']
tags: ['v[0-9]+.[0-9]+.[0-9]+*']

concurrency:
group: release-images-${{ github.head_ref }}
cancel-in-progress: true

jobs:
build-images:
permissions:
contents: read # Read the repo contents.
id-token: write # Produce identity token for keyless signing.
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
image:
- executor
- executor-debug
- executor-slim
- warmer

include:
- image: executor
dockerfile: ./deploy/Dockerfile
platforms: linux/amd64,linux/arm64
image-name: gcr.io/kaniko-project/executor
tag: ${{ github.sha }}
release-tag: latest

- image: executor-debug
dockerfile: ./deploy/Dockerfile_debug
platforms: linux/amd64,linux/arm64
image-name: gcr.io/kaniko-project/executor
tag: ${{ github.sha }}-debug
release_tag: debug

- image: executor-slim
dockerfile: ./deploy/Dockerfile_slim
platforms: linux/amd64,linux/arm64,linux/s390x,linux/ppc64le
image-name: gcr.io/kaniko-project/executor
tag: ${{ github.sha }}-slim
release-tag: slim

- image: warmer
dockerfile: ./deploy/Dockerfile_warmer
platforms: linux/amd64,linux/arm64
image-name: gcr.io/kaniko-project/warmer
tag: ${{ github.sha }}
release-tag: latest

steps:
- uses: actions/checkout@v2

# Setup auth if not a PR.
- if: github.event_name != 'pull_request'
uses: google-github-actions/setup-gcloud@master
with:
service_account_key: ${{ secrets.GCR_DEVOPS_SERVICE_ACCOUNT_KEY }}
project_id: kaniko-project
export_default_credentials: true
- if: github.event_name != 'pull_request'
run: gcloud auth configure-docker

# Build and push with Docker.
- uses: docker/setup-qemu-action@v1
with:
platforms: ${{ matrix.platforms }}
- uses: docker/setup-buildx-action@v1
- uses: docker/build-push-action@v2
id: build-and-push
with:
context: .
file: ${{ matrix.dockerfile }}
platforms: ${{ matrix.platforms }}
push: ${{ github.event_name != 'pull_request' }} # Only push if not a PR.
tags: ${{ matrix.image-name }}:${{ matrix.tag }}
# https://github.com/docker/build-push-action/blob/master/docs/advanced/cache.md#github-cache
cache-from: type=gha
cache-to: type=gha,mode=max
Comment on lines +84 to +86
Collaborator

Can we avoid the cache on releases?

Collaborator Author

That feels a bit overly paranoid, but sure. Is there some public guidance around building releases without caches that I can link to in a comment?

Collaborator

It’s a strict interpretation of some of the higher SLSA levels, and one build being able to influence others.


# Sign images if not a PR.
- if: github.event_name != 'pull_request'
uses: sigstore/cosign-installer@main
with:
cosign-release: 'v1.4.1'
- if: github.event_name != 'pull_request'
env:
COSIGN_EXPERIMENTAL: "true"
run: |
cosign sign \
--kms gcpkms://projects/kaniko-project/locations/global/keyRings/cosign/cryptoKeys/cosign \
${{ matrix.image-name }}@${{ steps.build-and-push.outputs.digest }}
cosign sign ${{ matrix.image-name }}@${{ steps.build-and-push.outputs.digest }}

# If a tag push, use crane to add more tags.
- if: startsWith(github.ref, 'refs/tags/v')
uses: imjasonh/[email protected]
- if: startsWith(github.ref, 'refs/tags/v')
name: Apply release tags
run: |
crane cp ${{ matrix.image-name }}@${{ steps.build-and-push.outputs.digest }} \
${{ matrix.image-name }}:${GITHUB_REF/refs\/tags\//}
crane cp ${{ matrix.image-name }}@${{ steps.build-and-push.outputs.digest }} \
${{ matrix.image-name }}:${{ matrix.release-tag }}
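Review bot: the `executor-debug` matrix entry sets `release_tag: debug` (underscore) while the other three entries and the "Apply release tags" step use `release-tag`, so for that image `${{ matrix.release-tag }}` expands to an empty string and the second `crane cp` on a tag push targets `gcr.io/kaniko-project/executor:` with no tag; rename the key to `release-tag: debug`. Two further points in the same hunk: the concurrency group `release-images-${{ github.head_ref }}` is only distinct for pull requests, because `github.head_ref` is empty on `push` events, so with `cancel-in-progress: true` a push to master can cancel a release build still running for a `v*` tag (the usual pattern is `${{ github.head_ref || github.ref }}`); and `google-github-actions/setup-gcloud@master` and `sigstore/cosign-installer@main` are mutable refs in a job that holds `id-token: write` and the GCR service-account key, so pin both to a release tag or commit SHA. The cache question raised on lines 84 to 86 is also still open in this revision: `cache-from`/`cache-to` apply unconditionally, tag builds included.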
61 changes: 0 additions & 61 deletions .github/workflows/pr_release.yaml

This file was deleted.
