---
# Reusable (workflow_call) workflow: builds and pushes Fluent Bit container
# images for a given version/ref to a caller-supplied registry.
#
# Callers provide the registry credentials through `secrets`; the Cosign key
# material is optional and only used when the caller passes it in.
name: Reusable workflow to build container images

on:  # yamllint disable-line rule:truthy
  workflow_call:
    inputs:
      # Version string used for the image tags (e.g. "1.9.2").
      version:
        description: The version of Fluent Bit to create.
        type: string
        required: true
      # Git ref that is checked out to produce the version above.
      ref:
        description: The commit, tag or branch of Fluent Bit to checkout for building that creates the version above.
        type: string
        required: true
      registry:
        description: The registry to push container images to.
        type: string
        required: true
      username:
        description: The username for the registry.
        type: string
        required: true
      image:
        description: The name of the container image to push to the registry.
        type: string
        required: true
      # Optional GitHub environment; jobs run with `environment: ${{ inputs.environment }}`.
      environment:
        description: The Github environment to run this workflow on.
        type: string
        required: false
      # Passed through as the FLB_NIGHTLY_BUILD build argument; empty for release builds.
      unstable:
        description: Optionally add metadata to build to indicate an unstable build, set to the contents you want to add.
        type: string
        required: false
        default: ''
    secrets:
      # Registry password/token used by docker/login-action in every job that pushes or pulls.
      token:
        description: The Github token or similar to authenticate with for the registry.
        required: true
      # Key-based signing is skipped entirely when this is not provided.
      cosign_private_key:
        description: The optional Cosign key to use for signing the images.
        required: false
      cosign_private_key_password:
        description: If the Cosign key requires a password then specify here, otherwise not required.
        required: false
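jobs:
  # Works out which style of build (legacy 1.8 vs modern) the checked-out ref
  # needs, and derives the MAJOR.MINOR tag from the version string.
  call-build-images-meta:
    name: Extract any supporting metadata
    outputs:
      build-type: ${{ steps.determine-build-type.outputs.BUILD_TYPE }}
      major-version: ${{ steps.determine-major-version.outputs.replaced }}
    runs-on: ubuntu-latest
    environment: ${{ inputs.environment }}
    permissions:
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
        with:
          ref: ${{ inputs.ref }}
      # Determine if this is a 1.8 type of build which is different
      - name: Determine build type
        id: determine-build-type
        run: |
          BUILD_TYPE="1.8"
          if [[ -f "dockerfiles/Dockerfile" ]]; then
            BUILD_TYPE="modern"
          fi
          echo "Detected type: $BUILD_TYPE"
          # The `::set-output` workflow command is deprecated; publish the
          # value through the GITHUB_OUTPUT file instead.
          echo "BUILD_TYPE=$BUILD_TYPE" >> "$GITHUB_OUTPUT"
        shell: bash
      # For main branch/releases we want to also tag with the major version.
      # E.g. if we build version 1.9.2 we want to tag with 1.9.2 and 1.9.
      - name: Determine major version tag
        id: determine-major-version
        # NOTE(review): the action ref was mangled on the rendered page; restore the
        # original ref, and prefer pinning third-party actions to a commit SHA.
        uses: frabert/replace-string-action@ACTION_REF_PLACEHOLDER
        with:
          pattern: '^(\d+\.\d+).*$'
          string: ${{ inputs.version }}
          replace-with: '$1'
          flags: 'g'

  # For 1.8 builds it is a little more complex so we have this build matrix to handle it.
  # This creates separate images for each architecture.
  # The later step then creates a multi-arch manifest for all of these.
  call-build-legacy-images-matrix:
    if: needs.call-build-images-meta.outputs.build-type == '1.8'
    name: Build single arch legacy images
    runs-on: ubuntu-latest
    environment: ${{ inputs.environment }}
    needs:
      - call-build-images-meta
    strategy:
      fail-fast: false
      matrix:
        arch: [amd64, arm64, arm/v7]
        # `suffix` is the per-arch Dockerfile suffix and image tag prefix.
        include:
          - arch: amd64
            suffix: x86_64
          - arch: arm/v7
            suffix: arm32v7
          - arch: arm64
            suffix: arm64v8
    permissions:
      contents: read
      packages: write
    steps:
      - name: Checkout the docker build repo for legacy builds
        uses: actions/checkout@v3
        with:
          repository: fluent/fluent-bit-docker-image
          ref: '1.8'  # Fixed to this branch
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v2
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
      - name: Log in to the Container registry
        uses: docker/login-action@v2
        with:
          registry: ${{ inputs.registry }}
          username: ${{ inputs.username }}
          password: ${{ secrets.token }}
      - id: debug-meta
        uses: docker/metadata-action@v4
        with:
          images: ${{ inputs.registry }}/${{ inputs.image }}
          tags: |
            raw,${{ inputs.version }}-debug
            raw,${{ needs.call-build-images-meta.outputs.major-version }}-debug
      # The legacy debug image only exists for x86_64.
      - name: Build the legacy x86_64 debug image
        if: matrix.arch == 'amd64'
        uses: docker/build-push-action@v3
        with:
          file: ./Dockerfile.x86_64.debug
          context: .
          tags: ${{ steps.debug-meta.outputs.tags }}
          labels: ${{ steps.debug-meta.outputs.labels }}
          platforms: linux/amd64
          push: true
          load: false
          build-args: |
            FLB_TARBALL=https://github.com/fluent/fluent-bit/tarball/${{ inputs.ref }}
      - name: Extract metadata from Github
        id: meta
        uses: docker/metadata-action@v4
        with:
          images: ${{ inputs.registry }}/${{ inputs.image }}
          tags: |
            raw,${{ matrix.suffix }}-${{ inputs.version }}
      - name: Build the legacy ${{ matrix.arch }} image
        uses: docker/build-push-action@v3
        with:
          file: ./Dockerfile.${{ matrix.suffix }}
          context: .
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          platforms: linux/${{ matrix.arch }}
          push: true
          load: false
          build-args: |
            FLB_TARBALL=https://github.com/fluent/fluent-bit/tarball/${{ inputs.ref }}

  # Create a multi-arch manifest for the separate 1.8 images.
  call-build-legacy-image-manifests:
    if: needs.call-build-images-meta.outputs.build-type == '1.8'
    name: Deploy multi-arch container image manifests
    permissions:
      contents: read
      packages: write
    runs-on: ubuntu-latest
    environment: ${{ inputs.environment }}
    needs:
      - call-build-images-meta
      - call-build-legacy-images-matrix
    steps:
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
      - name: Log in to the Container registry
        uses: docker/login-action@v2
        with:
          registry: ${{ inputs.registry }}
          username: ${{ inputs.username }}
          password: ${{ secrets.token }}
      - name: Pull all the images
        # Use platform to trigger warnings on invalid image metadata
        run: |
          docker pull --platform=linux/amd64 ${{ inputs.registry }}/${{ inputs.image }}:x86_64-${{ inputs.version }}
          docker pull --platform=linux/arm64 ${{ inputs.registry }}/${{ inputs.image }}:arm64v8-${{ inputs.version }}
          docker pull --platform=linux/arm/v7 ${{ inputs.registry }}/${{ inputs.image }}:arm32v7-${{ inputs.version }}
      - name: Create manifests for images
        # Latest is 1.9, not 1.8 now
        run: |
          docker manifest create ${{ inputs.registry }}/${{ inputs.image }}:${{ inputs.version }} \
            --amend ${{ inputs.registry }}/${{ inputs.image }}:x86_64-${{ inputs.version }} \
            --amend ${{ inputs.registry }}/${{ inputs.image }}:arm64v8-${{ inputs.version }} \
            --amend ${{ inputs.registry }}/${{ inputs.image }}:arm32v7-${{ inputs.version }}
          docker manifest push --purge ${{ inputs.registry }}/${{ inputs.image }}:${{ inputs.version }}
        env:
          DOCKER_CLI_EXPERIMENTAL: enabled
        shell: bash
      # Skipped when the version already is the MAJOR.MINOR form.
      - name: Create major version manifest
        if: needs.call-build-images-meta.outputs.major-version != inputs.version
        run: |
          docker manifest push --purge ${{ inputs.registry }}/${{ inputs.image }}:${{ needs.call-build-images-meta.outputs.major-version }}
        env:
          DOCKER_CLI_EXPERIMENTAL: enabled
        shell: bash

  # This is the intended approach to multi-arch image and all the other checks scanning,
  # signing, etc only trigger from this.
  # 1.8 images are legacy and were not scanned or signed previously so this keeps it simple.
  call-build-images:
    if: needs.call-build-images-meta.outputs.build-type != '1.8'
    needs:
      - call-build-images-meta
    name: Multiarch container images to GHCR
    runs-on: ubuntu-latest
    environment: ${{ inputs.environment }}
    permissions:
      contents: read
      packages: write
    steps:
      - name: Checkout code for modern style builds
        uses: actions/checkout@v3
        with:
          ref: ${{ inputs.ref }}
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v2
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
      - name: Log in to the Container registry
        uses: docker/login-action@v2
        with:
          registry: ${{ inputs.registry }}
          username: ${{ inputs.username }}
          password: ${{ secrets.token }}
      - name: Extract metadata from Github
        id: meta
        uses: docker/metadata-action@v4
        with:
          images: ${{ inputs.registry }}/${{ inputs.image }}
          tags: |
            raw,${{ inputs.version }}
            raw,${{ needs.call-build-images-meta.outputs.major-version }}
            raw,latest
      - name: Build the production images
        uses: docker/build-push-action@v3
        with:
          file: ./dockerfiles/Dockerfile
          context: .
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          platforms: linux/amd64, linux/arm64, linux/arm/v7
          target: production
          push: true
          load: false
          build-args: |
            FLB_NIGHTLY_BUILD=${{ inputs.unstable }}
            RELEASE_VERSION=${{ inputs.version }}
      - id: debug-meta
        uses: docker/metadata-action@v4
        with:
          images: ${{ inputs.registry }}/${{ inputs.image }}
          tags: |
            raw,${{ inputs.version }}-debug
            raw,${{ needs.call-build-images-meta.outputs.major-version }}-debug
            raw,latest-debug
      - name: Build the debug multi-arch images
        uses: docker/build-push-action@v3
        with:
          file: ./dockerfiles/Dockerfile
          context: .
          tags: ${{ steps.debug-meta.outputs.tags }}
          labels: ${{ steps.debug-meta.outputs.labels }}
          platforms: linux/amd64, linux/arm64, linux/arm/v7
          target: debug
          push: true
          load: false
          build-args: |
            FLB_NIGHTLY_BUILD=${{ inputs.unstable }}
            RELEASE_VERSION=${{ inputs.version }}

  # Runs the freshly pushed image with `-J` to dump its config schema and
  # uploads both the raw and pretty-printed JSON as an artifact.
  call-build-images-generate-schema:
    needs:
      - call-build-images-meta
      - call-build-images
    if: needs.call-build-images-meta.outputs.build-type != '1.8'
    runs-on: ubuntu-latest
    environment: ${{ inputs.environment }}
    permissions:
      contents: read
      packages: read
    steps:
      - name: Log in to the Container registry
        uses: docker/login-action@v2
        with:
          registry: ${{ inputs.registry }}
          username: ${{ inputs.username }}
          password: ${{ secrets.token }}
      - name: Generate schema
        run: |
          docker run --rm -t ${{ inputs.registry }}/${{ inputs.image }}:${{ inputs.version }} -J > fluent-bit-schema-${{ inputs.version }}.json
          jq -M fluent-bit-schema-${{ inputs.version }}.json > fluent-bit-schema-pretty-${{ inputs.version }}.json
        shell: bash
      - name: Upload the schema
        uses: actions/upload-artifact@v3
        with:
          path: ./fluent-bit-schema*.json
          name: fluent-bit-schema-${{ inputs.version }}
          if-no-files-found: error

  # Vulnerability (Trivy) and image-lint (Dockle) scans; both fail the job
  # on findings (exit-code '1').
  call-build-images-scan:
    if: needs.call-build-images-meta.outputs.build-type != '1.8'
    needs:
      - call-build-images-meta
      - call-build-images
    name: Trivy + Dockle image scan
    runs-on: ubuntu-latest
    environment: ${{ inputs.environment }}
    permissions:
      contents: read
      packages: read
    steps:
      - name: Log in to the Container registry
        uses: docker/login-action@v2
        with:
          registry: ${{ inputs.registry }}
          username: ${{ inputs.username }}
          password: ${{ secrets.token }}
      - name: Trivy - multi-arch
        # NOTE(review): `@master` is a mutable branch ref, and this job holds the
        # registry credential; pin third-party actions to a release tag or commit SHA.
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: '${{ inputs.registry }}/${{ inputs.image }}:${{ inputs.version }}'
          format: 'table'
          exit-code: '1'
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'
      - name: Dockle - multi-arch
        uses: hands-lab/dockle-action@v1
        with:
          image: '${{ inputs.registry }}/${{ inputs.image }}:${{ inputs.version }}'
          exit-code: '1'
          exit-level: WARN

  # Signs the version, major-version and latest manifests: keyless via
  # Sigstore first (best effort), then with the caller's key when one is given.
  call-build-images-sign:
    if: needs.call-build-images-meta.outputs.build-type != '1.8'
    needs:
      - call-build-images-meta
      - call-build-images
    name: Deploy and sign multi-arch container image manifests
    permissions:
      contents: read
      packages: write
      # This is used to complete the identity challenge
      # with sigstore/fulcio when running outside of PRs.
      id-token: write
    runs-on: ubuntu-latest
    environment: ${{ inputs.environment }}
    steps:
      - name: Install cosign
        uses: sigstore/cosign-installer@v2
      - name: Cosign keyless signing using Rektor public transparency log
        # This step uses the identity token to provision an ephemeral certificate
        # against the sigstore community Fulcio instance, and records it to the
        # sigstore community Rekor transparency log.
        #
        # We use recursive signing on the manifest to cover all the images.
        run: |
          cosign sign --recursive \
            -a "repo=${{ github.repository }}" \
            -a "workflow=${{ github.workflow }}" \
            -a "ref=${{ github.sha }}" \
            -a "release=${{ inputs.version }}" \
            "${{ inputs.registry }}/${{ inputs.image }}:${{ inputs.version }}" \
            "${{ inputs.registry }}/${{ inputs.image }}:${{ needs.call-build-images-meta.outputs.major-version }}" \
            "${{ inputs.registry }}/${{ inputs.image }}:latest"
        shell: bash
        # Ensure we move on to key-based signing as well
        continue-on-error: true
        env:
          COSIGN_EXPERIMENTAL: "true"
      - name: Cosign with a key
        # Only run if we have a key defined
        # NOTE(review): this reads a value that is only set in this step's own
        # `env:`; confirm step-level env is visible to the step's `if` here.
        if: ${{ env.COSIGN_PRIVATE_KEY }}
        # The key needs to cope with newlines.
        # The key is written to a private temp file (umask 077) and removed by
        # the EXIT trap, so it is cleaned up even when cosign fails.
        run: |
          umask 077
          KEY_FILE="$(mktemp)"
          trap 'rm -f "${KEY_FILE}"' EXIT
          echo -e "${COSIGN_PRIVATE_KEY}" > "${KEY_FILE}"
          cosign sign --key "${KEY_FILE}" --recursive \
            -a "repo=${{ github.repository }}" \
            -a "workflow=${{ github.workflow }}" \
            -a "ref=${{ github.sha }}" \
            -a "release=${{ inputs.version }}" \
            "${{ inputs.registry }}/${{ inputs.image }}:${{ inputs.version }}" \
            "${{ inputs.registry }}/${{ inputs.image }}:${{ needs.call-build-images-meta.outputs.major-version }}" \
            "${{ inputs.registry }}/${{ inputs.image }}:latest"
        shell: bash
        env:
          COSIGN_PRIVATE_KEY: ${{ secrets.cosign_private_key }}
          COSIGN_PASSWORD: ${{ secrets.cosign_private_key_password }}  # optional

  # This takes a long time...
  call-build-windows-container:
    if: needs.call-build-images-meta.outputs.build-type != '1.8'
    name: Windows container image
    runs-on: windows-2019
    environment: ${{ inputs.environment }}
    needs:
      - call-build-images-meta
    permissions:
      contents: read
      packages: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
        with:
          ref: ${{ inputs.ref }}
      - name: Log in to the Container registry
        uses: docker/login-action@v2
        with:
          registry: ${{ inputs.registry }}
          username: ${{ inputs.username }}
          password: ${{ secrets.token }}
      # Plain `docker build`/`docker push` on the Windows runner's default shell.
      - name: Build the production images
        run: |
          docker build -t ${{ inputs.registry }}/${{ inputs.image }}:windows-2019-${{ inputs.version }} --build-arg FLB_NIGHTLY_BUILD=${{ inputs.unstable }} --build-arg WINDOWS_VERSION=ltsc2019 -f ./dockerfiles/Dockerfile.windows .
          docker push ${{ inputs.registry }}/${{ inputs.image }}:windows-2019-${{ inputs.version }}
      # We cannot use this action as it requires privileged mode
      # uses: docker/build-push-action@v3
      # with:
      #   file: ./dockerfiles/Dockerfile.windows
      #   context: .
      #   tags: ${{ steps.meta.outputs.tags }}
      #   labels: ${{ steps.meta.outputs.labels }}
      #   platforms: windows/amd64
      #   target: runtime
      #   push: true
      #   load: false
      #   build-args: |
      #     FLB_NIGHTLY_BUILD=${{ inputs.unstable }}
      #     WINDOWS_VERSION=ltsc2019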