From 8a8a2c7402cfb4c1810ef2bb0ccbb17f6b4bee76 Mon Sep 17 00:00:00 2001
From: "A.J. Stein"
Date: Wed, 11 Sep 2024 10:31:04 -0400
Subject: [PATCH 1/4] Actions: tighten when docker build runs and how
- We do not want to fails build when staff and community make fork PRs.
- We want to make sure the latest feature branch is tagged and deployed for now, stop push PR container builds before merge.
---
 .github/workflows/content-artifacts.yml | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/content-artifacts.yml b/.github/workflows/content-artifacts.yml
index f8a50f1da..1255d36ef 100644
--- a/.github/workflows/content-artifacts.yml
+++ b/.github/workflows/content-artifacts.yml
@@ -5,6 +5,7 @@ on:
 branches:
 - master
 paths:
+ - Dockerfile
 - "src/**"
 - "oscal"
 pull_request:
@@ -12,6 +13,7 @@ on:
 workflow_dispatch:
 branches:
 - master
+ - 'feature**'
 name: Process Content
 env:
 HOME_REPO: GSA/fedramp-automation
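Review bot: The `paths:` filter on `push` now lists `Dockerfile`, `src/**` and `oscal`, so a master push that changes only this workflow file (or any other file the Dockerfile copies from outside those paths — I cannot see the Dockerfile from here) will not rebuild or retag the image; add `.github/workflows/content-artifacts.yml` to the list if workflow edits are meant to take effect on the next master build. As a style point the new entry is the only unquoted one in the list; `- "Dockerfile"` would match its siblings.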
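Review bot: If the `branches:` list that receives `'feature**'` is nested under `workflow_dispatch:` as the context lines suggest (indentation is not visible in this view), it has no filtering effect: `workflow_dispatch` accepts only `inputs`, and as far as I can tell a `branches` key there is ignored rather than enforced, so a manual run can still be started from any branch. The restriction that actually matters for feature refs is the `if:` on the push and attestation steps later in this patch, so either drop this entry or move it under the `push:` trigger if the intent is that pushes to feature branches build the image. Also `feature**` matches `featureX` as well as `feature/x`; if the convention is `feature/<name>`, `'feature/**'` is the tighter glob.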
@@ -62,22 +64,26 @@ jobs:
 commit_user_name: OSCAL GitHub Actions Bot
 commit_user_email: oscal@nist.gov
 commit_author: OSCAL GitHub Actions Bot
- - name: Container image QEMU setup for cross-arch builds
+ - if: github.repository == env.HOME_REPO
+ name: Container image QEMU setup for cross-arch builds
 id: image_setup_qemu
 uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf
- - name: Container image buildx setup for cross-arch builds
+ - if: github.repository == env.HOME_REPO
+ name: Container image buildx setup for cross-arch builds
 id: image_setup_buildx
 with:
 platforms: linux/amd64,linux/arm64
 uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db
- - name: Container image login
+ - if: github.repository == env.HOME_REPO
+ name: Container image login
 id: image_login
 uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
 with:
 registry: ${{ env.REGISTRY }}
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
- - name: Container image metadata and tag generation
+ - if: github.repository == env.HOME_REPO
+ name: Container image metadata and tag generation
 id: image_metadata
 uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81
 with:
@@ -91,7 +97,7 @@ jobs:
 # For now, do not auto-tag latest, maintainers will decided what is
 # release-worthy.
 flavor: |
- latest=false
+ latest=true
 annotations:
 maintainers="FedRAMP Automation Team "
 org.opencontainers.image.authors="FedRAMP Automation Team "
@@ -101,7 +107,8 @@ jobs:
 org.opencontainers.image.title="FedRAMP Validation Tools"
 org.opencontainers.image.description="FedRAMP's tools for validating OSCAL data"
 org.opencontainers.image.licenses="CC0-1.0"
- - name: Container image registry push
+ - if: github.repository == env.HOME_REPO && (github.ref == 'refs/heads/master' || 'refs/heads/feature/**')
+ name: Container image registry push
 id: image_registry_push
 uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
 with:
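Review bot: The `Container image login` step is gated only on `github.repository == env.HOME_REPO`, while the registry push and attestation steps further down are additionally gated on the ref, so a same-repository pull_request run (where `github.ref` is `refs/pull/N/merge`) still logs into `${{ env.REGISTRY }}` with `secrets.GITHUB_TOKEN` and then pushes nothing. Give the login step the same condition as the push step so the credential is only exchanged on runs that will use it; the same probably applies to the QEMU, buildx and metadata steps if they exist only to feed the push, which I cannot confirm from this hunk. On ordering, `if:` placed before `name:` is unusual for this file and makes the step list harder to scan; keep `name:` first, e.g. `- name: Container image login` followed by `if: github.repository == env.HOME_REPO && (github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/heads/feature/'))`.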
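Review bot: The two comment lines kept as context directly above `latest=true` still say "do not auto-tag latest", so the comment now contradicts the setting it documents; rewrite it to state the new intent, e.g. `# latest currently tracks the most recent master or feature/** push (see the push step's if:); pin by digest for a stable image.` As far as I can tell `latest=true` makes the metadata step emit a `latest` tag on every run that reaches it, and the push step's gate later in this patch admits feature-branch refs, so `:latest` can point at an unreleased feature build. That matches the commit description's "for now", but it is the kind of decision the next maintainer needs to find in the file rather than in git history.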
@@ -112,7 +119,8 @@ jobs:
 platforms: linux/amd64,linux/arm64
 cache-from: type=gha
 cache-to: type=gha,mode=max
- - name: Container image push attestations
+ - if: github.repository == env.HOME_REPO && (github.ref == 'refs/heads/master' || 'refs/heads/feature/**')
+ name: Container image push attestations
 uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c
 with:
 subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
From 202616c8d2bdf4996086a48c934603ded879bbff Mon Sep 17 00:00:00 2001
From: "A.J. Stein"
Date: Wed, 11 Sep 2024 10:43:48 -0400
Subject: [PATCH 2/4] Actions: more explicit branch targeting
I am not sure that syntax is air-tight with var == 'value1' || 'value2', so make it more explicit and have var on left side and right side of the boolean OR check.
---
 .github/workflows/content-artifacts.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/content-artifacts.yml b/.github/workflows/content-artifacts.yml
index 1255d36ef..004b6e893 100644
--- a/.github/workflows/content-artifacts.yml
+++ b/.github/workflows/content-artifacts.yml
@@ -107,7 +107,7 @@ jobs:
 org.opencontainers.image.title="FedRAMP Validation Tools"
 org.opencontainers.image.description="FedRAMP's tools for validating OSCAL data"
 org.opencontainers.image.licenses="CC0-1.0"
- - if: github.repository == env.HOME_REPO && (github.ref == 'refs/heads/master' || 'refs/heads/feature/**')
+ - if: github.repository == env.HOME_REPO && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/feature/**')
 name: Container image registry push
 id: image_registry_push
 uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
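Review bot: Gating the attestation step on the home repository is the right call because `actions/attest-build-provenance` needs `id-token: write` and `attestations: write`, and runs triggered from fork pull requests only receive a read-only token; the job's `permissions:` block is outside this hunk, so confirm those two scopes are granted to this job rather than at workflow level. Unlike its sibling steps this one has no `id:`, which is harmless but inconsistent with the `image_*` naming used above, e.g. `id: image_attest` (constructed name). The step's `with:` block continues past the end of the hunk.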
@@ -119,7 +119,7 @@ jobs:
 platforms: linux/amd64,linux/arm64
 cache-from: type=gha
 cache-to: type=gha,mode=max
- - if: github.repository == env.HOME_REPO && (github.ref == 'refs/heads/master' || 'refs/heads/feature/**')
+ - if: github.repository == env.HOME_REPO && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/feature/**')
 name: Container image push attestations
 uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c
 with:
From 65bc072a82c04ad514710c1f6e192661e2e9d553 Mon Sep 17 00:00:00 2001
From: "A.J. Stein"
Date: Wed, 11 Sep 2024 10:49:22 -0400
Subject: [PATCH 3/4] Actions: even more explicit use startsWith syntax
---
 .github/workflows/content-artifacts.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/content-artifacts.yml b/.github/workflows/content-artifacts.yml
index 004b6e893..e378f4580 100644
--- a/.github/workflows/content-artifacts.yml
+++ b/.github/workflows/content-artifacts.yml
@@ -107,7 +107,7 @@ jobs:
 org.opencontainers.image.title="FedRAMP Validation Tools"
 org.opencontainers.image.description="FedRAMP's tools for validating OSCAL data"
 org.opencontainers.image.licenses="CC0-1.0"
- - if: github.repository == env.HOME_REPO && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/feature/**')
+ - if: github.repository == env.HOME_REPO && (github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/heads/feature'))
 name: Container image registry push
 id: image_registry_push
 uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
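Review bot: `startsWith(github.ref, 'refs/heads/feature')` is broader than the `feature/**` glob the previous patch was trying to express: it also matches `refs/heads/featureX` or `refs/heads/features-foo`. If feature branches follow `feature/<name>`, include the separator, `startsWith(github.ref, 'refs/heads/feature/')`; the attestation step in the next hunk carries the same expression and should change with it. The repository check plus the fact that `github.ref` is `refs/pull/N/merge` on pull_request events already keeps fork and PR runs from pushing, so the remaining exposure is an unintended branch name being treated as a feature branch and moving the `latest` tag. The step's `with:` block continues outside the hunk.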
@@ -119,7 +119,7 @@ jobs:
 platforms: linux/amd64,linux/arm64
 cache-from: type=gha
 cache-to: type=gha,mode=max
- - if: github.repository == env.HOME_REPO && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/feature/**')
+ - if: github.repository == env.HOME_REPO && (github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/heads/feature'))
 name: Container image push attestations
 uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c
 with:
From cb75f03434850820f4771200b4c73104db039653 Mon Sep 17 00:00:00 2001
From: "A.J. Stein"
Date: Wed, 11 Sep 2024 10:53:06 -0400
Subject: [PATCH 4/4] Actions: one last attempt to force annotations
---
 .github/workflows/content-artifacts.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/content-artifacts.yml b/.github/workflows/content-artifacts.yml
index e378f4580..f1e45a392 100644
--- a/.github/workflows/content-artifacts.yml
+++ b/.github/workflows/content-artifacts.yml
@@ -21,6 +21,8 @@ env:
 REGISTRY: ghcr.io
 # Docs: github.com/docker/metadata-action/?tab=readme-ov-file#typesha
 DOCKER_METADATA_PR_HEAD_SHA: true
+ # https://github.com/docker/metadata-action?tab=readme-ov-file#annotations
+ DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
 jobs:
 validate-and-publish-content:
 name: Content Validation Checking, Conversion and Validation
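Review bot: `DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index` only changes what `docker/metadata-action` writes to its `annotations` output; the annotations reach the pushed image only if the build-push step consumes that output (`annotations: ${{ steps.image_metadata.outputs.annotations }}`), and that wiring is outside this hunk, so verify it exists before treating this setting as the fix the commit title describes. Replace the bare-URL comment with one that says what the value does and keep the link for reference, e.g. `# Annotate both the per-arch manifests and the multi-arch index (docker/metadata-action README, #annotations)`.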