ci: fix signing cedarling whls #321
name: Build and Publish Releases to Hub

# `on` is the GitHub Actions trigger key. A generic YAML 1.1 parser reads the
# bare word as a boolean, but GitHub's own loader expects it spelled this way.
on:
  # Nightly build of every image in the matrix.
  schedule:
    - cron: '0 23 * * *'
  # Any tag, or a push to main that touches an image directory (markdown
  # changes alone do not trigger a build).
  push:
    tags:
      - '*'
    branches:
      - main
    paths:
      - 'docker-jans-**/**'
      - '!**.md'
  # Pull requests build but do not push (see the `push:` input of the
  # build-push step); changelog and version bumps are excluded.
  pull_request:
    branches:
      - main
    paths:
      - 'docker-jans-**/**'
      - '!docker-jans-**/CHANGELOG.md'
      - '!docker-jans-**/version.txt'
      - '!**.md'
  workflow_dispatch:
    inputs:
      # Space-separated list of image directories to build.
      services:
        description: 'One or set of the docker images. Format as following: "docker-jans-auth-server docker-jans-certmanager docker-jans-config-api docker-jans-configurator docker-jans-fido2 docker-jans-persistence-loader docker-jans-scim docker-jans-monolith docker-jans-loadtesting-jmeter docker-jans-link docker-jans-casa docker-jans-all-in-one docker-jans-saml docker-jans-keycloak-link docker-jans-kc-scheduler cedarling-flask-sidecar"'
        required: true
        default: 'docker-jans-auth-server docker-jans-certmanager docker-jans-config-api docker-jans-configurator docker-jans-fido2 docker-jans-persistence-loader docker-jans-scim docker-jans-monolith docker-jans-loadtesting-jmeter docker-jans-link docker-jans-casa docker-jans-all-in-one docker-jans-saml docker-jans-keycloak-link docker-jans-kc-scheduler cedarling-flask-sidecar'
      # Overrides the CN_VERSION build argument in the Dockerfile when set.
      cn_version:
        description: 'The war version to build the image off'
        required: false
        default: ''
      # Extra image tag appended to the computed tag list when set.
      image_tag:
        description: 'The manual image tag to post'
        required: false
        default: ''
      tags:
        description: 'Tags'
        required: false

# Workflow-wide default token scope; the build job widens it for itself.
permissions:
  contents: read
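jobs:
  docker:
    # The job pushes to GHCR and requests an OIDC token for keyless cosign
    # signing; no other scope is granted.
    permissions:
      packages: write
      id-token: write
    runs-on: ubuntu-latest
    strategy:
      max-parallel: 8
      matrix:
        docker-images:
          - "auth-server"
          - "certmanager"
          - "config-api"
          - "configurator"
          - "fido2"
          - "persistence-loader"
          - "scim"
          - "monolith"
          - "loadtesting-jmeter"
          - "link"
          - "casa"
          - "all-in-one"
          - "saml"
          - "keycloak-link"
          - "kc-scheduler"
          - "cedarling-flask-sidecar"
    # Expose the matrix value once so shell steps compare a quoted variable
    # instead of splicing the expression into the script text.
    env:
      IMAGE: ${{ matrix.docker-images }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
        with:
          egress-policy: audit

      - name: Install Cosign
        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0

      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          fetch-depth: 0
          sparse-checkout: |
            docker-jans-${{ matrix.docker-images }}
            automation
            demos
            jans-cedarling

      - name: Check docker directories that changed
        id: build_docker_image
        env:
          # Workflow inputs reach the script through the environment, never
          # by interpolating them into the script body.
          SERVICES: ${{ github.event.inputs.services }}
        run: |
          BUILD=true
          DEFAULT_ALL="$SERVICES"
          if [ -z "$DEFAULT_ALL" ]
          then
            DEFAULT_ALL="docker-jans-auth-server docker-jans-certmanager docker-jans-config-api docker-jans-configurator docker-jans-fido2 docker-jans-persistence-loader docker-jans-scim docker-jans-monolith docker-jans-loadtesting-jmeter docker-jans-link docker-jans-casa docker-jans-all-in-one docker-jans-saml docker-jans-keycloak-link docker-jans-kc-scheduler cedarling-flask-sidecar"
          else
            echo "$DEFAULT_ALL"
          fi
          # Detect the docker folders that actually changed; if anything in the
          # pipeline fails, fall back to building every image.
          # NOTE(review): `gh` is not given a GH_TOKEN here, so the fallback
          # may be what runs in practice — confirm before relying on the filter.
          pull_number=$(jq --raw-output .pull_request.number "$GITHUB_EVENT_PATH")
          DIRECTORIES_CHANGED=$(gh pr view "$pull_number" --json files --jq '.files.[].path' | cut -d/ -f1 | sort -u | grep "docker-jans" || echo "$DEFAULT_ALL")
          # Substring match: a short image name (e.g. "link") also matches a
          # longer directory name that contains it.
          if [[ "$DIRECTORIES_CHANGED" =~ "$IMAGE" ]]; then
            echo "A change in this images directory has occurred"
            echo "build=${BUILD}" >> "$GITHUB_OUTPUT"
          fi

      - name: Install dependencies
        # There is no 'tags' event name; a tag push arrives as a push event
        # with a refs/tags/ ref, so test the ref instead.
        if: steps.build_docker_image.outputs.build || startsWith(github.ref, 'refs/tags/')
        run: |
          sudo apt-get update
          sudo python3 -m pip install --upgrade pip || echo "Failed to upgrade pip"
          sudo pip3 install --ignore-installed setuptools --upgrade
          sudo pip3 install --ignore-installed -r ./automation/requirements.txt
          sudo apt-get update

      #- uses: actions/delete-package-versions@v5
      #  continue-on-error: true
      #  with:
      #    package-name: jans/${{ matrix.docker-images }}
      #    package-type: container
      #    min-versions-to-keep: 1000
      #    token: ${{ secrets.GITHUB_TOKEN }}
      #    delete-only-untagged-versions: true

      - name: Prepare
        if: steps.build_docker_image.outputs.build || startsWith(github.ref, 'refs/tags/')
        id: prep
        env:
          # Dispatch inputs are passed through the environment so that a
          # value containing shell or Python metacharacters cannot alter the
          # commands below.
          MANUAL_IMAGE_TAG: ${{ github.event.inputs.image_tag }}
          CN_VERSION: ${{ github.event.inputs.cn_version }}
        run: |
          REPOSITORY=$(echo "$GITHUB_REPOSITORY" | tr '[:upper:]' '[:lower:]')
          # Images that do not live under ./docker-jans-<name> have their
          # build context elsewhere in the tree.
          DOCKER_FILE_LOCATION="./docker-jans-${IMAGE}"
          if [[ "$IMAGE" == "loadtesting-jmeter" ]]; then
            DOCKER_FILE_LOCATION=./demos/benchmarking/docker-jans-loadtesting-jmeter
          fi
          if [[ "$IMAGE" == "cedarling-flask-sidecar" ]]; then
            DOCKER_FILE_LOCATION=./jans-cedarling/flask-sidecar
          fi
          export DOCKER_FILE_LOCATION
          MAIN_VERSION=$(python3 -c "import os; from dockerfile_parse import DockerfileParser; dfparser = DockerfileParser(os.environ['DOCKER_FILE_LOCATION']); print(dfparser.labels['org.opencontainers.image.version'])")
          DOCKER_IMAGE="ghcr.io/${REPOSITORY}/${IMAGE}"
          VERSION=${MAIN_VERSION}
          BUILD=true
          # A tag of the form docker-jans-<image>-v<version> selects this image
          # and overrides the version; any other tag skips the build.
          if [[ $GITHUB_REF == refs/tags/docker-jans-${IMAGE}-* ]]; then
            VERSION=${GITHUB_REF#refs/tags/docker-jans-${IMAGE}-v}
          elif [[ $GITHUB_REF == refs/tags/* ]]; then
            echo "A tag not matching the image triggered the build. I will not continue."
            BUILD=""
          fi
          TAGS="${DOCKER_IMAGE}:${VERSION}"
          # Pre-release versions (x.y.z_aN / x.y.z_bN) are also tagged with
          # the Dockerfile's own version label.
          if [[ $VERSION =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\_[a-b]{1}[0-9]{1,3}$ ]]; then
            TAGS="$TAGS,${DOCKER_IMAGE}:${MAIN_VERSION}"
          fi
          # If the user passed a manual image tag to build a custom manual image
          if [ -n "$MANUAL_IMAGE_TAG" ]
          then
            TAGS="$TAGS,${DOCKER_IMAGE}:${MANUAL_IMAGE_TAG}"
            VERSION=$MANUAL_IMAGE_TAG
            echo "Manual image tag has been inputted by the user"
          else
            echo "$TAGS"
          fi
          # If the user passed a war version to build off, change this war version.
          # The Dockerfile is looked up at DOCKER_FILE_LOCATION so the override
          # also reaches images whose context is outside ./docker-jans-<name>.
          if [ -n "$CN_VERSION" ]
          then
            python3 -c "import os; from dockerfile_parse import DockerfileParser; dfparser = DockerfileParser(os.environ['DOCKER_FILE_LOCATION']); dfparser.envs['CN_VERSION'] = os.environ['CN_VERSION']"
            echo "War version has been modified."
          else
            echo "$CN_VERSION"
          fi
          echo "tags=${TAGS}" >> "$GITHUB_OUTPUT"
          echo "build=${BUILD}" >> "$GITHUB_OUTPUT"
          echo "dockerfilelocation=${DOCKER_FILE_LOCATION}" >> "$GITHUB_OUTPUT"
          # wait for all images in DEFAULT_ALL to be built before building the
          # all-in-one image as it depends on all other images. Compare the
          # event name directly: `[[ false ]]` is a non-empty string and would
          # always be true.
          if [[ "$IMAGE" == "all-in-one" ]]; then
            if [[ "$GITHUB_EVENT_NAME" != "pull_request" ]]; then
              TEMP_IMG="auth-server certmanager config-api configurator fido2 persistence-loader scim monolith loadtesting-jmeter link casa saml keycloak-link kc-scheduler"
              for i in $TEMP_IMG; do
                echo "Waiting for $i to be built"
                sleep 30
              done
            fi
          fi

      # UPDATE BUILD DATES INSIDE THE DOCKERFILE BEFORE BUILDING THE DEV IMAGES TRIGGERED BY JENKINS
      - name: Setup Python 3.10
        # Plain expression syntax throughout; a `${{ }}` fragment inside an
        # `if:` expression is substituted as bare text and is not a valid operand.
        if: github.event_name == 'workflow_dispatch' && matrix.docker-images != 'loadtesting-jmeter'
        uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
        with:
          python-version: "3.10"

      - name: Install Python dependencies
        if: github.event_name == 'workflow_dispatch' && matrix.docker-images != 'loadtesting-jmeter'
        run: |
          sudo apt-get update
          sudo python3 -m pip install --upgrade pip || echo "Failed to upgrade pip"
          sudo pip3 install --ignore-installed setuptools --upgrade
          sudo pip3 install --ignore-installed -r ./automation/requirements.txt
          sudo apt-get update
          sudo apt-get install jq

      - name: Update Build date in Dockerfile
        if: github.event_name == 'workflow_dispatch' && matrix.docker-images != 'loadtesting-jmeter'
        id: update_build_date_in_dockerfile
        run: |
          sudo python3 ./automation/auto_update_build_date.py
      #END UPDATE BUILD DATES INSIDE THE DOCKERFILE BEFORE BUILDING THE DEV IMAGES TRIGGERED BY JENKINS

      - name: Set up QEMU
        if: steps.build_docker_image.outputs.build && steps.prep.outputs.build
        uses: docker/setup-qemu-action@5306bad0baa6b616b9934712d4eba8da2112606d # master
        with:
          image: tonistiigi/binfmt:master
          platforms: all

      - name: Set up Docker Buildx
        if: steps.build_docker_image.outputs.build && steps.prep.outputs.build
        id: buildx
        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0

      # Pull requests build without pushing, so no registry login is needed
      # (and the token is not exposed to fork-originated runs).
      - name: Login to ghcr
        if: github.event_name != 'pull_request'
        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and push
        if: steps.build_docker_image.outputs.build && steps.prep.outputs.build
        id: docker_build
        uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
        with:
          builder: ${{ steps.buildx.outputs.name }}
          context: ${{ steps.prep.outputs.dockerfilelocation }}
          file: ${{ steps.prep.outputs.dockerfilelocation }}/Dockerfile
          # SBOM and provenance attestations are attached to every pushed image.
          sbom: true
          provenance: true
          #target: prod
          # add to platforms comma seperated linux/ppc64leL Issue: py3-grpcio
          # add to platforms comma seperated linux/386 : Issue: openjdk11-jre-headless alpine package not
          # add to platforms comma seperated ,linux/arm/v6 : Issue: openjdk11-jre-headless alpine package not found
          # add to platforms comma seperated ,linux/arm/v7 : Issue: openjdk11-jre-headless alpine package not found
          # add to platforms comma seperated ,linux/s390x: All images with openjdk hav an issue with linux/s390x Problematic frame: J 6 c1 java.lang.String.hashCode()I [email protected] (49 bytes) : Issue: openjdk11-jre-headles
          # add to platforms comma seperated ,linux/arm64: : PyDev issue only
          platforms: linux/amd64
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.prep.outputs.tags }}

      - name: Image digest
        if: steps.build_docker_image.outputs.build && steps.prep.outputs.build
        env:
          DIGEST: ${{ steps.docker_build.outputs.digest }}
        run: echo "$DIGEST"

      - name: Sign the images with GitHub OIDC Token
        if: steps.build_docker_image.outputs.build && steps.prep.outputs.build
        env:
          DIGEST: ${{ steps.docker_build.outputs.digest }}
          TAGS: ${{ steps.prep.outputs.tags }}
        run: |
          images=""
          for tag in ${TAGS//,/ }; do
            # When a release tag exists alongside a _dev tag, only the
            # release tag is signed.
            if [[ $tag == *"_dev"* && $TAGS == *","* ]]; then
              continue
            fi
            images+="${tag}@${DIGEST} "
          done
          if [[ -n $images ]]; then
            # Signing stays best-effort, but a failure is surfaced as a
            # workflow annotation rather than a plain log line so an unsigned
            # release is visible in the run summary.
            cosign sign --yes -a author=JanssenProject ${images} || echo "::warning::Failed to sign images"
          fi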