Skip to content

ci: fix signing cedarling whls #321

ci: fix signing cedarling whls

ci: fix signing cedarling whls #321

name: Build and Publish Releases to Hub
on:
schedule:
- cron: "0 23 * * *"
push:
tags:
- "*"
branches:
- main
paths:
- "docker-jans-**/**"
- "!**.md"
pull_request:
branches:
- main
paths:
- "docker-jans-**/**"
- "!docker-jans-**/CHANGELOG.md"
- "!docker-jans-**/version.txt"
- "!**.md"
workflow_dispatch:
inputs:
services:
description: 'One or set of the docker images. Format as following: "docker-jans-auth-server docker-jans-certmanager docker-jans-config-api docker-jans-configurator docker-jans-fido2 docker-jans-persistence-loader docker-jans-scim docker-jans-monolith docker-jans-loadtesting-jmeter docker-jans-link docker-jans-casa docker-jans-all-in-one docker-jans-saml docker-jans-keycloak-link docker-jans-kc-scheduler cedarling-flask-sidecar"'
required: true
default: 'docker-jans-auth-server docker-jans-certmanager docker-jans-config-api docker-jans-configurator docker-jans-fido2 docker-jans-persistence-loader docker-jans-scim docker-jans-monolith docker-jans-loadtesting-jmeter docker-jans-link docker-jans-casa docker-jans-all-in-one docker-jans-saml docker-jans-keycloak-link docker-jans-kc-scheduler cedarling-flask-sidecar'
cn_version:
description: 'The war version to build the image off'
required: false
default: ''
image_tag:
description: 'The manual image tag to post'
required: false
default: ''
tags:
description: 'Tags'
required: false
permissions:
contents: read
jobs:
docker:
permissions:
packages: write
id-token: write
runs-on: ubuntu-latest
strategy:
max-parallel: 8
matrix:
docker-images: ["auth-server", "certmanager", "config-api", "configurator", "fido2", "persistence-loader", "scim", "monolith", "loadtesting-jmeter", "link", "casa", "all-in-one", "saml", "keycloak-link", "kc-scheduler", "cedarling-flask-sidecar"]
steps:
- name: Harden Runner
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
with:
egress-policy: audit
- name: Install Cosign
uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0
sparse-checkout: |
docker-jans-${{ matrix.docker-images }}
automation
demos
jans-cedarling
- name: Check docker directories that changed
id: build_docker_image
run: |
BUILD=true
DEFAULT_ALL=${{ github.event.inputs.services }}
if [ -z "$DEFAULT_ALL" ]
then
DEFAULT_ALL="docker-jans-auth-server docker-jans-certmanager docker-jans-config-api docker-jans-configurator docker-jans-fido2 docker-jans-persistence-loader docker-jans-scim docker-jans-monolith docker-jans-loadtesting-jmeter docker-jans-link docker-jans-casa docker-jans-all-in-one docker-jans-saml docker-jans-keycloak-link docker-jans-kc-scheduler cedarling-flask-sidecar"
else
echo "$DEFAULT_ALL"
fi
# Detect actual docker folders that changed if error arises default to all images
pull_number=$(jq --raw-output .pull_request.number "$GITHUB_EVENT_PATH")
DIRECTORIES_CHANGED=$(gh pr view $pull_number --json files --jq '.files.[].path' | cut -d/ -f1 | sort -u | grep "docker-jans" || echo "$DEFAULT_ALL")
if [[ "$DIRECTORIES_CHANGED" =~ "${{ matrix.docker-images }}" ]]; then
echo "A change in this images directory has occurred"
echo "build=${BUILD}" >> $GITHUB_OUTPUT
fi
- name: Install dependencies
if: steps.build_docker_image.outputs.build || github.event_name == 'tags'
run: |
sudo apt-get update
sudo python3 -m pip install --upgrade pip || echo "Failed to upgrade pip"
sudo pip3 install --ignore-installed setuptools --upgrade
sudo pip3 install --ignore-installed -r ./automation/requirements.txt
sudo apt-get update
#- uses: actions/delete-package-versions@v5
# continue-on-error: true
# with:
# package-name: jans/${{ matrix.docker-images }}
# package-type: container
# min-versions-to-keep: 1000
# token: ${{ secrets.GITHUB_TOKEN }}
# delete-only-untagged-versions: true
- name: Prepare
if: steps.build_docker_image.outputs.build || github.event_name == 'tags'
id: prep
run: |
REPOSITORY=$(echo ${{ github.repository }} | tr '[:upper:]' '[:lower:]')
DOCKER_FILE_LOCATION=./docker-jans-${{ matrix.docker-images }}
if [[ "loadtesting-jmeter" =~ "${{ matrix.docker-images }}" ]]; then
DOCKER_FILE_LOCATION=./demos/benchmarking/docker-jans-loadtesting-jmeter
fi
if [[ "cedarling-flask-sidecar" =~ "${{ matrix.docker-images }}" ]]; then
DOCKER_FILE_LOCATION=./jans-cedarling/flask-sidecar
fi
MAIN_VERSION=$(python3 -c "from dockerfile_parse import DockerfileParser ; dfparser = DockerfileParser('$DOCKER_FILE_LOCATION') ; print(dfparser.labels['org.opencontainers.image.version'])")
DOCKER_IMAGE=ghcr.io/$REPOSITORY/${{ matrix.docker-images }}
VERSION=${MAIN_VERSION}
BUILD=true
if [[ $GITHUB_REF == refs/tags/docker-jans-${{ matrix.docker-images }}-* ]]; then
VERSION=${GITHUB_REF#refs/tags/docker-jans-${{ matrix.docker-images }}-v}
elif [[ $GITHUB_REF == refs/tags/* ]]; then
echo "A tag not matching the image triggered the build. I will not continue."
BUILD=""
fi
TAGS="${DOCKER_IMAGE}:${VERSION}"
if [[ $VERSION =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\_[a-b]{1}[0-9]{1,3}$ ]]; then
TAGS="$TAGS,${DOCKER_IMAGE}:${MAIN_VERSION}"
fi
# If the user passed a manual image tag to build a custom manual image
MANUAL_IMAGE_TAG=${{ github.event.inputs.image_tag }}
if [ ! -z "$MANUAL_IMAGE_TAG" ]
then
TAGS="$TAGS,${DOCKER_IMAGE}:${MANUAL_IMAGE_TAG}"
VERSION=$MANUAL_IMAGE_TAG
echo "Manual image tag has been inputted by the user"
else
echo "$TAGS"
fi
# If the user passed a war version to build off ,change this war version.
CN_VERSION=${{ github.event.inputs.cn_version }}
if [ ! -z "$CN_VERSION" ]
then
python3 -c "from dockerfile_parse import DockerfileParser ; dfparser = DockerfileParser('./docker-jans-${{ matrix.docker-images }}') ; dfparser.envs['CN_VERSION'] = '${{ github.event.inputs.cn_version }}'"
echo "War version has been modified."
else
echo "$CN_VERSION"
fi
echo "tags=${TAGS}" >> $GITHUB_OUTPUT
echo "build=${BUILD}" >> $GITHUB_OUTPUT
echo "dockerfilelocation=${DOCKER_FILE_LOCATION}" >> $GITHUB_OUTPUT
# wait for all images in DEFAULT_ALL to be built before building the all-in-one image as it depends on all other images
if [[ "docker-jans-all-in-one" =~ "${{ matrix.docker-images }}" ]]; then
if [[ ${{ github.event_name != 'pull_request' }} ]]; then
TEMP_IMG="auth-server certmanager config-api configurator fido2 persistence-loader scim monolith loadtesting-jmeter link casa saml keycloak-link kc-scheduler"
for i in $TEMP_IMG; do
echo "Waiting for $i to be built"
sleep 30
done
fi
fi
# UPDATE BUILD DATES INSIDE THE DOCKERFILE BEFORE BUILDING THE DEV IMAGES TRIGGERED BY JENKINS
- name: Setup Python 3.10
if: github.event_name == 'workflow_dispatch' && ${{ matrix.docker-images }} != 'loadtesting-jmeter'
uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
with:
python-version: "3.10"
- name: Install Python dependencies
if: github.event_name == 'workflow_dispatch' && ${{ matrix.docker-images }} != 'loadtesting-jmeter'
run: |
sudo apt-get update
sudo python3 -m pip install --upgrade pip || echo "Failed to upgrade pip"
sudo pip3 install --ignore-installed setuptools --upgrade
sudo pip3 install --ignore-installed -r ./automation/requirements.txt
sudo apt-get update
sudo apt-get install jq
- name: Update Build date in Dockerfile
if: github.event_name == 'workflow_dispatch' && ${{ matrix.docker-images }} != 'loadtesting-jmeter'
id: update_build_date_in_dockerfile
run: |
sudo python3 ./automation/auto_update_build_date.py
#END UPDATE BUILD DATES INSIDE THE DOCKERFILE BEFORE BUILDING THE DEV IMAGES TRIGGERED BY JENKINS
- name: Set up QEMU
if: steps.build_docker_image.outputs.build && steps.prep.outputs.build
uses: docker/setup-qemu-action@5306bad0baa6b616b9934712d4eba8da2112606d # master
with:
image: tonistiigi/binfmt:master
platforms: all
- name: Set up Docker Buildx
if: steps.build_docker_image.outputs.build && steps.prep.outputs.build
id: buildx
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
- name: Login to ghcr
if: github.event_name != 'pull_request'
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push
if: steps.build_docker_image.outputs.build && steps.prep.outputs.build
id: docker_build
uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
with:
builder: ${{ steps.buildx.outputs.name }}
context: ${{ steps.prep.outputs.dockerfilelocation }}
file: ${{ steps.prep.outputs.dockerfilelocation }}/Dockerfile
sbom: true
provenance: true
#target: prod
# add to platforms comma seperated linux/ppc64leL Issue: py3-grpcio
# add to platforms comma seperated linux/386 : Issue: openjdk11-jre-headless alpine package not
# add to platforms comma seperated ,linux/arm/v6 : Issue: openjdk11-jre-headless alpine package not found
# add to platforms comma seperated ,linux/arm/v7 : Issue: openjdk11-jre-headless alpine package not found
# add to platforms comma seperated ,linux/s390x: All images with openjdk hav an issue with linux/s390x Problematic frame: J 6 c1 java.lang.String.hashCode()I [email protected] (49 bytes) : Issue: openjdk11-jre-headles
# add to platforms comma seperated ,linux/arm64: : PyDev issue only
platforms: linux/amd64
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.prep.outputs.tags }}
- name: Image digest
if: steps.build_docker_image.outputs.build && steps.prep.outputs.build
run: echo ${{ steps.docker_build.outputs.digest }}
- name: Sign the images with GitHub OIDC Token
if: steps.build_docker_image.outputs.build && steps.prep.outputs.build
env:
DIGEST: ${{ steps.docker_build.outputs.digest }}
TAGS: ${{ steps.prep.outputs.tags }}
run: |
images=""
for tag in ${TAGS//,/ }; do
if [[ $tag == *"_dev"* && $TAGS == *","* ]]; then
continue
fi
images+="${tag}@${DIGEST} "
done
if [[ -n $images ]]; then
cosign sign --yes -a author=JanssenProject ${images} || echo "Failed to sign images"
fi