-
Notifications
You must be signed in to change notification settings - Fork 58
198 lines (175 loc) · 7.07 KB
/
create_aca_images.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
name: Create ACA Docker Image
on:
release:
types: [ published ]
workflow_dispatch:
inputs:
# GITHUB_REF is assumed to be a tag
# tag is assumed to have the format vx.y.z. The docker images will be tagged :x.y.z
also_tag_latest:
description: 'Tag latest?'
required: false
type: boolean
env:
DOCKERFILE_ROCKY: aca-rocky
DOCKERFILE_WINDOWS: aca-windows
IMAGE_NAME_ROCKY: ghcr.io/nsacyber/hirs/aca-rocky
IMAGE_NAME_WINDOWS: ghcr.io/nsacyber/hirs/aca-windows
IMAGE_NAME_WINDOWS_COMPAT: ghcr.io/nsacyber/hirs/aca-windows-1809
PUBLIC_IMAGE_NAME: ghcr.io/nsacyber/hirs/aca
PUBLIC_IMAGE_TAG_LATEST: ghcr.io/nsacyber/hirs/aca:latest
TAG_LATEST: ${{ github.event_name == 'release' || inputs.also_tag_latest }} # The public docker image will be tagged 'latest' for releases, or if this option is selected.
jobs:
setup:
runs-on: ubuntu-latest
outputs:
IMAGE_TAG: ${{ steps.setenv.outputs.IMAGE_TAG }}
ROCKY_IMAGE_TAG: ${{ steps.setenv.outputs.ROCKY_IMAGE_TAG }}
WINDOWS_IMAGE_TAG: ${{ steps.setenv.outputs.WINDOWS_IMAGE_TAG }}
WINDOWS_COMPAT_IMAGE_TAG: ${{ steps.setenv.outputs.WINDOWS_COMPAT_IMAGE_TAG }}
PUBLIC_IMAGE_TAG: ${{ steps.setenv.outputs.PUBLIC_IMAGE_TAG }}
steps:
- name: Set env
id: setenv
shell: bash
run: |
# Parse docker image tag from GitHub tag if available
if [ "${{ github.ref_type }}" = "tag" ]; then
# tags start with refs/tags/. Also remove v if it exists.
export IMAGE_TAG_VAR=${GITHUB_REF:10}
export IMAGE_TAG_VAR=${IMAGE_TAG_VAR//v/}
else
# Not a tag, use the commit hash. Do not tag as latest.
export IMAGE_TAG_VAR=${GITHUB_SHA:7}
fi
# To lowercase
export IMAGE_TAG_VAR=${IMAGE_TAG_VAR,,}
# Save to output
echo "IMAGE_TAG=$IMAGE_TAG_VAR" >> "$GITHUB_OUTPUT"
echo "ROCKY_IMAGE_TAG=$IMAGE_NAME_ROCKY:$IMAGE_TAG_VAR" >> "$GITHUB_OUTPUT"
echo "WINDOWS_IMAGE_TAG=$IMAGE_NAME_WINDOWS:$IMAGE_TAG_VAR" >> "$GITHUB_OUTPUT"
echo "WINDOWS_COMPAT_IMAGE_TAG=$IMAGE_NAME_WINDOWS_COMPAT:$IMAGE_TAG_VAR" >> "$GITHUB_OUTPUT"
echo "PUBLIC_IMAGE_TAG=ghcr.io/nsacyber/hirs/aca:IMAGE_TAG_VAR" >> "$GITHUB_OUTPUT"
- name: Print env
run: |
echo DOCKERFILE_ROCKY=$DOCKERFILE_ROCKY
echo DOCKERFILE_WINDOWS=$DOCKERFILE_WINDOWS
echo IMAGE_NAME_ROCKY=$IMAGE_NAME_ROCKY
echo IMAGE_NAME_WINDOWS=$IMAGE_NAME_WINDOWS
echo IMAGE_NAME_WINDOWS_COMPAT=$IMAGE_NAME_WINDOWS_COMPAT
echo PUBLIC_IMAGE_NAME=$PUBLIC_IMAGE_NAME
echo PUBLIC_IMAGE_TAG_LATEST=$PUBLIC_IMAGE_TAG_LATEST
echo TAG_LATEST=$TAG_LATEST
echo IMAGE_TAG=${{ steps.setenv.outputs.IMAGE_TAG }}
echo ROCKY_IMAGE_TAG=$ROCKY_IMAGE_TAG
echo WINDOWS_IMAGE_TAG=$WINDOWS_IMAGE_TAG
echo WINDOWS_COMPAT_IMAGE_TAG=$WINDOWS_COMPAT_IMAGE_TAG
echo PUBLIC_IMAGE_TAG=$PUBLIC_IMAGE_TAG
rocky-image:
needs: setup
runs-on: ubuntu-latest
env:
TAG: ${{ needs.setup.outputs.ROCKY_IMAGE_TAG }}
steps:
- name: Checkout main
uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push a release Docker image for ${{ github.repository }}
uses: docker/build-push-action@v5
with:
context: "{{defaultContext}}:.ci/docker"
file: Dockerfile.${{env.DOCKERFILE_ROCKY}}
tags: ${{env.TAG}}
push: true
sbom: true
windows-11-image:
needs: setup
runs-on: windows-latest
env:
TAG: ${{ needs.setup.outputs.WINDOWS_IMAGE_TAG }}
steps:
- name: Checkout main
uses: actions/checkout@v4
- name: Use Windows Containers
run: |
& $Env:ProgramFiles\Docker\Docker\DockerCli.exe -SwitchWindowsEngine
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build the docker image for ${{ github.repository }}
# docker/setup-buildx-action@v3 and docker/build-push-action@v5 do not work for Windows images.
# --sbom won't work. BuildKit not supported on Windows.
run: |
cd ./.ci/docker
docker build -f ./Dockerfile.${{env.DOCKERFILE_WINDOWS}} -t ${{env.TAG}} .
- name: Push the docker image
run: |
docker push ${{env.TAG}}
windows-compat-image: # This job uses a different build arg than the other windows job.
needs: setup
runs-on: windows-latest
env:
TAG: ${{ needs.setup.outputs.WINDOWS_COMPAT_IMAGE_TAG }}
steps:
- name: Checkout main
uses: actions/checkout@v4
- name: Use Windows Containers
run: |
& $Env:ProgramFiles\Docker\Docker\DockerCli.exe -SwitchWindowsEngine
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build the docker image for ${{ github.repository }}
# docker/setup-buildx-action@v3 and docker/build-push-action@v5 do not work for Windows images.
# --sbom won't work. BuildKit not supported on Windows.
run: |
cd ./.ci/docker
docker build -f ./Dockerfile.${{env.DOCKERFILE_WINDOWS}} -t ${{env.TAG}} --build-arg BASE_IMAGE_TAG=lts-windowsservercore-1809 .
- name: Push the docker image
run: |
docker push ${{env.TAG}}
manifest:
needs: [rocky-image, windows-11-image, windows-compat-image]
runs-on: ubuntu-latest
env:
IMAGE1: ${{ needs.setup.outputs.ROCKY_IMAGE_TAG }}
IMAGE2: ${{ needs.setup.outputs.WINDOWS_IMAGE_TAG }}
IMAGE3: ${{ needs.setup.outputs.WINDOWS_COMPAT_IMAGE_TAG }}
PUB: ${{ needs.setup.outputs.PUBLIC_IMAGE_TAG }}
steps:
- name: Checkout main
uses: actions/checkout@v4
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Clear any potential cached tag
run: |
docker manifest rm ${{env.PUB}}
- name: Create a new manifest
run: |
docker manifest create ${{env.PUB}} --amend ${{env.IMAGE1}} --amend ${{env.IMAGE2}} --amend ${{env.IMAGE3}}
- name: Push the new manifest
run: |
docker manifest push ${{env.PUB}}
- name: Create and push manifest latest if selected
if: env.TAG_LATEST
run: |
docker manifest rm $PUBLIC_IMAGE_TAG_LATEST
docker manifest create $PUBLIC_IMAGE_TAG_LATEST --amend $IMAGE1 --amend $IMAGE2 --amend $IMAGE3
docker manifest push $PUBLIC_IMAGE_TAG_LATEST