Skip to content

doc: update ibmse verifier document #6

doc: update ibmse verifier document

doc: update ibmse verifier document #6

name: Build and Push KBS Image
on:
push:
branches:
- main
jobs:
build_and_push:
permissions:
packages: write
strategy:
fail-fast: false
matrix:
instance:
- ubuntu-latest
- s390x
tag:
- kbs
- kbs-grpc-as
- kbs-ita-as
exclude:
- instance: s390x
tag: kbs-ita-as
include:
- tag: kbs
docker_file: kbs/docker/Dockerfile
https_crypto: openssl
name: build-in AS
- tag: kbs-grpc-as
docker_file: kbs/docker/coco-as-grpc/Dockerfile
https_crypto: rustls
name: gRPC AS
- tag: kbs-ita-as
docker_file: kbs/docker/intel-trust-authority/Dockerfile
https_crypto: rustls
name: Intel Trust Authority AS
runs-on: ${{ matrix.instance }}
steps:
- name: Take a pre-action for self-hosted runner
run: |
# NOTE: Use file checking instead triggering a step based on a runner type
# to avoid updating the step for each new self-hosted runner.
if [ -f "${HOME}/script/pre_action.sh" ]; then
"${HOME}/script/pre_action.sh" cc-trustee
fi
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to GHCR Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build Container Image KBS (${{ matrix.name }})
run: |
commit_sha=${{ github.sha }}
arch=$(uname -m)
https_crypto=${{ matrix.https_crypto }}
[ "${arch}" = "s390x" ] && https_crypto=openssl
DOCKER_BUILDKIT=1 docker build -f "${{ matrix.docker_file }}" --push \
-t "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}-${arch}" \
-t "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest-${arch}" \
--build-arg ARCH="${arch}" --build-arg HTTPS_CRYPTO="${https_crypto}" .
- name: Take a post-action for self-hosted runner
if: always()
run: |
# Please check out the note in the pre-action step for the reason of using file checking
if [ -f "${HOME}/script/post_action.sh" ]; then
"${HOME}/script/post_action.sh" cc-trustee
fi
publish_multi_arch_image:
needs: build_and_push
strategy:
fail-fast: false
matrix:
image:
- kbs
- kbs-grpc-as
permissions:
packages: write
runs-on: ubuntu-latest
steps:
- name: Login to GHCR Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Publish Multi-Arch ${{ matrix.image }} image
run: |
commit_sha=${{ github.sha }}
docker manifest create "ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:${commit_sha}" \
--amend "ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:${commit_sha}-x86_64" \
--amend "ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:${commit_sha}-s390x"
docker manifest push "ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:${commit_sha}"
docker manifest create "ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:latest" \
--amend "ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:latest-x86_64" \
--amend "ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:latest-s390x"
docker manifest push "ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:latest"