-
Notifications
You must be signed in to change notification settings - Fork 90
112 lines (100 loc) · 3.8 KB
/
push-kbs-image-to-ghcr.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
name: Build and Push KBS Image
on:
push:
branches:
- main
jobs:
build_and_push:
permissions:
packages: write
strategy:
fail-fast: false
matrix:
instance:
- ubuntu-latest
- s390x
tag:
- kbs
- kbs-grpc-as
- kbs-ita-as
exclude:
- instance: s390x
tag: kbs-ita-as
include:
- tag: kbs
docker_file: kbs/docker/Dockerfile
https_crypto: openssl
name: build-in AS
- tag: kbs-grpc-as
docker_file: kbs/docker/Dockerfile.coco-as-grpc
https_crypto: rustls
name: gRPC AS
- tag: kbs-ita-as
docker_file: kbs/docker/Dockerfile.intel-trust-authority
https_crypto: rustls
name: Intel Trust Authority AS
runs-on: ${{ matrix.instance }}
steps:
- name: Take a pre-action for self-hosted runner
run: |
# NOTE: Use file checking instead triggering a step based on a runner type
# to avoid updating the step for each new self-hosted runner.
if [ -f "${HOME}/script/pre_action.sh" ]; then
"${HOME}/script/pre_action.sh" cc-trustee
fi
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to GHCR Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build Container Image KBS (${{ matrix.name }})
run: |
commit_sha=${{ github.sha }}
arch=$(uname -m)
https_crypto=${{ matrix.https_crypto }}
[ "${arch}" = "s390x" ] && https_crypto=openssl
DOCKER_BUILDKIT=1 docker build -f "${{ matrix.docker_file }}" --push \
-t "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}-${arch}" \
-t "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest-${arch}" \
--build-arg ARCH="${arch}" --build-arg HTTPS_CRYPTO="${https_crypto}" .
- name: Take a post-action for self-hosted runner
if: always()
run: |
# Please check out the note in the pre-action step for the reason of using file checking
if [ -f "${HOME}/script/post_action.sh" ]; then
"${HOME}/script/post_action.sh" cc-trustee
fi
publish_multi_arch_image:
needs: build_and_push
strategy:
fail-fast: false
matrix:
image:
- kbs
- kbs-grpc-as
permissions:
packages: write
runs-on: ubuntu-latest
steps:
- name: Login to GHCR Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Publish Multi-Arch ${{ matrix.image }} image
run: |
commit_sha=${{ github.sha }}
docker manifest create "ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:${commit_sha}" \
--amend "ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:${commit_sha}-x86_64" \
--amend "ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:${commit_sha}-s390x"
docker manifest push "ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:${commit_sha}"
docker manifest create "ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:latest" \
--amend "ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:latest-x86_64" \
--amend "ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:latest-s390x"
docker manifest push "ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:latest"