Daily Release AtlasCLI Docker Image #435
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# See RELEASING.md#DockerImage for more details about the steps in this workflow. | |
name: Daily Release AtlasCLI Docker Image | |
on: | |
schedule: | |
- cron: "0 1 * * *" # Every day at 1:00 AM | |
workflow_dispatch: # Run the action manually | |
jobs: | |
build_images: | |
name: Build and publish docker image to staging registry | |
runs-on: ubuntu-latest | |
env: | |
STAGING_IMAGE_REPOSITORY: mongodb/apix_test | |
PLATFORMS: linux/amd64,linux/arm64 | |
steps: | |
- uses: GitHubSecurityLab/actions-permissions/monitor@v1 | |
with: | |
config: ${{ vars.PERMISSIONS_CONFIG }} | |
- name: Check out code | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 | |
- name: Set date | |
id: set-date | |
run: | | |
DATE=$(date +'%Y-%m-%d') | |
echo "DATE=${DATE}" >> "$GITHUB_ENV" | |
- name: 'Get latest tag' | |
id: get-latest-tag | |
uses: oprypin/find-latest-tag@dd2729fe78b0bb55523ae2b2a310c6773a652bd1 | |
with: | |
repository: mongodb/mongodb-atlas-cli | |
releases-only: true | |
regex: 'atlascli*' | |
- name: Extract version | |
run: | | |
release_tag=${{ steps.get-latest-tag.outputs.tag }} | |
echo "LATEST_VERSION=${release_tag#*/}" >> "$GITHUB_ENV" | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db | |
- name: Login to Docker Hub | |
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d | |
with: | |
username: "${{ secrets.DOCKERHUB_USER }}" | |
password: "${{ secrets.DOCKERHUB_SECRET }}" | |
- name: Build and push image to dockerhub staging registry | |
uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 | |
with: | |
context: . | |
platforms: ${{ env.PLATFORMS }} | |
tags: ${{ env.STAGING_IMAGE_REPOSITORY }}:latest , | |
${{ env.STAGING_IMAGE_REPOSITORY }}:${{ env.LATEST_VERSION }} , | |
${{ env.STAGING_IMAGE_REPOSITORY }}:${{ env.LATEST_VERSION }}-${{ env.DATE }} | |
file: Dockerfile | |
push: true | |
- name: Create Issue | |
if: ${{ failure() }} | |
uses: imjohnbo/issue-bot@572eed14422c4d6ca37e870f97e7da209422f5bd | |
with: | |
labels: failed-release | |
title: Release Failure for Atlas CLI Docker Image ${{ env.LATEST_VERSION }} | |
body: See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} | |
publish_images: | |
name: Sign and Publish docker image | |
needs: [ build_images ] | |
runs-on: ubuntu-latest | |
env: | |
IMAGE_REPOSITORY: mongodb/atlas | |
STAGING_IMAGE_REPOSITORY: mongodb/apix_test | |
PLATFORMS: linux/amd64,linux/arm64 | |
QUAY: quay.io | |
DOCKER_CLI_EXPERIMENTAL: enabled # used for enabling containerd image storage. See https://github.com/docker/setup-buildx-action/issues/257#issuecomment-1722284952 | |
steps: | |
- name: Set date | |
id: set-date | |
run: | | |
DATE=$(date +'%Y-%m-%d') | |
echo "DATE=${DATE}" >> "$GITHUB_ENV" | |
- name: 'Get latest tag' | |
id: get-latest-tag | |
uses: oprypin/find-latest-tag@dd2729fe78b0bb55523ae2b2a310c6773a652bd1 | |
with: | |
repository: mongodb/mongodb-atlas-cli | |
releases-only: true | |
regex: 'atlascli*' | |
- name: Extract version | |
run: | | |
release_tag=${{ steps.get-latest-tag.outputs.tag }} | |
echo "LATEST_VERSION=${release_tag#*/}" >> "$GITHUB_ENV" | |
- name: Enable containerd image store # See https://github.com/docker/setup-buildx-action/issues/257#issuecomment-1722284952 | |
uses: crazy-max/ghaction-setup-docker@78318f8be53384b971671f27d81f5e72526c102d | |
with: | |
version: v24.0.6 | |
daemon-config: | | |
{ | |
"features": { | |
"containerd-snapshotter": true | |
} | |
} | |
- name: Download cosign image | |
env: | |
ARTIFACTORY_PASSWORD: ${{ secrets.ARTIFACTORY_PASSWORD }} | |
ARTIFACTORY_USERNAME: ${{ secrets.ARTIFACTORY_USERNAME }} | |
run: | | |
echo "${ARTIFACTORY_PASSWORD}" | docker login --password-stdin --username "${ARTIFACTORY_USERNAME}" artifactory.corp.mongodb.com | |
docker pull artifactory.corp.mongodb.com/release-tools-container-registry-local/garasign-cosign | |
- name: Sign docker images with cosign | |
env: | |
PKCS11_URI: ${{ secrets.PKCS11_URI }} | |
GRS_USERNAME: ${{ secrets.GRS_USERNAME }} | |
GRS_PASSWORD: ${{ secrets.GRS_PASSWORD }} | |
DOCKERHUB_USER: ${{ secrets.DOCKERHUB_USER }} | |
DOCKERHUB_SECRET: ${{ secrets.DOCKERHUB_SECRET }} | |
SIGNATURE_REPO: ${{ secrets.SIGNATURE_REPO }} | |
IMAGE: ${{ env.STAGING_IMAGE_REPOSITORY }}:latest | |
run: | | |
docker pull "${IMAGE}" | |
# DIGESTS contains a list of three digests separated by a comma. | |
DIGESTS=$(docker buildx imagetools inspect "${IMAGE}" --format '{{- range .Manifest.Manifests}}{{- if eq .Platform.OS "linux" }}{{ .Digest }},{{- end }}{{- end }}{{- .Manifest.Digest }} | |
') | |
echo "These are the Docker image DIGESTS: ${DIGESTS}" | |
{ | |
echo "GRS_CONFIG_USER1_USERNAME=${GRS_USERNAME}" | |
echo "GRS_CONFIG_USER1_PASSWORD=${GRS_PASSWORD}" | |
echo "COSIGN_REPOSITORY=${SIGNATURE_REPO}" | |
} >> "signing-envfile" | |
echo "${DOCKERHUB_SECRET}" | docker login --password-stdin --username "${DOCKERHUB_USER}" | |
for DIGEST in $(echo "$DIGESTS" | tr ',' ' '); do | |
echo "Signing ${DIGEST}" | |
docker run \ | |
--env-file=signing-envfile \ | |
--rm \ | |
-v ~/.docker/config.json:/root/.docker/config.json \ | |
-v "$(pwd):$(pwd)" \ | |
-w "$(pwd)" \ | |
artifactory.corp.mongodb.com/release-tools-container-registry-local/garasign-cosign \ | |
cosign sign --key "${PKCS11_URI}" --sign-container-identity=index.docker.io/mongodb/atlas --tlog-upload=false "${IMAGE}@${DIGEST}" | |
done | |
- name: Push image to dockerhub public registry | |
run: | | |
docker buildx imagetools create \ | |
--tag ${{ env.IMAGE_REPOSITORY }}:latest \ | |
--tag ${{ env.IMAGE_REPOSITORY }}:${{ env.LATEST_VERSION }} \ | |
--tag ${{ env.IMAGE_REPOSITORY }}:${{ env.LATEST_VERSION }}-${{ env.DATE }} \ | |
${{ env.STAGING_IMAGE_REPOSITORY }}:latest | |
- name: Login to Quay | |
uses: docker/login-action@v3 | |
with: | |
registry: "${{ env.QUAY }}" | |
username: "${{ secrets.QUAY_USER }}" | |
password: "${{ secrets.QUAY_TOKEN }}" | |
- name: Push image to Quay public registry | |
run: | | |
docker buildx imagetools create \ | |
--tag ${{ env.QUAY }}/${{ env.IMAGE_REPOSITORY }}:latest \ | |
--tag ${{ env.QUAY }}/${{ env.IMAGE_REPOSITORY }}:${{ env.LATEST_VERSION }} \ | |
--tag ${{ env.QUAY }}/${{ env.IMAGE_REPOSITORY }}:${{ env.LATEST_VERSION }}-${{ env.DATE }} \ | |
${{ env.IMAGE_REPOSITORY }}:latest | |
- name: Create Issue | |
if: ${{ failure() }} | |
uses: imjohnbo/issue-bot@572eed14422c4d6ca37e870f97e7da209422f5bd | |
with: | |
labels: failed-release | |
title: Release Failure for Atlas CLI Docker Image ${{ env.LATEST_VERSION }} | |
body: See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} | |
verify_docker_image: | |
name: Verify Signature Docker Image | |
needs: [ publish_images ] | |
runs-on: ubuntu-latest | |
env: | |
IMAGE_REPOSITORY: mongodb/atlas | |
steps: | |
- name: Login to Docker Hub | |
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d | |
with: | |
username: "${{ secrets.DOCKERHUB_USER }}" | |
password: "${{ secrets.DOCKERHUB_SECRET }}" | |
- name: Install Cosign | |
uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 | |
with: | |
cosign-release: 'v2.2.3' | |
- name: Verify Signature Docker Image | |
env: | |
IMAGE: ${{ env.IMAGE_REPOSITORY }}:latest | |
COSIGN_REPOSITORY: docker.io/mongodb/signatures | |
run: | | |
# Download MongoDB Atlas CLI Public Key | |
curl https://cosign.mongodb.com/atlas-cli.pem > atlas-cli.pem | |
docker pull "${IMAGE}" | |
# Verify the signature | |
if ! cosign verify --private-infrastructure --key=./atlas-cli.pem "docker.io/${IMAGE}"; | |
then | |
echo "Error: Signature verification for ${IMAGE} failed." | |
exit 1 | |
fi | |
- name: Create Issue | |
if: ${{ failure() }} | |
uses: imjohnbo/issue-bot@572eed14422c4d6ca37e870f97e7da209422f5bd | |
with: | |
labels: failed-release | |
title: Signature Verification Failure for Atlas CLI Docker Image on Docker Hub | |
body: See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} | |
verify_quay_image: | |
name: Verify Signature Quay Image | |
needs: [ publish_images ] | |
runs-on: ubuntu-latest | |
env: | |
IMAGE_REPOSITORY: mongodb/atlas | |
QUAY: quay.io | |
steps: | |
- name: Login to Quay | |
uses: docker/login-action@v3 | |
with: | |
registry: "${{ env.QUAY }}" | |
username: "${{ secrets.QUAY_USER }}" | |
password: "${{ secrets.QUAY_TOKEN }}" | |
- name: Install Cosign | |
uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 | |
with: | |
cosign-release: 'v2.2.3' | |
- name: Verify Signature Quay Image | |
env: | |
IMAGE: ${{ env.QUAY }}/${{ env.IMAGE_REPOSITORY }}:latest | |
COSIGN_REPOSITORY: docker.io/mongodb/signatures | |
run: | | |
# Download MongoDB Atlas CLI Public Key | |
curl https://cosign.mongodb.com/atlas-cli.pem > atlas-cli.pem | |
docker pull "${IMAGE}" | |
# Verify the signature | |
if ! cosign verify --private-infrastructure --key=./atlas-cli.pem "${IMAGE}"; | |
then | |
echo "Error: Signature verification for ${IMAGE} failed." | |
exit 1 | |
fi | |
- name: Create Issue | |
if: ${{ failure() }} | |
uses: imjohnbo/issue-bot@572eed14422c4d6ca37e870f97e7da209422f5bd | |
with: | |
labels: failed-release | |
title: Signature Verification Failure for Atlas CLI Docker Image on Quay.io | |
body: See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} |