Skip to content

Daily Release AtlasCLI Docker Image #435

Daily Release AtlasCLI Docker Image

Daily Release AtlasCLI Docker Image #435

# See RELEASING.md#DockerImage for more details about the steps in this workflow.
name: Daily Release AtlasCLI Docker Image
on:
schedule:
- cron: "0 1 * * *" # Every day at 1:00 AM
workflow_dispatch: # Run the action manually
jobs:
build_images:
name: Build and publish docker image to staging registry
runs-on: ubuntu-latest
env:
STAGING_IMAGE_REPOSITORY: mongodb/apix_test
PLATFORMS: linux/amd64,linux/arm64
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
with:
config: ${{ vars.PERMISSIONS_CONFIG }}
- name: Check out code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
- name: Set date
id: set-date
run: |
DATE=$(date +'%Y-%m-%d')
echo "DATE=${DATE}" >> "$GITHUB_ENV"
- name: 'Get latest tag'
id: get-latest-tag
uses: oprypin/find-latest-tag@dd2729fe78b0bb55523ae2b2a310c6773a652bd1
with:
repository: mongodb/mongodb-atlas-cli
releases-only: true
regex: 'atlascli*'
- name: Extract version
run: |
release_tag=${{ steps.get-latest-tag.outputs.tag }}
echo "LATEST_VERSION=${release_tag#*/}" >> "$GITHUB_ENV"
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db
- name: Login to Docker Hub
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d
with:
username: "${{ secrets.DOCKERHUB_USER }}"
password: "${{ secrets.DOCKERHUB_SECRET }}"
- name: Build and push image to dockerhub staging registry
uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85
with:
context: .
platforms: ${{ env.PLATFORMS }}
tags: ${{ env.STAGING_IMAGE_REPOSITORY }}:latest ,
${{ env.STAGING_IMAGE_REPOSITORY }}:${{ env.LATEST_VERSION }} ,
${{ env.STAGING_IMAGE_REPOSITORY }}:${{ env.LATEST_VERSION }}-${{ env.DATE }}
file: Dockerfile
push: true
- name: Create Issue
if: ${{ failure() }}
uses: imjohnbo/issue-bot@572eed14422c4d6ca37e870f97e7da209422f5bd
with:
labels: failed-release
title: Release Failure for Atlas CLI Docker Image ${{ env.LATEST_VERSION }}
body: See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
publish_images:
name: Sign and Publish docker image
needs: [ build_images ]
runs-on: ubuntu-latest
env:
IMAGE_REPOSITORY: mongodb/atlas
STAGING_IMAGE_REPOSITORY: mongodb/apix_test
PLATFORMS: linux/amd64,linux/arm64
QUAY: quay.io
DOCKER_CLI_EXPERIMENTAL: enabled # used for enabling containerd image storage. See https://github.com/docker/setup-buildx-action/issues/257#issuecomment-1722284952
steps:
- name: Set date
id: set-date
run: |
DATE=$(date +'%Y-%m-%d')
echo "DATE=${DATE}" >> "$GITHUB_ENV"
- name: 'Get latest tag'
id: get-latest-tag
uses: oprypin/find-latest-tag@dd2729fe78b0bb55523ae2b2a310c6773a652bd1
with:
repository: mongodb/mongodb-atlas-cli
releases-only: true
regex: 'atlascli*'
- name: Extract version
run: |
release_tag=${{ steps.get-latest-tag.outputs.tag }}
echo "LATEST_VERSION=${release_tag#*/}" >> "$GITHUB_ENV"
- name: Enable containerd image store # See https://github.com/docker/setup-buildx-action/issues/257#issuecomment-1722284952
uses: crazy-max/ghaction-setup-docker@78318f8be53384b971671f27d81f5e72526c102d
with:
version: v24.0.6
daemon-config: |
{
"features": {
"containerd-snapshotter": true
}
}
- name: Download cosign image
env:
ARTIFACTORY_PASSWORD: ${{ secrets.ARTIFACTORY_PASSWORD }}
ARTIFACTORY_USERNAME: ${{ secrets.ARTIFACTORY_USERNAME }}
run: |
echo "${ARTIFACTORY_PASSWORD}" | docker login --password-stdin --username "${ARTIFACTORY_USERNAME}" artifactory.corp.mongodb.com
docker pull artifactory.corp.mongodb.com/release-tools-container-registry-local/garasign-cosign
- name: Sign docker images with cosign
env:
PKCS11_URI: ${{ secrets.PKCS11_URI }}
GRS_USERNAME: ${{ secrets.GRS_USERNAME }}
GRS_PASSWORD: ${{ secrets.GRS_PASSWORD }}
DOCKERHUB_USER: ${{ secrets.DOCKERHUB_USER }}
DOCKERHUB_SECRET: ${{ secrets.DOCKERHUB_SECRET }}
SIGNATURE_REPO: ${{ secrets.SIGNATURE_REPO }}
IMAGE: ${{ env.STAGING_IMAGE_REPOSITORY }}:latest
run: |
docker pull "${IMAGE}"
# DIGESTS contains a list of three digests separated by a comma.
DIGESTS=$(docker buildx imagetools inspect "${IMAGE}" --format '{{- range .Manifest.Manifests}}{{- if eq .Platform.OS "linux" }}{{ .Digest }},{{- end }}{{- end }}{{- .Manifest.Digest }}
')
echo "These are the Docker image DIGESTS: ${DIGESTS}"
{
echo "GRS_CONFIG_USER1_USERNAME=${GRS_USERNAME}"
echo "GRS_CONFIG_USER1_PASSWORD=${GRS_PASSWORD}"
echo "COSIGN_REPOSITORY=${SIGNATURE_REPO}"
} >> "signing-envfile"
echo "${DOCKERHUB_SECRET}" | docker login --password-stdin --username "${DOCKERHUB_USER}"
for DIGEST in $(echo "$DIGESTS" | tr ',' ' '); do
echo "Signing ${DIGEST}"
docker run \
--env-file=signing-envfile \
--rm \
-v ~/.docker/config.json:/root/.docker/config.json \
-v "$(pwd):$(pwd)" \
-w "$(pwd)" \
artifactory.corp.mongodb.com/release-tools-container-registry-local/garasign-cosign \
cosign sign --key "${PKCS11_URI}" --sign-container-identity=index.docker.io/mongodb/atlas --tlog-upload=false "${IMAGE}@${DIGEST}"
done
- name: Push image to dockerhub public registry
run: |
docker buildx imagetools create \
--tag ${{ env.IMAGE_REPOSITORY }}:latest \
--tag ${{ env.IMAGE_REPOSITORY }}:${{ env.LATEST_VERSION }} \
--tag ${{ env.IMAGE_REPOSITORY }}:${{ env.LATEST_VERSION }}-${{ env.DATE }} \
${{ env.STAGING_IMAGE_REPOSITORY }}:latest
- name: Login to Quay
uses: docker/login-action@v3
with:
registry: "${{ env.QUAY }}"
username: "${{ secrets.QUAY_USER }}"
password: "${{ secrets.QUAY_TOKEN }}"
- name: Push image to Quay public registry
run: |
docker buildx imagetools create \
--tag ${{ env.QUAY }}/${{ env.IMAGE_REPOSITORY }}:latest \
--tag ${{ env.QUAY }}/${{ env.IMAGE_REPOSITORY }}:${{ env.LATEST_VERSION }} \
--tag ${{ env.QUAY }}/${{ env.IMAGE_REPOSITORY }}:${{ env.LATEST_VERSION }}-${{ env.DATE }} \
${{ env.IMAGE_REPOSITORY }}:latest
- name: Create Issue
if: ${{ failure() }}
uses: imjohnbo/issue-bot@572eed14422c4d6ca37e870f97e7da209422f5bd
with:
labels: failed-release
title: Release Failure for Atlas CLI Docker Image ${{ env.LATEST_VERSION }}
body: See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
verify_docker_image:
name: Verify Signature Docker Image
needs: [ publish_images ]
runs-on: ubuntu-latest
env:
IMAGE_REPOSITORY: mongodb/atlas
steps:
- name: Login to Docker Hub
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d
with:
username: "${{ secrets.DOCKERHUB_USER }}"
password: "${{ secrets.DOCKERHUB_SECRET }}"
- name: Install Cosign
uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382
with:
cosign-release: 'v2.2.3'
- name: Verify Signature Docker Image
env:
IMAGE: ${{ env.IMAGE_REPOSITORY }}:latest
COSIGN_REPOSITORY: docker.io/mongodb/signatures
run: |
# Download MongoDB Atlas CLI Public Key
curl https://cosign.mongodb.com/atlas-cli.pem > atlas-cli.pem
docker pull "${IMAGE}"
# Verify the signature
if ! cosign verify --private-infrastructure --key=./atlas-cli.pem "docker.io/${IMAGE}";
then
echo "Error: Signature verification for ${IMAGE} failed."
exit 1
fi
- name: Create Issue
if: ${{ failure() }}
uses: imjohnbo/issue-bot@572eed14422c4d6ca37e870f97e7da209422f5bd
with:
labels: failed-release
title: Signature Verification Failure for Atlas CLI Docker Image on Docker Hub
body: See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
verify_quay_image:
name: Verify Signature Quay Image
needs: [ publish_images ]
runs-on: ubuntu-latest
env:
IMAGE_REPOSITORY: mongodb/atlas
QUAY: quay.io
steps:
- name: Login to Quay
uses: docker/login-action@v3
with:
registry: "${{ env.QUAY }}"
username: "${{ secrets.QUAY_USER }}"
password: "${{ secrets.QUAY_TOKEN }}"
- name: Install Cosign
uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382
with:
cosign-release: 'v2.2.3'
- name: Verify Signature Quay Image
env:
IMAGE: ${{ env.QUAY }}/${{ env.IMAGE_REPOSITORY }}:latest
COSIGN_REPOSITORY: docker.io/mongodb/signatures
run: |
# Download MongoDB Atlas CLI Public Key
curl https://cosign.mongodb.com/atlas-cli.pem > atlas-cli.pem
docker pull "${IMAGE}"
# Verify the signature
if ! cosign verify --private-infrastructure --key=./atlas-cli.pem "${IMAGE}";
then
echo "Error: Signature verification for ${IMAGE} failed."
exit 1
fi
- name: Create Issue
if: ${{ failure() }}
uses: imjohnbo/issue-bot@572eed14422c4d6ca37e870f97e7da209422f5bd
with:
labels: failed-release
title: Signature Verification Failure for Atlas CLI Docker Image on Quay.io
body: See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}