-
Notifications
You must be signed in to change notification settings - Fork 73
241 lines (238 loc) · 10.3 KB
/
docker-release.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
# See RELEASING.md#DockerImage for more details about the steps in this workflow.
name: Daily Release AtlasCLI Docker Image
on:
schedule:
- cron: "0 1 * * *" # Every day at 1:00 AM
workflow_dispatch: # Run the action manually
jobs:
build_images:
name: Build and publish docker image to staging registry
runs-on: ubuntu-latest
env:
STAGING_IMAGE_REPOSITORY: mongodb/apix_test
PLATFORMS: linux/amd64,linux/arm64
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
with:
config: ${{ vars.PERMISSIONS_CONFIG }}
- name: Check out code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
- name: Set date
id: set-date
run: |
DATE=$(date +'%Y-%m-%d')
echo "DATE=${DATE}" >> "$GITHUB_ENV"
- name: 'Get latest tag'
id: get-latest-tag
uses: oprypin/find-latest-tag@dd2729fe78b0bb55523ae2b2a310c6773a652bd1
with:
repository: mongodb/mongodb-atlas-cli
releases-only: true
regex: 'atlascli*'
- name: Extract version
run: |
release_tag=${{ steps.get-latest-tag.outputs.tag }}
echo "LATEST_VERSION=${release_tag#*/}" >> "$GITHUB_ENV"
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@460e45646ded27e46146cedd75d922e7fd9ef69f
- name: Login to Docker Hub
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d
with:
username: "${{ secrets.DOCKERHUB_USER }}"
password: "${{ secrets.DOCKERHUB_SECRET }}"
- name: Build and push image to dockerhub staging registry
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75
with:
context: .
platforms: ${{ env.PLATFORMS }}
tags: ${{ env.STAGING_IMAGE_REPOSITORY }}:latest ,
${{ env.STAGING_IMAGE_REPOSITORY }}:${{ env.LATEST_VERSION }} ,
${{ env.STAGING_IMAGE_REPOSITORY }}:${{ env.LATEST_VERSION }}-${{ env.DATE }}
file: Dockerfile
push: true
- name: Create Issue
if: ${{ failure() }}
uses: imjohnbo/issue-bot@572eed14422c4d6ca37e870f97e7da209422f5bd
with:
labels: failed-release
title: Release Failure for Atlas CLI Docker Image ${{ env.LATEST_VERSION }}
body: See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
publish_images:
name: Sign and Publish docker image
needs: [ build_images ]
runs-on: ubuntu-latest
env:
IMAGE_REPOSITORY: mongodb/atlas
STAGING_IMAGE_REPOSITORY: mongodb/apix_test
PLATFORMS: linux/amd64,linux/arm64
QUAY: quay.io
DOCKER_CLI_EXPERIMENTAL: enabled # used for enabling containerd image storage. See https://github.com/docker/setup-buildx-action/issues/257#issuecomment-1722284952
steps:
- name: Set date
id: set-date
run: |
DATE=$(date +'%Y-%m-%d')
echo "DATE=${DATE}" >> "$GITHUB_ENV"
- name: 'Get latest tag'
id: get-latest-tag
uses: oprypin/find-latest-tag@dd2729fe78b0bb55523ae2b2a310c6773a652bd1
with:
repository: mongodb/mongodb-atlas-cli
releases-only: true
regex: 'atlascli*'
- name: Extract version
run: |
release_tag=${{ steps.get-latest-tag.outputs.tag }}
echo "LATEST_VERSION=${release_tag#*/}" >> "$GITHUB_ENV"
- name: Enable containerd image store # See https://github.com/docker/setup-buildx-action/issues/257#issuecomment-1722284952
uses: crazy-max/ghaction-setup-docker@26145a578dce008fee793528d031cd72c57d51af
with:
version: v24.0.6
daemon-config: |
{
"features": {
"containerd-snapshotter": true
}
}
- name: Download cosign image
env:
ARTIFACTORY_PASSWORD: ${{ secrets.ARTIFACTORY_PASSWORD }}
ARTIFACTORY_USERNAME: ${{ secrets.ARTIFACTORY_USERNAME }}
run: |
echo "${ARTIFACTORY_PASSWORD}" | docker login --password-stdin --username "${ARTIFACTORY_USERNAME}" artifactory.corp.mongodb.com
docker pull artifactory.corp.mongodb.com/release-tools-container-registry-local/garasign-cosign
- name: Sign docker images with cosign
env:
PKCS11_URI: ${{ secrets.PKCS11_URI }}
GRS_USERNAME: ${{ secrets.GRS_USERNAME }}
GRS_PASSWORD: ${{ secrets.GRS_PASSWORD }}
DOCKERHUB_USER: ${{ secrets.DOCKERHUB_USER }}
DOCKERHUB_SECRET: ${{ secrets.DOCKERHUB_SECRET }}
SIGNATURE_REPO: ${{ secrets.SIGNATURE_REPO }}
IMAGE: ${{ env.STAGING_IMAGE_REPOSITORY }}:latest
run: |
docker pull "${IMAGE}"
# DIGESTS contains a list of three digests separated by a comma.
DIGESTS=$(docker buildx imagetools inspect "${IMAGE}" --format '{{- range .Manifest.Manifests}}{{- if eq .Platform.OS "linux" }}{{ .Digest }},{{- end }}{{- end }}{{- .Manifest.Digest }}
')
echo "These are the Docker image DIGESTS: ${DIGESTS}"
{
echo "GRS_CONFIG_USER1_USERNAME=${GRS_USERNAME}"
echo "GRS_CONFIG_USER1_PASSWORD=${GRS_PASSWORD}"
echo "COSIGN_REPOSITORY=${SIGNATURE_REPO}"
} >> "signing-envfile"
echo "${DOCKERHUB_SECRET}" | docker login --password-stdin --username "${DOCKERHUB_USER}"
for DIGEST in $(echo "$DIGESTS" | tr ',' ' '); do
echo "Signing ${DIGEST}"
docker run \
--env-file=signing-envfile \
--rm \
-v ~/.docker/config.json:/root/.docker/config.json \
-v "$(pwd):$(pwd)" \
-w "$(pwd)" \
artifactory.corp.mongodb.com/release-tools-container-registry-local/garasign-cosign \
cosign sign --key "${PKCS11_URI}" --sign-container-identity=index.docker.io/mongodb/atlas --tlog-upload=false "${IMAGE}@${DIGEST}"
done
- name: Push image to dockerhub public registry
run: |
docker buildx imagetools create \
--tag ${{ env.IMAGE_REPOSITORY }}:latest \
--tag ${{ env.IMAGE_REPOSITORY }}:${{ env.LATEST_VERSION }} \
--tag ${{ env.IMAGE_REPOSITORY }}:${{ env.LATEST_VERSION }}-${{ env.DATE }} \
${{ env.STAGING_IMAGE_REPOSITORY }}:latest
- name: Login to Quay
uses: docker/login-action@v3
with:
registry: "${{ env.QUAY }}"
username: "${{ secrets.QUAY_USER }}"
password: "${{ secrets.QUAY_TOKEN }}"
- name: Push image to Quay public registry
run: |
docker buildx imagetools create \
--tag ${{ env.QUAY }}/${{ env.IMAGE_REPOSITORY }}:latest \
--tag ${{ env.QUAY }}/${{ env.IMAGE_REPOSITORY }}:${{ env.LATEST_VERSION }} \
--tag ${{ env.QUAY }}/${{ env.IMAGE_REPOSITORY }}:${{ env.LATEST_VERSION }}-${{ env.DATE }} \
${{ env.IMAGE_REPOSITORY }}:latest
- name: Create Issue
if: ${{ failure() }}
uses: imjohnbo/issue-bot@572eed14422c4d6ca37e870f97e7da209422f5bd
with:
labels: failed-release
title: Release Failure for Atlas CLI Docker Image ${{ env.LATEST_VERSION }}
body: See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
verify_docker_image:
name: Verify Signature Docker Image
needs: [ publish_images ]
runs-on: ubuntu-latest
env:
IMAGE_REPOSITORY: mongodb/atlas
steps:
- name: Login to Docker Hub
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d
with:
username: "${{ secrets.DOCKERHUB_USER }}"
password: "${{ secrets.DOCKERHUB_SECRET }}"
- name: Install Cosign
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da
with:
cosign-release: 'v2.2.3'
- name: Verify Signature Docker Image
env:
IMAGE: ${{ env.IMAGE_REPOSITORY }}:latest
COSIGN_REPOSITORY: docker.io/mongodb/signatures
run: |
# Download MongoDB Atlas CLI Public Key
curl https://cosign.mongodb.com/atlas-cli.pem > atlas-cli.pem
docker pull "${IMAGE}"
# Verify the signature
if ! cosign verify --private-infrastructure --key=./atlas-cli.pem "docker.io/${IMAGE}";
then
echo "Error: Signature verification for ${IMAGE} failed."
exit 1
fi
- name: Create Issue
if: ${{ failure() }}
uses: imjohnbo/issue-bot@572eed14422c4d6ca37e870f97e7da209422f5bd
with:
labels: failed-release
title: Signature Verification Failure for Atlas CLI Docker Image on Docker Hub
body: See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
verify_quay_image:
name: Verify Signature Quay Image
needs: [ publish_images ]
runs-on: ubuntu-latest
env:
IMAGE_REPOSITORY: mongodb/atlas
QUAY: quay.io
steps:
- name: Login to Quay
uses: docker/login-action@v3
with:
registry: "${{ env.QUAY }}"
username: "${{ secrets.QUAY_USER }}"
password: "${{ secrets.QUAY_TOKEN }}"
- name: Install Cosign
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da
with:
cosign-release: 'v2.2.3'
- name: Verify Signature Quay Image
env:
IMAGE: ${{ env.QUAY }}/${{ env.IMAGE_REPOSITORY }}:latest
COSIGN_REPOSITORY: docker.io/mongodb/signatures
run: |
# Download MongoDB Atlas CLI Public Key
curl https://cosign.mongodb.com/atlas-cli.pem > atlas-cli.pem
docker pull "${IMAGE}"
# Verify the signature
if ! cosign verify --private-infrastructure --key=./atlas-cli.pem "${IMAGE}";
then
echo "Error: Signature verification for ${IMAGE} failed."
exit 1
fi
- name: Create Issue
if: ${{ failure() }}
uses: imjohnbo/issue-bot@572eed14422c4d6ca37e870f97e7da209422f5bd
with:
labels: failed-release
title: Signature Verification Failure for Atlas CLI Docker Image on Quay.io
body: See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}