Build images (RedHat) #621
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build images (RedHat) | |
on: | |
release: | |
types: | |
- published | |
push: | |
branches: | |
- '[0-9]+.[0-9]+' | |
- 'trunk' | |
paths: | |
- 'Dockerfiles/*/rhel/*' | |
- 'build.json' | |
- '!**/README.md' | |
- '!**/README.html' | |
- '.github/workflows/images_build_rhel.yml' | |
workflow_dispatch: | |
inputs: | |
publish_images: | |
description: 'Publish images' | |
required: true | |
default: false | |
type: boolean | |
trunk_version: | |
description: 'Specify trunk major version' | |
type: string | |
defaults: | |
run: | |
shell: bash | |
permissions: | |
contents: read | |
env: | |
TRUNK_ONLY_EVENT: ${{ contains(fromJSON('["schedule"]'), github.event_name) }} | |
AUTO_PUSH_IMAGES: ${{ (! contains(fromJSON('["push"]'), github.event_name) && vars.AUTO_PUSH_IMAGES) || (contains(fromJSON('["workflow_dispatch"]'), github.event_name) && inputs.publish_images == 'true' ) }} | |
LATEST_BRANCH: ${{ github.event.repository.default_branch }} | |
TRUNK_GIT_BRANCH: "refs/heads/trunk" | |
IMAGES_PREFIX: "zabbix-" | |
BASE_BUILD_NAME: "build-base" | |
MATRIX_FILE: "build.json" | |
DOCKERFILES_DIRECTORY: "Dockerfiles" | |
OIDC_ISSUER: "https://token.actions.githubusercontent.com" | |
IDENITY_REGEX: "https://github.com/zabbix/zabbix-docker/.github/" | |
REGISTRY: "quay.io" | |
REGISTRY_NAMESPACE: "redhat-isv-containers" | |
PREFLIGHT_IMAGE: "quay.io/opdev/preflight:stable" | |
PFLT_LOGLEVEL: "warn" | |
PFLT_ARTIFACTS: "/tmp/artifacts" | |
IMAGE_DIR: "/tmp/images" | |
RHEL_BUILD: "true" | |
jobs: | |
init_build: | |
name: Initialize build | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
actions: write | |
outputs: | |
platforms: ${{ steps.platform_list.outputs.list }} | |
database: ${{ steps.database.outputs.list }} | |
components: ${{ steps.components.outputs.list }} | |
is_default_branch: ${{ steps.branch_info.outputs.is_default_branch }} | |
current_branch: ${{ steps.branch_info.outputs.current_branch }} | |
sha_short: ${{ steps.branch_info.outputs.sha_short }} | |
secret_prefix: ${{ steps.branch_info.outputs.secret_prefix }} | |
steps: | |
- name: Block egress traffic | |
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 | |
with: | |
disable-sudo: true | |
egress-policy: block | |
allowed-endpoints: > | |
api.github.com:443 | |
github.com:443 | |
objects.githubusercontent.com:443 | |
- name: Checkout repository | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
with: | |
fetch-depth: 1 | |
sparse-checkout: ${{ env.MATRIX_FILE }} | |
- name: Check ${{ env.MATRIX_FILE }} file | |
id: build_exists | |
env: | |
MATRIX_FILE: ${{ env.MATRIX_FILE }} | |
run: | | |
if [[ ! -f "$MATRIX_FILE" ]]; then | |
echo "::error::File $MATRIX_FILE is missing" | |
exit 1 | |
fi | |
- name: Prepare Platform list | |
id: platform_list | |
env: | |
MATRIX_FILE: ${{ env.MATRIX_FILE }} | |
run: | | |
platform_list=$(jq -r '.["os-linux"].rhel | @json' "$MATRIX_FILE") | |
echo "::group::Platform List" | |
echo "$platform_list" | |
echo "::endgroup::" | |
echo "list=$platform_list" >> $GITHUB_OUTPUT | |
- name: Prepare Database engine list | |
id: database | |
env: | |
MATRIX_FILE: ${{ env.MATRIX_FILE }} | |
run: | | |
database_list=$(jq -r '[.components | map_values(select(.rhel == true)) | values[].base ] | sort | unique | del(.. | select ( . == "" ) ) | @json' "$MATRIX_FILE") | |
echo "::group::Database List" | |
echo "$database_list" | |
echo "::endgroup::" | |
echo "list=$database_list" >> $GITHUB_OUTPUT | |
- name: Prepare Zabbix component list | |
id: components | |
env: | |
MATRIX_FILE: ${{ env.MATRIX_FILE }} | |
run: | | |
component_list=$(jq -r '.components | map_values(select(.rhel == true)) | keys | @json' "$MATRIX_FILE") | |
echo "::group::Zabbix Component List" | |
echo "$component_list" | |
echo "::endgroup::" | |
echo "list=$component_list" >> $GITHUB_OUTPUT | |
- name: Get branch info | |
id: branch_info | |
shell: bash | |
env: | |
LATEST_BRANCH: ${{ env.LATEST_BRANCH }} | |
github_ref: ${{ github.ref }} | |
TRUNK_MAJOR_VERSION: ${{ inputs.trunk_version }} | |
run: | | |
result=false | |
sha_short=$(git rev-parse --short HEAD) | |
if [[ "$github_ref" == "refs/tags/"* ]]; then | |
github_ref=${github_ref%.*} | |
fi | |
github_ref=${github_ref##*/} | |
if [[ "$github_ref" == "$LATEST_BRANCH" ]]; then | |
result=true | |
fi | |
echo "::group::Branch metadata" | |
echo "is_default_branch - $result" | |
echo "current_branch - $github_ref" | |
if [ "${github_ref//.}" == "trunk" ] && [ ! -z "$TRUNK_MAJOR_VERSION" ]; then | |
echo "secret_prefix=RHEL_${TRUNK_MAJOR_VERSION//.}" | |
else | |
echo "secret_prefix=RHEL_${github_ref//.}" | |
fi | |
echo "sha_short - $sha_short" | |
echo "::endgroup::" | |
echo "is_default_branch=$result" >> $GITHUB_OUTPUT | |
echo "current_branch=$github_ref" >> $GITHUB_OUTPUT | |
if [ "${github_ref//.}" == "trunk" ] && [ ! -z "$TRUNK_MAJOR_VERSION" ]; then | |
echo "secret_prefix=RHEL_${TRUNK_MAJOR_VERSION//.}" >> $GITHUB_OUTPUT | |
else | |
echo "secret_prefix=RHEL_${github_ref//.}" >> $GITHUB_OUTPUT | |
fi | |
echo "sha_short=$sha_short" >> $GITHUB_OUTPUT | |
- name: Cleanup existing cache | |
shell: bash | |
env: | |
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
REPO: ${{ github.repository }} | |
BRANCH: ${{ steps.branch_info.outputs.current_branch }} | |
GH_RUN_ID: ${{ github.run_id }} | |
run: | | |
gh extension install actions/gh-actions-cache | |
cache_keys=$(gh actions-cache list -R "${REPO}" -B "${BRANCH}" -L 100 --sort created-at --order desc | cut -f 1) | |
## Setting this to not fail the workflow while deleting cache keys | |
set +e | |
echo "Deleting caches..." | |
for cache_key in $cache_keys | |
do | |
if [[ "$cache_key" == *"${GH_RUN_ID}" ]]; then | |
gh actions-cache delete $cache_key -R "${REPO}" -B "${BRANCH}" --confirm | |
fi | |
done | |
build_base: | |
timeout-minutes: 30 | |
name: Build ${{ matrix.build }} base (${{ matrix.arch }}) | |
needs: ["init_build"] | |
strategy: | |
fail-fast: false | |
matrix: | |
build: [build-base] | |
arch: ${{ fromJson(needs.init_build.outputs.platforms) }} | |
runs-on: [self-hosted, linux, "${{ matrix.arch }}"] | |
permissions: | |
contents: read | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
with: | |
fetch-depth: 1 | |
- name: Install cosign | |
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} | |
uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 | |
with: | |
cosign-release: 'v2.4.0' | |
- name: Check cosign version | |
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} | |
run: cosign version | |
- name: Fix string case | |
id: lc | |
env: | |
ARCH: ${{ matrix.arch }} | |
run: | | |
echo "arch=${ARCH,,}" >> $GITHUB_OUTPUT | |
- name: Generate tags | |
id: meta | |
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 | |
with: | |
images: ${{ env.IMAGES_PREFIX }}${{ matrix.build }} | |
tags: | | |
type=sha,suffix=-${{ steps.lc.outputs.arch }} | |
- name: Build image | |
id: build_image | |
uses: redhat-actions/[email protected] | |
with: | |
context: ${{ format('{0}/{1}/rhel', env.DOCKERFILES_DIRECTORY, matrix.build) }} | |
layers: false | |
tags: ${{ steps.meta.outputs.tags }} | |
containerfiles: | | |
${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/rhel/Dockerfile | |
extra-args: | | |
--pull | |
--iidfile=${{ github.workspace }}/iidfile | |
- name: Image metadata | |
id: image_metadata | |
env: | |
IMAGE_TAG: ${{ steps.build_image.outputs.image-with-tag }} | |
CACHE_FILE_NAME: ${{ env.BASE_BUILD_NAME }}_${{ matrix.arch }} | |
GITHUB_WORKSPACE: ${{ github.workspace }} | |
run: | | |
TAG_ID=$(cat $GITHUB_WORKSPACE/iidfile) | |
echo "::group::Image tag" | |
echo "image_tag=$IMAGE_TAG" | |
echo "::endgroup::" | |
echo "::group::Image Tag ID" | |
echo "tag_id=$TAG_ID" | |
echo "::endgroup::" | |
echo "::group::Cache file name" | |
echo "$CACHE_FILE_NAME" | |
echo "::endgroup::" | |
echo "$TAG_ID" > "${CACHE_FILE_NAME}_tag_id" | |
echo "$IMAGE_TAG" > "${CACHE_FILE_NAME}_tag" | |
echo "image_tag_id=${TAG_ID}" >> $GITHUB_OUTPUT | |
echo "image_tag=${IMAGE_TAG}" >> $GITHUB_OUTPUT | |
- name: Cache image metadata | |
uses: actions/cache/save@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 | |
with: | |
path: | | |
${{ env.BASE_BUILD_NAME }}_${{ matrix.arch }}_tag_id | |
${{ env.BASE_BUILD_NAME }}_${{ matrix.arch }}_tag | |
key: ${{ env.BASE_BUILD_NAME }}-${{ matrix.arch }}-${{ github.run_id }} | |
- name: Push image to local storage | |
id: push_image | |
env: | |
IMAGE_TAG: ${{ steps.image_metadata.outputs.image_tag }} | |
IMAGE_TAG_ID: ${{ steps.image_metadata.outputs.image_tag_id }} | |
IMAGE_DIR: ${{ env.IMAGE_DIR }} | |
run: | | |
echo "::group::Result" | |
echo "Image ${IMAGE_TAG} location: \"${IMAGE_DIR}/${IMAGE_TAG_ID}\"" | |
podman push "${IMAGE_TAG}" dir:"${IMAGE_DIR}/${IMAGE_TAG_ID}" | |
echo "::endgroup::" | |
- name: Post build image | |
if: ${{ success() || failure() }} | |
env: | |
GITHUB_WORKSPACE: ${{ github.workspace }} | |
run: | | |
echo "::group::Result" | |
rm -rf "$GITHUB_WORKSPACE/iidfile" | |
echo "Removing working containers" | |
buildah rm -a 2>/dev/null || true | |
echo "Removing container data in storage not controlled by podman" | |
podman system prune --external 2>/dev/null | |
echo "Removing all unused container data with volumes" | |
podman system prune -a --volumes -f 2>/dev/null | |
echo "Reseting podman storage to default state" | |
podman system reset -f 2>/dev/null || true | |
echo "::endgroup::" | |
- name: Check on failures | |
if: ${{ (cancelled() || failure()) && ( steps.push_image.outcome == 'failure' || steps.push_image.outcome == 'cancelled') }} | |
env: | |
IMAGE_TAG_ID: ${{ steps.image_metadata.outputs.image_tag_id }} | |
IMAGE_DIR: ${{ env.IMAGE_DIR }} | |
run: | | |
echo "::group::Removing orphaned image" | |
rm -rf "${IMAGE_DIR}/${IMAGE_TAG_ID}" | |
echo "::endgroup::" | |
build_base_database: | |
timeout-minutes: 90 | |
needs: [ "build_base", "init_build"] | |
name: Build ${{ matrix.build }} base (${{ matrix.arch }}) | |
strategy: | |
fail-fast: false | |
matrix: | |
build: ${{ fromJson(needs.init_build.outputs.database) }} | |
arch: ${{ fromJson(needs.init_build.outputs.platforms) }} | |
runs-on: [self-hosted, linux, "${{ matrix.arch }}"] | |
permissions: | |
contents: read | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
with: | |
fetch-depth: 1 | |
- name: Fix string case | |
id: lc | |
env: | |
ARCH: ${{ matrix.arch }} | |
run: | | |
echo "arch=${ARCH,,}" >> $GITHUB_OUTPUT | |
- name: Download metadata of ${{ env.BASE_BUILD_NAME }}:${{ matrix.arch }} | |
uses: actions/cache/restore@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 | |
with: | |
path: | | |
${{ env.BASE_BUILD_NAME }}_${{ matrix.arch }}_tag_id | |
${{ env.BASE_BUILD_NAME }}_${{ matrix.arch }}_tag | |
key: ${{ env.BASE_BUILD_NAME }}-${{ matrix.arch }}-${{ github.run_id }} | |
- name: Pull ${{ env.BASE_BUILD_NAME }}:${{ matrix.arch }} image from local storage | |
id: base_build | |
env: | |
MATRIX_ARCH: ${{ matrix.arch }} | |
BASE_IMAGE: ${{ env.BASE_BUILD_NAME }} | |
IMAGES_PREFIX: ${{ env.IMAGES_PREFIX }} | |
run: | | |
BASE_TAG_ID=$(cat "${BASE_IMAGE}_${MATRIX_ARCH}_tag_id") | |
BASE_IMAGE_TAG=$(cat "${BASE_IMAGE}_${MATRIX_ARCH}_tag") | |
echo "::group::Pull image" | |
echo "podman pull dir:\"${IMAGE_DIR}/${BASE_TAG_ID}\"" | |
podman pull dir:"${IMAGE_DIR}/${BASE_TAG_ID}" | |
echo "::endgroup::" | |
echo "::group::Tag image" | |
echo "podman tag \"${BASE_TAG_ID}\" \"${BASE_IMAGE_TAG}\"" | |
podman tag "${BASE_TAG_ID}" "${BASE_IMAGE_TAG}" | |
echo "::endgroup::" | |
echo "::group::SHA256 tag" | |
DIGEST=$(podman inspect "${BASE_TAG_ID}" --format '{{ .Digest }}') | |
BASE_BUILD_IMAGE="${IMAGES_PREFIX}${BASE_IMAGE}@${DIGEST}" | |
echo "base_build_image=${BASE_BUILD_IMAGE}" | |
echo "::endgroup::" | |
echo "base_build_image=${BASE_BUILD_IMAGE}" >> $GITHUB_OUTPUT | |
- name: Generate tags | |
id: meta | |
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 | |
with: | |
images: ${{ env.IMAGES_PREFIX }}${{ matrix.build }} | |
tags: | | |
type=sha,suffix=-${{ steps.lc.outputs.arch }} | |
- name: Build image | |
id: build_image | |
uses: redhat-actions/[email protected] | |
with: | |
context: ${{ format('{0}/{1}/rhel', env.DOCKERFILES_DIRECTORY, matrix.build) }} | |
layers: false | |
tags: ${{ steps.meta.outputs.tags }} | |
containerfiles: | | |
${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/rhel/Dockerfile | |
build-args: BUILD_BASE_IMAGE=${{ steps.base_build.outputs.base_build_image }} | |
extra-args: | | |
--iidfile=${{ github.workspace }}/iidfile | |
--build-context sources=./sources/ | |
--build-context config_templates=./config_templates/ | |
- name: Prepare image metadata | |
id: image_metadata | |
env: | |
IMAGE_TAG: ${{ steps.build_image.outputs.image-with-tag }} | |
CACHE_FILE_NAME: ${{ matrix.build }}_${{ matrix.arch }} | |
GITHUB_WORKSPACE: ${{ github.workspace }} | |
run: | | |
TAG_ID=$(cat $GITHUB_WORKSPACE/iidfile) | |
echo "::group::Image tag" | |
echo "image_tag=$IMAGE_TAG" | |
echo "::endgroup::" | |
echo "::group::Image Tag ID" | |
echo "tag_id=$TAG_ID" | |
echo "::endgroup::" | |
echo "::group::Cache file name" | |
echo "$CACHE_FILE_NAME" | |
echo "::endgroup::" | |
echo "$TAG_ID" > "${CACHE_FILE_NAME}_tag_id" | |
echo "$IMAGE_TAG" > "${CACHE_FILE_NAME}_tag" | |
echo "image_tag_id=${TAG_ID}" >> $GITHUB_OUTPUT | |
echo "image_tag=${IMAGE_TAG}" >> $GITHUB_OUTPUT | |
- name: Cache image metadata | |
uses: actions/cache/save@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 | |
with: | |
path: | | |
${{ matrix.build }}_${{ matrix.arch }}_tag_id | |
${{ matrix.build }}_${{ matrix.arch }}_tag | |
key: ${{ matrix.build }}-${{ matrix.arch }}-${{ github.run_id }} | |
- name: Push image to local storage | |
id: push_image | |
env: | |
IMAGE_TAG: ${{ steps.image_metadata.outputs.image_tag }} | |
IMAGE_TAG_ID: ${{ steps.image_metadata.outputs.image_tag_id }} | |
IMAGE_DIR: ${{ env.IMAGE_DIR }} | |
run: | | |
echo "::group::Result" | |
echo "podman push \"${IMAGE_TAG}\" dir:\"${IMAGE_DIR}/${IMAGE_TAG_ID}\"" | |
podman push "${IMAGE_TAG}" dir:"${IMAGE_DIR}/${IMAGE_TAG_ID}" | |
echo "::endgroup::" | |
- name: Post build image | |
if: ${{ success() || failure() }} | |
env: | |
GITHUB_WORKSPACE: ${{ github.workspace }} | |
run: | | |
echo "::group::Result" | |
rm -rf "$GITHUB_WORKSPACE/iidfile" | |
echo "Removing working containers" | |
buildah rm -a 2>/dev/null || true | |
echo "Removing container data in storage not controlled by podman" | |
podman system prune --external 2>/dev/null | |
echo "Removing all unused container data with volumes" | |
podman system prune -a --volumes -f 2>/dev/null | |
echo "Reseting podman storage to default state" | |
podman system reset -f 2>/dev/null || true | |
echo "::endgroup::" | |
- name: Check on failures | |
if: ${{ (cancelled() || failure()) && ( steps.push_image.outcome == 'failure' || steps.push_image.outcome == 'cancelled') }} | |
env: | |
IMAGE_TAG_ID: ${{ steps.image_metadata.outputs.image_tag_id }} | |
IMAGE_DIR: ${{ env.IMAGE_DIR }} | |
run: | | |
echo "::group::Removing orphaned image" | |
rm -rf "${IMAGE_DIR}/${IMAGE_TAG_ID}" | |
echo "::endgroup::" | |
build_images: | |
timeout-minutes: 30 | |
needs: [ "build_base_database", "init_build"] | |
name: Build ${{ matrix.build }} image (${{ matrix.arch }}) | |
strategy: | |
fail-fast: false | |
matrix: | |
build: ${{ fromJson(needs.init_build.outputs.components) }} | |
arch: ${{ fromJson(needs.init_build.outputs.platforms) }} | |
runs-on: [self-hosted, linux, "${{ matrix.arch }}"] | |
permissions: | |
contents: read | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
with: | |
fetch-depth: 1 | |
- name: Variables formating | |
id: var_format | |
env: | |
MATRIX_BUILD: ${{ matrix.build }} | |
run: | | |
MATRIX_BUILD=${MATRIX_BUILD^^} | |
MATRIX_BUILD=${MATRIX_BUILD//-/_} | |
echo "::group::Result" | |
echo "matrix_build=${MATRIX_BUILD}" | |
echo "::endgroup::" | |
echo "matrix_build=${MATRIX_BUILD}" >> $GITHUB_OUTPUT | |
- name: Detect Build Base Image | |
id: build_base_image | |
if: ${{ matrix.build != 'snmptraps' }} | |
env: | |
MATRIX_BUILD: ${{ matrix.build }} | |
MATRIX_FILE: ${{ env.MATRIX_FILE }} | |
run: | | |
BUILD_BASE=$(jq -r ".components.\"$MATRIX_BUILD\".base" "$MATRIX_FILE") | |
echo "::group::Base Build Image" | |
echo "$BUILD_BASE" | |
echo "::endgroup::" | |
echo "build_base=${BUILD_BASE}" >> $GITHUB_OUTPUT | |
- name: Download metadata of ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.arch }} | |
if: ${{ matrix.build != 'snmptraps' }} | |
uses: actions/cache/restore@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 | |
with: | |
path: | | |
${{ steps.build_base_image.outputs.build_base }}_${{ matrix.arch }}_tag_id | |
${{ steps.build_base_image.outputs.build_base }}_${{ matrix.arch }}_tag | |
key: ${{ steps.build_base_image.outputs.build_base }}-${{ matrix.arch }}-${{ github.run_id }} | |
- name: Pull ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.arch }} image | |
id: base_build | |
if: ${{ matrix.build != 'snmptraps' }} | |
env: | |
MATRIX_ARCH: ${{ matrix.arch }} | |
BASE_IMAGE: ${{ steps.build_base_image.outputs.build_base }} | |
IMAGES_PREFIX: ${{ env.IMAGES_PREFIX }} | |
run: | | |
BASE_TAG_ID=$(cat "${BASE_IMAGE}_${MATRIX_ARCH}_tag_id") | |
BASE_IMAGE_TAG=$(cat "${BASE_IMAGE}_${MATRIX_ARCH}_tag") | |
echo "::group::Pull image" | |
echo "podman pull dir:\"${IMAGE_DIR}/${BASE_TAG_ID}\"" | |
podman pull dir:"${IMAGE_DIR}/${BASE_TAG_ID}" | |
echo "::endgroup::" | |
echo "::group::Tag image" | |
echo "podman tag \"${BASE_TAG_ID}\" \"${BASE_IMAGE_TAG}\"" | |
podman tag "${BASE_TAG_ID}" "${BASE_IMAGE_TAG}" | |
echo "::endgroup::" | |
echo "::group::SHA256 tag" | |
DIGEST=$(podman inspect "${BASE_TAG_ID}" --format '{{ .Digest }}') | |
BASE_BUILD_IMAGE="${IMAGES_PREFIX}${BASE_IMAGE}@${DIGEST}" | |
echo "digest=${BASE_BUILD_IMAGE}" | |
echo "::endgroup::" | |
echo "base_build_image=${BASE_BUILD_IMAGE}" >> $GITHUB_OUTPUT | |
- name: Remove smartmontools | |
if: ${{ matrix.build == 'agent2' }} | |
env: | |
DOCKERFILES_DIRECTORY: ${{ env.DOCKERFILES_DIRECTORY }} | |
run: | | |
sed -i '/smartmontools/d' "$DOCKERFILES_DIRECTORY/agent2/rhel/Dockerfile" | |
- name: Generate tags | |
id: meta | |
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 | |
with: | |
images: ${{ env.REGISTRY }}/${{ env.REGISTRY_NAMESPACE }}/${{ secrets[format('{0}_{1}_PROJECT', needs.init_build.outputs.secret_prefix, steps.var_format.outputs.matrix_build)] || matrix.build }} | |
tags: | | |
type=semver,pattern={{version}} | |
type=sha | |
flavor: | | |
latest=${{ github.event_name == 'release' }} | |
suffix=${{ matrix.arch == 'ARM64' && '-arm64' || '' }},onlatest=true | |
- name: Build image | |
id: build_image | |
uses: redhat-actions/[email protected] | |
with: | |
context: ${{ format('{0}/{1}/rhel', env.DOCKERFILES_DIRECTORY, matrix.build) }} | |
layers: false | |
tags: ${{ steps.meta.outputs.tags }} | |
labels: | | |
org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} | |
org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} | |
containerfiles: | | |
${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/rhel/Dockerfile | |
extra-args: | | |
--pull | |
--iidfile=${{ github.workspace }}/iidfile | |
build-args: BUILD_BASE_IMAGE=${{ steps.base_build.outputs.base_build_image }} | |
- name: Log in to ${{ env.REGISTRY }} | |
uses: redhat-actions/podman-login@9184318aae1ee5034fbfbacc0388acf12669171f # v1.6 | |
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} | |
with: | |
username: ${{ format('redhat-isv-containers+{0}-robot', secrets[format('{0}_{1}_PROJECT', needs.init_build.outputs.secret_prefix, steps.var_format.outputs.matrix_build)]) }} | |
password: ${{ secrets[format('{0}_{1}_SECRET', needs.init_build.outputs.secret_prefix, steps.var_format.outputs.matrix_build)] }} | |
registry: ${{ env.REGISTRY }} | |
auth_file_path: /tmp/.docker_${{ matrix.build }}_${{ matrix.arch }}_${{ needs.init_build.outputs.sha_short }} | |
- name: Push to RedHat certification procedure (1st) | |
id: push_to_registry | |
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} | |
uses: redhat-actions/push-to-registry@9986a6552bc4571882a4a67e016b17361412b4df # v2.7.1 | |
with: | |
tags: ${{ steps.meta.outputs.tags }} | |
- name: Preflight certification | |
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} | |
env: | |
PFLT_DOCKERCONFIG: /tmp/.docker_${{ matrix.build }}_${{ matrix.arch }}_${{ needs.init_build.outputs.sha_short }} | |
PFLT_CERTIFICATION_PROJECT_ID: ${{ secrets[format('{0}_{1}_PROJECT', needs.init_build.outputs.secret_prefix, steps.var_format.outputs.matrix_build)] }} | |
PFLT_PYXIS_API_TOKEN: ${{ secrets.REDHAT_API_TOKEN }} | |
PFLT_ARTIFACTS: ${{ env.PFLT_ARTIFACTS }} | |
PFLT_LOGLEVEL: ${{ env.PFLT_LOGLEVEL }} | |
IMAGE_TAG: ${{ steps.build_image.outputs.image-with-tag }} | |
PREFLIGHT_IMAGE: ${{ env.PREFLIGHT_IMAGE }} | |
run: | | |
mkdir -p $PFLT_ARTIFACTS | |
echo "::group::Pull preflight \"$PREFLIGHT_IMAGE\" image" | |
podman pull "$PREFLIGHT_IMAGE" | |
echo "::endgroup::" | |
echo "::group::Perform certification tests" | |
podman run \ | |
-it \ | |
--rm \ | |
--security-opt=label=disable \ | |
--env PFLT_LOGLEVEL=$PFLT_LOGLEVEL \ | |
--env PFLT_ARTIFACTS=/artifacts \ | |
--env PFLT_LOGFILE=/artifacts/preflight.log \ | |
--env PFLT_CERTIFICATION_PROJECT_ID=$PFLT_CERTIFICATION_PROJECT_ID \ | |
--env PFLT_PYXIS_API_TOKEN=$PFLT_PYXIS_API_TOKEN \ | |
--env PFLT_DOCKERCONFIG=/temp-authfile.json \ | |
-v $PFLT_ARTIFACTS:/artifacts \ | |
-v $PFLT_DOCKERCONFIG:/temp-authfile.json:ro \ | |
"$PREFLIGHT_IMAGE" check container $IMAGE_TAG --submit | |
podman rmi -i -f "$PREFLIGHT_IMAGE" | |
echo "::endgroup::" | |
- name: Push to RedHat certification procedure (all tags) | |
id: push_to_registry_all_tags | |
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} | |
uses: redhat-actions/push-to-registry@9986a6552bc4571882a4a67e016b17361412b4df # v2.7.1 | |
with: | |
tags: ${{ steps.meta.outputs.tags }} | |
- name: Post Preflight certification | |
if: ${{ env.AUTO_PUSH_IMAGES == 'true' && (success() || failure()) }} | |
env: | |
PREFLIGHT_IMAGE: ${{ env.PREFLIGHT_IMAGE }} | |
PFLT_ARTIFACTS: ${{ env.PFLT_ARTIFACTS }} | |
run: | | |
echo "::group::Result" | |
rm -rf "$PFLT_ARTIFACTS" | |
podman rmi -i -f "$PREFLIGHT_IMAGE" | |
echo "::endgroup::" | |
- name: Image digest | |
env: | |
GITHUB_WORKSPACE: ${{ github.workspace }} | |
run: | | |
TAG_ID=$(cat $GITHUB_WORKSPACE/iidfile) | |
echo "::group::Image digest" | |
echo "$TAG_ID" | |
echo "::endgroup::" | |
- name: Post build image | |
if: ${{ success() || failure() }} | |
env: | |
GITHUB_WORKSPACE: ${{ github.workspace }} | |
run: | | |
echo "::group::Result" | |
rm -rf "$GITHUB_WORKSPACE/iidfile" | |
echo "Removing working containers" | |
buildah rm -a 2>/dev/null || true | |
echo "Removing container data in storage not controlled by podman" | |
podman system prune --external 2>/dev/null | |
echo "Removing all unused container data with volumes" | |
podman system prune -a --volumes -f 2>/dev/null | |
echo "Reseting podman storage to default state" | |
podman system reset -f 2>/dev/null || true | |
echo "::endgroup::" | |
clear_artifacts: | |
timeout-minutes: 10 | |
needs: [ "build_images", "init_build"] | |
name: Clear ${{ matrix.build }} image cache (${{ matrix.arch }}) | |
strategy: | |
fail-fast: false | |
matrix: | |
build: ${{ fromJson(needs.init_build.outputs.database) }} | |
arch: ${{ fromJson(needs.init_build.outputs.platforms) }} | |
runs-on: [self-hosted, linux, "${{ matrix.arch }}"] | |
if: ${{ needs.build_base_database.result == 'success' }} | |
permissions: {} | |
steps: | |
- name: Download metadata of ${{ matrix.build }}:${{ matrix.arch }} | |
uses: actions/cache/restore@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 | |
with: | |
path: | | |
${{ matrix.build }}_${{ matrix.arch }}_tag_id | |
${{ matrix.build }}_${{ matrix.arch }}_tag | |
key: ${{ matrix.build }}-${{ matrix.arch }}-${{ github.run_id }} | |
- name: Remove ${{ matrix.build }}:${{ matrix.arch }} cache | |
env: | |
CACHE_FILE_NAME: ${{ matrix.build }}_${{ matrix.arch }} | |
IMAGE_DIR: ${{ env.IMAGE_DIR }} | |
run: | | |
echo "::group::Result" | |
BASE_TAG=$(cat "${CACHE_FILE_NAME}_tag_id") | |
echo "Removing ${IMAGE_DIR}/${BASE_TAG}" | |
rm -rf "${IMAGE_DIR}/${BASE_TAG}" | |
echo "::endgroup::" | |
- name: Download metadata of ${{ env.BASE_BUILD_NAME }}:${{ matrix.arch }} | |
uses: actions/cache/restore@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 | |
with: | |
path: | | |
${{ env.BASE_BUILD_NAME }}_${{ matrix.arch }}_tag_id | |
${{ env.BASE_BUILD_NAME }}_${{ matrix.arch }}_tag | |
key: ${{ env.BASE_BUILD_NAME }}-${{ matrix.arch }}-${{ github.run_id }} | |
- name: Remove ${{ env.BASE_BUILD_NAME }}:${{ matrix.arch }} cache | |
env: | |
CACHE_FILE_NAME: ${{ env.BASE_BUILD_NAME }}_${{ matrix.arch }} | |
IMAGE_DIR: ${{ env.IMAGE_DIR }} | |
run: | | |
echo "::group::Result" | |
BASE_TAG=$(cat "${CACHE_FILE_NAME}_tag_id") | |
echo "Removing ${IMAGE_DIR}/${BASE_TAG}" | |
rm -rf "${IMAGE_DIR}/${BASE_TAG}" | |
echo "::endgroup::" |