adjust token permissions #253
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build and push Image | |
| on: | |
| push: | |
| jobs: | |
| build: | |
| permissions: | |
| packages: write | |
| runs-on: ubuntu-latest | |
| outputs: | |
| image_digest: ${{ steps.build-push.outputs.digest }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Check Version Format in Tag | |
| if: startsWith(github.ref, 'refs/tags/v') | |
| uses: nowsprinting/[email protected] | |
| id: check-version | |
| with: | |
| prefix: "v" | |
| - name: Set tag | |
| id: set-tag | |
| run: | | |
| SHORT_SHA=$(git rev-parse --short HEAD) | |
| TAG1="dev" | |
| TAG2="commit-$SHORT_SHA" | |
| if [[ "${{ steps.check-version.outputs.is_valid }}" == 'true' ]]; then | |
| TAG1="latest" | |
| TAG2="${{ steps.check-version.outputs.full_without_prefix }}" | |
| fi | |
| echo "TAG1=$TAG1" >> $GITHUB_ENV | |
| echo "TAG2=$TAG2" >> $GITHUB_ENV | |
| - name: Docker meta | |
| id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: | | |
| mtr.devops.telekom.de/caas/py-kube-downscaler | |
| ghcr.io/caas-team/py-kube-downscaler | |
| tags: | | |
| ${{ env.TAG1 }} | |
| ${{ env.TAG2 }} | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@main | |
| with: | |
| cosign-release: "v2.2.0" | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Login to MTR | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: mtr.devops.telekom.de | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_PASSWORD }} | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Build and push | |
| uses: docker/build-push-action@v6 | |
| id: build-push | |
| with: | |
| context: . | |
| platforms: linux/amd64,linux/arm64 | |
| push: true | |
| tags: ${{ steps.meta.outputs.tags }} | |
| - name: Get untagged sha256 | |
| run: | | |
| # Get the raw JSON metadata | |
| image_metadata=$(docker buildx imagetools inspect ghcr.io/caas-team/py-kube-downscaler:${{ env.TAG2 }} --raw) | |
| # Initialize variables to store each manifest digest and architecture | |
| declare -A digests | |
| declare -A architectures | |
| attestation_manifests=() | |
| # Parse the manifests array and process each platform | |
| for index in $(echo "$image_metadata" | jq -r '.manifests | keys | .[]'); do | |
| platform_architecture=$(echo "$image_metadata" | jq -r ".manifests[$index].platform.architecture") | |
| platform_os=$(echo "$image_metadata" | jq -r ".manifests[$index].platform.os") | |
| platform_digest=$(echo "$image_metadata" | jq -r ".manifests[$index].digest") | |
| # If the architecture is not 'unknown', store the digest and architecture as a unique variable | |
| if [ "$platform_architecture" != "unknown" ]; then | |
| digests["$platform_architecture"]=$platform_digest | |
| architectures["$platform_architecture"]=$platform_architecture | |
| # Assign each architecture-specific variable for the digest | |
| echo "${platform_architecture}_digest=$platform_digest" >> $GITHUB_ENV | |
| echo "${platform_architecture}_architecture=$platform_architecture" >> $GITHUB_ENV | |
| else | |
| # For 'unknown' architecture, compare with reference digest | |
| reference_digest=$(echo "$image_metadata" | jq -r ".manifests[$index].annotations.\"vnd.docker.reference.digest\"") | |
| # Check if reference_digest matches any known architecture digests and assign a unique variable | |
| for arch in "${!digests[@]}"; do | |
| if [ "${digests[$arch]}" == "$reference_digest" ]; then | |
| # Create and assign the attestation manifest variable for the matching architecture | |
| attestation_manifest_var="attestation-manifest-$arch" | |
| echo "$attestation_manifest_var=$platform_digest" >> $GITHUB_ENV | |
| echo "Found matching attestation manifest for architecture $arch: $attestation_manifest_var with digest $platform_digest" | |
| break | |
| fi | |
| done | |
| fi | |
| done | |
| - name: Setup Crane | |
| uses: imjasonh/[email protected] | |
| - env: | |
| auth_token: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| echo "${auth_token}" | crane auth login ghcr.io --username ${{ github.repository_owner }} --password-stdin | |
| - name: Tag architecture-specific images | |
| run: | | |
| crane copy ghcr.io/caas-team/py-kube-downscaler@${{ env.amd64_digest }} ghcr.io/caas-team/py-kube-downscaler:${{ env.TAG2 }}-amd64 | |
| crane copy ghcr.io/caas-team/py-kube-downscaler@${{ env.arm64_digest }} ghcr.io/caas-team/py-kube-downscaler:${{ env.TAG2 }}-arm64 | |
| crane copy ghcr.io/caas-team/py-kube-downscaler@${{ env.attestation-manifest-amd64 }} ghcr.io/caas-team/py-kube-downscaler:${{ env.TAG2 }}-attestation-manifest-amd64 | |
| crane copy ghcr.io/caas-team/py-kube-downscaler@${{ env.attestation-manifest-arm64 }} ghcr.io/caas-team/py-kube-downscaler:${{ env.TAG2 }}-attestation-manifest-arm64 | |
| - name: Sign Push | |
| run: | | |
| cosign sign --key env://COSIGN_KEY --tlog-upload=false ghcr.io/caas-team/py-kube-downscaler@${{ steps.build-push.outputs.digest }} | |
| cosign sign --key env://COSIGN_KEY --tlog-upload=false mtr.devops.telekom.de/caas/py-kube-downscaler@${{ steps.build-push.outputs.digest }} | |
| env: | |
| COSIGN_KEY: ${{ secrets.COSIGN_KEY }} | |
| call-e2e: | |
| needs: build | |
| uses: ./.github/workflows/end2end.yml | |
| secrets: inherit |