Reproducing and Fixing #2892 #1625
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build images | |
on: | |
pull_request: | |
branches: ['main'] | |
push: | |
branches: ['main'] | |
tags: ['v[0-9]+.[0-9]+.[0-9]+*'] | |
jobs: | |
build-images: | |
concurrency: | |
# If a previous run is ongoing with the same head_ref (it's a run on the | |
# same PR) then cancel it to save time. If it isn't a PR, only cancel the | |
# previous run if it's on the same commit SHA. This prevents a run for a | |
# commit push from cancelling a previous commit push's build, since we | |
# want an image built and tagged for each commit. | |
group: build-images-${{ matrix.image }}-${{ github.head_ref || github.sha }} | |
cancel-in-progress: true | |
permissions: | |
contents: read # Read the repo contents. | |
id-token: write # Produce identity token for keyless signing. | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
image: | |
- executor | |
- executor-debug | |
- executor-slim | |
- warmer | |
include: | |
- image: executor | |
target: kaniko-executor | |
platforms: linux/amd64,linux/arm64,linux/s390x,linux/ppc64le | |
image-name: gcr.io/kaniko-project/executor | |
tag: ${{ github.sha }} | |
release-tag: latest | |
- image: executor-debug | |
target: kaniko-debug | |
platforms: linux/amd64,linux/arm64,linux/s390x | |
image-name: gcr.io/kaniko-project/executor | |
tag: ${{ github.sha }}-debug | |
release-tag: debug | |
- image: executor-slim | |
target: kaniko-slim | |
platforms: linux/amd64,linux/arm64,linux/s390x,linux/ppc64le | |
image-name: gcr.io/kaniko-project/executor | |
tag: ${{ github.sha }}-slim | |
release-tag: slim | |
- image: warmer | |
target: kaniko-warmer | |
platforms: linux/amd64,linux/arm64,linux/s390x,linux/ppc64le | |
image-name: gcr.io/kaniko-project/warmer | |
tag: ${{ github.sha }} | |
release-tag: latest | |
steps: | |
- uses: actions/checkout@b0e28b5ac45a892f91e7d036f8200cf5ed489415 # v3 | |
# Setup auth if not a PR. | |
- if: github.event_name != 'pull_request' | |
uses: google-github-actions/auth@67e9c72af6e0492df856527b474995862b7b6591 # v2.0.0 | |
with: | |
credentials_json: '${{ secrets.GCR_DEVOPS_SERVICE_ACCOUNT_KEY }}' | |
export_environment_variables: true | |
create_credentials_file: true | |
- if: github.event_name != 'pull_request' | |
uses: google-github-actions/setup-gcloud@e30db14379863a8c79331b04a9969f4c1e225e0b # v1.1.1 | |
- if: github.event_name != 'pull_request' | |
run: gcloud auth configure-docker | |
# Don't build for all platforms on PRs. | |
- id: platforms | |
run: | | |
event="${{ github.event_name }}" | |
if [[ "$event" == "pull_request" ]]; then | |
echo "platforms=linux/amd64" >> $GITHUB_OUTPUT | |
else | |
platforms="${{ matrix.platforms }}" | |
echo "platforms=${platforms}" >> $GITHUB_OUTPUT | |
fi | |
# Build and push with Docker. | |
- uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 | |
with: | |
platforms: ${{ matrix.platforms }} | |
- uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v1 | |
- uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 | |
id: build-and-push | |
with: | |
context: . | |
file: ./deploy/Dockerfile | |
platforms: ${{ steps.platforms.outputs.platforms }} | |
push: ${{ github.event_name != 'pull_request' }} # Only push if not a PR. | |
tags: ${{ matrix.image-name }}:${{ matrix.tag }} | |
no-cache-filters: certs | |
# https://github.com/docker/build-push-action/blob/master/docs/advanced/cache.md#github-cache | |
cache-from: type=gha | |
cache-to: type=gha,mode=max | |
target: ${{ matrix.target }} | |
# Sign images if not a PR. | |
- if: github.event_name != 'pull_request' | |
uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0 | |
- if: github.event_name != 'pull_request' | |
run: | | |
cosign sign --yes \ | |
--key gcpkms://projects/kaniko-project/locations/global/keyRings/cosign/cryptoKeys/cosign \ | |
${{ matrix.image-name }}@${{ steps.build-and-push.outputs.digest }} | |
cosign sign --yes \ | |
${{ matrix.image-name }}@${{ steps.build-and-push.outputs.digest }} | |
# If a tag push, use crane to add more tags. | |
- if: startsWith(github.ref, 'refs/tags/v') | |
uses: imjasonh/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c # v0.3 | |
- if: startsWith(github.ref, 'refs/tags/v') | |
name: Apply release tags | |
run: | | |
tag=${GITHUB_REF/refs\/tags\//} | |
# Tag :latest, :debug, :slim | |
crane cp ${{ matrix.image-name }}@${{ steps.build-and-push.outputs.digest }} \ | |
${{ matrix.image-name }}:${{ matrix.release-tag }} | |
if [[ "${{ matrix.release-tag }}" == "latest" ]]; then | |
# Tag :latest images as :v1.X.Y | |
crane cp ${{ matrix.image-name }}@${{ steps.build-and-push.outputs.digest }} \ | |
${{ matrix.image-name }}:${tag} | |
else | |
# Or tag :v1.X.Y-debug and :v1.X.Y-slim | |
crane cp ${{ matrix.image-name }}@${{ steps.build-and-push.outputs.digest }} \ | |
${{ matrix.image-name }}:${tag}-${{ matrix.release-tag }} | |
fi |