Skip to content

Make GitHub action use build time env vars on image publishing (#46159) #2

Make GitHub action use build time env vars on image publishing (#46159)

Make GitHub action use build time env vars on image publishing (#46159) #2

Workflow file for this run

name: build-docker-images
on:
push:
branches:
- "master"
- "release/v*"
tags:
- "v*"
env:
COMMIT: ${{ github.sha }}
REPOSITORY_OWNER: ${{ github.repository_owner }}
IMAGE: ${{ github.repository_owner }}/rancher
IMAGE_AGENT: ${{ github.repository_owner }}/rancher-agent
IMAGE_INSTALLER: ${{ github.repository_owner }}/system-agent-installer-rancher
CATTLE_KDM_BRANCH: dev-v2.9
HELM_VERSION_V3: v3.13.3
jobs:
unit-tests:
uses: ./.github/workflows/unit-test.yml
build-chart:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Environment Variables
uses: ./.github/actions/setup-tag-env
- name: Install dependencies
env:
HELM_URL_V3: https://get.helm.sh/helm-${{ env.HELM_VERSION_V3 }}-linux-amd64.tar.gz
HELM_UNITTEST_VERSION: 0.3.2
run: |
sudo snap install yq
curl ${{ env.HELM_URL_V3 }} | tar xvzf - --strip-components=1 -C /tmp/ && \
sudo mv /tmp/helm /usr/bin/helm_v3 && \
sudo chmod +x /usr/bin/helm_v3
helm_v3 plugin install https://github.com/helm-unittest/helm-unittest.git --version ${{ env.HELM_UNITTEST_VERSION }}; \
- name: Build
run: ./scripts/chart/build chart
- name: Validate
run: ./scripts/chart/validate
- name: Test
run: ./scripts/chart/test
- name: Package
run: ./scripts/chart/package
- name: Upload chart
uses: actions/upload-artifact@v4
with:
name: chart
path: ./bin/chart/*
if-no-files-found: error
retention-days: 1
overwrite: true
publish-chart:
runs-on: ubuntu-latest
if: github.event_name == 'push' && contains(github.ref, 'tags/') # Only run on push
permissions:
contents: read
id-token: write
steps:
- name: Install gcloud CLI
run: |
sudo snap install google-cloud-cli --classic
- name: Download chart
uses: actions/download-artifact@v4
with:
name: chart
path: /tmp/charts/
- name: Load Secrets from Vault
uses: rancher-eio/read-vault-secrets@main
with:
secrets: |
secret/data/github/repo/${{ github.repository }}/google-auth/rancher/credentials token | GOOGLE_AUTH ;
- name: Upload chart to bucket
run: |
CLOUDSDK_AUTH_ACCESS_TOKEN=${{ env.GOOGLE_AUTH }} gcloud storage cp /tmp/charts gs://releases.rancher.com/server-charts --recursive --acl allUsers:READER --cache-control "public,no-cache,proxy-revalidate"
build-server:
runs-on: ubuntu-latest
needs: [unit-tests]
strategy:
matrix:
os: [linux]
arch: [amd64, arm64]
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Clean runner
run: |
sudo rm -rf /usr/share/dotnet
sudo rm -rf /opt/ghc
sudo rm -rf "/usr/local/share/boost"
sudo rm -rf "$AGENT_TOOLSDIRECTORY"
- name: Setup Environment Variables
uses: ./.github/actions/setup-tag-env
- name: Set up build-time environment variables
run: |
echo "ARCH=${{ matrix.arch }}" >> "$GITHUB_ENV"
echo "RKE_VERSION=$(grep -m1 'github.com/rancher/rke' go.mod | awk '{print $4}')" >> "$GITHUB_ENV"
source scripts/export-config
echo "CATTLE_RANCHER_WEBHOOK_VERSION=$CATTLE_RANCHER_WEBHOOK_VERSION" >> "$GITHUB_ENV"
echo "CATTLE_CSP_ADAPTER_MIN_VERSION=$CATTLE_CSP_ADAPTER_MIN_VERSION" >> "$GITHUB_ENV"
echo "CATTLE_FLEET_VERSION=$CATTLE_FLEET_VERSION" >> "$GITHUB_ENV"
- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.IMAGE }}
flavor: |
latest=false
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Create k3s images file
run: touch k3s-airgap-images.tar
- name: Download data.json
run: curl -sLf https://releases.rancher.com/kontainer-driver-metadata/${{ env.CATTLE_KDM_BRANCH }}/data.json > ./data.json
- name: Build and export server
id: build
uses: docker/build-push-action@v5
with:
push: false
build-args: |
"VERSION=${{ env.TAG }}"
"COMMIT=${{ env.COMMIT }}"
"RKE_VERSION=${{ env.RKE_VERSION }}"
"ARCH=${{ matrix.arch }}"
"CATTLE_RANCHER_WEBHOOK_VERSION=${{ env.CATTLE_RANCHER_WEBHOOK_VERSION }}"
"CATTLE_CSP_ADAPTER_MIN_VERSION=${{ env.CATTLE_CSP_ADAPTER_MIN_VERSION }}"
"CATTLE_FLEET_VERSION=${{ env.CATTLE_FLEET_VERSION }}"
tags: ${{ env.IMAGE }}:${{ env.TAG }}-${{ matrix.arch }}
context: .
platforms: "${{ matrix.os }}/${{ matrix.arch }}"
file: ./package/Dockerfile
labels: "${{ steps.meta.outputs.labels }}"
outputs: type=docker,dest=/tmp/rancher-${{ matrix.os }}-${{ matrix.arch }}.tar
- name: Upload image
uses: actions/upload-artifact@v4
with:
name: "rancher-${{ matrix.os }}-${{ matrix.arch }}"
path: /tmp/rancher-${{ matrix.os }}-${{ matrix.arch }}.tar
if-no-files-found: error
retention-days: 1
overwrite: false
build-agent:
needs: [build-server]
runs-on: ubuntu-latest
strategy:
matrix:
os: [linux]
arch: [amd64, arm64]
services:
registry:
image: registry:2
ports:
- 5000:5000
env:
REGISTRY: "127.0.0.1:5000"
steps:
- name: Clean runner
run: |
sudo rm -rf /usr/share/dotnet
sudo rm -rf /opt/ghc
sudo rm -rf "/usr/local/share/boost"
sudo rm -rf "$AGENT_TOOLSDIRECTORY"
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Environment Variables
run: |
echo "ARCH=${{ matrix.arch }}" >> "$GITHUB_ENV"
source scripts/export-config
echo "CATTLE_RANCHER_WEBHOOK_VERSION=$CATTLE_RANCHER_WEBHOOK_VERSION" >> "$GITHUB_ENV"
- name: Setup TAG Variables
uses: ./.github/actions/setup-tag-env
- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.IMAGE }}
flavor: |
latest=false
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
driver-opts: network=host
- name: Download rancher image
uses: actions/download-artifact@v4
with:
name: "rancher-${{ matrix.os }}-${{ matrix.arch }}"
path: /tmp
- name: Load image
run: |
image_id=$(docker load --input /tmp/rancher-${{ matrix.os }}-${{ matrix.arch }}.tar 2>&1 | grep "Loaded image" | awk '{print $NF}')
if [ -z "$image_id" ]; then
echo "Error: Failed to load image from tarball!"
exit 1
fi
docker tag "$image_id" ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ env.TAG }}
docker push ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ env.TAG }}
- name: Build agent
id: build
uses: docker/build-push-action@v5
with:
push: false
build-args: |
"VERSION=${{ env.TAG }}"
"ARCH=${{ matrix.arch }}"
"RANCHER_TAG=${{ env.TAG }}"
"RANCHER_REPO=${{ env.REPOSITORY_OWNER }}"
"REGISTRY=${{ env.REGISTRY }}"
"CATTLE_RANCHER_WEBHOOK_VERSION=${{ env.CATTLE_RANCHER_WEBHOOK_VERSION }}"
tags: ${{ env.IMAGE_AGENT }}:${{ env.TAG }}-${{ matrix.arch }}
context: .
platforms: "${{ matrix.os }}/${{ matrix.arch }}"
file: ./package/Dockerfile.agent
labels: "${{ steps.meta.outputs.labels }}"
outputs: type=docker,dest=/tmp/rancher-agent-${{ matrix.os }}-${{ matrix.arch }}.tar
- name: Upload image
uses: actions/upload-artifact@v4
with:
name: "rancher-agent-${{ matrix.os }}-${{ matrix.arch }}"
path: /tmp/rancher-agent-${{ matrix.os }}-${{ matrix.arch }}.tar
if-no-files-found: error
retention-days: 1
overwrite: false
integration-tests:
needs: [build-agent]
uses: ./.github/workflows/integration-tests.yml
with:
parent_run_id: ${{ github.run_id }}
build-agent-windows:
needs: [integration-tests]
strategy:
matrix:
os: [windows]
version: [2019, 2022]
runs-on: ${{ matrix.os }}-${{ matrix.version }}
permissions:
contents: read
id-token: write
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Environment Variables
uses: ./.github/actions/setup-tag-env
- name: Load Secrets from Vault
uses: rancher-eio/read-vault-secrets@main
with:
secrets: |
secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | DOCKER_USERNAME ;
secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | DOCKER_PASSWORD
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ env.DOCKER_USERNAME }}
password: ${{ env.DOCKER_PASSWORD }}
- name: Build Windows Server Image
run: |
docker build -t ${{ env.IMAGE_AGENT }}:${{ env.TAG }}-windows-${{ matrix.version }} --build-arg VERSION=${{ env.TAG }} --build-arg SERVERCORE_VERSION=ltsc${{ matrix.version }} -f package/windows/Dockerfile.agent .
docker push ${{ env.IMAGE_AGENT }}:${{ env.TAG }}-windows-${{ matrix.version }}
shell: bash
push-images:
runs-on: ubuntu-latest
needs: [integration-tests]
permissions:
contents: read
id-token: write
strategy:
matrix:
os: [linux]
arch: [amd64, arm64]
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Download rancher image
uses: actions/download-artifact@v4
with:
pattern: "*-${{ matrix.os }}-${{ matrix.arch }}"
path: /tmp
merge-multiple: true
- name: Setup Environment Variables
uses: ./.github/actions/setup-tag-env
- name: Load Secrets from Vault
uses: rancher-eio/read-vault-secrets@main
with:
secrets: |
secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | DOCKER_USERNAME ;
secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | DOCKER_PASSWORD
- name: Docker Registry Login
uses: docker/login-action@v3
with:
username: ${{ env.DOCKER_USERNAME }}
password: ${{ env.DOCKER_PASSWORD }}
- name: Push server image
run: |
image_id=$(docker load --input /tmp/rancher-${{ matrix.os }}-${{ matrix.arch }}.tar 2>&1 | grep "Loaded image" | awk '{print $NF}')
if [ -z "$image_id" ]; then
echo "Error: Failed to load image from tarball!"
exit 1
fi
docker tag "$image_id" docker.io/${{ env.IMAGE }}:${{ env.TAG }}-${{ matrix.arch }}
docker push docker.io/${{ env.IMAGE }}:${{ env.TAG }}-${{ matrix.arch }}
- name: Push agent image
run: |
image_agent_id=$(docker load --input /tmp/rancher-agent-${{ matrix.os }}-${{ matrix.arch }}.tar 2>&1 | grep "Loaded image" | awk '{print $NF}')
if [ -z "$image_agent_id" ]; then
echo "Error: Failed to load image from tarball!"
exit 1
fi
docker tag "$image_agent_id" docker.io/${{ env.IMAGE_AGENT }}:${{ env.TAG }}-${{ matrix.arch }}
docker push docker.io/${{ env.IMAGE_AGENT }}:${{ env.TAG }}-${{ matrix.arch }}
merge-server-manifest:
runs-on: ubuntu-latest
needs: [push-images]
permissions:
contents: read
id-token: write
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Environment Variables
uses: ./.github/actions/setup-tag-env
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Load Secrets from Vault
uses: rancher-eio/read-vault-secrets@main
with:
secrets: |
secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | DOCKER_USERNAME ;
secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | DOCKER_PASSWORD
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ env.DOCKER_USERNAME }}
password: ${{ env.DOCKER_PASSWORD }}
- name: Create manifest list and push
run: |
docker buildx imagetools create -t ${{ env.IMAGE }}:${{ env.TAG }} ${{ env.IMAGE }}:${{ env.TAG }}-amd64 ${{ env.IMAGE }}:${{ env.TAG }}-arm64
- name: Create head manifest list and push
run: |
if [[ "${{ github.ref_name }}" == release/v* ]]; then
docker buildx imagetools create -t ${{ env.IMAGE }}:${{ env.HEAD_TAG }} ${{ env.IMAGE }}:${{ env.TAG }}-amd64 ${{ env.IMAGE }}:${{ env.TAG }}-arm64
fi
- name: Inspect image
run: |
docker buildx imagetools inspect ${{ env.IMAGE }}:${{ env.TAG }}
merge-agent-manifest:
runs-on: ubuntu-latest
needs: [push-images, build-agent-windows]
permissions:
contents: read
id-token: write
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Environment Variables
uses: ./.github/actions/setup-tag-env
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Load Secrets from Vault
uses: rancher-eio/read-vault-secrets@main
with:
secrets: |
secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | DOCKER_USERNAME ;
secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | DOCKER_PASSWORD
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ env.DOCKER_USERNAME }}
password: ${{ env.DOCKER_PASSWORD }}
- name: Create manifest list and push
run: |
docker buildx imagetools create -t ${{ env.IMAGE_AGENT }}:${{ env.TAG }} \
${{ env.IMAGE_AGENT }}:${{ env.TAG }}-amd64 \
${{ env.IMAGE_AGENT }}:${{ env.TAG }}-arm64 \
${{ env.IMAGE_AGENT }}:${{ env.TAG }}-windows-2019 \
${{ env.IMAGE_AGENT }}:${{ env.TAG }}-windows-2022
if [[ "${{ github.ref_name }}" == release/v* ]]; then
docker buildx imagetools create -t ${{ env.IMAGE_AGENT }}:${{ env.HEAD_TAG }} \
${{ env.IMAGE_AGENT }}:${{ env.TAG }}-amd64 \
${{ env.IMAGE_AGENT }}:${{ env.TAG }}-arm64 \
${{ env.IMAGE_AGENT }}:${{ env.TAG }}-windows-2019 \
${{ env.IMAGE_AGENT }}:${{ env.TAG }}-windows-2022
fi
- name: Inspect image
run: |
docker buildx imagetools inspect ${{ env.IMAGE_AGENT }}:${{ env.TAG }}
build-installer:
needs:
- merge-server-manifest
- build-chart
runs-on: ubuntu-latest
strategy:
matrix:
os: [linux]
arch: [amd64, arm64]
permissions:
contents: read
id-token: write
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Environment Variables
uses: ./.github/actions/setup-tag-env
- name: Setup New Environment Variables
run: |
echo "ARCH=${{ matrix.arch }}" >> "$GITHUB_ENV"
- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.IMAGE }}
flavor: |
latest=false
- name: Load Secrets from Vault
uses: rancher-eio/read-vault-secrets@main
with:
secrets: |
secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | DOCKER_USERNAME ;
secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | DOCKER_PASSWORD
- name: Docker Registry Login
uses: docker/login-action@v3
with:
username: ${{ env.DOCKER_USERNAME }}
password: ${{ env.DOCKER_PASSWORD }}
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Download chart
uses: actions/download-artifact@v4
with:
name: chart
path: ./chart
- name: Build and export agent
id: build
uses: docker/build-push-action@v5
with:
push: true
build-args: |
"VERSION=${{ env.TAG }}"
"ARCH=${{ matrix.arch }}"
"RANCHER_TAG=${{ env.TAG }}"
"RANCHER_REPO=${{ env.REPOSITORY_OWNER }}"
tags: ${{ env.IMAGE_INSTALLER }}:${{ env.TAG }}-${{ matrix.arch }}
context: .
platforms: "${{ matrix.os }}/${{ matrix.arch }}"
file: ./package/Dockerfile.installer
labels: "${{ steps.meta.outputs.labels }}"
merge-installer-manifest:
runs-on: ubuntu-latest
needs: [build-installer]
permissions:
contents: read
id-token: write
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Environment Variables
uses: ./.github/actions/setup-tag-env
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.IMAGE_INSTALLER }}
flavor: |
latest=false
- name: Load Secrets from Vault
uses: rancher-eio/read-vault-secrets@main
with:
secrets: |
secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | DOCKER_USERNAME ;
secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | DOCKER_PASSWORD
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ env.DOCKER_USERNAME }}
password: ${{ env.DOCKER_PASSWORD }}
- name: Create manifest list and push
run: |
docker buildx imagetools create -t ${{ env.IMAGE_INSTALLER }}:${{ env.TAG }} ${{ env.IMAGE_INSTALLER }}:${{ env.TAG }}-amd64 ${{ env.IMAGE_INSTALLER }}:${{ env.TAG }}-arm64
if [[ "${{ github.ref_name }}" == release/v* ]]; then
docker buildx imagetools create -t ${{ env.IMAGE_INSTALLER }}:${{ env.HEAD_TAG }} ${{ env.IMAGE_INSTALLER }}:${{ env.TAG }}-amd64 ${{ env.IMAGE_INSTALLER }}:${{ env.TAG }}-arm64
fi
- name: Inspect image
run: |
docker buildx imagetools inspect ${{ env.IMAGE_INSTALLER }}:${{ env.TAG }}
create-images-files:
if: github.event_name == 'push' && contains(github.ref, 'tags/') # Only run on push
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Environment Variables
uses: ./.github/actions/setup-tag-env
- name: Download data.json
run: |
mkdir -p bin
curl -sLf https://releases.rancher.com/kontainer-driver-metadata/${{ env.CATTLE_KDM_BRANCH }}/data.json > ./bin/data.json
- name: Create files
run: |
mkdir -p $HOME/bin
touch $HOME/bin/rancher-rke-k8s-versions.txt
- name: Create components and images files
run: sudo -E ./scripts/create-components-images-files.sh
- name: Move files
run: |
mv $HOME/bin/* ./dist
mv ./bin/*.txt ./dist
mv ./bin/*.sh ./dist
mv ./bin/*.ps1 ./dist
- name: Create sha256sum.txt file
run: ./scripts/artifacts-hashes.sh
- name: Upload artifacts
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: gh release upload -R ${{ env.REPOSITORY_OWNER }}/rancher ${{ env.TAG }} ./dist/* --clobber
docker-image-digests:
if: github.event_name == 'tag' && contains(github.ref, 'tags/') # Only run on tag
runs-on: ubuntu-latest
needs: [create-images-files]
env:
DOCKER_REGISTRY: "docker.io"
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Environment Variables
uses: ./.github/actions/setup-tag-env
- name: Create dist folder
run: mkdir -p dist
- name: Setup ecm-distro-tools
uses: rancher/[email protected]
with:
version: v0.38.1
- name: Create ECM Config
run: |
mkdir -p ~/.ecm-distro-tools
release config gen
mkdir -p /tmp/digests
- name: Generate Linux Digests
run: |
export LINUX_IMAGES_URL=https://github.com/${{ github.repository_owner }}/${{ github.repository }}/releases/download/${{ env.TAG}}/rancher-images.txt
release generate rancher docker-images-digests \
--images-url "$LINUX_IMAGES_URL" \
--output-file /tmp/digests/rancher-images-digests-linux-amd64.txt \
--registry ${{ env.DOCKER_REGISTRY }}
cp /tmp/digests/rancher-images-digests-linux-amd64.txt /tmp/digests/rancher-images-digests-linux-arm64.txt
- name: Generate Windows Digests
run: |
export LINUX_IMAGES_URL=https://github.com/${{ github.repository_owner }}/${{ github.repository }}/releases/download/${{ env.TAG}}/rancher-images.txt
release generate rancher docker-images-digests \
--images-url "$LINUX_IMAGES_URL" \
--output-file /tmp/digests/rancher-images-digests-windows-ltsc2019.txt \
--registry ${{ env.DOCKER_REGISTRY }}
cp /tmp/digests/rancher-images-digests-windows-ltsc2019.txt /tmp/digests/rancher-images-digests-windows-ltsc2022.txt
- name: Upload digests
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: gh release upload -R ${{ env.REPOSITORY_OWNER }}/rancher ${{ env.TAG }} /tmp/digests/* --clobber