From 55e79b21b69bdfe3b8eeeda1cbdf353a317bf2a8 Mon Sep 17 00:00:00 2001 From: Ivan Milchev Date: Tue, 25 Jun 2024 11:32:05 +0300 Subject: [PATCH 1/2] =?UTF-8?q?=E2=9C=A8=20push=20operator=20images=20to?= =?UTF-8?q?=20gcr?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Ivan Milchev --- .github/workflows/cnspec.yaml | 21 ++++++++++++++++-- .github/workflows/publish.yaml | 39 +++++++++++++++++++++++++++++++--- 2 files changed, 55 insertions(+), 5 deletions(-) diff --git a/.github/workflows/cnspec.yaml b/.github/workflows/cnspec.yaml index 209e95c0..08708a9a 100644 --- a/.github/workflows/cnspec.yaml +++ b/.github/workflows/cnspec.yaml @@ -12,7 +12,8 @@ on: default: 'latest' env: - IMAGE: ghcr.io/mondoohq/mondoo-operator/cnspec + GHCR_IMAGE: ghcr.io/mondoohq/mondoo-operator/cnspec + GCP_IMAGE: us-docker.pkg.dev/mondoohq/release/mondoo-operator-cnspec jobs: build-cnspec: @@ -55,11 +56,27 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} + - name: Authenticate with Google Cloud + uses: "google-github-actions/auth@v2" + with: + credentials_json: "${{ secrets.GCP_ARTIFACT_REGISTRY_SA }}" + + - name: "Set up Cloud SDK" + uses: "google-github-actions/setup-gcloud@v2" + + - name: Docker Login (GCR) + run: | + gcloud auth configure-docker us-docker.pkg.dev + - name: "Setup Docker Buildx" + uses: docker/setup-buildx-action@v3 + - name: Extract Docker metadata id: meta uses: docker/metadata-action@v5 with: - images: ${{ env.IMAGE }} + images: | + ${{ env.GHCR_IMAGE }} + ${{ env.GCP_IMAGE }} tags: | type=semver,pattern={{version}},value=${{ env.VERSION }} type=semver,pattern={{major}},value=${{ env.VERSION }} diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index 5c21fd08..3d64d502 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml 
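Review bot: The new `Authenticate with Google Cloud` step in the second cnspec.yaml hunk feeds a long-lived service-account key into the job through `credentials_json`, and the same three steps are pasted again into three jobs of publish.yaml later in this patch. `google-github-actions/auth@v2` also accepts `workload_identity_provider` and `service_account`, which exchanges the job's OIDC token for short-lived credentials and only needs `permissions: id-token: write` (the sign step in publish.yaml already relies on that token, per its comment), so no key has to live in the secret store at all. Whichever credential is kept, the `Set up Cloud SDK` install plus the `gcloud auth configure-docker` credential-helper step can be replaced by `docker/login-action@v3` against `us-docker.pkg.dev` fed from the auth step's `access_token` output, which also lets the step be named correctly: the target is Artifact Registry, not GCR. Given the four identical copies, a composite action in the repo would stop them drifting apart.
```yaml
      - name: Authenticate with Google Cloud
        id: gcp-auth
        uses: google-github-actions/auth@v2
        with:
          credentials_json: "${{ secrets.GCP_ARTIFACT_REGISTRY_SA }}"
          token_format: access_token

      - name: Login to Artifact Registry
        uses: docker/login-action@v3
        with:
          registry: us-docker.pkg.dev
          username: oauth2accesstoken
          password: ${{ steps.gcp-auth.outputs.access_token }}

      # … unchanged: Setup Docker Buildx, Extract Docker metadata …
```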
@@ -18,6 +18,9 @@ env: REGISTRY: ghcr.io # github.repository as / IMAGE_NAME: ${{ github.repository }} + + GHCR_IMAGE: ghcr.io/${{ github.repository }} + GCP_IMAGE: us-docker.pkg.dev/mondoohq/release/${{ github.repository }} RELEASE: ${{ github.ref_name }} jobs: @@ -69,13 +72,27 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} + - name: Authenticate with Google Cloud + uses: "google-github-actions/auth@v2" + with: + credentials_json: "${{ secrets.GCP_ARTIFACT_REGISTRY_SA }}" + + - name: "Set up Cloud SDK" + uses: "google-github-actions/setup-gcloud@v2" + + - name: Docker Login (GCR) + run: | + gcloud auth configure-docker us-docker.pkg.dev + # Extract metadata (tags, labels) for Docker # https://github.com/docker/metadata-action - name: Extract Docker metadata id: meta uses: docker/metadata-action@v5 with: - images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + images: | + ${{ env.GHCR_IMAGE }} + ${{ env.GCP_IMAGE }} tags: | type=schedule,pattern=main type=ref,event=branch @@ -90,7 +107,9 @@ jobs: id: meta_clean uses: docker/metadata-action@v5 with: - images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + images: | + ${{ env.GHCR_IMAGE }} + ${{ env.GCP_IMAGE }} tags: | type=schedule,pattern=main type=ref,event=branch 
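Review bot: `GCP_IMAGE` in the env hunk appends `${{ github.repository }}` to `us-docker.pkg.dev/mondoohq/release/`, so for a repository named `mondoohq/mondoo-operator` the pushed path becomes `us-docker.pkg.dev/mondoohq/release/mondoohq/mondoo-operator`, with the organisation segment doubled, whereas the cnspec workflow in the same patch uses the flat name `us-docker.pkg.dev/mondoohq/release/mondoo-operator-cnspec`. Artifact Registry accepts nested paths, so the push will succeed and the inconsistency will only surface when someone pulls the name they expect. If the doubled segment is not intended, either hard-code the short name, `GCP_IMAGE: us-docker.pkg.dev/mondoohq/release/mondoo-operator`, or derive it from `${{ github.event.repository.name }}` rather than `github.repository`.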
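Review bot: Adding `${{ env.GCP_IMAGE }}` to the `Extract Docker metadata` images here (and in the `meta_clean` hunk below and the push-virtual-tag hunk that follows) makes the build-and-push step publish the same digest to Artifact Registry, but the two `cosign sign` lines touched by the second patch still sign only `${{ env.GHCR_IMAGE }}@digest`; cosign stores the signature as a tag-addressed artifact in the same repository as the image, so the Artifact Registry copy carries no signature and cannot be verified by consumers pulling from there. Add a second invocation after the existing one, `cosign sign -y ${{ env.GCP_IMAGE }}@${{ steps.build-and-push-operator.outputs.digest }}`, and do the same for the bundle if it is ever mirrored. The `image:` used by the step running under `MONDOO_CONFIG_BASE64` still names only the GHCR reference, which is fine because the digest is identical, but a comment such as `# the same digest is pushed to GCP_IMAGE; one reference covers both` would spare the next reader the check.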
@@ -160,13 +179,27 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} + - name: Authenticate with Google Cloud + uses: "google-github-actions/auth@v2" + with: + credentials_json: "${{ secrets.GCP_ARTIFACT_REGISTRY_SA }}" + + - name: "Set up Cloud SDK" + uses: "google-github-actions/setup-gcloud@v2" + + - name: Docker Login (GCR) + run: | + gcloud auth configure-docker us-docker.pkg.dev + # Extract metadata (tags, labels) for Docker # https://github.com/docker/metadata-action - name: Extract Docker metadata id: meta uses: docker/metadata-action@v5 with: - images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + images: | + ${{ env.GHCR_IMAGE }} + ${{ env.GCP_IMAGE }} - name: Push multi-platform virtual tag and sign run: bash scripts/push-virtual-tag.sh From 9d8c63ddd545e6c6a1ac2d5d1f617b742a6eae1f Mon Sep 17 00:00:00 2001 From: Ivan Milchev Date: Tue, 25 Jun 2024 15:25:56 +0300 Subject: [PATCH 2/2] cleanup env vars Signed-off-by: Ivan Milchev --- .github/workflows/publish.yaml | 17 ++++++----------- 1 file changed, 6 insertions(+), 11 deletions(-) diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index 3d64d502..d06c06be 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -14,11 +14,6 @@ on: tags: ["v*.*.*"] env: - # Use docker.io for Docker Hub if empty - REGISTRY: ghcr.io - # github.repository as / - IMAGE_NAME: ${{ github.repository }} - GHCR_IMAGE: ghcr.io/${{ github.repository }} GCP_IMAGE: us-docker.pkg.dev/mondoohq/release/${{ github.repository }} RELEASE: ${{ github.ref_name }} @@ -136,7 +131,7 @@ jobs: env: MONDOO_CONFIG_BASE64: ${{ secrets.MONDOO_CLIENT }} with: - image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push-operator.outputs.digest }} + image: ${{ env.GHCR_IMAGE }}@${{ steps.build-and-push-operator.outputs.digest }} # Sign the resulting Docker image digest except on PRs. # This will only write to the public Rekor transparency log when the Docker 
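Review bot: Deleting `REGISTRY` and `IMAGE_NAME` from `env` in the first hunk of the second patch is only safe if nothing outside the shown hunks still reads them; the GHCR login step, whose `username`/`password` lines appear as context in the earlier hunks, commonly carries `registry: ${{ env.REGISTRY }}`, and that line is outside every hunk here, so I cannot tell from the diff. If it does reference the removed variable, the expression now expands to an empty string, `docker/login-action` silently logs in to Docker Hub instead of ghcr.io, and the push fails with an authorization error on the next release. Before merging, a search for `env.REGISTRY` and `env.IMAGE_NAME` across `.github/workflows/` (or changing the login step to the literal `registry: ghcr.io`, matching what `GHCR_IMAGE` now hard-codes) would settle it.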
@@ -146,7 +141,7 @@ jobs: - name: Sign the published Docker image # This step uses the identity token to provision an ephemeral certificate # against the sigstore community Fulcio instance. - run: cosign sign -y ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push-operator.outputs.digest }} + run: cosign sign -y ${{ env.GHCR_IMAGE }}@${{ steps.build-and-push-operator.outputs.digest }} push-virtual-tag: name: Push multi-platform virtual tag @@ -264,7 +259,7 @@ jobs: gpg -u "Operator SDK (release) " --verify checksums.txt.asc grep operator-sdk_${OS}_${ARCH} checksums.txt | sha256sum -c - chmod +x operator-sdk_${OS}_${ARCH} && sudo mv operator-sdk_${OS}_${ARCH} /usr/local/bin/operator-sdk - make bundle IMG='${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.RELEASE }}' VERSION='${{ env.RELEASE }}' + make bundle IMG='${{ env.GHCR_IMAGE }}:${{ env.RELEASE }}' VERSION='${{ env.RELEASE }}' # Extract metadata (tags, labels) for Docker # https://github.com/docker/metadata-action @@ -272,7 +267,7 @@ jobs: id: meta-bundle uses: docker/metadata-action@v5 with: - images: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-bundle" + images: "${{ env.GHCR_IMAGE }}-bundle" # Build and push Docker image bundle with Buildx - name: Build and push bundle image @@ -294,7 +289,7 @@ jobs: - name: Sign the published Docker image # This step uses the identity token to provision an ephemeral certificate # against the sigstore community Fulcio instance. - run: cosign sign -y ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-bundle@${{ steps.build-and-push-bundle.outputs.digest }} + run: cosign sign -y ${{ env.GHCR_IMAGE }}-bundle@${{ steps.build-and-push-bundle.outputs.digest }} # run olm e2e tests run-olm-e2e: @@ -365,7 +360,7 @@ jobs: id: meta uses: docker/metadata-action@v5 with: - images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + images: ${{ env.GHCR_IMAGE }} - name: Run integration tests env: