Skip to content

Build docker images #73

Build docker images

Build docker images #73

Workflow file for this run

name: Build docker images
on:
push:
schedule:
# At 00:00 every Sunday
- cron: 0 0 * * 0
concurrency:
group: docker-${{ github.ref }}
cancel-in-progress: true
jobs:
matrix:
name: Compute build matrix from pypi API
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.matrix.outputs.matrix }}
steps:
- name: Check out the repo
uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version-file: './build-matrix/go.mod'
cache-dependency-path: './build-matrix/go.mod'
- name: Run matrix generator tests
working-directory: build-matrix
run: go test ./
- id: matrix
working-directory: build-matrix
run: |
MATRIX=$(go run ./)
echo ${MATRIX} | jq
echo "matrix=${MATRIX}" >> $GITHUB_OUTPUT
build:
needs: [ matrix ]
runs-on: ubuntu-latest
name: Build ansible ${{ matrix.versions.ansible }}-${{ matrix.target }}/${{ matrix.platform }}
permissions:
packages: write
contents: read
strategy:
fail-fast: false
matrix:
target:
- base
- aws
- gcp
- azure
platform:
- linux/amd64
- linux/arm64
versions: ${{ fromJson(needs.matrix.outputs.matrix) }}
steps:
- name: Check out the repo
uses: actions/checkout@v4
- name: Prepare
run: |
platform=${{ matrix.platform }}
echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
- name: Set up QEMU
if: matrix.platform == 'linux/arm64'
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Build Docker images
uses: docker/build-push-action@v6
id: build
with:
pull: true
target: ${{ matrix.target }}
build-args: |
ANSIBLE_VERSION=${{ matrix.versions.ansible }}
platforms: ${{ matrix.platform }}
outputs: type=docker,dest=/tmp/${{ matrix.versions.ansible }}-${{ matrix.target }}-${{ env.PLATFORM_PAIR }}.tar
tags: ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-${{ matrix.target }}-${{ env.PLATFORM_PAIR }}-${{ github.sha }}
- name: Upload artifact
uses: actions/upload-artifact@v4
with:
name: ansible-runner-${{ github.sha }}-${{ matrix.versions.ansible }}-${{ matrix.target }}-${{ env.PLATFORM_PAIR }}
path: /tmp/${{ matrix.versions.ansible }}-${{ matrix.target }}-${{ env.PLATFORM_PAIR }}.tar
retention-days: 1
if-no-files-found: error
test:
name: Test image ${{ matrix.versions.ansible }}-${{ matrix.target }}/${{ matrix.platform }}
needs: [ matrix, build ]
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
target:
- base
- aws
- gcp
- azure
platform:
- linux/amd64
versions: ${{ fromJson(needs.matrix.outputs.matrix) }}
steps:
- name: Prepare
run: |
platform=${{ matrix.platform }}
export PLATFORM_PAIR=${platform//\//-}
echo "PLATFORM_PAIR=${PLATFORM_PAIR}" >> $GITHUB_ENV
echo "IMAGE=ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-${{ matrix.target }}-${PLATFORM_PAIR}-${{ github.sha }}" >> $GITHUB_ENV
- name: Download artifact
uses: actions/download-artifact@v4
with:
name: ansible-runner-${{ github.sha }}-${{ matrix.versions.ansible }}-${{ matrix.target }}-${{ env.PLATFORM_PAIR }}
path: /tmp
- name: Load image
run: |
docker load --input /tmp/${{ matrix.versions.ansible }}-${{ matrix.target }}-${{ env.PLATFORM_PAIR }}.tar
docker image ls -a
- name: Test ansible version
run: |
docker run --rm ${{ env.IMAGE }} ansible-community --version | grep 'Ansible community version ${{ matrix.versions.ansible }}'
docker run --rm ${{ env.IMAGE }} ansible --version
docker run --rm ${{ env.IMAGE }} ansible-playbook --version
docker run --rm ${{ env.IMAGE }} ansible-galaxy --version
docker run --rm ${{ env.IMAGE }} ansible-runner --version
- name: Test aws flavor
if: matrix.target == 'aws'
run: |
docker run --rm ${{ env.IMAGE }} sh -c "python3 -c \"import boto3; print(boto3.__version__)\""
- name: Test gcp flavor
if: matrix.target == 'gcp'
run: |
docker run --rm ${{ env.IMAGE }} sh -c "python3 -c \"import google.auth; print(google.auth.__version__)\""
- name: Test azure flavor
if: matrix.target == 'azure'
run: |
docker run --rm ${{ env.IMAGE }} az --version
deploy:
name: Push image ${{ matrix.versions.ansible }}/${{ matrix.target }}
needs: [ matrix, test ]
runs-on: ubuntu-latest
env:
AWS_REGION: "us-east-1"
strategy:
fail-fast: false
matrix:
target:
- base
- aws
- gcp
- azure
versions: ${{ fromJson(needs.matrix.outputs.matrix) }}
if: ${{ github.ref == 'refs/heads/main' || github.ref == 'refs/heads/feat/ansible_build_matrix' }} # TODO(eliecharra): remove the branch
permissions:
id-token: write
packages: write
contents: read
steps:
- name: Download ${{ matrix.target }}/amd64 artifact
uses: actions/download-artifact@v4
with:
name: ansible-runner-${{ github.sha }}-${{ matrix.versions.ansible }}-${{ matrix.target }}-linux-amd64
path: /tmp
- name: Download ${{ matrix.target }}/arm64 artifact
uses: actions/download-artifact@v4
with:
name: ansible-runner-${{ github.sha }}-${{ matrix.versions.ansible }}-${{ matrix.target }}-linux-arm64
path: /tmp
- name: Load image
run: |
docker load --input /tmp/${{ matrix.versions.ansible }}-${{ matrix.target }}-linux-amd64.tar
docker load --input /tmp/${{ matrix.versions.ansible }}-${{ matrix.target }}-linux-arm64.tar
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: ${{ env.AWS_REGION }}
role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
role-duration-seconds: 900
- name: Login to Amazon ECR
run: aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin ${REPOSITORY_PATH}
env:
REPOSITORY_PATH: ${{ secrets.PUBLIC_RUNNER_ANSIBLE_ECR_REPOSITORY_URL }}
- name: Log in to Github Container registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Check out the repo
uses: actions/checkout@v4
- name: Push images ${{ matrix.versions.ansible }}/${{ matrix.target }}
working-directory: .github/scripts
env:
ECR_IMAGE: ${{ secrets.PUBLIC_RUNNER_ANSIBLE_ECR_REPOSITORY_URL }}
TARGET_TAG: -${{ matrix.target }}
run: |
if [[ "${TARGET_TAG}" == "-base" ]]; then
TARGET_TAG=""
fi
# Push ECR amd64 tag
./retag-and-push.sh ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-${{ matrix.target }}-linux-amd64-${{ github.sha }}\
${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}${TARGET_TAG}-linux-amd64
# Push ECR amd64 additional tags
for tag in ${{ join(matrix.versions.additional_tags, ' ') }}
do
./retag-and-push.sh ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-${{ matrix.target }}-linux-amd64-${{ github.sha }}\
${{ env.ECR_IMAGE }}:${tag}${TARGET_TAG}-linux-amd64
done
# Push ECR arm64 tags
./retag-and-push.sh ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-${{ matrix.target }}-linux-arm64-${{ github.sha }}\
${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}${TARGET_TAG}-linux-arm64
# Push ECR amd64 additional tags
for tag in ${{ join(matrix.versions.additional_tags, ' ') }}
do
./retag-and-push.sh ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-${{ matrix.target }}-linux-arm64-${{ github.sha }}\
${{ env.ECR_IMAGE }}:${tag}${TARGET_TAG}-linux-arm64
done
# Push ghcr amd64 tags
./retag-and-push.sh ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-${{ matrix.target }}-linux-amd64-${{ github.sha }}\
ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}${TARGET_TAG}-linux-amd64
# Push ghcr amd64 additional tags
for tag in ${{ join(matrix.versions.additional_tags, ' ') }}
do
./retag-and-push.sh ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-${{ matrix.target }}-linux-amd64-${{ github.sha }}\
ghcr.io/${{ github.repository }}:${tag}${TARGET_TAG}-linux-amd64
done
# Push ghcr arm64 tags
./retag-and-push.sh ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-${{ matrix.target }}-linux-arm64-${{ github.sha }}\
ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}${TARGET_TAG}-linux-arm64
# Push ghcr arm64 additional tags
for tag in ${{ join(matrix.versions.additional_tags, ' ') }}
do
./retag-and-push.sh ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-${{ matrix.target }}-linux-arm64-${{ github.sha }}\
ghcr.io/${{ github.repository }}:${tag}${TARGET_TAG}-linux-arm64
done
# Assemble multi arch ECR manifests
echo "Create ECR manifest ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}${TARGET_TAG}"
docker manifest create ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}${TARGET_TAG} \
--amend ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}${TARGET_TAG}-linux-arm64 \
--amend ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}${TARGET_TAG}-linux-amd64
docker manifest push ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}${TARGET_TAG}
# Assemble multi arch ECR manifests for additional tags
for tag in ${{ join(matrix.versions.additional_tags, ' ') }}
do
echo "Create manifest ${{ env.ECR_IMAGE }}:${tag}${TARGET_TAG}"
docker manifest create ${{ env.ECR_IMAGE }}:${tag}${TARGET_TAG} \
--amend ${{ env.ECR_IMAGE }}:${tag}${TARGET_TAG}-linux-arm64 \
--amend ${{ env.ECR_IMAGE }}:${tag}${TARGET_TAG}-linux-amd64
docker manifest push ${{ env.ECR_IMAGE }}:${tag}${TARGET_TAG}
done
# Assemble multi arch ghcr manifests
echo "Create manifest ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}${TARGET_TAG}"
docker manifest create ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}${TARGET_TAG} \
--amend ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}${TARGET_TAG}-linux-arm64 \
--amend ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}${TARGET_TAG}-linux-amd64
docker manifest push ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}${TARGET_TAG}
# Assemble multi arch ghcr manifests for additional tags
for tag in ${{ join(matrix.versions.additional_tags, ' ') }}
do
echo "Create manifest ghcr.io/${{ github.repository }}:${tag}${TARGET_TAG}"
docker manifest create ghcr.io/${{ github.repository }}:${tag}${TARGET_TAG} \
--amend ghcr.io/${{ github.repository }}:${tag}${TARGET_TAG}-linux-arm64 \
--amend ghcr.io/${{ github.repository }}:${tag}${TARGET_TAG}-linux-amd64
docker manifest push ghcr.io/${{ github.repository }}:${tag}${TARGET_TAG}
done
security:
name: Security scan
needs: [ matrix, deploy ]
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
target:
- base
- aws
- gcp
- azure
platform:
- linux/amd64
- linux/arm64
versions: ${{ fromJson(needs.matrix.outputs.matrix) }}
steps:
- name: Prepare
env:
TARGET_TAG: -${{ matrix.target }}
run: |
platform=${{ matrix.platform }}
echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
if [[ "${TARGET_TAG}" == "-base" ]]; then
TARGET_TAG=""
fi
echo "TARGET_TAG=${TARGET_TAG}" >> $GITHUB_ENV
- name: Run Trivy vulnerability scanner for ${{ matrix.target }} image
uses: aquasecurity/[email protected]
with:
image-ref: "ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}${{ env.TARGET_TAG }}-${{ env.PLATFORM_PAIR }}"
format: "template"
template: "@/contrib/sarif.tpl"
output: "${{ matrix.target }}.sarif"
severity: "CRITICAL,HIGH"
env:
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
- name: Upload ${{ matrix.target }} image scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
category: ${{ matrix.target }}
sarif_file: "${{ matrix.target }}.sarif"