Build docker images #73
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build docker images | |
on: | |
push: | |
schedule: | |
# At 00:00 every Sunday | |
- cron: 0 0 * * 0 | |
concurrency: | |
group: docker-${{ github.ref }} | |
cancel-in-progress: true | |
jobs: | |
matrix: | |
name: Compute build matrix from pypi API | |
runs-on: ubuntu-latest | |
outputs: | |
matrix: ${{ steps.matrix.outputs.matrix }} | |
steps: | |
- name: Check out the repo | |
uses: actions/checkout@v4 | |
- uses: actions/setup-go@v5 | |
with: | |
go-version-file: './build-matrix/go.mod' | |
cache-dependency-path: './build-matrix/go.mod' | |
- name: Run matrix generator tests | |
working-directory: build-matrix | |
run: go test ./ | |
- id: matrix | |
working-directory: build-matrix | |
run: | | |
MATRIX=$(go run ./) | |
echo ${MATRIX} | jq | |
echo "matrix=${MATRIX}" >> $GITHUB_OUTPUT | |
build: | |
needs: [ matrix ] | |
runs-on: ubuntu-latest | |
name: Build ansible ${{ matrix.versions.ansible }}-${{ matrix.target }}/${{ matrix.platform }} | |
permissions: | |
packages: write | |
contents: read | |
strategy: | |
fail-fast: false | |
matrix: | |
target: | |
- base | |
- aws | |
- gcp | |
- azure | |
platform: | |
- linux/amd64 | |
- linux/arm64 | |
versions: ${{ fromJson(needs.matrix.outputs.matrix) }} | |
steps: | |
- name: Check out the repo | |
uses: actions/checkout@v4 | |
- name: Prepare | |
run: | | |
platform=${{ matrix.platform }} | |
echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV | |
- name: Set up QEMU | |
if: matrix.platform == 'linux/arm64' | |
uses: docker/setup-qemu-action@v3 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Build Docker images | |
uses: docker/build-push-action@v6 | |
id: build | |
with: | |
pull: true | |
target: ${{ matrix.target }} | |
build-args: | | |
ANSIBLE_VERSION=${{ matrix.versions.ansible }} | |
platforms: ${{ matrix.platform }} | |
outputs: type=docker,dest=/tmp/${{ matrix.versions.ansible }}-${{ matrix.target }}-${{ env.PLATFORM_PAIR }}.tar | |
tags: ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-${{ matrix.target }}-${{ env.PLATFORM_PAIR }}-${{ github.sha }} | |
- name: Upload artifact | |
uses: actions/upload-artifact@v4 | |
with: | |
name: ansible-runner-${{ github.sha }}-${{ matrix.versions.ansible }}-${{ matrix.target }}-${{ env.PLATFORM_PAIR }} | |
path: /tmp/${{ matrix.versions.ansible }}-${{ matrix.target }}-${{ env.PLATFORM_PAIR }}.tar | |
retention-days: 1 | |
if-no-files-found: error | |
test: | |
name: Test image ${{ matrix.versions.ansible }}-${{ matrix.target }}/${{ matrix.platform }} | |
needs: [ matrix, build ] | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
target: | |
- base | |
- aws | |
- gcp | |
- azure | |
platform: | |
- linux/amd64 | |
versions: ${{ fromJson(needs.matrix.outputs.matrix) }} | |
steps: | |
- name: Prepare | |
run: | | |
platform=${{ matrix.platform }} | |
export PLATFORM_PAIR=${platform//\//-} | |
echo "PLATFORM_PAIR=${PLATFORM_PAIR}" >> $GITHUB_ENV | |
echo "IMAGE=ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-${{ matrix.target }}-${PLATFORM_PAIR}-${{ github.sha }}" >> $GITHUB_ENV | |
- name: Download artifact | |
uses: actions/download-artifact@v4 | |
with: | |
name: ansible-runner-${{ github.sha }}-${{ matrix.versions.ansible }}-${{ matrix.target }}-${{ env.PLATFORM_PAIR }} | |
path: /tmp | |
- name: Load image | |
run: | | |
docker load --input /tmp/${{ matrix.versions.ansible }}-${{ matrix.target }}-${{ env.PLATFORM_PAIR }}.tar | |
docker image ls -a | |
- name: Test ansible version | |
run: | | |
docker run --rm ${{ env.IMAGE }} ansible-community --version | grep 'Ansible community version ${{ matrix.versions.ansible }}' | |
docker run --rm ${{ env.IMAGE }} ansible --version | |
docker run --rm ${{ env.IMAGE }} ansible-playbook --version | |
docker run --rm ${{ env.IMAGE }} ansible-galaxy --version | |
docker run --rm ${{ env.IMAGE }} ansible-runner --version | |
- name: Test aws flavor | |
if: matrix.target == 'aws' | |
run: | | |
docker run --rm ${{ env.IMAGE }} sh -c "python3 -c \"import boto3; print(boto3.__version__)\"" | |
- name: Test gcp flavor | |
if: matrix.target == 'gcp' | |
run: | | |
docker run --rm ${{ env.IMAGE }} sh -c "python3 -c \"import google.auth; print(google.auth.__version__)\"" | |
- name: Test azure flavor | |
if: matrix.target == 'azure' | |
run: | | |
docker run --rm ${{ env.IMAGE }} az --version | |
deploy: | |
name: Push image ${{ matrix.versions.ansible }}/${{ matrix.target }} | |
needs: [ matrix, test ] | |
runs-on: ubuntu-latest | |
env: | |
AWS_REGION: "us-east-1" | |
strategy: | |
fail-fast: false | |
matrix: | |
target: | |
- base | |
- aws | |
- gcp | |
- azure | |
versions: ${{ fromJson(needs.matrix.outputs.matrix) }} | |
if: ${{ github.ref == 'refs/heads/main' || github.ref == 'refs/heads/feat/ansible_build_matrix' }} # TODO(eliecharra): remove the branch | |
permissions: | |
id-token: write | |
packages: write | |
contents: read | |
steps: | |
- name: Download ${{ matrix.target }}/amd64 artifact | |
uses: actions/download-artifact@v4 | |
with: | |
name: ansible-runner-${{ github.sha }}-${{ matrix.versions.ansible }}-${{ matrix.target }}-linux-amd64 | |
path: /tmp | |
- name: Download ${{ matrix.target }}/arm64 artifact | |
uses: actions/download-artifact@v4 | |
with: | |
name: ansible-runner-${{ github.sha }}-${{ matrix.versions.ansible }}-${{ matrix.target }}-linux-arm64 | |
path: /tmp | |
- name: Load image | |
run: | | |
docker load --input /tmp/${{ matrix.versions.ansible }}-${{ matrix.target }}-linux-amd64.tar | |
docker load --input /tmp/${{ matrix.versions.ansible }}-${{ matrix.target }}-linux-arm64.tar | |
- name: Configure AWS credentials | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
aws-region: ${{ env.AWS_REGION }} | |
role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }} | |
role-duration-seconds: 900 | |
- name: Login to Amazon ECR | |
run: aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin ${REPOSITORY_PATH} | |
env: | |
REPOSITORY_PATH: ${{ secrets.PUBLIC_RUNNER_ANSIBLE_ECR_REPOSITORY_URL }} | |
- name: Log in to Github Container registry | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Check out the repo | |
uses: actions/checkout@v4 | |
- name: Push images ${{ matrix.versions.ansible }}/${{ matrix.target }} | |
working-directory: .github/scripts | |
env: | |
ECR_IMAGE: ${{ secrets.PUBLIC_RUNNER_ANSIBLE_ECR_REPOSITORY_URL }} | |
TARGET_TAG: -${{ matrix.target }} | |
run: | | |
if [[ "${TARGET_TAG}" == "-base" ]]; then | |
TARGET_TAG="" | |
fi | |
# Push ECR amd64 tag | |
./retag-and-push.sh ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-${{ matrix.target }}-linux-amd64-${{ github.sha }}\ | |
${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}${TARGET_TAG}-linux-amd64 | |
# Push ECR amd64 additional tags | |
for tag in ${{ join(matrix.versions.additional_tags, ' ') }} | |
do | |
./retag-and-push.sh ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-${{ matrix.target }}-linux-amd64-${{ github.sha }}\ | |
${{ env.ECR_IMAGE }}:${tag}${TARGET_TAG}-linux-amd64 | |
done | |
# Push ECR arm64 tags | |
./retag-and-push.sh ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-${{ matrix.target }}-linux-arm64-${{ github.sha }}\ | |
${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}${TARGET_TAG}-linux-arm64 | |
# Push ECR amd64 additional tags | |
for tag in ${{ join(matrix.versions.additional_tags, ' ') }} | |
do | |
./retag-and-push.sh ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-${{ matrix.target }}-linux-arm64-${{ github.sha }}\ | |
${{ env.ECR_IMAGE }}:${tag}${TARGET_TAG}-linux-arm64 | |
done | |
# Push ghcr amd64 tags | |
./retag-and-push.sh ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-${{ matrix.target }}-linux-amd64-${{ github.sha }}\ | |
ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}${TARGET_TAG}-linux-amd64 | |
# Push ghcr amd64 additional tags | |
for tag in ${{ join(matrix.versions.additional_tags, ' ') }} | |
do | |
./retag-and-push.sh ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-${{ matrix.target }}-linux-amd64-${{ github.sha }}\ | |
ghcr.io/${{ github.repository }}:${tag}${TARGET_TAG}-linux-amd64 | |
done | |
# Push ghcr arm64 tags | |
./retag-and-push.sh ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-${{ matrix.target }}-linux-arm64-${{ github.sha }}\ | |
ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}${TARGET_TAG}-linux-arm64 | |
# Push ghcr arm64 additional tags | |
for tag in ${{ join(matrix.versions.additional_tags, ' ') }} | |
do | |
./retag-and-push.sh ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-${{ matrix.target }}-linux-arm64-${{ github.sha }}\ | |
ghcr.io/${{ github.repository }}:${tag}${TARGET_TAG}-linux-arm64 | |
done | |
# Assemble multi arch ECR manifests | |
echo "Create ECR manifest ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}${TARGET_TAG}" | |
docker manifest create ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}${TARGET_TAG} \ | |
--amend ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}${TARGET_TAG}-linux-arm64 \ | |
--amend ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}${TARGET_TAG}-linux-amd64 | |
docker manifest push ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}${TARGET_TAG} | |
# Assemble multi arch ECR manifests for additional tags | |
for tag in ${{ join(matrix.versions.additional_tags, ' ') }} | |
do | |
echo "Create manifest ${{ env.ECR_IMAGE }}:${tag}${TARGET_TAG}" | |
docker manifest create ${{ env.ECR_IMAGE }}:${tag}${TARGET_TAG} \ | |
--amend ${{ env.ECR_IMAGE }}:${tag}${TARGET_TAG}-linux-arm64 \ | |
--amend ${{ env.ECR_IMAGE }}:${tag}${TARGET_TAG}-linux-amd64 | |
docker manifest push ${{ env.ECR_IMAGE }}:${tag}${TARGET_TAG} | |
done | |
# Assemble multi arch ghcr manifests | |
echo "Create manifest ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}${TARGET_TAG}" | |
docker manifest create ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}${TARGET_TAG} \ | |
--amend ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}${TARGET_TAG}-linux-arm64 \ | |
--amend ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}${TARGET_TAG}-linux-amd64 | |
docker manifest push ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}${TARGET_TAG} | |
# Assemble multi arch ghcr manifests for additional tags | |
for tag in ${{ join(matrix.versions.additional_tags, ' ') }} | |
do | |
echo "Create manifest ghcr.io/${{ github.repository }}:${tag}${TARGET_TAG}" | |
docker manifest create ghcr.io/${{ github.repository }}:${tag}${TARGET_TAG} \ | |
--amend ghcr.io/${{ github.repository }}:${tag}${TARGET_TAG}-linux-arm64 \ | |
--amend ghcr.io/${{ github.repository }}:${tag}${TARGET_TAG}-linux-amd64 | |
docker manifest push ghcr.io/${{ github.repository }}:${tag}${TARGET_TAG} | |
done | |
security: | |
name: Security scan | |
needs: [ matrix, deploy ] | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
target: | |
- base | |
- aws | |
- gcp | |
- azure | |
platform: | |
- linux/amd64 | |
- linux/arm64 | |
versions: ${{ fromJson(needs.matrix.outputs.matrix) }} | |
steps: | |
- name: Prepare | |
env: | |
TARGET_TAG: -${{ matrix.target }} | |
run: | | |
platform=${{ matrix.platform }} | |
echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV | |
if [[ "${TARGET_TAG}" == "-base" ]]; then | |
TARGET_TAG="" | |
fi | |
echo "TARGET_TAG=${TARGET_TAG}" >> $GITHUB_ENV | |
- name: Run Trivy vulnerability scanner for ${{ matrix.target }} image | |
uses: aquasecurity/[email protected] | |
with: | |
image-ref: "ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}${{ env.TARGET_TAG }}-${{ env.PLATFORM_PAIR }}" | |
format: "template" | |
template: "@/contrib/sarif.tpl" | |
output: "${{ matrix.target }}.sarif" | |
severity: "CRITICAL,HIGH" | |
env: | |
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db | |
- name: Upload ${{ matrix.target }} image scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
category: ${{ matrix.target }} | |
sarif_file: "${{ matrix.target }}.sarif" |