Build docker images #76

Workflow file for this run

	name: Build docker images
	on:
	push:
	schedule:
	# At 00:00 every Sunday
	- cron: 0 0 * * 0
	concurrency:
	group: docker-${{ github.ref }}
	cancel-in-progress: true
	jobs:
	matrix:
	name: Compute build matrix from pypi API
	runs-on: ubuntu-latest
	outputs:
	matrix: ${{ steps.matrix.outputs.matrix }}
	steps:
	- name: Check out the repo
	uses: actions/checkout@v4

	- uses: actions/setup-go@v5
	with:
	go-version-file: './build-matrix/go.mod'
	cache-dependency-path: './build-matrix/go.mod'

	- name: Run matrix generator tests
	working-directory: build-matrix
	run: go test ./

	- id: matrix
	working-directory: build-matrix
	run: \|
	MATRIX=$(go run ./)
	echo ${MATRIX} \| jq
	echo "matrix=${MATRIX}" >> $GITHUB_OUTPUT
	build:
	needs: [ matrix ]
	runs-on: ubuntu-latest
	name: Build ansible ${{ matrix.versions.ansible }}-${{ matrix.target }}/${{ matrix.platform }}
	permissions:
	packages: write
	contents: read
	strategy:
	fail-fast: false
	matrix:
	target:
	- base
	- aws
	- gcp
	- azure
	platform:
	- linux/amd64
	- linux/arm64
	versions: ${{ fromJson(needs.matrix.outputs.matrix) }}
	steps:
	- name: Check out the repo
	uses: actions/checkout@v4

	- name: Prepare
	run: \|
	platform=${{ matrix.platform }}
	echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV

	- name: Set up QEMU
	if: matrix.platform == 'linux/arm64'
	uses: docker/setup-qemu-action@v3

	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@v3

	- name: Build Docker images
	uses: docker/build-push-action@v6
	id: build
	with:
	pull: true
	target: ${{ matrix.target }}
	build-args: \|
	ANSIBLE_VERSION=${{ matrix.versions.ansible }}
	platforms: ${{ matrix.platform }}
	outputs: type=docker,dest=/tmp/${{ matrix.versions.ansible }}-${{ matrix.target }}-${{ env.PLATFORM_PAIR }}.tar
	tags: ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-${{ matrix.target }}-${{ env.PLATFORM_PAIR }}-${{ github.sha }}

	- name: Upload artifact
	uses: actions/upload-artifact@v4
	with:
	name: ansible-runner-${{ github.sha }}-${{ matrix.versions.ansible }}-${{ matrix.target }}-${{ env.PLATFORM_PAIR }}
	path: /tmp/${{ matrix.versions.ansible }}-${{ matrix.target }}-${{ env.PLATFORM_PAIR }}.tar
	retention-days: 1
	if-no-files-found: error

	test:
	name: Test image ${{ matrix.versions.ansible }}-${{ matrix.target }}/${{ matrix.platform }}
	needs: [ matrix, build ]
	runs-on: ubuntu-latest
	strategy:
	fail-fast: false
	matrix:
	target:
	- base
	- aws
	- gcp
	- azure
	platform:
	- linux/amd64
	versions: ${{ fromJson(needs.matrix.outputs.matrix) }}
	steps:
	- name: Prepare
	run: \|
	platform=${{ matrix.platform }}
	export PLATFORM_PAIR=${platform//\//-}
	echo "PLATFORM_PAIR=${PLATFORM_PAIR}" >> $GITHUB_ENV
	echo "IMAGE=ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-${{ matrix.target }}-${PLATFORM_PAIR}-${{ github.sha }}" >> $GITHUB_ENV
	- name: Download artifact
	uses: actions/download-artifact@v4
	with:
	name: ansible-runner-${{ github.sha }}-${{ matrix.versions.ansible }}-${{ matrix.target }}-${{ env.PLATFORM_PAIR }}
	path: /tmp

	- name: Load image
	run: \|
	docker load --input /tmp/${{ matrix.versions.ansible }}-${{ matrix.target }}-${{ env.PLATFORM_PAIR }}.tar
	docker image ls -a

	- name: Test ansible version
	run: \|
	docker run --rm ${{ env.IMAGE }} ansible-community --version \| grep 'Ansible community version ${{ matrix.versions.ansible }}'
	docker run --rm ${{ env.IMAGE }} ansible --version
	docker run --rm ${{ env.IMAGE }} ansible-playbook --version
	docker run --rm ${{ env.IMAGE }} ansible-galaxy --version
	docker run --rm ${{ env.IMAGE }} ansible-runner --version

	- name: Test aws flavor
	if: matrix.target == 'aws'
	run: \|
	docker run --rm ${{ env.IMAGE }} sh -c "python3 -c \"import boto3; print(boto3.__version__)\""

	- name: Test gcp flavor
	if: matrix.target == 'gcp'
	run: \|
	docker run --rm ${{ env.IMAGE }} sh -c "python3 -c \"import google.auth; print(google.auth.__version__)\""

	- name: Test azure flavor
	if: matrix.target == 'azure'
	run: \|
	docker run --rm ${{ env.IMAGE }} az --version

	deploy:
	name: Push image ${{ matrix.versions.ansible }}/${{ matrix.target }}
	needs: [ matrix, test ]
	runs-on: ubuntu-latest
	env:
	AWS_REGION: "us-east-1"
	strategy:
	fail-fast: false
	matrix:
	target:
	- base
	- aws
	- gcp
	- azure
	versions: ${{ fromJson(needs.matrix.outputs.matrix) }}
	if: ${{ github.ref == 'refs/heads/main' \|\| github.ref == 'refs/heads/feat/ansible_build_matrix' }} # TODO(eliecharra): remove the branch
	permissions:
	id-token: write
	packages: write
	contents: read
	steps:
	- name: Download ${{ matrix.target }}/amd64 artifact
	uses: actions/download-artifact@v4
	with:
	name: ansible-runner-${{ github.sha }}-${{ matrix.versions.ansible }}-${{ matrix.target }}-linux-amd64
	path: /tmp

	- name: Download ${{ matrix.target }}/arm64 artifact
	uses: actions/download-artifact@v4
	with:
	name: ansible-runner-${{ github.sha }}-${{ matrix.versions.ansible }}-${{ matrix.target }}-linux-arm64
	path: /tmp

	- name: Load image
	run: \|
	docker load --input /tmp/${{ matrix.versions.ansible }}-${{ matrix.target }}-linux-amd64.tar
	docker load --input /tmp/${{ matrix.versions.ansible }}-${{ matrix.target }}-linux-arm64.tar

	- name: Configure AWS credentials
	uses: aws-actions/configure-aws-credentials@v4
	with:
	aws-region: ${{ env.AWS_REGION }}
	role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
	role-duration-seconds: 900

	- name: Login to Amazon ECR
	run: aws ecr-public get-login-password --region us-east-1 \| docker login --username AWS --password-stdin ${REPOSITORY_PATH}
	env:
	REPOSITORY_PATH: ${{ secrets.PUBLIC_RUNNER_ANSIBLE_ECR_REPOSITORY_URL }}

	- name: Log in to Github Container registry
	uses: docker/login-action@v3
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Check out the repo
	uses: actions/checkout@v4

	- name: Push images ${{ matrix.versions.ansible }}/${{ matrix.target }}
	working-directory: .github/scripts
	env:
	ECR_IMAGE: ${{ secrets.PUBLIC_RUNNER_ANSIBLE_ECR_REPOSITORY_URL }}
	TARGET_TAG: -${{ matrix.target }}
	run: \|
	if [[ "${TARGET_TAG}" == "-base" ]]; then
	TARGET_TAG=""
	fi

	# Push ECR amd64 tag
	./retag-and-push.sh ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-${{ matrix.target }}-linux-amd64-${{ github.sha }}\
	${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}${TARGET_TAG}-linux-amd64

	# Push ECR amd64 additional tags
	for tag in ${{ join(matrix.versions.additional_tags, ' ') }}
	do
	./retag-and-push.sh ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-${{ matrix.target }}-linux-amd64-${{ github.sha }}\
	${{ env.ECR_IMAGE }}:${tag}${TARGET_TAG}-linux-amd64
	done

	# Push ECR arm64 tags
	./retag-and-push.sh ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-${{ matrix.target }}-linux-arm64-${{ github.sha }}\
	${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}${TARGET_TAG}-linux-arm64

	# Push ECR amd64 additional tags
	for tag in ${{ join(matrix.versions.additional_tags, ' ') }}
	do
	./retag-and-push.sh ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-${{ matrix.target }}-linux-arm64-${{ github.sha }}\
	${{ env.ECR_IMAGE }}:${tag}${TARGET_TAG}-linux-arm64
	done

	# Push ghcr amd64 tags
	./retag-and-push.sh ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-${{ matrix.target }}-linux-amd64-${{ github.sha }}\
	ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}${TARGET_TAG}-linux-amd64

	# Push ghcr amd64 additional tags
	for tag in ${{ join(matrix.versions.additional_tags, ' ') }}
	do
	./retag-and-push.sh ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-${{ matrix.target }}-linux-amd64-${{ github.sha }}\
	ghcr.io/${{ github.repository }}:${tag}${TARGET_TAG}-linux-amd64
	done

	# Push ghcr arm64 tags
	./retag-and-push.sh ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-${{ matrix.target }}-linux-arm64-${{ github.sha }}\
	ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}${TARGET_TAG}-linux-arm64

	# Push ghcr arm64 additional tags
	for tag in ${{ join(matrix.versions.additional_tags, ' ') }}
	do
	./retag-and-push.sh ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-${{ matrix.target }}-linux-arm64-${{ github.sha }}\
	ghcr.io/${{ github.repository }}:${tag}${TARGET_TAG}-linux-arm64
	done

	# Assemble multi arch ECR manifests
	echo "Create ECR manifest ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}${TARGET_TAG}"
	docker manifest create ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}${TARGET_TAG} \
	--amend ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}${TARGET_TAG}-linux-arm64 \
	--amend ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}${TARGET_TAG}-linux-amd64
	docker manifest push ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}${TARGET_TAG}

	# Assemble multi arch ECR manifests for additional tags
	for tag in ${{ join(matrix.versions.additional_tags, ' ') }}
	do
	echo "Create manifest ${{ env.ECR_IMAGE }}:${tag}${TARGET_TAG}"
	docker manifest create ${{ env.ECR_IMAGE }}:${tag}${TARGET_TAG} \
	--amend ${{ env.ECR_IMAGE }}:${tag}${TARGET_TAG}-linux-arm64 \
	--amend ${{ env.ECR_IMAGE }}:${tag}${TARGET_TAG}-linux-amd64
	docker manifest push ${{ env.ECR_IMAGE }}:${tag}${TARGET_TAG}
	done

	# Assemble multi arch ghcr manifests
	echo "Create manifest ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}${TARGET_TAG}"
	docker manifest create ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}${TARGET_TAG} \
	--amend ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}${TARGET_TAG}-linux-arm64 \
	--amend ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}${TARGET_TAG}-linux-amd64
	docker manifest push ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}${TARGET_TAG}

	# Assemble multi arch ghcr manifests for additional tags
	for tag in ${{ join(matrix.versions.additional_tags, ' ') }}
	do
	echo "Create manifest ghcr.io/${{ github.repository }}:${tag}${TARGET_TAG}"
	docker manifest create ghcr.io/${{ github.repository }}:${tag}${TARGET_TAG} \
	--amend ghcr.io/${{ github.repository }}:${tag}${TARGET_TAG}-linux-arm64 \
	--amend ghcr.io/${{ github.repository }}:${tag}${TARGET_TAG}-linux-amd64
	docker manifest push ghcr.io/${{ github.repository }}:${tag}${TARGET_TAG}
	done

	security:
	name: Security scan
	needs: [ matrix, deploy ]
	runs-on: ubuntu-latest
	strategy:
	fail-fast: false
	matrix:
	target:
	- base
	- aws
	- gcp
	- azure
	platform:
	- linux/amd64
	- linux/arm64
	versions: ${{ fromJson(needs.matrix.outputs.matrix) }}
	steps:
	- name: Prepare
	env:
	TARGET_TAG: -${{ matrix.target }}
	run: \|
	platform=${{ matrix.platform }}
	echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
	if [[ "${TARGET_TAG}" == "-base" ]]; then
	TARGET_TAG=""
	fi
	echo "TARGET_TAG=${TARGET_TAG}" >> $GITHUB_ENV

	- name: Run Trivy vulnerability scanner for ${{ matrix.target }} image
	uses: aquasecurity/[email protected]
	with:
	image-ref: "ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}${{ env.TARGET_TAG }}-${{ env.PLATFORM_PAIR }}"
	format: "template"
	template: "@/contrib/sarif.tpl"
	output: "${{ matrix.target }}.sarif"
	severity: "CRITICAL,HIGH"
	env:
	TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db

	- name: Upload ${{ matrix.target }} image scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@v3
	with:
	category: ${{ matrix.target }}
	sarif_file: "${{ matrix.target }}.sarif"

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Build docker images #76

Workflow file

Build docker images #76

Jobs

Run details

Workflow file for this run