mirror.yaml
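---
# Manually dispatched workflow that copies an upstream container image into
# oci.stackable.tech under the sdp/ project:
#   1. mirror-image: pull the upstream tag once per architecture and publish
#      it as <tag>-<arch>.
#   2. publish_manifests: publish and sign the image index manifest for <tag>.
#   3. notify: post to Slack if either job failed.
#
# NOTE(review): the upstream image is selected by a mutable tag. No digest pin
# or upstream signature check is visible in this file, so the signature added
# in publish_manifests vouches for "what was mirrored at run time", not for
# upstream provenance. Each matrix job and each re-run attempt resolves the tag
# again. Verification may happen inside the publish actions - confirm.
name: Mirror Container Image
run-name: |
  Mirror Container Image (${{ inputs.image-repository-uri }}:${{ inputs.image-index-manifest-tag }}, attempt #${{ github.run_attempt }})

on:
  workflow_dispatch:
    inputs:
      # Allow-list of upstream repositories; a new source has to be added here
      # (and reviewed) before it can be mirrored.
      image-repository-uri:
        description: |
          The image repository URI, like registry.k8s.io/git-sync/git-sync
        type: choice
        options:
          - registry.k8s.io/sig-storage/csi-node-driver-registrar
          - registry.k8s.io/sig-storage/csi-provisioner
          - registry.k8s.io/git-sync/git-sync
          - registry-1.docker.io/library/golang
      # Free-form text supplied by whoever dispatches the run. It is only ever
      # handed to shell via an environment variable below, never expanded
      # inline into a script.
      image-index-manifest-tag:
        description: |
          The image index manifest tag, like 1.0.14 or v1.0.14
        type: string
        required: true

jobs:
  mirror-image:
    # even though we are dealing with multi-arch images, we can do all
    # operations from one arch.
    name: Mirror image (${{ matrix.arch }})
    runs-on: ubuntu-latest
    # Listing any permission sets every unlisted GITHUB_TOKEN scope to none,
    # so this job only gets the ability to request an OIDC token.
    # Presumably consumed by the publish action - confirm.
    permissions:
      id-token: write
    strategy:
      fail-fast: false
      matrix:
        arch:
          - amd64
          - arm64
    steps:
      # Third-party actions are pinned to a full commit SHA; the trailing
      # comment records the tag that SHA corresponded to when it was pinned.
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          # Do not leave the job token in the checked-out repo's git config.
          persist-credentials: false

      - name: Pull container image
        shell: bash
        # Every expression is passed through the environment so that the
        # script text itself is constant; the shell only sees quoted variables.
        env:
          IMAGE_ARCH: ${{ matrix.arch }}
          IMAGE_INDEX_MANIFEST_TAG: ${{ inputs.image-index-manifest-tag }}
          IMAGE_REPOSITORY_URI: ${{ inputs.image-repository-uri }}
        run: |
          docker pull \
            --quiet \
            --platform "$IMAGE_ARCH" \
            "$IMAGE_REPOSITORY_URI:$IMAGE_INDEX_MANIFEST_TAG"

      - name: Extract Repo Name
        env:
          IMAGE_REPOSITORY_URI: ${{ inputs.image-repository-uri }}
        # Exports IMAGE_REPOSITORY to later steps via $GITHUB_ENV.
        # NOTE(review): the script's output is written to $GITHUB_ENV as-is.
        # The input comes from the choice list above; if it ever becomes
        # free-form, make sure the script cannot emit newlines.
        run: |
          echo "IMAGE_REPOSITORY=$(.scripts/get_repo_name.sh)" | tee -a "$GITHUB_ENV"

      - name: Publish Container Image on oci.stackable.tech
        uses: stackabletech/actions/publish-image@7fb064db885e006f6a9eeff69c7cd5ff5dea68bc # v0.13.0
        with:
          image-registry-uri: oci.stackable.tech
          image-registry-username: robot$sdp+github-action-build
          image-registry-password: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }}
          image-repository: ${{ format('sdp/{0}', env.IMAGE_REPOSITORY) }}
          image-manifest-tag: ${{ format('{0}-{1}', inputs.image-index-manifest-tag, matrix.arch) }}
          source-image-uri: ${{ format('{0}:{1}', inputs.image-repository-uri, inputs.image-index-manifest-tag) }}

  publish_manifests:
    name: Build/Publish Image Index Manifest
    # Runs only after every matrix leg of mirror-image has succeeded.
    needs: [mirror-image]
    # OIDC token only; all other GITHUB_TOKEN scopes are none.
    # Presumably used by the signing step - confirm.
    permissions:
      id-token: write
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

      - name: Extract Repo Name
        env:
          IMAGE_REPOSITORY_URI: ${{ inputs.image-repository-uri }}
        run: |
          echo "IMAGE_REPOSITORY=$(.scripts/get_repo_name.sh)" | tee -a "$GITHUB_ENV"

      - name: Publish and Sign Image Index Manifest to oci.stackable.tech
        uses: stackabletech/actions/publish-image-index-manifest@7fb064db885e006f6a9eeff69c7cd5ff5dea68bc # v0.13.0
        with:
          image-registry-uri: oci.stackable.tech
          image-registry-username: robot$sdp+github-action-build
          image-registry-password: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }}
          image-repository: ${{ format('sdp/{0}', env.IMAGE_REPOSITORY) }}
          image-index-manifest-tag: ${{ inputs.image-index-manifest-tag }}

  # NOTE (@Techassi) It is currently not possible to use our own action here, because the inputs
  # assume it is used to report on image build results, not mirror results. The action needs to be
  # adjusted to support other use-cases.
  notify:
    name: Failure Notification
    needs: [mirror-image, publish_manifests]
    runs-on: ubuntu-latest
    # This job only posts to Slack with its own bot token, so it gets no
    # GITHUB_TOKEN scopes instead of inheriting the repository default.
    permissions: {}
    if: failure()
    steps:
      - uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0
        with:
          channel-id: "C07UG6JH44F" # notifications-container-images
          # Only workflow metadata and job results go into the payload; no
          # dispatch input is interpolated into the JSON.
          payload: |
            {
              "text": "*${{ github.workflow }}* failed (attempt ${{ github.run_attempt }})",
              "attachments": [
                {
                  "pretext": "See the details below for a summary of which job(s) failed.",
                  "color": "#aa0000",
                  "fields": [
                    {
                      "title": "Mirror Image",
                      "short": true,
                      "value": "${{ needs.mirror-image.result }}"
                    },
                    {
                      "title": "Build/Publish Manifests",
                      "short": true,
                      "value": "${{ needs.publish_manifests.result }}"
                    }
                  ],
                  "actions": [
                    {
                      "type": "button",
                      "text": "Go to workflow run",
                      "url": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}/attempts/${{ github.run_attempt }}"
                    }
                  ]
                }
              ]
            }
        env:
          SLACK_BOT_TOKEN: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }}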