This repository has been archived by the owner on Aug 25, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 138
96 lines (92 loc) · 4 KB
/
build_images_containers.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
# References:
# - https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#onworkflow_call
# - https://docs.github.com/en/actions/using-workflows/reusing-workflows
# - https://github.com/slsa-framework/slsa/blob/main/docs/get-started.md
# - https://github.com/slsa-framework/github-actions-demo
# - https://github.blog/2022-04-07-slsa-3-compliance-with-github-actions/
# - https://docs.github.com/en/actions/learn-github-actions/expressions#fromjson
# - https://stackoverflow.com/questions/66381595/trying-to-parse-json-output-in-a-github-action
# - https://github.com/GoogleContainerTools/kaniko#kaniko-build-contexts
# - Git Repository
# - https://github.com/GoogleContainerTools/kaniko#debug-image
# - `$ docker run -it --entrypoint=/busybox/sh gcr.io/kaniko-project/executor:debug`
#
# Example usage:
#
# inputs.json
#
# {
# "manifests": "[{\"image_name\": \"dffml-base\", \"dockerfile\": \"Dockerfile\", \"branch\": \"alice\", \"commit\": \"9a0d2311bc9c8925e9387efc6f999c0434989015\"}]",
# }
#
# Enable SSO on token
#
# $ export GH_ACCESS_TOKEN=$(grep oauth_token < ~/.config/gh/hosts.yml | sed -e 's/ oauth_token: //g')
#
# Dispatch the workflow via curl
#
# $ curl -v -X POST \
# -H "Accept: application/vnd.github.v3+json" \
# -H "Authorization: token $GH_ACCESS_TOKEN" \
# https://api.github.com/repos/intel/dffml/actions/workflows/dispatch_build_images_containers.yml/dispatches \
# -d "$(echo '[{"branch": "main", "commit": "1a4d03b5bb5ecbc343430b6e725250cee24ccd21", "image_name": "dffml-base", "dockerfile": "Dockerfile"}]' | python -c 'import pathlib, json, sys; print(json.dumps({"ref": "main", "inputs": {"manifests": sys.stdin.read().strip()}}))')"
#
# Get the run id of the last dispatched workflow
#
# $ gh run list -w dispatch_build_images_containers.yml -L 1 | grep workflow_dispatch | awk '{print $(NF-2)}'
# 3293874395
#
# Watch the workflow run
#
# $ gh run watch --exit-status $(gh run list -w dispatch_build_images_containers.yml -L 1 | grep workflow_dispatch | awk '{print $(NF-2)}')
#
# In the event of a failure
#
# $ gh run view --exit-status --log $(gh run list -w dispatch_build_images_containers.yml -L 1 | grep workflow_dispatch | awk '{print $(NF-2)}')
#
name: "Build: Images: Containers (Reusable)"
on:
workflow_call:
inputs:
manifests:
required: true
type: string
description: 'https://github.com/intel/dffml/tree/main/schema/dffml/image/container/build/0.0.1.schema.json'
permissions:
contents: read
jobs:
build:
name: Build container images
runs-on: ubuntu-latest
strategy:
fail-fast: false
max-parallel: 40
matrix: ${{ fromJSON(inputs.manifests) }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
with:
egress-policy: audit
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
repository: '${{ github.repository }}'
ref: '${{ matrix.commit }}'
persist-credentials: false
fetch-depth: 1
lfs: true
submodules: true
- name: Install dependencies
run: |
set -x
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
sudo apt-get update && sudo apt-get install -y docker-ce docker-ce-cli containerd.io
- name: Build image
env:
IMAGE_NAME: "${{ matrix.image_name }}"
DOCKERFILE: "${{ matrix.dockerfile }}"
BUILD_ARGS: "${{ matrix.build_args }}"
run: |
export BUILD_ARGS=$(jq -r <<<"${BUILD_ARGS}" | jq -r '.[] | ("--build-arg \"" + .[0] + "=" + .[1] + "\"")')
docker build --build-arg DFFML_RELEASE=main $BUILD_ARGS -t "${IMAGE_NAME}" -f "${DOCKERFILE}" .
# TODO Communicate built container hash for SLSA3 cosign send to transparency log