Build UBI Rust Builders (attempt #1) #432
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: Build UBI Rust Builders | |
| run-name: | | |
| Build UBI Rust Builders (attempt #${{ github.run_attempt }}) | |
| on: | |
| push: | |
| branches: | |
| - main | |
| schedule: | |
| - cron: '30 4 * * *' | |
| workflow_dispatch: | |
| jobs: | |
| build: | |
| permissions: | |
| id-token: write | |
| strategy: | |
| matrix: | |
| runner: ["ubuntu-latest", "ubicloud-standard-8-arm"] | |
| ubi-version: ["ubi8", "ubi9"] | |
| runs-on: ${{ matrix.runner }} | |
| steps: | |
| - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| - name: Login to Stackable Harbor | |
| uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
| with: | |
| registry: oci.stackable.tech | |
| username: robot$sdp+github-action-build | |
| password: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} | |
| - name: Set up Cosign | |
| uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0 | |
| - name: Determine Architecture | |
| run: | | |
| echo "TAG=$(git rev-parse --short HEAD)-$(arch)" >> "$GITHUB_ENV" | |
| - name: Build and push | |
| id: build-and-push | |
| uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0 | |
| with: | |
| context: . | |
| file: ./${{ matrix.ubi-version }}-rust-builder/Dockerfile | |
| push: true | |
| tags: oci.stackable.tech/sdp/${{ matrix.ubi-version }}-rust-builder:${{ env.TAG }} | |
| - name: Sign the published builder image | |
| shell: bash | |
| run: | | |
| # Refer to image via its digest (oci.stackable.tech/sdp/airflow@sha256:0a1b2c...) | |
| # This generates a signature and publishes it to the registry, next to the image | |
| # Uses the keyless signing flow with Github Actions as identity provider | |
| cosign sign -y "oci.stackable.tech/sdp/${{ matrix.ubi-version }}-rust-builder@${{ steps.build-and-push.outputs.digest }}" | |
| create_manifest: | |
| permissions: | |
| id-token: write | |
| strategy: | |
| matrix: | |
| ubi-version: ["ubi8", "ubi9"] | |
| runs-on: ubuntu-latest | |
| needs: ["build"] | |
| steps: | |
| - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| - name: Login to Stackable Harbor | |
| uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
| with: | |
| registry: oci.stackable.tech | |
| username: robot$sdp+github-action-build | |
| password: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} | |
| - name: Set up Cosign | |
| uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0 | |
| - name: Build Manifest List | |
| shell: bash | |
| run: | | |
| COMMIT_ID=$(git rev-parse --short HEAD) | |
| MANIFEST_LIST_NAME=oci.stackable.tech/sdp/${{ matrix.ubi-version }}-rust-builder | |
| docker manifest create "$MANIFEST_LIST_NAME:latest" "$MANIFEST_LIST_NAME:$COMMIT_ID-x86_64" "$MANIFEST_LIST_NAME:$COMMIT_ID-aarch64" | |
| # `docker manifest push` directly returns the digest of the manifest list | |
| # As it is an experimental feature, this might change in the future | |
| # Further reading: https://docs.docker.com/reference/cli/docker/manifest/push/ | |
| DIGEST=$(docker manifest push "$MANIFEST_LIST_NAME:latest") | |
| # Refer to image via its digest (oci.stackable.tech/sdp/airflow@sha256:0a1b2c...) | |
| # This generates a signature and publishes it to the registry, next to the image | |
| # Uses the keyless signing flow with Github Actions as identity provider | |
| cosign sign -y "$MANIFEST_LIST_NAME@$DIGEST" | |
| notify: | |
| name: Failure Notification | |
| needs: [build, create_manifest] | |
| runs-on: ubuntu-latest | |
| if: failure() | |
| steps: | |
| - uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0 | |
| with: | |
| channel-id: "C07UG6JH44F" # notifications-container-images | |
| payload: | | |
| { | |
| "text": "*${{ github.workflow }}* failed (attempt ${{ github.run_attempt }})", | |
| "attachments": [ | |
| { | |
| "pretext": "See the details below for a summary of which job(s) failed.", | |
| "color": "#aa0000", | |
| "fields": [ | |
| { | |
| "title": "Build", | |
| "short": true, | |
| "value": "${{ needs.build.result }}" | |
| }, | |
| { | |
| "title": "Create Manifest", | |
| "short": true, | |
| "value": "${{ needs.create_manifest.result }}" | |
| } | |
| ], | |
| "actions": [ | |
| { | |
| "type": "button", | |
| "text": "Go to workflow run", | |
| "url": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}/attempts/${{ github.run_attempt }}" | |
| } | |
| ] | |
| } | |
| ] | |
| } | |
| env: | |
| SLACK_BOT_TOKEN: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }} |