Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

update image patching to use new workflows #5497

Merged
merged 6 commits into from
May 3, 2024
Merged
Show file tree
Hide file tree
Changes from 4 commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
57 changes: 57 additions & 0 deletions .github/actions/certify-openshift-image/action.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,57 @@
name: Certify Openshift Image
description: This action with attempt to certify an image for use in Openshift
pdabelf5 marked this conversation as resolved.
Show resolved Hide resolved

inputs:
image:
description: The image manifest to certify in the format <registry>/<repository>:<tag>
required: true
project_id:
description: The certification project id
required: true
pyxis_token:
description: The Pyxis API Token
required: true
preflight_version:
description: The version of the preflight utility to install
required: false
default: 1.9.1
platforms:
description: A comma separated list of architectures in the image manifest to certify
required: false
default: ""

outputs:
result:
description: Did the certification succeed?
value: ${{ steps.result.outputs.result == 0 && true || false }}

runs:
using: composite
steps:
- name: Install openshift-preflight
run: |
curl -fsSL https://github.com/redhat-openshift-ecosystem/openshift-preflight/releases/download/${{ inputs.preflight_version }}/preflight-linux-amd64 --output preflight
chmod +x preflight
shell: bash

- name: Certify Images
id: result
run: |
result=0
if [ -z "${{ inputs.platforms }}" ]; then
# list of platforms passed
IFS=',' read -ra arch_list <<< "${{ inputs.platforms }}"
for arch in "${arch_list[@]}"; do
architecture=("${arch#*/}")
./preflight check container ${{ inputs.image }} --pyxis-api-token ${{ inputs.pyxis_token }} --certification-project-id ${{ inputs.project_id }} --platform $architecture --submit
if [ $? -ne 0 ]; then
result=1
fi
done
else
# no platforms passed, this is either a manifest or a single platform image
./preflight check container ${{ inputs.image }} --pyxis-api-token ${{ inputs.pyxis_token }} --certification-project-id ${{ inputs.project_id }} --submit
result=$?
fi
echo "result=$result" >> $GITHUB_OUTPUT
shell: bash
84 changes: 84 additions & 0 deletions .github/workflows/patch-image.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,84 @@
name: Patch Docker Image

on:
workflow_call:
inputs:
image:
description: The image name to patch
required: true
type: string
target_image:
description: The target name of the patched image
required: true
type: string
tag:
description: The image tag to patch
required: true
type: string
target_tag:
description: The target tag of the patched image
required: true
type: string
ic_version:
description: The IC version to label
required: true
type: string
platforms:
description: The platforms to patch
required: true
type: string

defaults:
run:
shell: bash

permissions:
contents: read

jobs:
patch-image:
name: Patch image
runs-on: ubuntu-22.04
permissions:
contents: read
id-token: write
steps:
- name: Checkout Repository
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2

- name: Docker Buildx
uses: docker/setup-buildx-action@2b51285047da1547ffb1b2203d8be4c0af6b1f20 # v3.2.0

- name: Setup QEMU
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
with:
platforms: arm,arm64,ppc64le,s390x

- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@55bd3a7c6e2ae7cf1877fd1ccb9d54c0503c457c # v2.1.2
with:
token_format: access_token
workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}

- name: Login to GCR
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
with:
registry: gcr.io
username: oauth2accesstoken
password: ${{ steps.auth.outputs.access_token }}

- name: Apply OS patches to Container
uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
with:
file: build/Dockerfile
context: "."
target: patched
tags: "${{ inputs.target_image }}:${{ inputs.target_tag }}"
platforms: ${{ inputs.platforms }}
pull: true
push: true
build-args: |
IMAGE_NAME=${{ inputs.image }}:${{ inputs.tag }}
IC_VERSION=${{ inputs.ic_version }}
Loading
Loading