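# Reusable workflow: build a multi-arch container image, optionally push it to
# up to three registries, and keyless-sign the pushed digest with cosign.
#
# Inputs/secrets/outputs are the contract with caller workflows and are left
# unchanged. Review notes (security):
#   * Caller-supplied inputs are handed to shell steps through `env:` instead
#     of being spliced into the script text with `${{ }}`, so they can never be
#     interpreted as shell syntax.
#   * Checkouts no longer persist the GITHUB_TOKEN in `.git/config`; nothing
#     after checkout pushes or fetches, and the Docker build context is `.`,
#     so an unignored `.git` directory would otherwise carry the token into the
#     build context (whether it reaches a layer depends on `.dockerignore`).
name: Publish and Sign Container Image
on:
  workflow_call:
    inputs:
      go-version:
        required: true
        type: string
      quay_image_name:
        required: false
        type: string
      ghcr_image_name:
        required: false
        type: string
      docker_image_name:
        required: false
        type: string
      platforms:
        required: true
        type: string
        default: linux/amd64
      push:
        required: true
        type: boolean
        default: false
      target:
        required: false
        type: string

    secrets:
      quay_username:
        required: false
      quay_password:
        required: false
      ghcr_username:
        required: false
      ghcr_password:
        required: false
      docker_username:
        required: false
      docker_password:
        required: false

    outputs:
      image-digest:
        description: "sha256 digest of container image"
        value: ${{ jobs.publish.outputs.image-digest }}

# Deny everything at the workflow level; the job grants only what it needs.
permissions: {}

jobs:
  publish:
    permissions:
      contents: read
      packages: write # Used to push images to `ghcr.io` if used.
      id-token: write # Needed to create an OIDC token for keyless signing
    runs-on: ubuntu-22.04
    outputs:
      image-digest: ${{ steps.image.outputs.digest }}
    steps:
      # Tag builds need the full history so `git describe --exact-match --tags`
      # below can resolve the tag.
      - name: Checkout code
        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
          # No later step talks to the remote, so do not leave the token in
          # `.git/config` where the Docker build context could pick it up.
          persist-credentials: false
        if: ${{ github.ref_type == 'tag'}}

      - name: Checkout code
        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
        with:
          persist-credentials: false
        if: ${{ github.ref_type != 'tag'}}

      - name: Setup Golang
        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
        with:
          go-version: ${{ inputs.go-version }}

      - name: Install cosign
        uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0

      - uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0
      - uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0

      # Build the comma-separated `tags:` value for build-push-action from
      # whichever registry names the caller supplied. Unset inputs expand to
      # empty strings and are dropped by the unquoted word split.
      - name: Setup tags for container image as a CSV type
        env:
          QUAY_IMAGE_NAME: ${{ inputs.quay_image_name }}
          GHCR_IMAGE_NAME: ${{ inputs.ghcr_image_name }}
          DOCKER_IMAGE_NAME: ${{ inputs.docker_image_name }}
        run: |
          IMAGE_TAGS=""
          for image in $QUAY_IMAGE_NAME $GHCR_IMAGE_NAME $DOCKER_IMAGE_NAME; do
            IMAGE_TAGS="${IMAGE_TAGS:+${IMAGE_TAGS},}${image}"
          done

          echo "$IMAGE_TAGS"
          echo "TAGS=${IMAGE_TAGS}" >> "$GITHUB_ENV"

      # cosign signs `<repository>@<digest>`, so strip the `:tag` suffix from
      # each name. `${image%:*}` removes only the last colon-segment, which
      # also keeps a `host:port/` registry prefix intact (assumes every input
      # carries a `:tag`, as the callers of this workflow do).
      - name: Setup image namespace for signing, strip off the tag
        env:
          QUAY_IMAGE_NAME: ${{ inputs.quay_image_name }}
          GHCR_IMAGE_NAME: ${{ inputs.ghcr_image_name }}
          DOCKER_IMAGE_NAME: ${{ inputs.docker_image_name }}
        run: |
          SIGNING_TAGS=""
          for image in $QUAY_IMAGE_NAME $GHCR_IMAGE_NAME $DOCKER_IMAGE_NAME; do
            SIGNING_TAGS="${SIGNING_TAGS:+${SIGNING_TAGS} }${image%:*}"
          done

          echo "$SIGNING_TAGS"
          {
            echo 'SIGNING_TAGS<<EOF'
            echo "$SIGNING_TAGS"
            echo 'EOF'
          } >> "$GITHUB_ENV"

      # Registry logins only happen when there is something to push there.
      - name: Login to Quay.io
        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
        with:
          registry: quay.io
          username: ${{ secrets.quay_username }}
          password: ${{ secrets.quay_password }}
        if: ${{ inputs.quay_image_name && inputs.push }}

      - name: Login to GitHub Container Registry
        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
        with:
          registry: ghcr.io
          username: ${{ secrets.ghcr_username }}
          password: ${{ secrets.ghcr_password }}
        if: ${{ inputs.ghcr_image_name && inputs.push }}

      - name: Login to dockerhub Container Registry
        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
        with:
          username: ${{ secrets.docker_username }}
          password: ${{ secrets.docker_password }}
        if: ${{ inputs.docker_image_name && inputs.push }}

      # Version metadata baked into the image. GIT_TAG is only set when the
      # tree is clean AND HEAD sits exactly on a tag; `|| true` keeps the
      # `bash -e` step alive when `git describe --exact-match` finds no tag.
      - name: Set up build args for container image
        run: |
          if [ -z "$(git status --porcelain)" ]; then
            GIT_TREE_STATE=clean
            GIT_TAG=$(git describe --exact-match --tags HEAD 2>/dev/null || true)
          else
            GIT_TREE_STATE=dirty
            GIT_TAG=""
          fi
          {
            echo "GIT_TAG=${GIT_TAG}"
            echo "GIT_COMMIT=$(git rev-parse HEAD)"
            echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
            echo "GIT_TREE_STATE=${GIT_TREE_STATE}"
          } >> "$GITHUB_ENV"

      # SHA-pinned like the other actions, but the pin is not annotated with
      # the upstream tag it corresponds to; record it when next bumped.
      - name: Free Disk Space (Ubuntu)
        uses: jlumbroso/free-disk-space@4d9e71b726748f254fe64fa44d273194bd18ec91
        with:
          large-packages: false
          docker-images: false
          swap-storage: false
          tool-cache: false

      - name: Build and push container image
        id: image
        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 #v5.1.0
        with:
          context: .
          platforms: ${{ inputs.platforms }}
          push: ${{ inputs.push }}
          tags: ${{ env.TAGS }}
          target: ${{ inputs.target }}
          # Buildx provenance/SBOM attestations are disabled, so the only
          # supply-chain artifact for this image is the cosign signature
          # below; consumers wanting SLSA provenance must obtain it elsewhere.
          provenance: false
          sbom: false
          build-args: |
            GIT_TAG=${{env.GIT_TAG}}
            GIT_COMMIT=${{env.GIT_COMMIT}}
            BUILD_DATE=${{env.BUILD_DATE}}
            GIT_TREE_STATE=${{env.GIT_TREE_STATE}}

      # Keyless signing: the OIDC identity of this workflow run is what a
      # verifier should pin (`--certificate-identity` / `--certificate-oidc-issuer`).
      # The `-a` annotations are signed claims inside the payload but are not
      # validated by cosign; do not treat them as a trust decision on their own.
      # `-y` answers the transparency-log upload prompt non-interactively.
      - name: Sign container images
        env:
          IMAGE_DIGEST: ${{ steps.image.outputs.digest }}
        run: |
          if [ -z "$IMAGE_DIGEST" ]; then
            echo "::error::build step produced no image digest; nothing to sign"
            exit 1
          fi
          for signing_tag in $SIGNING_TAGS; do
            cosign sign \
              -a "repo=${GITHUB_REPOSITORY}" \
              -a "workflow=${GITHUB_WORKFLOW}" \
              -a "sha=${GITHUB_SHA}" \
              -y \
              "${signing_tag}@${IMAGE_DIGEST}"
          done
        if: ${{ inputs.push }}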