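# Reusable workflow (`workflow_call`): build a multi-platform container image,
# optionally push it to one or more registries (quay.io, ghcr.io, Docker Hub),
# and sign the pushed image by digest with cosign (Sigstore keyless signing
# using the job's OIDC token). Callers reference it with `uses:`.
#
# Inputs:  go-version (required), platforms (required), push (required bool),
#          quay_image_name / ghcr_image_name / docker_image_name (optional,
#          full `registry/repo:tag` strings; unset names are skipped),
#          target (optional Dockerfile build target).
# Secrets: per-registry username/password pairs, all optional; only the ones
#          for registries that are actually pushed to are used.
# Output:  image-digest - the sha256 digest reported by the build step.
#
# Security notes for maintainers:
#   * Caller-controlled text (the image-name inputs, `github.workflow`) is
#     handed to shell steps through `env:` rather than substituted into the
#     script with `${{ }}`, so a crafted value cannot change the script text.
#   * Every action is pinned to a full commit SHA; keep it that way.
#   * Images are signed as `<repo>@<digest>`, never by tag, so a later push to
#     the same tag does not inherit the signature.
#   * BuildKit provenance/SBOM attestations are disabled on the build step; the
#     cosign signature is the only verifiable artifact this workflow produces.
name: Publish and Sign Container Image
on:
  workflow_call:
    inputs:
      go-version:
        required: true
        type: string
      quay_image_name:
        required: false
        type: string
      ghcr_image_name:
        required: false
        type: string
      docker_image_name:
        required: false
        type: string
      platforms:
        required: true
        type: string
      push:
        required: true
        type: boolean
      target:
        required: false
        type: string

    secrets:
      quay_username:
        required: false
      quay_password:
        required: false
      ghcr_username:
        required: false
      ghcr_password:
        required: false
      docker_username:
        required: false
      docker_password:
        required: false

    outputs:
      image-digest:
        description: "sha256 digest of container image"
        value: ${{ jobs.publish.outputs.image-digest }}

# Default-deny at the workflow level; the job below grants only what it needs.
permissions: {}

jobs:
  publish:
    permissions:
      contents: read
      packages: write  # Used to push images to `ghcr.io` if used.
      id-token: write  # Needed to create an OIDC token for keyless signing
    runs-on: ubuntu-22.04
    outputs:
      image-digest: ${{ steps.image.outputs.digest }}
    steps:
      # Tag builds fetch the full history so that `git describe --exact-match
      # --tags HEAD` (build-args step below) can resolve the release tag.
      - name: Checkout code
        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
        if: ${{ github.ref_type == 'tag'}}

      # Non-tag builds use the default shallow checkout; GIT_TAG is then
      # typically empty because HEAD is not exactly on a tag.
      - name: Checkout code
        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
        if: ${{ github.ref_type != 'tag'}}

      - name: Setup Golang
        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version: ${{ inputs.go-version }}
          cache: false

      - name: Install cosign
        uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0

      - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
      - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

      # Build the comma-separated `tags:` value for build-push-action from
      # whichever image names the caller supplied. The names are
      # caller-controlled, so they reach the shell via `env:`, not `${{ }}`.
      - name: Setup tags for container image as a CSV type
        env:
          QUAY_IMAGE_NAME: ${{ inputs.quay_image_name }}
          GHCR_IMAGE_NAME: ${{ inputs.ghcr_image_name }}
          DOCKER_IMAGE_NAME: ${{ inputs.docker_image_name }}
        run: |
          # Deliberately unquoted: an unset input expands to nothing and drops
          # out of the list instead of producing an empty tag.
          IMAGE_TAGS=$(for str in \
            $QUAY_IMAGE_NAME \
            $GHCR_IMAGE_NAME \
            $DOCKER_IMAGE_NAME; do
            echo -n "${str}",;done | sed 's/,$//')

          echo "$IMAGE_TAGS"
          echo "TAGS=$IMAGE_TAGS" >> "$GITHUB_ENV"

      # Derive the `registry/repo` part of each image name (tag stripped) for
      # signing; cosign signs `<repo>@<digest>`, not a tag.
      # NOTE(review): `awk -F ":"` cuts at the FIRST colon, so an image name
      # whose registry host carries a port (host:5000/repo:tag) would be
      # truncated to the host. Current callers use public registries without
      # ports; revisit if that changes.
      - name: Setup image namespace for signing, strip off the tag
        env:
          QUAY_IMAGE_NAME: ${{ inputs.quay_image_name }}
          GHCR_IMAGE_NAME: ${{ inputs.ghcr_image_name }}
          DOCKER_IMAGE_NAME: ${{ inputs.docker_image_name }}
        run: |
          # Unquoted on purpose, see the previous step.
          TAGS=$(for tag in \
            $QUAY_IMAGE_NAME \
            $GHCR_IMAGE_NAME \
            $DOCKER_IMAGE_NAME; do
            echo -n "${tag}" | awk -F ":" '{print $1}' -;done)

          echo "$TAGS"
          # Heredoc form for a (potentially) multi-line env value. `$TAGS` is
          # echoed unquoted so the per-line awk output collapses to one
          # whitespace-separated line, which the signing step splits again.
          echo 'SIGNING_TAGS<<EOF' >> "$GITHUB_ENV"
          echo $TAGS >> "$GITHUB_ENV"
          echo 'EOF' >> "$GITHUB_ENV"

      # Registry logins run only when an image name for that registry was given
      # AND the build is going to push. Credentials are caller-supplied secrets.
      - name: Login to Quay.io
        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
        with:
          registry: quay.io
          username: ${{ secrets.quay_username }}
          password: ${{ secrets.quay_password }}
        if: ${{ inputs.quay_image_name && inputs.push }}

      - name: Login to GitHub Container Registry
        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
        with:
          registry: ghcr.io
          username: ${{ secrets.ghcr_username }}
          password: ${{ secrets.ghcr_password }}
        if: ${{ inputs.ghcr_image_name && inputs.push }}

      # No `registry:` given, so login-action targets Docker Hub.
      - name: Login to dockerhub Container Registry
        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
        with:
          username: ${{ secrets.docker_username }}
          password: ${{ secrets.docker_password }}
        if: ${{ inputs.docker_image_name && inputs.push }}

      # Version metadata baked into the image via build-args. GIT_TAG is only
      # set when the working tree is clean and HEAD is exactly on a tag.
      - name: Set up build args for container image
        run: |
          echo "GIT_TAG=$(if [ -z "`git status --porcelain`" ]; then git describe --exact-match --tags HEAD 2>/dev/null; fi)" >> "$GITHUB_ENV"
          echo "GIT_COMMIT=$(git rev-parse HEAD)" >> "$GITHUB_ENV"
          echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> "$GITHUB_ENV"
          echo "GIT_TREE_STATE=$(if [ -z "`git status --porcelain`" ]; then echo "clean" ; else echo "dirty"; fi)" >> "$GITHUB_ENV"

      # Pinned to a commit SHA (no release tag recorded alongside it); keep the
      # pin when bumping. Docker images and the tool cache are left in place.
      - name: Free Disk Space (Ubuntu)
        uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be
        with:
          large-packages: false
          docker-images: false
          swap-storage: false
          tool-cache: false

      # Multi-platform build; `push` decides whether the result is uploaded.
      # `provenance: false` / `sbom: false` turn off BuildKit's attestations:
      # the pushed artifact carries no SLSA provenance or SBOM, only the cosign
      # signature attached in the next step. (Why they are disabled is not
      # recorded here - presumably to keep the manifest list plain; confirm
      # before changing.)
      - name: Build and push container image
        id: image
        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 #v6.18.0
        with:
          context: .
          platforms: ${{ inputs.platforms }}
          push: ${{ inputs.push }}
          tags: ${{ env.TAGS }}
          target: ${{ inputs.target }}
          provenance: false
          sbom: false
          build-args: |
            GIT_TAG=${{env.GIT_TAG}}
            GIT_COMMIT=${{env.GIT_COMMIT}}
            BUILD_DATE=${{env.BUILD_DATE}}
            GIT_TREE_STATE=${{env.GIT_TREE_STATE}}

      # Keyless (Sigstore) signing of the pushed image, by digest, once per
      # registry repository it was pushed to. The OIDC token comes from
      # `id-token: write` above; `-y` skips cosign's confirmation prompt for
      # non-interactive CI. Annotations are passed via `env:` because
      # `github.workflow` is free text from the calling workflow.
      - name: Sign container images
        env:
          REPO: ${{ github.repository }}
          WORKFLOW: ${{ github.workflow }}
          SHA: ${{ github.sha }}
          DIGEST: ${{ steps.image.outputs.digest }}
        run: |
          # Fail loudly rather than attempting to sign an empty reference.
          if [ -z "${DIGEST}" ]; then
            echo "build step produced no image digest; refusing to sign" >&2
            exit 1
          fi
          for signing_tag in $SIGNING_TAGS; do
            cosign sign \
              -a "repo=${REPO}" \
              -a "workflow=${WORKFLOW}" \
              -a "sha=${SHA}" \
              -y \
              "${signing_tag}@${DIGEST}"
          done
        if: ${{ inputs.push }}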