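name: Controller container image build and tag
on:
  push:
    branches:
      - 'main'
    tags:
      - 'v*'
    paths-ignore:
      - 'LICENSE*'
      - '**.gitignore'
      - '**.md'
      - '**.txt'
      - '.github/ISSUE_TEMPLATE/**'
      - '.github/dependabot.yml'
      - 'docs/**'
# Top-level token is read-only (OpenSSF Scorecard Token-Permissions check);
# the single job below widens only the scopes it actually needs.
permissions:
  contents: read
env:
  IMG_REGISTRY: ghcr.io
  IMG_ORG: kubeflow
  IMG_REPO: model-registry/controller
  PLATFORMS: linux/arm64,linux/amd64
  # Registry credentials are deliberately NOT exported at workflow level.
  # A workflow-level env is inherited by every step, including third-party
  # actions, so GITHUB_TOKEN is handed only to the login step below.
jobs:
  build-controller-image:
    runs-on: ubuntu-latest
    permissions:
      actions: read # anchore/sbom-action for syft
      # anchore/sbom-action for syft. TODO(review): confirm this write scope is
      # still required on a push trigger (there is no release to attach assets to).
      contents: write
      packages: write # push the image to ghcr.io
      id-token: write # cosign keyless signing via Sigstore OIDC
    steps:
      # Assign BUILD_CONTEXT for the two trigger shapes this workflow accepts
      # (tag push vs. push to main); the later `if: env.BUILD_CONTEXT == ...`
      # guards rely on exactly one of these having matched.
      - name: Assigning tag context
        if: github.head_ref == '' && startsWith(github.ref, 'refs/tags/v')
        run: echo "BUILD_CONTEXT=tag" >> "$GITHUB_ENV"
      - name: Assigning main context
        if: github.head_ref == '' && github.ref == 'refs/heads/main'
        run: echo "BUILD_CONTEXT=main" >> "$GITHUB_ENV"
      # NOTE(review): every action in this job is referenced by a mutable major
      # tag. Pin each `uses:` to a full commit SHA (Scorecard Pinned-Dependencies)
      # so a re-tagged action cannot run arbitrary code with this job's
      # packages: write / id-token: write token.
      - uses: actions/checkout@v6
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      # Set image version. Context values are passed to the shell through step
      # `env:` instead of `${{ }}` interpolation inside `run:`, so a ref name
      # containing shell metacharacters (git allows `$`, `;`, backticks, ...)
      # cannot turn into command execution.
      - name: Set main-branch environment
        if: env.BUILD_CONTEXT == 'main'
        env:
          COMMIT_SHA: ${{ github.event.after }}
        run: |
          # VERSION = main-<first 7 chars of the pushed commit SHA>
          echo "VERSION=main-${COMMIT_SHA:0:7}" >> "$GITHUB_ENV"
      - name: Set tag environment
        if: env.BUILD_CONTEXT == 'tag'
        env:
          REF_NAME: ${{ github.ref_name }}
        run: |
          # VERSION = the pushed tag name (e.g. v1.2.3)
          echo "VERSION=${REF_NAME}" >> "$GITHUB_ENV"
      # docker login: credentials are scoped to this one step.
      - name: Log in to the Container registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.IMG_REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: "${{ env.IMG_REGISTRY }}/${{ env.IMG_ORG }}/${{ env.IMG_REPO }}"
          tags: |
            type=raw,value=${{ env.VERSION }}
            type=raw,value=latest,enable=${{ env.BUILD_CONTEXT == 'main' }}
            type=raw,value=main,enable=${{ env.BUILD_CONTEXT == 'main' }}
      - name: Build and push Docker image
        id: build-push
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./cmd/controller/Dockerfile.controller
          platforms: ${{ env.PLATFORMS }}
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          provenance: mode=max
      # Pin the exact artifact that was pushed: signature, SBOM and attestation
      # below all reference the image by digest, never by a (mutable) tag.
      - name: Resolve pushed image digest
        env:
          DIGEST: ${{ steps.build-push.outputs.digest }}
        run: |
          if [ -z "${DIGEST}" ]; then
            echo "build-push produced no digest; refusing to sign an unknown artifact" >&2
            exit 1
          fi
          echo "IMAGE_REF=${IMG_REGISTRY}/${IMG_ORG}/${IMG_REPO}@${DIGEST}" >> "$GITHUB_ENV"
          echo "SBOM_FILE=controller-${VERSION}-sbom.spdx.json" >> "$GITHUB_ENV"
      - name: Install Cosign
        uses: sigstore/cosign-installer@v3
      # Keyless signature over the pushed digest. NOTE(review): for a multi-arch
      # image this signs the index digest only; per-platform manifests are not
      # signed unless `--recursive` is added — confirm against the verifying policy.
      - name: Sign image with cosign
        run: cosign sign --yes "${IMAGE_REF}"
      - name: Generate SBOM
        uses: anchore/sbom-action@v0
        with:
          image: ${{ env.IMAGE_REF }}
          format: spdx-json # default, but making sure of the format
          artifact-name: ${{ env.SBOM_FILE }}
          output-file: ${{ env.SBOM_FILE }} # pinned so the attest step reads the same file
      # Attach the SBOM to the image as a signed in-toto attestation.
      - name: Attest SBOM to image
        run: cosign attest --yes --predicate "${SBOM_FILE}" --type spdxjson "${IMAGE_REF}"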