Save digest in build and use for deploy

3lvia · Jan 22, 2025 · 1776854 · 1776854
1 parent d03de99
commit 1776854
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 16 deletions.
diff --git a/build/action.yml b/build/action.yml
@@ -6,7 +6,7 @@ description: |
   you must first add your GitHub repository to [github-repositories-terraform](https://github.com/3lvia/github-repositories-terraform).
 inputs:
   name:
-    description: 'Name of application. This will be used as the image name. For Elvia applications, do not include the namespace.'
+    description: 'Name of application. This will be used for the image name. For Elvia applications, do not include the namespace.'
     required: true
   namespace:
     description: 'Namespace or system of the application. Required for Elvia applications.'
@@ -106,12 +106,12 @@ inputs:
     required: false
 
 outputs:
-  image-name:
+  image-name-tag:
     description: 'Name of the Docker image that was built, with tag.'
-    value: ${{ steps.get-outputs.outputs.image-name }}
-  image-digest:
+    value: ${{ steps.get-outputs.outputs.image-name-tag }}
+  image-name-digest:
     description: 'Name of the Docker image that was built, with digest.'
-    value: ${{ steps.get-outputs.outputs.image-name }}
+    value: ${{ steps.get-outputs.outputs.image-name-digest }}
 
 runs:
   using: 'composite'
@@ -168,7 +168,7 @@ runs:
     - name: Install 3lv CLI
       uses: 3lvia/cli/setup@trunk
       with:
-        version: '0.28.1' # TODO: remove this (which will get latest version) when 3lv CLI is stable
+        version: 'feat/use-full-image-deploy' # TODO: remove this (which will get latest version) when 3lv CLI is stable
 
     - name: Install Cosign if not using Elvia runner
       if: ${{ !startsWith(runner.name, 'elvia-runner-') && inputs.sign-image == 'true' }}
@@ -217,17 +217,29 @@ runs:
       shell: bash
       id: get-outputs
       run: |
-        IMAGE_NAME=$(cat /tmp/3lv-cli-output/image-name)
+        IMAGE_NAME_TAG=$(cat /tmp/3lv-cli-output/image-name)
+        IMAGE_NAME_DIGEST="${IMAGE_NAME_TAG%%:*}@$(docker manifest inspect -v "$IMAGE_NAME_TAG" | jq -r '.Descriptor.digest')"
 
-        echo "image-name=$IMAGE_NAME" >> "$GITHUB_OUTPUT"
-        echo "image-digest=$(docker inspect --format='{{index .RepoDigests 0}}' $IMAGE_NAME)" >> "$GITHUB_OUTPUT"
+        echo "image-name-tag=$IMAGE_NAME_TAG" >> "$GITHUB_OUTPUT"
+        echo "image-name-digest=$IMAGE_NAME_DIGEST" >> "$GITHUB_OUTPUT"
+
+        echo "$IMAGE_NAME_TAG" > /tmp/build-info-image-name-tag
+        echo "$IMAGE_NAME_DIGEST" > /tmp/build-info-image-name-digest
+
+    - name: Upload build information to artifact
+      uses: actions/upload-artifact@v4
+      continue-on-error: true # ignore error since we can always use default taag
+      with:
+        name: 'build-info-${{ inputs.name }}-${{ inputs.namespace }}'
+        path: '/tmp/build-info-*'
+        retention-days: 3
 
     - name: Sign image with Cosign using GitHub OIDC token
       if: ${{ inputs.sign-image == 'true' }}
       shell: bash
-      run: cosign sign -y --oidc-provider='github-actions' "$IMAGE_DIGEST"
+      run: cosign sign -y --oidc-provider='github-actions' "$IMAGE_NAME_DIGEST"
       env:
-        IMAGE_DIGEST: ${{ steps.get-outputs.outputs.image-digest }}
+        IMAGE_DIGEST: ${{ steps.get-outputs.outputs.image-name-digest }}
 
     - name: Verify image signatue
       if: ${{ inputs.sign-image == 'true' }}
@@ -236,10 +248,10 @@ runs:
         cosign verify \
           --certificate-identity "$CERTIFICATE_IDENTITY" \
           --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
-          "$IMAGE_DIGEST" | jq
+          "$IMAGE_NAME_DIGEST" | jq
       env:
         CERTIFICATE_IDENTITY: 'https://github.com/${{ github.workflow_ref }}'
-        IMAGE_DIGEST: ${{ steps.get-outputs.outputs.image-digest }}
+        IMAGE_NAME_DIGEST: ${{ steps.get-outputs.outputs.image-name-digest }}
 
     - name: Upload Trivy scan results to GitHub Advanced Security
       if: ${{ inputs.trivy-upload-report == 'true' && !cancelled() }}

diff --git a/deploy/action.yml b/deploy/action.yml
@@ -130,7 +130,20 @@ runs:
     - name: Install 3lv CLI
       uses: 3lvia/cli/setup@trunk
       with:
-        version: '0.28.1' # TODO: remove this (which will get latest version) when 3lv CLI is stable
+        version: 'feat/use-full-image-deploy' # TODO: remove this (which will get latest version) when 3lv CLI is stable
+
+    - name: Download artifact with build information
+      uses: actions/download-artifact@v4
+      continue-on-error: true # ignore error since we can always use default taag
+      with:
+        name: 'build-info-${{ inputs.name }}-${{ inputs.namespace }}'
+
+    - name: Get image digest and tag from build information
+      shell: bash
+      continue-on-error: true # ignore error since we can always use default taag
+      run: |
+        echo "IMAGE_NAME_DIGEST=$(cat build-info-image-name-digest)" >> "$GITHUB_ENV"
+        echo "IMAGE_NAME_TAG=$(cat build-info-image-name-tag)" >> "$GITHUB_ENV"
 
     - name: Deploy
       shell: bash
@@ -139,19 +152,21 @@ runs:
           --system-name '${{ inputs.namespace }}' \
           --helm-values-file "$HELM_VALUES_FILE" \
           --environment '${{ inputs.environment }}' \
+          --image "$IMAGE" \
           --workload-type '${{ inputs.workload-type }}' \
           --runtime-cloud-provider '${{ inputs.runtime-cloud-provider }}' \
-          --image-tag "$IMAGE_TAG" \
           --add-deployment-annotation \
           --grafana-url "$GRAFANA_URL" \
           --grafana-api-key "$GRAFANA_API_KEY" \
           --run-id '${{ github.run_id }}' \
           '${{ inputs.name }}'
       env:
         HELM_VALUES_FILE: ${{ inputs.helm-values-path == '' && inputs.helm-values-file || inputs.helm-values-path }}
-        IMAGE_TAG: ${{ inputs.override-image-tag == '' && format('{0}-{1}', github.sha, github.run_number) || inputs.override-image-tag }}
+        # Order of precedence: digest if not empty, tag if not empty, finally default to '{sha}-{run_number}'
+        IMAGE: ${{ env.IMAGE_NAME_DIGEST != '' && env.IMAGE_NAME_DIGEST || (env.IMAGE_NAME_TAG != '' && env.IMAGE_NAME_TAG || format('{0}-{1}', github.sha, github.run_number)) }}
         # Pass optional inputs as environment variables, since they can be empty.
         # The CLI does not accept empty strings passed to the flags, e.g. `--gke-project-id ''` will cause an error.
+        3LV_IMAGE_DIGEST: ${{ env.IMAGE_DIGEST }}
         3LV_AZURE_TENANT_ID: ${{ inputs.AZURE_TENANT_ID }}
         3LV_AZURE_CLIENT_ID: ${{ inputs.AZURE_CLIENT_ID }}
         3LV_AZURE_FEDERATED_TOKEN: ${{ steps.get-federated-token.outputs.token }}