From 9ad141c92165226670e690646dde384aac30a78d Mon Sep 17 00:00:00 2001
From: Christian Cwienk
Date: Fri, 8 Nov 2024 16:33:11 +0100
Subject: [PATCH] add and use ocm-oci-build action

Add an opinionated action for building OCI-Images that will as an additional output expose a (customisable) OCM-Resource-Fragment (which can be used to generate an OCM-Component-Descriptor.

---
 .github/actions/ocm-oci-build/action.yaml | 104 ++++++++++++++++++++++
 .github/workflows/build-and-test.yaml | 36 +++-----
 2 files changed, 117 insertions(+), 23 deletions(-)
 create mode 100644 .github/actions/ocm-oci-build/action.yaml

diff --git a/.github/actions/ocm-oci-build/action.yaml b/.github/actions/ocm-oci-build/action.yaml
new file mode 100644
index 000000000..32e1818d4
--- /dev/null
+++ b/.github/actions/ocm-oci-build/action.yaml
@@ -0,0 +1,104 @@
+name: Build and Push OCI-Image / OCM-Resource
+description: |
+ Builds an OCI Image using `docker/build-push-action@v6`, and exposes a (customisable)
+ OCM Resource fragment as output (for being added to OCM Component-Descriptor).
+ For convenience, the action tries to authenticate against target-OCI-Registry using
+ github.com/gardener/cc-utils/.github/actions/gar-auth.
+inputs:
+ name:
+ description: |
+ resource-name (used in OCM Resource Fragment; must be unique within component)
+ required: true
+ repository:
+ description: |
+ OCI Repository to push to (including registry, but excluding tag)
+ For example: `europe-docker.pkg.dev/gardener-project/snapshots/my-image`
+ required: true
+ version:
+ description: |
+ Used for both image-tag, and OCM Resource fragment.
+ required: true
+ extra-tags:
+ description: |
+ An optional list of additional image-tags (for example: latest)
+ required: false
+ ocm_labels:
+ description: |
+ An optional list of OCM Labels to add into OCM Resource fragment.
+ required: false
+ target:
+ description: |
+ docker-build target (similar to `docker build --target`)
+ required: no
+ default: null
+ oci_platforms:
+ description: |
+ OCI Platforms to build (comma-separated)
+ required: false
+ default: linux/amd64
+ dockerfile:
+ description: |
+ path to dockerfile to use; relative to `context`
+ required: false
+ default: Dockerfile
+ context:
+ description: |
+ passed to build-push-action's `context`
+ see:
+ - https://github.com/docker/build-push-action#git-context
+ - https://github.com/docker/build-push-action#path-context
+ required: false
+outputs:
+ ocm_resource:
+ description: |
+ The OCM Resource fragment
+ value: ${{ steps.export.outputs.ocm_resource }}
+ image_reference:
+ description: |
+ The (default) target-image-reference
+ value: ${{ steps.preprocess.outputs.image_reference }}
+
+runs:
+ using: composite
+ steps:
+ - name: GAR-Auth
+ id: auth
+ uses: gardener/cc-utils/.github/actions/gar-auth@master
+ - name: Preprocess Parameters
+ shell: bash
+ id: preprocess
+ run: |
+ echo preparing..
+ image_reference=${{ inputs.repository }}:${{ inputs.version }}
+ echo "image_reference=${image_reference}" >> "${GITHUB_OUTPUT}"
+ - name: Build and Push
+ uses: docker/build-push-action@v6
+ with:
+ push: true
+ platforms: ${{ inputs.oci_platforms }}
+ tags: ${{ steps.preprocess.outputs.image_reference }}
+ context: ${{ inputs.context }}
+ - name: Write OCM Resource fragment
+ shell: bash
+ id: export
+ run: |
+ r=ocm-resource.yaml
+ cat << EOF > $r
+ name: ${{ inputs.name }}
+ version: ${{ inputs.version }}
+ type: ociImage
+ relation: local
+ access:
+ type: ociRegistry
+ imageReference: ${{ steps.preprocess.outputs.image_reference }}
+ EOF
+ labels="${{ inputs.ocm_labels }}"
+ if [ -n "${labels}" ]; then
+ echo -e "labels:\n${labels}" >> $r
+ fi
+
+ (
+ echo 'ocm_resource<> "${GITHUB_OUTPUT}"
diff --git a/.github/workflows/build-and-test.yaml b/.github/workflows/build-and-test.yaml
index 39b3239c2..891710cae 100644
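Review bot: The `target`, `dockerfile` and `extra-tags` inputs declared in this hunk are never forwarded to the `docker/build-push-action@v6` step, so a caller that sets them silently gets the default target built from `Dockerfile` with a single tag; forward them under `with:`, e.g. `file: ${{ inputs.dockerfile }}` and `target: ${{ inputs.target }}`, and append `extra-tags` to `tags:`. `target` also declares `required: no`, a YAML 1.1 truthy spelling that the other inputs write as `false`. Both `run:` scripts interpolate `${{ inputs.* }}` values (and the `image_reference` derived from them) straight into bash, which is the expression-injection pattern GitHub's workflow-hardening guide warns about; bind each value with `env:` on the step and read it as `"$NAME"` in the script so a quote or newline in an input cannot alter the shell or the generated fragment. `uses: gardener/cc-utils/.github/actions/gar-auth@master` tracks a mutable branch; pin it to a tag or SHA, or use the local `./.github/actions/...` form if this action lives in the same repository. The heredoc that writes `ocm_resource` to `GITHUB_OUTPUT` is garbled in this extract, so its delimiter handling could not be reviewed.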
--- a/.github/workflows/build-and-test.yaml
+++ b/.github/workflows/build-and-test.yaml
@@ -340,9 +340,8 @@ jobs:
 python3 -m ocm append resource \
 --file component-descriptor.yaml
- echo "${{ needs.images.outputs.ocm_resources }}" | base64 -d > oci_ocm_resources.yaml
-
- cat oci_ocm_resources.yaml | \
+ echo "adding image-resource"
+ echo "${{ needs.images.outputs.ocm_resources }} " | \
 python3 -m ocm append resource \
 --file component-descriptor.yaml
@@ -507,8 +506,8 @@ jobs:
 - package
 - params
 outputs:
- oci_image_ref: ${{ steps.prepare.outputs.oci_image_ref }}
- ocm_resources: ${{ steps.prepare.outputs.ocm_resources }}
+ oci_image_ref: ${{ steps.image-build.outputs.image_reference }}
+ ocm_resources: ${{ steps.image-build.outputs.ocm_resource }}
 runs-on: ubuntu-latest
 environment: build
 permissions:
@@ -542,15 +541,16 @@ jobs:
 image_ref=${oci_repo}/cicd/job-image:${image_tag}
 echo "oci_image_ref=${image_ref}" >> ${GITHUB_OUTPUT}
- cat << EOF > ocm_resources.yaml
+ - name: Build OCI Image (using ocm-oci-build-action)
+ uses: ./.github/actions/ocm-oci-build
+ id: image-build
+ with:
 name: job-image
- version: ${image_tag}
- type: ociImage
- access:
- type: ociRegistry
- imageReference: ${image_ref}
- relation: local
- labels:
+ repository: ${{ needs.params.outputs.oci_repository }}/cicd/job-image
+ version: ${{ needs.version.outputs.effective_version }}
+ oci_platforms: ${{ needs.params.outputs.oci_platforms }}
+ context: . # pass modified path rather than clean checkout
+ ocm_labels: |
 - name: cloud.gardener.cnudie/dso/scanning-hints/package-versions
 value:
 - name: containerd
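Review bot: Dropping the base64 round-trip means the multi-line `ocm_resources` job output is now expanded inside a double-quoted `echo` on the added line, so any `$`, backtick or backslash in the fragment (its labels are caller-supplied YAML) is interpreted by bash before `ocm append resource` sees it, and a literal `"` would break the quoting entirely. Put the value in the step's `env:` as `OCM_RESOURCES: ${{ needs.images.outputs.ocm_resources }}` and pipe it with `printf '%s\n' "$OCM_RESOURCES" | \` instead. The trailing space inside `}} "` looks accidental; if it is there on purpose, a short comment should say why. The enclosing `run:` block starts and ends outside the hunk.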
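Review bot: After the third hunk the `prepare` step still derives `image_ref` and writes `oci_image_ref` to `GITHUB_OUTPUT` (the context lines at the top), while the job's `oci_image_ref` output now comes from `steps.image-build.outputs.image_reference`; unless another step still reads `steps.prepare.outputs.oci_image_ref`, those lines are dead and can drift from the reference the action actually pushes, so delete them or add a comment stating which one is authoritative. The new step tags with `needs.version.outputs.effective_version` where the removed heredoc used `${image_tag}`; if `image_tag` was not exactly that value, the published image reference changes with this commit and deserves a note on the `version:` line. The start of the `prepare` step and the rest of the `ocm_labels` value lie outside the hunk.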
@@ -563,16 +563,6 @@ jobs:
 integrity_requirement: high
 network_exposure: protected
 user_interaction: gardener-operator
- EOF
- echo "ocm_resources=$(cat ocm_resources.yaml | base64 -w0)" >> ${GITHUB_OUTPUT}
-
- - name: Build OCI Image
- uses: docker/build-push-action@v6
- with:
- push: true
- platforms: ${{ needs.params.outputs.oci_platforms }}
- tags: ${{ steps.prepare.outputs.oci_image_ref }}
- context: . # pass modified path rather than clean checkout
 documentation:
 name: Generate Documentation