Build and Push Container #65
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build and Push Container | |
on: | |
workflow_dispatch: | |
inputs: | |
postgres-major-version: | |
description: "Postgres major version to use for release." | |
type: string | |
required: true | |
services: | |
description: "Json list with postgres services to upgrade." | |
type: string | |
required: true | |
version: | |
description: "Opensight-postgres version to release." | |
type: string | |
required: true | |
workflow_call: | |
inputs: | |
postgres-major-version: | |
description: "Postgres major version to release." | |
type: string | |
required: true | |
services: | |
description: "Json list with postgres services to upgrade." | |
type: string | |
required: true | |
version: | |
description: "Opensight-postgres version to release." | |
type: string | |
required: true | |
secrets: | |
COSIGN_KEY_OPENSIGHT: | |
required: true | |
COSIGN_KEY_PASSWORD_OPENSIGHT: | |
required: true | |
GREENBONE_BOT_TOKEN: | |
required: true | |
jobs: | |
push-postgres: | |
runs-on: self-hosted-generic | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Build and Push Greenbone Registry | |
id: build | |
uses: greenbone/actions/container-build-push-generic@v3 | |
with: | |
build-args: "POSTGRES_VERSION=${{ inputs.postgres-major-version }}" | |
cosign-key: ${{ secrets.COSIGN_KEY_OPENSIGHT }} | |
cosign-key-password: ${{ secrets.COSIGN_KEY_PASSWORD_OPENSIGHT }} | |
cosign-tlog-upload: "false" | |
image-url: opensight/opensight-postgres | |
image-labels: | | |
org.opencontainers.image.vendor=Greenbone | |
org.opencontainers.image.base.name=postgres:${{ inputs.postgres-major-version }} | |
org.opencontainers.image.version=${{ inputs.version }} | |
image-tags: | | |
type=raw,value=${{ inputs.postgres-major-version }} | |
type=raw,value=${{ inputs.version }} | |
type=raw,value=v${{ inputs.version }} | |
registry: ${{ vars.GREENBONE_REGISTRY }} | |
registry-username: ${{ secrets.GREENBONE_REGISTRY_USER }} | |
registry-password: ${{ secrets.GREENBONE_REGISTRY_TOKEN }} | |
# For whatever reason, the native buildx doesn't build annotations! | |
buildx-container: 'true' | |
- name: Service upgrade matrix | |
id: upgrade | |
run: | | |
echo "matrix=$(echo '${{ inputs.services }}' | jq -r '{include:[.[] | {service: ., "image-url": "opensight/opensight-postgres", digest: "${{ steps.build.outputs.digest }}", version: "${{ inputs.version }}" }]} | @json')" >> $GITHUB_OUTPUT | |
outputs: | |
matrix: ${{ steps.upgrade.outputs.matrix }} | |
push-service: | |
needs: push-postgres | |
if: ${{ needs.push-postgres.outputs.matrix }} | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
# We have to run one workflow after the other here | |
# because our product compose Construction Process cannot handle multiple processes. | |
max-parallel: 1 | |
matrix: ${{ fromJSON(needs.push-postgres.outputs.matrix) }} | |
steps: | |
- name: Trigger product compose upgrade | |
uses: greenbone/actions/trigger-workflow@v3 | |
with: | |
token: ${{ secrets.GREENBONE_BOT_TOKEN }} | |
repository: "greenbone/automatix" | |
workflow: "push.yml" | |
inputs: '{"service": "${{ matrix.service }}", "image-url": "${{ matrix.image-url }}", "digest": "${{ matrix.digest }}", "version": "${{ matrix.version }}"}' |