Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: add workflow to build images #11232

Merged
merged 1 commit into from
Sep 23, 2024
Merged

chore: add workflow to build images #11232

merged 1 commit into from
Sep 23, 2024

Conversation

HumairAK
Copy link
Collaborator

@HumairAK HumairAK commented Sep 20, 2024
edited
Loading

Resolve: #11208

This commit adds a github workflow that will build v2 images and push them to GHCR. It uses the GITHUB_TOKEN to authenticate and uses docker provisioned github actions to streamline the flow.

The workflow also creates attestations for the packages which can be used to verify provenance and integrity.

The workflow can be triggered manually or via another workflow call. The latter is to supplement future automation flows.

Here's a sample org imitating Kubeflow org, this is how we would expect the Github packages to look like: [1]

This is what a workflow run looks like: [1]

Here's what the attestations look like: [1]

Here's a sample page for a given kfp component's packages: [1]

Here are the configurable options when triggering this workflow:

image

Here's an example of how you can verify attestation:

$ gh attestation verify oci://ghcr.io/example-test-organization/kfp-driver:2.3.0 -R example-test-organization/pipelines   Loaded digest sha256:fb1f8646fe170a37bed6a9c7c4cb767589c90fdd615b76b130e108744c3ef353 for oci://ghcr.io/example-test-organization/kfp-driver:2.3.0
Loaded 1 attestation from GitHub API
✓ Verification succeeded!

sha256:fb1f8646fe170a37bed6a9c7c4cb767589c90fdd615b76b130e108744c3ef353 was attested by:
REPO                                 PREDICATE_TYPE                  WORKFLOW                                            
example-test-organization/pipelines  https://slsa.dev/provenance/v1  .github/workflows/image-builds.yml@refs/heads/master

Here's an example of a failure:

$ gh attestation verify oci://ghcr.io/example-test-organization/kfp-driver:sha-e1ddfb9 -R example-test-organization/pipelines
Loaded digest sha256:e737db626f23f58ed52a9d2966eeeda1279a41b7dccef36aa6d36448ec40c484 for oci://ghcr.io/example-test-organization/kfp-driver:sha-e1ddfb9
✗ Loading attestations from GitHub API failed

Error: failed to fetch attestations from example-test-organization/pipelines: HTTP 404: Not Found (https://api.github.com/repos/example-test-organization/pipelines/attestations/sha256:e737db626f23f58ed52a9d2966eeeda1279a41b7dccef36aa6d36448ec40c484?per_page=30)

Checklist:

@HumairAK
add workflow to build images
bd23078 
This commit adds a github workflow that will build v2 images and push
them to GHCR. It uses the GITHUB_TOKEN to authenticate and uses docker
provisioned github actions to streamline the flow. The workflow also
creates attestations for the packages which can be used to verify
provenance and integrity. The workflow can be triggered manually or via
another workflow call. The latter is to supplement future automation
flows.

Signed-off-by: Humair Khan <[email protected]>
@PaulinaPacyna
Copy link
Contributor

/lgtm

@google-oss-prow google-oss-prow bot added the lgtm label Sep 23, 2024
@PaulinaPacyna PaulinaPacyna removed their assignment Sep 23, 2024
@google-oss-prow Google OSS Prow
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: chensun, PaulinaPacyna

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@google-oss-prow google-oss-prow bot merged commit ea8f37c into kubeflow:master Sep 23, 2024
2 checks passed
@HumairAK
Copy link
Collaborator Author

fyi there is a follow up pr that should be merged before running this workflow: #11238

VaniHaripriya pushed a commit to VaniHaripriya/data-science-pipelines that referenced this pull request Oct 1, 2024
@HumairAK @VaniHaripriya
chore: add workflow to build images (kubeflow#11232)
aeea426 
This commit adds a github workflow that will build v2 images and push
them to GHCR. It uses the GITHUB_TOKEN to authenticate and uses docker
provisioned github actions to streamline the flow. The workflow also
creates attestations for the packages which can be used to verify
provenance and integrity. The workflow can be triggered manually or via
another workflow call. The latter is to supplement future automation
flows.

Signed-off-by: Humair Khan <[email protected]>
boarder7395 pushed a commit to boarder7395/pipelines that referenced this pull request Oct 17, 2024
@HumairAK @boarder7395
chore: add workflow to build images (kubeflow#11232)
b368fad 
This commit adds a github workflow that will build v2 images and push
them to GHCR. It uses the GITHUB_TOKEN to authenticate and uses docker
provisioned github actions to streamline the flow. The workflow also
creates attestations for the packages which can be used to verify
provenance and integrity. The workflow can be triggered manually or via
another workflow call. The latter is to supplement future automation
flows.

Signed-off-by: Humair Khan <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@PaulinaPacyna PaulinaPacyna PaulinaPacyna approved these changes

@chensun chensun chensun approved these changes

@rimolive rimolive Awaiting requested review from rimolive

Assignees
No one assigned
Labels
approved lgtm size/L
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Move away from Google Container registry, and cloud build system for image builds
3 participants
@HumairAK @PaulinaPacyna @chensun