[v1.14] Cherry picks #966

Workflow file for this run

.github/workflows/build-images-ci.yaml at 6d622e9

	name: Image CI Build

	# Any change in triggers needs to be reflected in the concurrency group.
	on:
	pull_request_target:
	types:
	- opened
	- synchronize
	- reopened
	push:
	branches:
	- v1.14
	- ft/v1.14/**

	permissions:
	# To be able to access the repository with `actions/checkout`
	contents: read
	# Required to generate OIDC tokens for `sigstore/cosign-installer` authentication
	id-token: write

	concurrency:
	group: ${{ github.workflow }}-${{ github.event.pull_request.number \|\| github.event.after }}
	cancel-in-progress: true

	jobs:
	build-and-push-prs:
	name: Build and Push Images
	runs-on: ubuntu-22.04
	strategy:
	matrix:
	include:
	- name: cilium
	dockerfile: ./images/cilium/Dockerfile

	- name: operator-aws
	dockerfile: ./images/operator/Dockerfile

	- name: operator-azure
	dockerfile: ./images/operator/Dockerfile

	- name: operator-alibabacloud
	dockerfile: ./images/operator/Dockerfile

	- name: operator-generic
	dockerfile: ./images/operator/Dockerfile

	- name: hubble-relay
	dockerfile: ./images/hubble-relay/Dockerfile

	- name: clustermesh-apiserver
	dockerfile: ./images/clustermesh-apiserver/Dockerfile

	- name: kvstoremesh
	dockerfile: ./images/kvstoremesh/Dockerfile

	- name: docker-plugin
	dockerfile: ./images/cilium-docker-plugin/Dockerfile

	steps:
	- name: Checkout default branch (trusted)
	uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
	with:
	ref: ${{ github.event.repository.default_branch }}
	persist-credentials: false

	- name: Set Environment Variables
	uses: ./.github/actions/set-env-variables

	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@2b51285047da1547ffb1b2203d8be4c0af6b1f20 # v3.2.0

	- name: Login to quay.io for CI
	uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
	with:
	registry: quay.io
	username: ${{ secrets.QUAY_USERNAME_CI }}
	password: ${{ secrets.QUAY_PASSWORD_CI }}

	- name: Getting image tag
	id: tag
	run: \|
	if [ "${{ github.event.pull_request.head.sha }}" != "" ]; then
	echo tag=${{ github.event.pull_request.head.sha }} >> $GITHUB_OUTPUT
	else
	echo tag=${{ github.sha }} >> $GITHUB_OUTPUT
	fi

	# Warning: since this is a privileged workflow, subsequent workflow job
	# steps must take care not to execute untrusted code.
	- name: Checkout pull request branch (NOT TRUSTED)
	uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
	with:
	persist-credentials: false
	ref: ${{ steps.tag.outputs.tag }}

	- name: Install Cosign
	uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0

	- name: Install Bom
	shell: bash
	env:
	# renovate: datasource=github-releases depName=kubernetes-sigs/bom
	BOM_VERSION: v0.6.0
	run: \|
	curl -L https://github.com/kubernetes-sigs/bom/releases/download/${{ env.BOM_VERSION }}/bom-amd64-linux -o bom
	sudo mv ./bom /usr/local/bin/bom
	sudo chmod +x /usr/local/bin/bom

	# v1.14 branch pushes
	- name: CI Build ${{ matrix.name }}
	if: ${{ github.event_name != 'pull_request_target' }}
	uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
	id: docker_build_ci_v1_14
	with:
	provenance: false
	context: .
	file: ${{ matrix.dockerfile }}
	# Only push when the event name was a GitHub push, this is to avoid
	# re-pushing the image tags when we only want to re-create the Golang
	# docker cache after the workflow "Image CI Cache Cleaner" was terminated.
	push: ${{ github.event_name == 'push' }}
	platforms: linux/amd64,linux/arm64
	tags: \|
	quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:v1.14
	quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}
	target: release
	build-args: \|
	OPERATOR_VARIANT=${{ matrix.name }}

	- name: CI race detection Build ${{ matrix.name }}
	if: ${{ github.event_name != 'pull_request_target' }}
	uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
	id: docker_build_ci_v1_14_detect_race_condition
	with:
	provenance: false
	context: .
	file: ${{ matrix.dockerfile }}
	# Only push when the event name was a GitHub push, this is to avoid
	# re-pushing the image tags when we only want to re-create the Golang
	# docker cache after the workflow "Image CI Cache Cleaner" was terminated.
	push: ${{ github.event_name == 'push' }}
	platforms: linux/amd64
	tags: \|
	quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:v1.14-race
	quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-race
	target: release
	build-args: \|
	BASE_IMAGE=quay.io/cilium/cilium-runtime:f384debcdc15d46ae82b8a87fce359f1f2e31ae5@sha256:d14e0ca65b09c8e8d6786d2c7304a9f17517ef0b3fd5030f28b3fa4ebbfebf1f
	LOCKDEBUG=1
	RACE=1
	OPERATOR_VARIANT=${{ matrix.name }}

	- name: CI Unstripped Binaries Build ${{ matrix.name }}
	if: ${{ github.event_name != 'pull_request_target' }}
	uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
	id: docker_build_ci_v1_14_unstripped
	with:
	provenance: false
	context: .
	file: ${{ matrix.dockerfile }}
	# Only push when the event name was a GitHub push, this is to avoid
	# re-pushing the image tags when we only want to re-create the Golang
	# docker cache after the workflow "Image CI Cache Cleaner" was terminated.
	push: ${{ github.event_name == 'push' }}
	platforms: linux/amd64
	tags: \|
	quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:v1.14-unstripped
	quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-unstripped
	target: release
	build-args: \|
	NOSTRIP=1
	OPERATOR_VARIANT=${{ matrix.name }}

	- name: Sign Container Images
	if: ${{ github.event_name != 'pull_request_target' }}
	run: \|
	cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_v1_14.outputs.digest }}
	cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_v1_14_detect_race_condition.outputs.digest }}
	cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_v1_14_unstripped.outputs.digest }}

	- name: Generate SBOM
	if: ${{ github.event_name != 'pull_request_target' }}
	shell: bash
	# To-Do: generate SBOM from source after https://github.com/kubernetes-sigs/bom/issues/202 is fixed
	# To-Do: format SBOM output to json after cosign v2.0 is released with https://github.com/sigstore/cosign/pull/2479
	run: \|
	bom generate -o sbom_ci_v1_14_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx \
	--image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}
	bom generate -o sbom_ci_v1_14_race_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx \
	--image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-race
	bom generate -o sbom_ci_v1_14_unstripped_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx \
	--image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-unstripped

	- name: Attach SBOM to Container Images
	if: ${{ github.event_name != 'pull_request_target' }}
	run: \|
	cosign attach sbom --sbom sbom_ci_v1_14_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_v1_14.outputs.digest }}
	cosign attach sbom --sbom sbom_ci_v1_14_race_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_v1_14_detect_race_condition.outputs.digest }}
	cosign attach sbom --sbom sbom_ci_v1_14_unstripped_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_v1_14_unstripped.outputs.digest }}

	- name: Sign SBOM Images
	if: ${{ github.event_name != 'pull_request_target' }}
	run: \|
	docker_build_ci_v1_14_digest="${{ steps.docker_build_ci_v1_14.outputs.digest }}"
	image_name="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${docker_build_ci_v1_14_digest/:/-}.sbom"
	docker_build_ci_v1_14_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} \| sha256sum \| head -c 64)"
	cosign sign -y "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${docker_build_ci_v1_14_sbom_digest}"

	docker_build_ci_v1_14_detect_race_condition_digest="${{ steps.docker_build_ci_v1_14_detect_race_condition.outputs.digest }}"
	image_name="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${docker_build_ci_v1_14_detect_race_condition_digest/:/-}.sbom"
	docker_build_ci_v1_14_detect_race_condition_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} \| sha256sum \| head -c 64)"
	cosign sign -y "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${docker_build_ci_v1_14_detect_race_condition_sbom_digest}"

	docker_build_ci_v1_14_unstripped_digest="${{ steps.docker_build_ci_v1_14_unstripped.outputs.digest }}"
	image_name="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${docker_build_ci_v1_14_unstripped_digest/:/-}.sbom"
	docker_build_ci_v1_14_unstripped_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} \| sha256sum \| head -c 64)"
	cosign sign -y "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${docker_build_ci_v1_14_unstripped_sbom_digest}"

	- name: CI Image Releases digests
	if: ${{ github.event_name != 'pull_request_target' }}
	shell: bash
	run: \|
	mkdir -p image-digest/
	echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:v1.14@${{ steps.docker_build_ci_v1_14.outputs.digest }}" > image-digest/${{ matrix.name }}.txt
	echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:v1.14-race@${{ steps.docker_build_ci_v1_14_detect_race_condition.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt
	echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:v1.14-unstripped@${{ steps.docker_build_ci_v1_14_unstripped.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt
	echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}@${{ steps.docker_build_ci_v1_14.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt
	echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-race@${{ steps.docker_build_ci_v1_14_detect_race_condition.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt
	echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-unstripped@${{ steps.docker_build_ci_v1_14_unstripped.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt

	# PR updates
	- name: CI Build ${{ matrix.name }}
	if: ${{ github.event_name == 'pull_request_target' }}
	uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
	id: docker_build_ci_pr
	with:
	provenance: false
	context: .
	file: ${{ matrix.dockerfile }}
	push: true
	platforms: linux/amd64,linux/arm64
	tags: \|
	quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}
	target: release
	build-args: \|
	OPERATOR_VARIANT=${{ matrix.name }}

	- name: CI race detection Build ${{ matrix.name }}
	if: ${{ github.event_name == 'pull_request_target' }}
	uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
	id: docker_build_ci_pr_detect_race_condition
	with:
	provenance: false
	context: .
	file: ${{ matrix.dockerfile }}
	push: true
	platforms: linux/amd64
	tags: \|
	quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-race
	target: release
	build-args: \|
	BASE_IMAGE=quay.io/cilium/cilium-runtime:f384debcdc15d46ae82b8a87fce359f1f2e31ae5@sha256:d14e0ca65b09c8e8d6786d2c7304a9f17517ef0b3fd5030f28b3fa4ebbfebf1f
	LOCKDEBUG=1
	RACE=1
	OPERATOR_VARIANT=${{ matrix.name }}

	- name: CI Unstripped Binaries Build ${{ matrix.name }}
	if: ${{ github.event_name == 'pull_request_target' }}
	uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
	id: docker_build_ci_pr_unstripped
	with:
	provenance: false
	context: .
	file: ${{ matrix.dockerfile }}
	push: true
	platforms: linux/amd64
	tags: \|
	quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-unstripped
	target: release
	build-args: \|
	NOSTRIP=1
	OPERATOR_VARIANT=${{ matrix.name }}

	- name: Sign Container Images
	if: ${{ github.event_name == 'pull_request_target' }}
	run: \|
	cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_pr.outputs.digest }}
	cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_pr_detect_race_condition.outputs.digest }}
	cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_pr_unstripped.outputs.digest }}

	- name: Generate SBOM
	if: ${{ github.event_name == 'pull_request_target' }}
	shell: bash
	# To-Do: generate SBOM from source after https://github.com/kubernetes-sigs/bom/issues/202 is fixed
	# To-Do: format SBOM output to json after cosign v2.0 is released with https://github.com/sigstore/cosign/pull/2479
	run: \|
	bom generate -o sbom_ci_pr_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx \
	--image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}
	bom generate -o sbom_ci_pr_race_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx \
	--image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-race
	bom generate -o sbom_ci_pr_unstripped_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx \
	--image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-unstripped

	- name: Attach SBOM to Container Images
	if: ${{ github.event_name == 'pull_request_target' }}
	run: \|
	cosign attach sbom --sbom sbom_ci_pr_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_pr.outputs.digest }}
	cosign attach sbom --sbom sbom_ci_pr_race_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_pr_detect_race_condition.outputs.digest }}
	cosign attach sbom --sbom sbom_ci_pr_unstripped_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_pr_unstripped.outputs.digest }}

	- name: Sign SBOM Images
	if: ${{ github.event_name == 'pull_request_target' }}
	run: \|
	docker_build_ci_pr_digest="${{ steps.docker_build_ci_pr.outputs.digest }}"
	image_name="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${docker_build_ci_pr_digest/:/-}.sbom"
	docker_build_ci_pr_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} \| sha256sum \| head -c 64)"
	cosign sign -y "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${docker_build_ci_pr_sbom_digest}"

	docker_build_ci_pr_detect_race_condition_digest="${{ steps.docker_build_ci_pr_detect_race_condition.outputs.digest }}"
	image_name="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${docker_build_ci_pr_detect_race_condition_digest/:/-}.sbom"
	docker_build_ci_pr_detect_race_condition_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} \| sha256sum \| head -c 64)"
	cosign sign -y "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${docker_build_ci_pr_detect_race_condition_sbom_digest}"

	docker_build_ci_pr_unstripped_digest="${{ steps.docker_build_ci_pr_unstripped.outputs.digest }}"
	image_name="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${docker_build_ci_pr_unstripped_digest/:/-}.sbom"
	docker_build_ci_pr_unstripped_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} \| sha256sum \| head -c 64)"
	cosign sign -y "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${docker_build_ci_pr_unstripped_sbom_digest}"

	- name: CI Image Releases digests
	if: ${{ github.event_name == 'pull_request_target' }}
	shell: bash
	run: \|
	mkdir -p image-digest/
	echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}@${{ steps.docker_build_ci_pr.outputs.digest }}" > image-digest/${{ matrix.name }}.txt
	echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-race@${{ steps.docker_build_ci_pr_detect_race_condition.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt
	echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-unstripped@${{ steps.docker_build_ci_pr_unstripped.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt

	# Upload artifact digests
	- name: Upload artifact digests
	uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
	with:
	name: image-digest ${{ matrix.name }}
	path: image-digest
	retention-days: 1

	image-digests:
	if: ${{ always() }}
	name: Display Digests
	runs-on: ubuntu-22.04
	needs: build-and-push-prs
	steps:
	- name: Downloading Image Digests
	shell: bash
	run: \|
	mkdir -p image-digest/

	- name: Download digests of all images built
	uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
	with:
	path: image-digest/

	- name: Image Digests Output
	shell: bash
	run: \|
	cd image-digest/
	find -type f \| sort \| xargs -d '\n' cat

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[v1.14] Cherry picks #966

Workflow file

[v1.14] Cherry picks #966

Jobs

Run details

Workflow file for this run