Handle mixed case names in build-image workflows (#33)
The container build workflows fail if the GitHub organization name or repository name use mixed case, since Docker only supports lower-cased image names.

Updated workflows to use the docker/metadata-action tags output since that action handles the normalization, and added normalization to the Makefile.
danbarr authored Oct 9, 2024
1 parent c2bb970 commit 7920217
Showing 11 changed files with 95 additions and 42 deletions.
11 changes: 6 additions & 5 deletions .github/workflows/build-image-signed-cosign-malicious.yml
@@ -8,7 +8,6 @@ env:

jobs:
build:

runs-on: ubuntu-latest
permissions:
contents: read
@@ -41,23 +40,25 @@ jobs:
uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
type=raw,value=latest
type=raw,value=daily
- name: Build and push Docker image
id: build-and-push
uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a
with:
context: .
push: ${{ github.event_name != 'pull_request' }}
tags: ghcr.io/${{ github.repository }}:latest,ghcr.io/${{ github.repository }}:daily
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max


- name: Sign the published Docker image
env:
TAGS: ${{ steps.meta.outputs.tags }}
DIGEST: ${{ steps.build-and-push.outputs.digest }}
run: |
cosign version
echo "ghcr.io/${{ github.repository }}:daily" | xargs -I {} cosign sign --yes {}@${DIGEST}
echo "ghcr.io/${{ github.repository }}:latest" | xargs -I {} cosign sign --yes {}@${DIGEST}
echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
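Review bot: The `Sign the published Docker image` step has no `if:` guard among its visible keys (`name`, `env`, `run`), although the build step above only pushes when `github.event_name != 'pull_request'`. If this workflow can be triggered by a pull request (the `on:` block is outside the hunk), nothing is pushed and `cosign sign` would run against tags that were never published, presumably with an empty `${DIGEST}`. Adding `if: ${{ github.event_name != 'pull_request' }}` to the step keeps signing aligned with pushing. The same applies to the sign step in build-image-signed-cosign.yml.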
11 changes: 6 additions & 5 deletions .github/workflows/build-image-signed-cosign-static-copied.yml
@@ -8,7 +8,6 @@ env:

jobs:
build:

runs-on: ubuntu-latest
permissions:
contents: read
@@ -37,20 +36,22 @@ jobs:
uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
type=raw,value=static
- name: Build and push Docker image
id: build-and-push
uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a
with:
push: true
tags: ghcr.io/${{ github.repository }}:static
tags: ${{ steps.meta.outputs.tags }}
context: .
file : Dockerfile.static

file: Dockerfile.static

- name: Sign the published Docker image
env:
TAGS: ${{ steps.meta.outputs.tags }}
DIGEST: ${{ steps.build-and-push.outputs.digest }}
run: |
cosign version
echo "ghcr.io/${{ github.repository }}:static" | xargs -I {} cosign sign --yes {}@${DIGEST}
echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
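Review bot: The `labels` output of the `meta` step is not passed to `docker/build-push-action` in this workflow, whereas build-image-signed-cosign.yml passes `labels: ${{ steps.meta.outputs.labels }}`. As far as the visible `with:` block shows, the pushed `static` image therefore carries none of the OCI labels that metadata-action generates. That makes a signed image harder to trace back to its repository and commit during verification or incident review. Adding `labels: ${{ steps.meta.outputs.labels }}` under `with:` would make the workflows consistent; build-image-signed-cosign-static.yml has the same gap.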
11 changes: 6 additions & 5 deletions .github/workflows/build-image-signed-cosign-static.yml
@@ -8,7 +8,6 @@ env:

jobs:
build:

runs-on: ubuntu-latest
permissions:
contents: read
@@ -37,20 +36,22 @@ jobs:
uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
type=raw,value=static
- name: Build and push Docker image
id: build-and-push
uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a
with:
push: true
tags: ghcr.io/${{ github.repository }}:static
tags: ${{ steps.meta.outputs.tags }}
context: .
file : Dockerfile.static

file: Dockerfile.static

- name: Sign the published Docker image
env:
TAGS: ${{ steps.meta.outputs.tags }}
DIGEST: ${{ steps.build-and-push.outputs.digest }}
run: |
cosign version
echo "ghcr.io/${{ github.repository }}:static" | xargs -I {} cosign sign --yes {}@${DIGEST}
echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
11 changes: 6 additions & 5 deletions .github/workflows/build-image-signed-cosign.yml
@@ -8,7 +8,6 @@ env:

jobs:
build:

runs-on: ubuntu-latest
permissions:
contents: read
@@ -37,23 +36,25 @@ jobs:
uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
type=raw,value=latest
type=raw,value=daily
- name: Build and push Docker image
id: build-and-push
uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a
with:
context: .
push: ${{ github.event_name != 'pull_request' }}
tags: ghcr.io/${{ github.repository }}:latest,ghcr.io/${{ github.repository }}:daily
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max


- name: Sign the published Docker image
env:
TAGS: ${{ steps.meta.outputs.tags }}
DIGEST: ${{ steps.build-and-push.outputs.digest }}
run: |
cosign version
echo "ghcr.io/${{ github.repository }}:daily" | xargs -I {} cosign sign --yes {}@${DIGEST}
echo "ghcr.io/${{ github.repository }}:latest" | xargs -I {} cosign sign --yes {}@${DIGEST}
echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
17 changes: 16 additions & 1 deletion .github/workflows/build-image-signed-ghat-malicious.yml
@@ -2,6 +2,10 @@ name: image-signed-ghat(latest)-malicious
on:
workflow_dispatch:

env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}

jobs:
build:
runs-on: ubuntu-latest
@@ -16,6 +20,8 @@ jobs:
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744

- name: The malicious step
env:
IMAGE_NAME: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
run: |
make build-malicious-image
@@ -26,16 +32,25 @@ jobs:
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Extract Docker metadata
id: meta
uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
type=raw,value=latest
- name: Build and push image
id: push-step
uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a
with:
push: true
tags: ghcr.io/${{ github.repository }}:latest
tags: ${{ steps.meta.outputs.tags }}
context: .

- name: Attest image
uses: actions/[email protected]
with:
subject-name: ghcr.io/${{ github.repository }}
subject-digest: ${{ steps.push-step.outputs.digest }}
push-to-registry: true
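Review bot: `subject-name: ghcr.io/${{ github.repository }}` in the `Attest image` step is still built from the raw repository name, so the mixed-case problem this commit fixes for `tags` remains for the attestation. With `push-to-registry: true` the action has to address the image by that name, which presumably fails, or no longer matches the pushed image, when the org or repo name contains upper-case characters. One option is a step before it with `run: echo "IMAGE_LC=${REGISTRY}/${IMAGE_NAME,,}" >> "$GITHUB_ENV"`, followed by `subject-name: ${{ env.IMAGE_LC }}`. The same line is left unchanged in build-image-signed-ghat-static-copied.yml, build-image-signed-ghat-static.yml and build-image-signed-ghat.yml.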
17 changes: 15 additions & 2 deletions .github/workflows/build-image-signed-ghat-static-copied.yml
@@ -2,6 +2,10 @@ name: image-signed-ghat(static)-copied
on:
workflow_dispatch:

env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}

jobs:
build:
runs-on: ubuntu-latest
@@ -22,17 +26,26 @@ jobs:
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Extract Docker metadata
id: meta
uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
type=raw,value=static
- name: Build and push image
id: push-step
uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a
with:
push: true
tags: ghcr.io/${{ github.repository }}:static
tags: ${{ steps.meta.outputs.tags }}
context: .
file : Dockerfile.static
file: Dockerfile.static

- name: Attest image
uses: actions/[email protected]
with:
subject-name: ghcr.io/${{ github.repository }}
subject-digest: ${{ steps.push-step.outputs.digest }}
push-to-registry: true
17 changes: 15 additions & 2 deletions .github/workflows/build-image-signed-ghat-static.yml
@@ -2,6 +2,10 @@ name: image-signed-ghat(static)
on:
workflow_dispatch:

env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}

jobs:
build:
runs-on: ubuntu-latest
@@ -22,17 +26,26 @@ jobs:
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Extract Docker metadata
id: meta
uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
type=raw,value=static
- name: Build and push image
id: push-step
uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a
with:
push: true
tags: ghcr.io/${{ github.repository }}:static
tags: ${{ steps.meta.outputs.tags }}
context: .
file : Dockerfile.static
file: Dockerfile.static

- name: Attest image
uses: actions/[email protected]
with:
subject-name: ghcr.io/${{ github.repository }}
subject-digest: ${{ steps.push-step.outputs.digest }}
push-to-registry: true
15 changes: 14 additions & 1 deletion .github/workflows/build-image-signed-ghat.yml
@@ -2,6 +2,10 @@ name: image-signed-ghat(latest)
on:
workflow_dispatch:

env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}

jobs:
build:
runs-on: ubuntu-latest
@@ -22,16 +26,25 @@ jobs:
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Extract Docker metadata
id: meta
uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
type=raw,value=latest
- name: Build and push image
id: push-step
uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a
with:
push: true
tags: ghcr.io/${{ github.repository }}:latest
tags: ${{ steps.meta.outputs.tags }}
context: .

- name: Attest image
uses: actions/[email protected]
with:
subject-name: ghcr.io/${{ github.repository }}
subject-digest: ${{ steps.push-step.outputs.digest }}
push-to-registry: true
18 changes: 4 additions & 14 deletions .github/workflows/build-image-unsigned.yml
@@ -8,7 +8,6 @@ env:

jobs:
build:

runs-on: ubuntu-latest
permissions:
contents: read
@@ -19,11 +18,6 @@ jobs:
- name: Checkout repository
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744

# - name: Install Cosign
# uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 #v3.1.1
# with:
# cosign-release: 'v2.1.1'

- name: Setup Docker buildx
uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf

@@ -39,21 +33,17 @@ jobs:
uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
type=raw,value=latest
type=raw,value=daily
- name: Build and push Docker image
id: build-and-push
uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a
with:
context: .
push: ${{ github.event_name != 'pull_request' }}
tags: ghcr.io/${{ github.repository }}:latest,ghcr.io/${{ github.repository }}:daily
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max

# - name: Sign the published Docker image
# env:
# DIGEST: ${{ steps.build-and-push.outputs.digest }}
# run: |
# echo "ghcr.io/${{ github.repository }}:daily" | xargs -I {} cosign sign --yes {}@${DIGEST}
# echo "ghcr.io/${{ github.repository }}:latest" | xargs -I {} cosign sign --yes {}@${DIGEST}
3 changes: 3 additions & 0 deletions Makefile
@@ -1,6 +1,9 @@
# Replace this with your image name, i.e. ghcr.io/<your-username>/demo-repo-go:latest
IMAGE_NAME?=ghcr.io/stacklok/demo-repo-go:latest

# Lowercase the image name to handle mixed-case GitHub org/repo names
IMAGE_NAME := $(shell echo $(IMAGE_NAME) | tr '[:upper:]' '[:lower:]')

# Replace this with your GitHub username and PAT.
# This is used to authenticate with GitHub Container Registry (GHCR)
# and push the image to your repository.
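Review bot: The added `IMAGE_NAME := $(shell ...)` line is skipped when the name is passed on the command line (`make IMAGE_NAME=ghcr.io/Org/Repo:latest ...`), because command-line variables take precedence over ordinary makefile assignments; only the default and environment-supplied values get lower-cased. `override IMAGE_NAME := $(shell echo '$(IMAGE_NAME)' | tr '[:upper:]' '[:lower:]')` would cover that case, and quoting the expansion reduces the chance that shell metacharacters in a caller-supplied value are interpreted by `$(shell)`. The tag part of the reference is lower-cased as well, which silently changes tags that contain upper-case characters. The rest of the Makefile is outside the hunk.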