Skip to content

work on CI

work on CI #3

name: Release Retina Container Images
on:
push:
branches: [main]
tags: ["v*"]
permissions:
contents: read
packages: write
# This is used to complete the identity challenge
# with sigstore/fulcio when running outside of PRs.
id-token: write
jobs:
retina-images:
name: Build Agent Images
runs-on: ubuntu-latest
strategy:
matrix:
platform: ["linux"]
arch: ["amd64", "arm64"]
steps:
- name: Checkout code
uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version-file: go.mod
- run: go version
- name: Install Cosign
uses: sigstore/[email protected]
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Log in to registry
run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u $ --password-stdin
- name: Build/Push Images
shell: bash
run: |
set -euo pipefail
echo "TAG=$(make version)" >> $GITHUB_ENV
make retina-image \
IMAGE_NAMESPACE=${{ github.repository }} \
PLATFORM=${{ matrix.platform }}/${{ matrix.arch }} \
BUILDX_ACTION=--push
- name: Sign container image
run: |
for image in retina-agent retina-init; do
IMAGE_PATH="ghcr.io/${{ github.repository }}/$image:$TAG-${{ matrix.platform }}-${{ matrix.arch }}"
DIGEST=$(jq -r '.["containerimage.digest"]' image-metadata-$image-$TAG-${{ matrix.platform }}-${{ matrix.arch }}.json)
cosign sign --yes ${IMAGE_PATH}@${DIGEST}
done
retina-win-images:
name: Build Agent Windows Images
runs-on: ubuntu-latest
strategy:
matrix:
platform: ["windows"]
arch: ["amd64"]
year: ["2019", "2022"]
steps:
- name: Checkout code
uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version-file: go.mod
- run: go version
- name: Install Cosign
uses: sigstore/[email protected]
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Log in to registry
run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u $ --password-stdin
- name: Build/Push Images
shell: bash
run: |
set -euo pipefail
echo "TAG=$(make version)" >> $GITHUB_ENV
make retina-image-win \
IMAGE_NAMESPACE=${{ github.repository }} \
PLATFORM=${{ matrix.platform }}/${{ matrix.arch }} \
WINDOWS_YEARS=${{ matrix.year }} \
BUILDX_ACTION=--push
- name: Sign container image
run: |
for image in retina-agent ; do
IMAGE_PATH="ghcr.io/${{ github.repository }}/$image:$TAG-windows-ltsc${{ matrix.year }}-${{ matrix.arch }}"
DIGEST=$(jq -r '.["containerimage.digest"]' image-metadata-$image-$TAG-windows-ltsc${{ matrix.year }}-${{ matrix.arch }}.json)
cosign sign --yes ${IMAGE_PATH}@${DIGEST}
done
operator-images:
name: Build Operator Images
runs-on: ubuntu-latest
strategy:
matrix:
platform: ["linux"]
arch: ["amd64"]
steps:
- name: Checkout code
uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version-file: go.mod
- run: go version
- name: Install Cosign
uses: sigstore/[email protected]
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Log in to registry
run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u $ --password-stdin
- name: Build/Push Images
shell: bash
run: |
set -euo pipefail
echo "TAG=$(make version)" >> $GITHUB_ENV
make retina-operator-image \
IMAGE_NAMESPACE=${{ github.repository }} \
PLATFORM=${{ matrix.platform }}/${{ matrix.arch }} \
BUILDX_ACTION=--push
- name: Sign container image
run: |
for image in retina-operator ; do
IMAGE_PATH="ghcr.io/${{ github.repository }}/$image:$TAG-${{ matrix.platform }}-${{ matrix.arch }}"
DIGEST=$(jq -r '.["containerimage.digest"]' image-metadata-$image-$TAG-${{ matrix.platform }}-${{ matrix.arch }}.json)
cosign sign --yes ${IMAGE_PATH}@${DIGEST}
done
retina-shell-images:
name: Build Retina Shell Images
runs-on: ubuntu-latest
strategy:
matrix:
platform: ["linux"]
arch: ["amd64", "arm64"]
steps:
- name: Checkout code
uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version-file: go.mod
- run: go version
- name: Install Cosign
uses: sigstore/[email protected]
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Log in to registry
run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u $ --password-stdin
- name: Build/Push Images
shell: bash
run: |
set -euo pipefail
echo "TAG=$(make version)" >> $GITHUB_ENV
make retina-shell-image \
IMAGE_NAMESPACE=${{ github.repository }} \
PLATFORM=${{ matrix.platform }}/${{ matrix.arch }} \
BUILDX_ACTION=--push
- name: Sign container image
run: |
IMAGE_PATH="ghcr.io/${{ github.repository }}/retina-shell:$TAG-${{ matrix.platform }}-${{ matrix.arch }}"
DIGEST=$(jq -r '.["containerimage.digest"]' image-metadata-retina-shell-$TAG-${{ matrix.platform }}-${{ matrix.arch }}.json)
cosign sign --yes ${IMAGE_PATH}@${DIGEST}
kubectl-retina-images:
name: Build Kubectl Retina Images
runs-on: ubuntu-latest
strategy:
matrix:
platform: ["linux"]
arch: ["amd64", "arm64"]
steps:
- name: Checkout code
uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version-file: go.mod
- run: go version
- name: Install Cosign
uses: sigstore/[email protected]
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Log in to registry
run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u $ --password-stdin
- name: Build/Push Images
shell: bash
run: |
set -euo pipefail
echo "TAG=$(make version)" >> $GITHUB_ENV
make kubectl-retina-image \
IMAGE_NAMESPACE=${{ github.repository }} \
PLATFORM=${{ matrix.platform }}/${{ matrix.arch }} \
BUILDX_ACTION=--push
- name: Sign container image
run: |
IMAGE_PATH="ghcr.io/${{ github.repository }}/kubectl-retina:$TAG-${{ matrix.platform }}-${{ matrix.arch }}"
DIGEST=$(jq -r '.["containerimage.digest"]' image-metadata-kubectl-retina-$TAG-${{ matrix.platform }}-${{ matrix.arch }}.json)
cosign sign --yes ${IMAGE_PATH}@${DIGEST}
manifests:
name: Generate Manifests
runs-on: ubuntu-latest
needs:
[
retina-images,
retina-win-images,
operator-images,
retina-shell-images,
kubectl-retina-images,
]
strategy:
matrix:
component: ["retina", "operator", "shell", "kubectl-retina"]
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Install Cosign
uses: sigstore/[email protected]
- name: Log in to registry
run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u $ --password-stdin
- name: Generate Manifests
shell: bash
run: |
set -euo pipefail
make manifest \
IMAGE_NAMESPACE=${{ github.repository }} \
COMPONENT=${{ matrix.component }}
- name: Sign manifest
run: |
export TAG="$(make version)"
images=("retina-agent" "retina-init")
if [[ ${{ matrix.component }} == "operator" ]]; then
images=("retina-operator")
elif [[ ${{ matrix.component }} == "shell" ]]; then
images=("retina-shell")
elif [[ ${{ matrix.component }} == "kubectl-retina" ]]; then
images=("kubectl-retina")
fi
for image in "${images[@]}"; do
IMAGE_PATH="ghcr.io/${{ github.repository }}/$image:$TAG"
DIGEST=$(docker buildx imagetools inspect $IMAGE_PATH --format "{{json .Manifest}}" | jq -r .digest)
cosign sign --yes ${IMAGE_PATH}@${DIGEST}
done