Merge pull request #1 from brooksn/slsa3-fix

fix builds
rancher · Oct 9, 2024 · 3a52e27 · 3a52e27
2 parents 3b41874 + 4cc624c
commit 3a52e27
Show file tree

Hide file tree

Showing 2 changed files with 61 additions and 55 deletions.
diff --git a/.github/workflows/image-push.yml b/.github/workflows/image-push.yml
@@ -12,6 +12,8 @@ jobs:
       contents: read
       id-token: write
     runs-on: runs-on,runner=4cpu-linux-x64,run-id=${{ github.run_id }}
+    outputs:
+      digest: ${{ steps.digest.outputs.digest }}
     steps:
     - name: Check out code
       uses: actions/checkout@v4
@@ -33,7 +35,10 @@ jobs:
       with:
         secrets: |
           secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | DOCKER_USERNAME ;
-          secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_PASSWORD
+          secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_PASSWORD ;
+          secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ;
+          secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials username | PRIME_REGISTRY_USERNAME ;
+          secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD
 
     - name: Build and push container image
       id: build-amd64
@@ -43,24 +48,29 @@ jobs:
       with:
         image: hardened-calico
         tag: ${{ github.event.release.tag_name }}
+
         public-repo: rancher
         public-username: ${{ env.DOCKER_USERNAME }}
         public-password: ${{ env.DOCKER_PASSWORD }}
-        push-to-prime: false
 
-    - name: Upload digest
-      uses: actions/upload-artifact@v4
-      with:
-        name: digests-linux-amd64
-        path: /tmp/digests/*
-        if-no-files-found: error
-        retention-days: 1
+        prime-repo: rancher
+        prime-registry: ${{ env.PRIME_REGISTRY }}
+        prime-username: ${{ env.PRIME_REGISTRY_USERNAME }}
+        prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }}
+
+    - name: Digest
+      id: digest
+      run: |
+        IMAGE_DIGEST=$(jq -r '.["containerimage.digest"]' /tmp/metadata.json)
+        echo "digest=$IMAGE_DIGEST" >> "$GITHUB_OUTPUT"
 
   build-arm64-digest:
     permissions:
       contents: read
       id-token: write
     runs-on: runs-on,runner=4cpu-linux-arm64,run-id=${{ github.run_id }}
+    outputs:
+      digest: ${{ steps.digest.outputs.digest }}
     steps:
     - name: Check out code
       uses: actions/checkout@v4
@@ -82,7 +92,10 @@ jobs:
       with:
         secrets: |
           secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | DOCKER_USERNAME ;
-          secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_PASSWORD
+          secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_PASSWORD ;
+          secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ;
+          secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials username | PRIME_REGISTRY_USERNAME ;
+          secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD
 
     - name: Build and push container image
       id: build-arm64
@@ -92,18 +105,21 @@ jobs:
       with:
         image: hardened-calico
         tag: ${{ github.event.release.tag_name }}
+
         public-repo: rancher
         public-username: ${{ env.DOCKER_USERNAME }}
         public-password: ${{ env.DOCKER_PASSWORD }}
-        push-to-prime: false
 
-    - name: Upload digest
-      uses: actions/upload-artifact@v4
-      with:
-        name: digests-linux-arm64
-        path: /tmp/digests/*
-        if-no-files-found: error
-        retention-days: 1
+        prime-repo: rancher
+        prime-registry: ${{ env.PRIME_REGISTRY }}
+        prime-username: ${{ env.PRIME_REGISTRY_USERNAME }}
+        prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }}
+
+    - name: Digest
+      id: digest
+      run: |
+        IMAGE_DIGEST=$(jq -r '.["containerimage.digest"]' /tmp/metadata.json)
+        echo "digest=$IMAGE_DIGEST" >> "$GITHUB_OUTPUT"
 
   merge:
     permissions:
@@ -114,13 +130,6 @@ jobs:
       - build-amd64-digest
       - build-arm64-digest
     steps:
-      - name: Download digests
-        uses: actions/download-artifact@v4
-        with:
-          path: /tmp/digests
-          pattern: digests-*
-          merge-multiple: true
-
       - name: Docker meta
         id: meta
         uses: docker/metadata-action@v5
@@ -132,24 +141,32 @@ jobs:
         with:
           secrets: |
             secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | DOCKER_USERNAME ;
-            secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_PASSWORD
+            secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_PASSWORD ;
+            secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ;
+            secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials username | PRIME_REGISTRY_USERNAME ;
+            secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD
 
       - name: Create manifest list and push
-        working-directory: /tmp/digests
         id: push-manifest
         uses: rancher/ecm-distro-tools/actions/publish-image@master
         env: 
           DOCKER_METADATA_OUTPUT_JSON: ${{ steps.meta.outputs.json }}
           REGISTRY_IMAGE: ${{ env.REGISTRY_IMAGE }}
+          IMAGE_DIGESTS: ${{ needs.build-amd64-digest.outputs.digest }} ${{ needs.build-arm64-digest.outputs.digest }}
         with:
+          make-target: manifest-push
           image: hardened-calico
           tag: ${{ github.event.release.tag_name }}
+
           public-repo: rancher
           public-username: ${{ env.DOCKER_USERNAME }}
           public-password: ${{ env.DOCKER_PASSWORD }}
-          push-to-prime: false
-          make-target: manifest-push
-
+
+          prime-repo: rancher
+          prime-registry: ${{ env.PRIME_REGISTRY }}
+          prime-username: ${{ env.PRIME_REGISTRY_USERNAME }}
+          prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }}
+
       - name: Inspect image
         run: |
           docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }}
diff --git a/Makefile b/Makefile
@@ -22,9 +22,9 @@ endif
 
 BUILD_META=-build$(shell date +%Y%m%d)
 ORG ?= rancher
+MACHINE := rancher
 TAG ?= ${GITHUB_ACTION_TAG}
 REGISTRY_IMAGE ?= $(ORG)/hardened-calico
-META_LABELS ?= ${META_LABELS}
 
 K3S_ROOT_VERSION ?= v0.14.0
 
@@ -34,10 +34,16 @@ endif
 
 IMAGE ?= $(REGISTRY_IMAGE):$(TAG)
 
+LABEL_ARGS = $(foreach label,$(META_LABELS),--label $(label))
+
 ifeq (,$(filter %$(BUILD_META),$(TAG)))
 $(error TAG $(TAG) needs to end with build metadata: $(BUILD_META))
 endif
 
+buildx-machine:
+	@docker buildx ls | grep $(MACHINE) || \
+		docker buildx create --name=$(MACHINE) --platform=linux/arm64,linux/amd64
+
 .PHONY: image-build
 image-build:
 	docker buildx build --no-cache \
@@ -51,43 +57,24 @@ image-build:
 		.
 
 .PHONY: push-image
-push-image:
+push-image: buildx-machine
 	docker buildx build \
+	    --builder=$(MACHINE) \
 		--sbom=true \
 		--attest type=provenance,mode=max \
 		--platform=$(TARGET_PLATFORMS) \
 		--build-arg TAG=$(TAG:$(BUILD_META)=) \
 		--build-arg K3S_ROOT_VERSION=$(K3S_ROOT_VERSION) \
-		--outputs type=image,name=$(REGISTRY_IMAGE),push-by-digest=true,name-canonical=true,push=true \
-		--tag $(IMAGE) \
-		--tag $(IMAGE)-$(ARCH) \
-		--label $(META_LABELS) \
+		--output type=image,name=$(REGISTRY_IMAGE),push-by-digest=true,name-canonical=true,push=true \
+		$(LABEL_ARGS) \
 		--push \
 		--iidfile /tmp/image.digest \
 		--metadata-file /tmp/metadata.json \
 		.
 
-	# Create directory for storing digests
-	@mkdir -p /tmp/digests
-
-	FULL_DIGEST := $(shell jq -r '.containerimage.digest' /tmp/metadata.json)
-	DIGEST_SHA := $(shell echo $(FULL_DIGEST) | sed 's/^sha256://')
-
-	@echo $(DIGEST_SHA) > "/tmp/digests/$(DIGEST_SHA)"
-
-
 .PHONY: manifest-push
 manifest-push:
-	TAGS := $(shell echo '$(DOCKER_METADATA_OUTPUT_JSON)' | jq -r '.tags | map("-t " + .) | join(" ")')
-
-	IMAGE_DIGESTS := $(shell for digest_file in *; do \
-		echo -n "$(REGISTRY_IMAGE)@sha256:$$digest_file "; \
-	done)
-
-	@echo "Tags to be used: $(TAGS)"
-	@echo "Image digests: $(IMAGE_DIGESTS)"
-
-	docker buildx imagetools create $(TAGS) $(IMAGE_DIGESTS)
+	docker buildx imagetools create -t $(IMAGE) -t $(REGISTRY_IMAGE):latest $(IMAGE_DIGESTS)
 
 .PHONY: image-push
 image-push:
@@ -106,3 +93,5 @@ log:
 	@echo "SRC=$(SRC)"
 	@echo "BUILD_META=$(BUILD_META)"
 	@echo "UNAME_M=$(UNAME_M)"
+	@echo "META_LABELS=$(META_LABELS)"
+	@echo "LABEL_ARGS=$(LABEL_ARGS)"