Build UBI Rust Builders (attempt #1) #1072
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: Build UBI Rust Builders | |
| run-name: | | |
| Build UBI Rust Builders (attempt #${{ github.run_attempt }}) | |
| on: | |
| push: | |
| branches: | |
| - main | |
| paths: | |
| - ubi9-rust-builder/** | |
| - ubi10-rust-builder/** | |
| - .github/actions/** | |
| - .github/workflows/ubi-rust-builder.yml | |
| - .github/workflows/reusable_build_image.yaml | |
| schedule: | |
| - cron: "30 4 * * *" | |
| workflow_dispatch: | |
| jobs: | |
| build: | |
| permissions: | |
| id-token: write | |
| runs-on: ${{ matrix.runner }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| runner: ["ubuntu-latest", "ubicloud-standard-8-arm-ubuntu-2404"] | |
| ubi-version: ["ubi9", "ubi10"] | |
| steps: | |
| - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 | |
| with: | |
| persist-credentials: false | |
| - name: Login to Stackable Harbor | |
| uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 | |
| with: | |
| registry: oci.stackable.tech | |
| username: robot$sdp+github-action-build | |
| password: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} | |
| - name: Set up Cosign | |
| uses: sigstore/cosign-installer@7e8b541eb2e61bf99390e1afd4be13a184e9ebc5 # v3.10.1 | |
| - name: Determine Architecture | |
| run: | | |
| echo "TAG=$(git rev-parse --short HEAD)-$(arch)" >> "$GITHUB_ENV" | |
| - name: Build and push | |
| id: build-and-push | |
| uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 | |
| with: | |
| context: . | |
| file: ./${{ matrix.ubi-version }}-rust-builder/Dockerfile | |
| push: true | |
| tags: oci.stackable.tech/sdp/${{ matrix.ubi-version }}-rust-builder:${{ env.TAG }} | |
| provenance: false | |
| - name: Sign the published builder image | |
| shell: bash | |
| env: | |
| DIGEST: ${{ steps.build-and-push.outputs.digest }} | |
| run: | | |
| # Refer to image via its digest (oci.stackable.tech/sdp/airflow@sha256:0a1b2c...) | |
| # This generates a signature and publishes it to the registry, next to the image | |
| # Uses the keyless signing flow with Github Actions as identity provider | |
| cosign sign -y "oci.stackable.tech/sdp/${{ matrix.ubi-version }}-rust-builder@$DIGEST" | |
| publish_manifests: | |
| name: Build/Publish Image Index Manifest | |
| needs: ["build"] | |
| permissions: | |
| id-token: write | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| ubi-version: ["ubi9", "ubi10"] | |
| steps: | |
| - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 | |
| with: | |
| persist-credentials: false | |
| - name: Login to Stackable Harbor | |
| uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 | |
| with: | |
| registry: oci.stackable.tech | |
| username: robot$sdp+github-action-build | |
| password: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} | |
| - name: Set up Cosign | |
| uses: sigstore/cosign-installer@7e8b541eb2e61bf99390e1afd4be13a184e9ebc5 # v3.10.1 | |
| - name: Create and Push Image Index Manifest | |
| shell: bash | |
| run: | | |
| COMMIT_ID=$(git rev-parse --short HEAD) | |
| MANIFEST_LIST_NAME=oci.stackable.tech/sdp/${{ matrix.ubi-version }}-rust-builder | |
| docker manifest create "$MANIFEST_LIST_NAME:latest" "$MANIFEST_LIST_NAME:$COMMIT_ID-x86_64" "$MANIFEST_LIST_NAME:$COMMIT_ID-aarch64" | |
| # `docker manifest push` directly returns the digest of the manifest list | |
| # As it is an experimental feature, this might change in the future | |
| # Further reading: https://docs.docker.com/reference/cli/docker/manifest/push/ | |
| DIGEST=$(docker manifest push "$MANIFEST_LIST_NAME:latest") | |
| # Refer to image via its digest (oci.stackable.tech/sdp/airflow@sha256:0a1b2c...) | |
| # This generates a signature and publishes it to the registry, next to the image | |
| # Uses the keyless signing flow with Github Actions as identity provider | |
| cosign sign -y "$MANIFEST_LIST_NAME@$DIGEST" | |
| notify: | |
| name: Failure Notification | |
| needs: [build, publish_manifests] | |
| runs-on: ubuntu-latest | |
| if: failure() || (github.run_attempt > 1 && !cancelled()) | |
| steps: | |
| - name: Send Notification | |
| uses: stackabletech/actions/send-slack-notification@c34dbb4f27b274736c7d2edc6f6f30a03d03edf5 # v0.12.2 | |
| with: | |
| publish-manifests-result: ${{ needs.publish_manifests.result }} | |
| build-result: ${{ needs.build.result }} | |
| slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }} | |
| channel-id: C07UG6JH44F # notifications-container-images | |
| type: container-image-build |