From 927105c7ff89397bcd351798d105a3928e581210 Mon Sep 17 00:00:00 2001
From: Caleb Woodbine
Date: Thu, 30 May 2024 16:09:21 +1200
Subject: [PATCH] feat: add image build to ghcr.io build image and publish on ghcr.io
---
.alpine.pkgs | 1 +
.github/workflows/push.yml | 25 ++++++++++++++++++
hack/image.yaml | 1 +
hack/publish.sh | 52 ++++++++++++++++++++++++++++++++++++++
4 files changed, 79 insertions(+)
create mode 100644 .alpine.pkgs
create mode 100644 hack/image.yaml
create mode 100755 hack/publish.sh
diff --git a/.alpine.pkgs b/.alpine.pkgs
new file mode 100644
index 0000000..a10919c
--- /dev/null
+++ b/.alpine.pkgs
@@ -0,0 +1 @@
+tar crane hugo git cosign bash openssl jq yq
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index dd17a04..5d9d425 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -3,6 +3,10 @@ on:
 branches:
 - main
 workflow_dispatch: {}
+permissions:
+ id-token: write
+ contents: write
+ packages: write
 jobs:
 push-to-balena-cloud:
 runs-on: ubuntu-latest
@@ -29,3 +33,24 @@ jobs:
 if: ${{ always() }}
 run: |
 rm -rfv .balena-key
+ publish-to-ghcr:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ - id: run-info
+ name: collect job run info
+ env:
+ KO_DOCKER_REPO: ghcr.io/${{ github.repository }}
+ run: |
+ echo "ko-docker-repo=${KO_DOCKER_REPO,,}" >> $GITHUB_OUTPUT
+ - name: Setup Hugo
+ uses: peaceiris/actions-hugo@v3
+ with:
+ hugo-version: 'latest'
+ extended: true
+ - uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
+ - uses: imjasonh/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c # v0.3
+ - name: build
+ env:
+ KO_DOCKER_REPO: ${{ steps.run-info.outputs.ko-docker-repo }}
+ run: ./hack/publish.sh --sign
diff --git a/hack/image.yaml b/hack/image.yaml
new file mode 100644
index 0000000..9ab18c2
--- /dev/null
+++ b/hack/image.yaml
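Review bot: The added `.alpine.pkgs` line lists `tar crane hugo git cosign bash openssl jq yq` with no versions, so whatever consumes it (presumably an `apk add` in a build image; the consumer is not part of this patch) installs whatever is current at build time, and the very tools that verify and sign the release (`crane`, `cosign`) can change underneath you. If the consumer supports it, pin entries as `pkg=version` (e.g. `cosign=<version>`), or record elsewhere why floating versions are acceptable for this toolchain.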
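Review bot: The `permissions` block added at workflow level grants `id-token: write`, `contents: write` and `packages: write` to every job in the file, including the pre-existing `push-to-balena-cloud`, while nothing in this patch writes to the repository, so `contents: write` is unused and the balena job now receives a token far broader than before. Only `publish-to-ghcr` needs `packages: write` (push to ghcr.io) and `id-token: write` (OIDC for keyless `cosign sign`), so move those grants under that job and leave the workflow-level default read-only; `push-to-balena-cloud`'s own requirements are outside this diff and should be checked before narrowing it further.
```yaml
permissions:
  contents: read

jobs:
  # … unchanged: push-to-balena-cloud …
  publish-to-ghcr:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
      packages: write
```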
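Review bot: The `build` step exports `KO_DOCKER_REPO`, but `hack/publish.sh` (added in the same patch) reads `CONTAINER_REPO` and falls back to `localhost:5001/...` when it is unset, so as written this job will try to push to a local registry that does not exist on the runner rather than to ghcr.io; the env key should be `CONTAINER_REPO`. There is also no registry login before the push (`crane append` / `crane index append` push directly), so unless credentials arrive from something not shown here, ghcr.io will reject the push — a `crane auth login` step fed from `GITHUB_TOKEN` is needed. Finally, `peaceiris/actions-hugo@v3` with `hugo-version: 'latest'` is the one unpinned action in a job that otherwise pins every action to a commit SHA; pin it the same way and choose a concrete Hugo version so the release build is reproducible.
```yaml
      - name: login to ghcr.io
        env:
          GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          crane auth login ghcr.io -u "$GITHUB_ACTOR" --password-stdin <<< "$GHCR_TOKEN"
      - name: build
        env:
          CONTAINER_REPO: ${{ steps.run-info.outputs.ko-docker-repo }}
        run: ./hack/publish.sh --sign
```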
@@ -0,0 +1 @@
+image: registry.gitlab.com/bobymcbobs/go-http-server:1.11.0 # {"$imagepolicy": "flux-system:registry-gitlab-com-bobymcbobs-go-http-server"}
diff --git a/hack/publish.sh b/hack/publish.sh
new file mode 100755
index 0000000..cd102f5
--- /dev/null
+++ b/hack/publish.sh
@@ -0,0 +1,52 @@
+#!/bin/bash -x
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+cd "$(git rev-parse --show-toplevel)" || exit 0
+
+LOCAL_REGISTRY="localhost:5001/$(pwd | md5sum | head -c6)"
+BASE_IMAGE="$(< ./hack/image.yaml yq e .image -P)"
+TAG="${TAG:-v$(git show -s --format=%cd --date=format:'%s')-$(git rev-parse HEAD | head -c8)}"
+SIGN=false
+
+# NOTE budget /bin/sh way
+if echo "${@:-}" | grep -q '\-\-sign'; then
+ SIGN=true
+fi
+
+cosign verify \
+ --certificate-identity-regexp 'https://gitlab.com/BobyMCbobs/go-http-server//.gitlab-ci.yml@(refs/heads/main|refs/tags/.*)' \
+ --certificate-oidc-issuer-regexp 'https://gitlab.com' \
+ "$BASE_IMAGE" \
+ -o text
+
+rm -rf public output
+hugo
+
+# bit of a hack
+# perhaps there's a way to say
+# to tar to pack dir into a new dir?
+mkdir -p output/var/run
+mv public output/var/run/ko
+chmod -R 0755 output/
+
+IMAGE_ARM64="$(crane append --platform=linux/arm64 \
+ --base="$BASE_IMAGE" \
+ --new_layer=<(cd output && tar --exclude=".DS_Store" -f - -c .) \
+ --new_tag="${CONTAINER_REPO:-$LOCAL_REGISTRY}")"
+IMAGE_AMD64="$(crane append --platform=linux/amd64 \
+ --base="$BASE_IMAGE" \
+ --new_layer=<(cd output && tar --exclude=".DS_Store" -f - -c .) \
+ --new_tag="${CONTAINER_REPO:-$LOCAL_REGISTRY}")"
+IMAGE="$(crane index append \
+ -m "${IMAGE_ARM64}" \
+ -m "${IMAGE_AMD64}" \
+ -t "${CONTAINER_REPO:-$LOCAL_REGISTRY}:$TAG")"
+
+if [ "$SIGN" = true ]; then
+ cosign sign -y --recursive "$IMAGE"
+fi
+
+echo "Published image to: $IMAGE"
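Review bot: In the `cosign verify` call, `--certificate-oidc-issuer-regexp 'https://gitlab.com'` is an unanchored substring match (cosign does not anchor these patterns), and the identity regexp likewise has no `^`/`$` and leaves its dots unescaped, so the check is looser than it reads; use the exact-match `--certificate-oidc-issuer` flag and anchor and escape the identity pattern. Because `BASE_IMAGE` is a mutable tag, the digest that `cosign verify` checks and the one `crane append --base` pulls a few commands later can differ; resolving the tag once with `crane digest` and using `tag@digest` for both closes that window. `cd "$(git rev-parse --show-toplevel)" || exit 0` turns a failure to locate the repo root into a successful no-op exit and should be `exit 1`. Smaller nits: `grep -q '\-\-sign'` also matches unrelated flags such as `--signature`, and `#!/bin/bash -x` echoes every expanded command into the CI log, which matters if credentials are ever passed through the environment.
```bash
cd "$(git rev-parse --show-toplevel)" || exit 1

# … unchanged: LOCAL_REGISTRY …
BASE_IMAGE="$(< ./hack/image.yaml yq e .image -P)"
# resolve the tag once so verify and append operate on the same digest
BASE_IMAGE="${BASE_IMAGE%%@*}@$(crane digest "$BASE_IMAGE")"
# … unchanged: TAG, SIGN parsing …

cosign verify \
  --certificate-identity-regexp '^https://gitlab\.com/BobyMCbobs/go-http-server//\.gitlab-ci\.yml@(refs/heads/main|refs/tags/.*)$' \
  --certificate-oidc-issuer 'https://gitlab.com' \
  "$BASE_IMAGE" \
  -o text
# … unchanged: hugo build, layer packing, crane append/index, cosign sign …
```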