digest

rancher · Oct 4, 2024 · 1a25014 · 1a25014
1 parent 288f216
commit 1a25014
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 25 deletions.
diff --git a/.github/workflows/image-push.yml b/.github/workflows/image-push.yml
@@ -35,12 +35,6 @@ jobs:
           secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | DOCKER_USERNAME ;
           secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_PASSWORD
 
-    - name: Login to Container Registry
-      uses: docker/login-action@v3
-      with:
-        username: ${{ env.DOCKER_USERNAME }}
-        password: ${{ env.DOCKER_PASSWORD }}
-
     - name: Build and push container image
       id: build-amd64
       uses: rancher/ecm-distro-tools/actions/publish-image@master
@@ -57,8 +51,7 @@ jobs:
     - name: Export digest
       run: |
         mkdir -p /tmp/digests
-        digest="${{ steps.build-amd64.outputs.digest }}"
-        touch "/tmp/digests/${digest#sha256:}"
+        echo "${{ steps.build-amd64.outputs.DIGEST_SHA }}" > "/tmp/digests/${{ steps.build-amd64.outputs.DIGEST_SHA }}"
 
     - name: Upload digest
       uses: actions/upload-artifact@v4
@@ -96,12 +89,6 @@ jobs:
           secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | DOCKER_USERNAME ;
           secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_PASSWORD
 
-    - name: Login to Container Registry
-      uses: docker/login-action@v3
-      with:
-        username: ${{ env.DOCKER_USERNAME }}
-        password: ${{ env.DOCKER_PASSWORD }}
-
     - name: Build and push container image
       id: build-arm64
       uses: rancher/ecm-distro-tools/actions/publish-image@master
@@ -118,8 +105,7 @@ jobs:
     - name: Export digest
       run: |
         mkdir -p /tmp/digests
-        digest="${{ steps.build-arm64.outputs.digest }}"
-        touch "/tmp/digests/${digest#sha256:}"
+        echo "${{ steps.build-arm64.outputs.DIGEST_SHA }}" > "/tmp/digests/${{ steps.build-arm64.outputs.DIGEST_SHA }}"
 
     - name: Upload digest
       uses: actions/upload-artifact@v4
@@ -128,6 +114,7 @@ jobs:
         path: /tmp/digests/*
         if-no-files-found: error
         retention-days: 1
+
   merge:
     permissions:
       contents: read
@@ -156,18 +143,22 @@ jobs:
           secrets: |
             secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | DOCKER_USERNAME ;
             secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_PASSWORD
-    
-      - name: Login to Container Registry
-        uses: docker/login-action@v3
-        with:
-          username: ${{ env.DOCKER_USERNAME }}
-          password: ${{ env.DOCKER_PASSWORD }}
 
       - name: Create manifest list and push
         working-directory: /tmp/digests
-        run: |
-          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
-            $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *)          
+        id: push-manifest
+        uses: rancher/ecm-distro-tools/actions/publish-image@master
+        env: 
+          DOCKER_METADATA_OUTPUT_JSON: ${{ steps.docker_meta.outputs.json }}
+          REGISTRY_IMAGEL: ${{ env.REGISTRY_IMAGE }}
+        with:
+          image: hardened-calico
+          tag: ${{ github.event.release.tag_name }}
+          public-repo: rancher
+          public-username: ${{ env.DOCKER_USERNAME }}
+          public-password: ${{ env.DOCKER_PASSWORD }}
+          push-to-prime: false
+          make-target: manifest-push
 
       - name: Inspect image
         run: |

diff --git a/Makefile b/Makefile
@@ -63,8 +63,25 @@ push-image:
 		--tag $(IMAGE)-$(ARCH) \
 		--label $(META_LABELS) \
 		--push \
+		--iidfile /tmp/image.digest \
 		.
 
+	@echo "DIGEST=$(shell cat /tmp/image.digest)" >> $(GITHUB_OUTPUT)
+	@echo "DIGEST_SHA=$(shell cat /tmp/image.digest | sed 's/^sha256://')" >> $(GITHUB_OUTPUT)
+
+
+.PHONY: manifest-push
+manifest-push:
+	@echo "Creating and pushing manifest list..."
+
+	# tag from Docker metadata JSON
+	$(eval TAGS := $(shell echo '$(DOCKER_METADATA_OUTPUT_JSON)' | jq -r '.tags | map("-t " + .) | join(" ")'))
+
+	# digest files and format them for docker buildx
+	$(eval DIGESTS := $(shell for file in *; do echo -n "$(REGISTRY_IMAGE)@sha256:$$file "; done))
+
+	docker buildx imagetools create $(TAGS) $(DIGESTS)
+
 .PHONY: image-push
 image-push:
 	docker push $(ORG)/hardened-calico:$(TAG)-$(ARCH)