diff --git a/.github/workflows/image-push.yml b/.github/workflows/image-push.yml
index f82c04b..cc05a91 100644
--- a/.github/workflows/image-push.yml
+++ b/.github/workflows/image-push.yml
@@ -35,12 +35,6 @@ jobs:
 secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | DOCKER_USERNAME ;
 secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_PASSWORD
 
- - name: Login to Container Registry
- uses: docker/login-action@v3
- with:
- username: ${{ env.DOCKER_USERNAME }}
- password: ${{ env.DOCKER_PASSWORD }}
-
 - name: Build and push container image
 id: build-amd64
 uses: rancher/ecm-distro-tools/actions/publish-image@master
@@ -57,8 +51,7 @@ jobs:
 - name: Export digest
 run: |
 mkdir -p /tmp/digests
- digest="${{ steps.build-amd64.outputs.digest }}"
- touch "/tmp/digests/${digest#sha256:}"
+ echo "${{ steps.build-amd64.outputs.DIGEST_SHA }}" > "/tmp/digests/${{ steps.build-amd64.outputs.DIGEST_SHA }}"
 
 - name: Upload digest
 uses: actions/upload-artifact@v4
@@ -96,12 +89,6 @@ jobs:
 secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | DOCKER_USERNAME ;
 secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_PASSWORD
 
- - name: Login to Container Registry
- uses: docker/login-action@v3
- with:
- username: ${{ env.DOCKER_USERNAME }}
- password: ${{ env.DOCKER_PASSWORD }}
-
 - name: Build and push container image
 id: build-arm64
 uses: rancher/ecm-distro-tools/actions/publish-image@master
@@ -118,8 +105,7 @@ jobs:
 - name: Export digest
 run: |
 mkdir -p /tmp/digests
- digest="${{ steps.build-arm64.outputs.digest }}"
- touch "/tmp/digests/${digest#sha256:}"
+ echo "${{ steps.build-arm64.outputs.DIGEST_SHA }}" > "/tmp/digests/${{ steps.build-arm64.outputs.DIGEST_SHA }}"
 
 - name: Upload digest
 uses: actions/upload-artifact@v4
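Review bot: The rewritten Export digest line in the second hunk, `echo "${{ steps.build-amd64.outputs.DIGEST_SHA }}" > "/tmp/digests/${{ steps.build-amd64.outputs.DIGEST_SHA }}"`, interpolates a step output directly into the shell script and never checks it; if `DIGEST_SHA` is not re-exported as an output of the publish-image action (the Makefile writes it to GITHUB_OUTPUT, but whether the composite action declares it is not visible here) both expressions expand to an empty string and the redirect targets the directory itself. Pass the value through `env:` and validate it against the bare 64-hex digest shape before using it as a file name, because that file name is later spliced into an image reference by the manifest-push target. The arm64 Export digest step in the fourth hunk has the same shape and needs the same change. The job these steps belong to continues outside the hunk.
```yaml
      - name: Export digest
        env:
          DIGEST_SHA: ${{ steps.build-amd64.outputs.DIGEST_SHA }}
        run: |
          mkdir -p /tmp/digests
          # refuse anything that is not a bare sha256 hex digest: the file name
          # becomes part of an image reference in the manifest-push target
          [[ "$DIGEST_SHA" =~ ^[0-9a-f]{64}$ ]] || { echo "unexpected DIGEST_SHA: '$DIGEST_SHA'" >&2; exit 1; }
          echo "$DIGEST_SHA" > "/tmp/digests/$DIGEST_SHA"
```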
@@ -128,6 +114,7 @@ jobs:
 path: /tmp/digests/*
 if-no-files-found: error
 retention-days: 1
+
 merge:
 permissions:
 contents: read
@@ -156,18 +143,22 @@ jobs:
 secrets: |
 secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | DOCKER_USERNAME ;
 secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_PASSWORD
-
- - name: Login to Container Registry
- uses: docker/login-action@v3
- with:
- username: ${{ env.DOCKER_USERNAME }}
- password: ${{ env.DOCKER_PASSWORD }}
 
 - name: Create manifest list and push
 working-directory: /tmp/digests
- run: |
- docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
- $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *)
+ id: push-manifest
+ uses: rancher/ecm-distro-tools/actions/publish-image@master
+ env:
+ DOCKER_METADATA_OUTPUT_JSON: ${{ steps.docker_meta.outputs.json }}
+ REGISTRY_IMAGEL: ${{ env.REGISTRY_IMAGE }}
+ with:
+ image: hardened-calico
+ tag: ${{ github.event.release.tag_name }}
+ public-repo: rancher
+ public-username: ${{ env.DOCKER_USERNAME }}
+ public-password: ${{ env.DOCKER_PASSWORD }}
+ push-to-prime: false
+ make-target: manifest-push
 
 - name: Inspect image
 run: |
diff --git a/Makefile b/Makefile
index f491f9c..1f52e2f 100644
--- a/Makefile
+++ b/Makefile
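Review bot: `REGISTRY_IMAGEL: ${{ env.REGISTRY_IMAGE }}` in the new push-manifest step's `env:` looks like a typo for `REGISTRY_IMAGE`, the name the Makefile's manifest-push target reads as `$(REGISTRY_IMAGE)`; unless a workflow-level env of that name already reaches the action's shell, every digest reference expands to `@sha256:<file>` with no image in front and imagetools fails. Change it to `REGISTRY_IMAGE: ${{ env.REGISTRY_IMAGE }}`. The same step passes DOCKER_USERNAME and DOCKER_PASSWORD to `rancher/ecm-distro-tools/actions/publish-image@master`, a mutable branch reference; pin it to a full commit SHA (with the tag in a trailing comment) so a later change on that branch cannot silently alter the code that runs with registry credentials. `steps.docker_meta` is not visible in this hunk, so confirm a step with that id exists in the merge job, otherwise `DOCKER_METADATA_OUTPUT_JSON` is empty and the jq tag list comes out blank. The merge job continues outside the hunk.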
@@ -63,8 +63,25 @@ push-image:
 --tag $(IMAGE)-$(ARCH) \
 --label $(META_LABELS) \
 --push \
+ --iidfile /tmp/image.digest \
 .
+ @echo "DIGEST=$(shell cat /tmp/image.digest)" >> $(GITHUB_OUTPUT)
+ @echo "DIGEST_SHA=$(shell cat /tmp/image.digest | sed 's/^sha256://')" >> $(GITHUB_OUTPUT)
+
+
+.PHONY: manifest-push
+manifest-push:
+ @echo "Creating and pushing manifest list..."
+
+ # tag from Docker metadata JSON
+ $(eval TAGS := $(shell echo '$(DOCKER_METADATA_OUTPUT_JSON)' | jq -r '.tags | map("-t " + .) | join(" ")'))
+
+ # digest files and format them for docker buildx
+ $(eval DIGESTS := $(shell for file in *; do echo -n "$(REGISTRY_IMAGE)@sha256:$$file "; done))
+
+ docker buildx imagetools create $(TAGS) $(DIGESTS)
+
 
 .PHONY: image-push
 image-push:
 docker push $(ORG)/hardened-calico:$(TAG)-$(ARCH)
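Review bot: In the new manifest-push target, `$(shell echo '$(DOCKER_METADATA_OUTPUT_JSON)' | jq ...)` expands the metadata JSON into the command text at Make level, so a single quote anywhere in that JSON (label values are free text) terminates the quoted string and the remainder is executed by the shell; read the variable inside the shell instead, `$(eval TAGS := $(shell printf '%s' "$$DOCKER_METADATA_OUTPUT_JSON" | jq -r '.tags | map("-t " + .) | join(" ")'))`. The two `>> $(GITHUB_OUTPUT)` lines added to push-image become a bare `>>` when GITHUB_OUTPUT is unset, so `make push-image` now fails with a shell syntax error outside Actions; `>> "$${GITHUB_OUTPUT:-/dev/null}"` keeps the target usable locally. The DIGESTS loop also turns every file in the working directory into an `@sha256:` reference without checking that the name is a hex digest, which deserves a `case "$$file" in *[!0-9a-f]*) exit 1;; esac` guard given the names come from an uploaded artifact. The push-image recipe starts before this hunk.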