diff --git a/.github/workflows/dockerhub_description.yml b/.github/workflows/dockerhub_description.yml index ae1485e0c..914350314 100644 --- a/.github/workflows/dockerhub_description.yml +++ b/.github/workflows/dockerhub_description.yml @@ -11,6 +11,7 @@ on: env: DOCKER_REPOSITORY: "zabbix" + IMAGES_PREFIX: "zabbix-" DOCKERFILES_DIRECTORY: "./Dockerfiles" jobs: @@ -62,5 +63,5 @@ jobs: with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} - repository: ${{ env.DOCKER_REPOSITORY }}/zabbix-${{ matrix.component }} + repository: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ matrix.component }} readme-filepath: ${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.component }}/README.md diff --git a/.github/workflows/nightly_build.yml b/.github/workflows/nightly_build.yml new file mode 100644 index 000000000..0a1c5915c --- /dev/null +++ b/.github/workflows/nightly_build.yml @@ -0,0 +1,884 @@ +name: Build images (DockerHub) + +on: + schedule: + - cron: '5 2 * * *' + workflow_dispatch: + +defaults: + run: + shell: bash + +env: + AUTO_PUSH_IMAGES: ${{ vars.AUTO_PUSH_IMAGES }} + + DOCKER_REPOSITORY: ${{ vars.DOCKER_REPOSITORY }} + LATEST_BRANCH: ${{ github.event.repository.default_branch }} + GIT_BRANCH: "refs/heads/trunk" + IMAGES_PREFIX: "zabbix-" + + BASE_BUILD_NAME: "build-base" + + MATRIX_FILE: "build.json" + DOCKERFILES_DIRECTORY: "./Dockerfiles" + + OIDC_ISSUER: "https://token.actions.githubusercontent.com" + IDENITY_REGEX: "https://github.com/zabbix/zabbix-docker/.github/" + +jobs: + init_build: + name: Initialize build + runs-on: ubuntu-latest + permissions: + contents: read + outputs: + os: ${{ steps.os.outputs.list }} + database: ${{ steps.database.outputs.list }} + components: ${{ steps.components.outputs.list }} + is_default_branch: ${{ steps.branch_info.outputs.is_default_branch }} + current_branch: ${{ steps.branch_info.outputs.current_branch }} + sha_short: ${{ steps.branch_info.outputs.sha_short }} + steps: + - name: Block egress traffic + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + github.com:443 + + - name: Checkout repository + uses: actions/checkout@v4 + with: + ref: ${{ env.GIT_BRANCH }} + fetch-depth: 1 + sparse-checkout: ${{ env.MATRIX_FILE }} + + - name: Check ${{ env.MATRIX_FILE }} file + id: build_exists + env: + MATRIX_FILE: ${{ env.MATRIX_FILE }} + run: | + if [[ ! -f "$MATRIX_FILE" ]]; then + echo "::error::File $MATRIX_FILE is missing" + exit 1 + fi + + - name: Prepare Operating System list + id: os + env: + MATRIX_FILE: ${{ env.MATRIX_FILE }} + run: | + os_list=$(jq -r '.["os-linux"] | keys | [ .[] | tostring ] | @json' "$MATRIX_FILE") + + echo "::group::Operating System List" + echo "$os_list" + echo "::endgroup::" + + echo "list=$os_list" >> $GITHUB_OUTPUT + + - name: Prepare Platform list + id: platform_list + env: + MATRIX_FILE: ${{ env.MATRIX_FILE }} + run: | + platform_list=$(jq -r '.["os-linux"] | tostring | @json' "$MATRIX_FILE") + + echo "::group::Platform List" + echo "$platform_list" + echo "::endgroup::" + + echo "list=$platform_list" >> $GITHUB_OUTPUT + + - name: Prepare Database engine list + id: database + env: + MATRIX_FILE: ${{ env.MATRIX_FILE }} + run: | + database_list=$(jq -r '[.components | values[] ] | sort | unique | del(.. | select ( . == "" ) ) | [ .[] | tostring ] | @json' "$MATRIX_FILE") + + echo "::group::Database List" + echo "$database_list" + echo "::endgroup::" + + echo "list=$database_list" >> $GITHUB_OUTPUT + + - name: Prepare Zabbix component list + id: components + env: + MATRIX_FILE: ${{ env.MATRIX_FILE }} + run: | + component_list=$(jq -r '.components | keys | [ .[] | tostring ] | @json' "$MATRIX_FILE") + + echo "::group::Zabbix Component List" + echo "$component_list" + echo "::endgroup::" + + echo "list=$component_list" >> $GITHUB_OUTPUT + + - name: Get branch info + id: branch_info + env: + LATEST_BRANCH: ${{ env.LATEST_BRANCH }} + github_ref: ${{ github.ref }} + run: | + result=false + sha_short=$(git rev-parse --short HEAD) + + if [[ "$github_ref" == "refs/tags/"* ]]; then + github_ref=${github_ref%.*} + fi + + github_ref=${github_ref##*/} + + if [[ "$github_ref" == "$LATEST_BRANCH" ]]; then + result=true + fi + + echo "::group::Branch data" + echo "is_default_branch - $result" + echo "current_branch - $github_ref" + echo "sha_short - $sha_short" + echo "::endgroup::" + + echo "is_default_branch=$result" >> $GITHUB_OUTPUT + echo "current_branch=$github_ref" >> $GITHUB_OUTPUT + echo "sha_short=$sha_short" >> $GITHUB_OUTPUT + + build_base: + timeout-minutes: 30 + name: Build base on ${{ matrix.os }} + needs: init_build + strategy: + fail-fast: false + matrix: + os: ${{ fromJson(needs.init_build.outputs.os) }} + + runs-on: ubuntu-latest + permissions: + contents: read + id-token: write + steps: + - name: Block egress traffic + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + archive.ubuntu.com:80 + atl.mirrors.knownhost.com:443 + atl.mirrors.knownhost.com:80 + auth.docker.io:443 + cdn03.quay.io:443 + centos-stream-distro.1gservers.com:443 + centos-stream-distro.1gservers.com:80 + dfw.mirror.rackspace.com:443 + dfw.mirror.rackspace.com:80 + dl-cdn.alpinelinux.org:443 + download.cf.centos.org:443 + download.cf.centos.org:80 + epel.mirror.constant.com:443 + ftp-nyc.osuosl.org:443 + ftp-nyc.osuosl.org:80 + ftp-osl.osuosl.org:443 + ftp-osl.osuosl.org:80 + ftp.plusline.net:443 + ftp.plusline.net:80 + ftpmirror.your.org:80 + fulcio.sigstore.dev:443 + github.com:443 + iad.mirror.rackspace.com:443 + iad.mirror.rackspace.com:80 + index.docker.io:443 + lesnet.mm.fcix.net:443 + mirror-mci.yuki.net.uk:443 + mirror-mci.yuki.net.uk:80 + mirror.arizona.edu:443 + mirror.arizona.edu:80 + mirror.dogado.de:443 + mirror.dogado.de:80 + mirror.facebook.net:443 + mirror.facebook.net:80 + mirror.fcix.net:443 + mirror.hoobly.com:443 + mirror.math.princeton.edu:443 + mirror.netzwerge.de:443 + mirror.pilotfiber.com:443 + mirror.pilotfiber.com:80 + mirror.rackspace.com:443 + mirror.rackspace.com:80 + mirror.scaleuptech.com:443 + mirror.scaleuptech.com:80 + mirror.servaxnet.com:443 + mirror.servaxnet.com:80 + mirror.siena.edu:80 + mirror.stream.centos.org:443 + mirror.stream.centos.org:80 + mirror.team-cymru.com:443 + mirror.team-cymru.com:80 + mirror1.hs-esslingen.de:443 + mirrors.centos.org:443 + mirrors.fedoraproject.org:443 + mirrors.fedoraproject.org:80 + mirrors.iu13.net:80 + mirrors.mit.edu:443 + mirrors.ocf.berkeley.edu:443 + mirrors.ocf.berkeley.edu:80 + mirrors.sonic.net:443 + mirrors.wcupa.edu:443 + mirrors.wcupa.edu:80 + mirrors.xtom.de:80 + na.edge.kernel.org:443 + nocix.mm.fcix.net:443 + oauth2.sigstore.dev:443 + objects.githubusercontent.com:443 + ports.ubuntu.com:80 + production.cloudflare.docker.com:443 + quay.io:443 + registry-1.docker.io:443 + rekor.sigstore.dev:443 + repo.ialab.dsu.edu:443 + repos.eggycrew.com:443 + repos.eggycrew.com:80 + security.ubuntu.com:80 + tuf-repo-cdn.sigstore.dev:443 + uvermont.mm.fcix.net:443 + yum.oracle.com:443 + ziply.mm.fcix.net:443 + + - name: Checkout repository + uses: actions/checkout@v4 + with: + ref: ${{ env.GIT_BRANCH }} + fetch-depth: 1 + + - name: Install cosign + uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 + with: + cosign-release: 'v2.2.3' + + - name: Check cosign version + run: cosign version + + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + with: + image: tonistiigi/binfmt:latest + platforms: all + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + with: + driver-opts: image=moby/buildkit:master + + - name: Login to DockerHub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} + + - name: Prepare Platform list + id: platform + env: + MATRIX_OS: ${{ matrix.os }} + MATRIX_FILE: ${{ env.MATRIX_FILE }} + run: | + platform_list=$(jq -r ".[\"os-linux\"].$MATRIX_OS | join(\",\")" "$MATRIX_FILE") + platform_list="${platform_list%,}" + + echo "::group::Platform List" + echo "$platform_list" + echo "::endgroup::" + + echo "list=$platform_list" >> $GITHUB_OUTPUT + + - name: Generate tags + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ env.BASE_BUILD_NAME }} + tags: | + type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}- + type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ matrix.os }} + type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,prefix=${{ matrix.os }}-,suffix=-latest + type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,suffix=-${{ matrix.os }}-latest + type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{matrix.os}}-latest + type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.os }}- + type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,suffix=-${{ matrix.os }} + flavor: | + latest=${{ (needs.init_build.outputs.current_branch != 'trunk') && (matrix.os == 'alpine') && ( needs.init_build.outputs.is_default_branch == 'true' ) }} + + - name: Build and publish image + id: docker_build + uses: docker/build-push-action@v5 + with: + context: ${{ env.DOCKERFILES_DIRECTORY }}/${{ env.BASE_BUILD_NAME }}/${{ matrix.os }} + file: ${{ env.DOCKERFILES_DIRECTORY }}/${{ env.BASE_BUILD_NAME }}/${{ matrix.os }}/Dockerfile + platforms: ${{ steps.platform.outputs.list }} + push: ${{ env.AUTO_PUSH_IMAGES }} + tags: ${{ steps.meta.outputs.tags }} + labels: | + org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} + org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} + cache-from: | + type=gha,scope=${{ fromJSON(steps.meta.outputs.json).tags[0] }} + type=registry,ref=docker.io/${{ fromJSON(steps.meta.outputs.json).tags[0] }} + cache-to: type=gha,mode=max,scope=${{ fromJSON(steps.meta.outputs.json).tags[0] }} + + - name: Sign the images with GitHub OIDC Token + env: + DIGEST: ${{ steps.docker_build.outputs.digest }} + TAGS: ${{ steps.meta.outputs.tags }} + run: | + images="" + for tag in ${TAGS}; do + images+="${tag}@${DIGEST} " + done + + echo "::group::Images to sign" + echo "$images" + echo "::endgroup::" + + echo "::group::Signing" + echo "cosign sign --yes $images" + cosign sign --yes ${images} + echo "::endgroup::" + + - name: Image digest + env: + DIGEST: ${{ steps.docker_build.outputs.digest }} + CACHE_FILE_NAME: ${{ env.BASE_BUILD_NAME }}_${{ matrix.os }} + run: | + echo "::group::Image digest" + echo "$DIGEST" + echo "::endgroup::" + echo "::group::Cache file name" + echo "$CACHE_FILE_NAME" + echo "::endgroup::" + + echo "$DIGEST" > "$CACHE_FILE_NAME" + + - name: Cache image digest + uses: actions/cache@v4 + with: + path: ${{ env.BASE_BUILD_NAME }}_${{ matrix.os }} + key: ${{ env.BASE_BUILD_NAME }}-${{ matrix.os }}-${{ github.run_id }} + + build_base_database: + timeout-minutes: 180 + needs: [ "build_base", "init_build"] + name: Build ${{ matrix.build }} base on ${{ matrix.os }} + strategy: + fail-fast: false + matrix: + build: ${{ fromJson(needs.init_build.outputs.database) }} + os: ${{ fromJson(needs.init_build.outputs.os) }} + + runs-on: ubuntu-latest + permissions: + contents: read + id-token: write + steps: + - name: Block egress traffic + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + auth.docker.io:443 + git.zabbix.com:443 + github.com:443 + go.googlesource.com:443 + go.mongodb.org:443 + golang.org:443 + google.golang.org:443 + gopkg.in:443 + index.docker.io:443 + noto-website.storage.googleapis.com:443 + production.cloudflare.docker.com:443 + proxy.golang.org:443 + registry-1.docker.io:443 + storage.googleapis.com:443 + fulcio.sigstore.dev:443 + oauth2.sigstore.dev:443 + objects.githubusercontent.com:443 + tuf-repo-cdn.sigstore.dev:443 + rekor.sigstore.dev:443 + + - name: Checkout repository + uses: actions/checkout@v4 + with: + ref: ${{ env.GIT_BRANCH }} + fetch-depth: 1 + + - name: Install cosign + uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 + with: + cosign-release: 'v2.2.3' + + - name: Check cosign version + run: cosign version + + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + with: + image: tonistiigi/binfmt:latest + platforms: all + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + with: + driver-opts: image=moby/buildkit:master + + - name: Login to DockerHub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} + + - name: Prepare Platform list + id: platform + env: + MATRIX_OS: ${{ matrix.os }} + MATRIX_FILE: ${{ env.MATRIX_FILE }} + run: | + platform_list=$(jq -r ".[\"os-linux\"].$MATRIX_OS | join(\",\")" "$MATRIX_FILE") + platform_list="${platform_list%,}" + + echo "::group::Platform List" + echo "$platform_list" + echo "::endgroup::" + + echo "list=$platform_list" >> $GITHUB_OUTPUT + + - name: Generate tags + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ matrix.build }} + tags: | + type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}- + type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ matrix.os }} + type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,prefix=${{ matrix.os }}-,suffix=-latest + type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,suffix=-${{ matrix.os }}-latest + type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{matrix.os}}-latest + type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.os }}- + type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,suffix=-${{ matrix.os }} + flavor: | + latest=${{ (needs.init_build.outputs.current_branch != 'trunk') && (matrix.os == 'alpine') && ( needs.init_build.outputs.is_default_branch == 'true' ) }} + + - name: Download SHA256 tag of ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }} + uses: actions/cache@v4 + with: + path: ${{ env.BASE_BUILD_NAME }}_${{ matrix.os }} + key: ${{ env.BASE_BUILD_NAME }}-${{ matrix.os }}-${{ github.run_id }} + + - name: Retrieve ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }} SHA256 tag + id: base_build + env: + MATRIX_OS: ${{ matrix.os }} + DOCKER_REPOSITORY: ${{ env.DOCKER_REPOSITORY }} + BASE_IMAGE: ${{ env.BASE_BUILD_NAME }} + IMAGES_PREFIX: ${{ env.IMAGES_PREFIX }} + run: | + BASE_TAG=$(cat "${BASE_IMAGE}_${MATRIX_OS}") + BUILD_BASE_IMAGE="${DOCKER_REPOSITORY}/${IMAGES_PREFIX}${BASE_IMAGE}@${BASE_TAG}" + + echo "::group::Base build image information" + echo "base_tag=${BASE_TAG}" + echo "base_build_image=${BUILD_BASE_IMAGE}" + echo "::endgroup::" + + echo "base_tag=${BASE_TAG}" >> $GITHUB_OUTPUT + echo "base_build_image=${BUILD_BASE_IMAGE}" >> $GITHUB_OUTPUT + + - name: Verify ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }} cosign + env: + BASE_IMAGE: ${{ steps.base_build.outputs.base_build_image }} + OIDC_ISSUER: ${{ env.OIDC_ISSUER }} + IDENITY_REGEX: ${{ env.IDENITY_REGEX }} + run: | + echo "::group::Image sign data" + echo "OIDC issuer=$OIDC_ISSUER" + echo "Identity=$IDENITY_REGEX" + echo "Image to verify=$BASE_IMAGE" + echo "::endgroup::" + + echo "::group::Verify signature" + cosign verify \ + --certificate-oidc-issuer-regexp "$OIDC_ISSUER" \ + --certificate-identity-regexp "$IDENITY_REGEX" \ + "$BASE_IMAGE" + echo "::endgroup::" + + - name: Build ${{ matrix.build }}/${{ matrix.os }} and push + id: docker_build + uses: docker/build-push-action@v5 + with: + context: ${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/${{ matrix.os }} + file: ${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/${{ matrix.os }}/Dockerfile + platforms: ${{ steps.platform.outputs.list }} + push: ${{ env.AUTO_PUSH_IMAGES }} + tags: ${{ steps.meta.outputs.tags }} + build-args: BUILD_BASE_IMAGE=${{ steps.base_build.outputs.base_build_image }} + labels: | + org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} + org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} + cache-from: | + type=gha,scope=${{ fromJSON(steps.meta.outputs.json).tags[0] }} + type=registry,ref=docker.io/${{ fromJSON(steps.meta.outputs.json).tags[0] }} + cache-to: type=gha,mode=max,scope=${{ fromJSON(steps.meta.outputs.json).tags[0] }} + + - name: Sign the images with GitHub OIDC Token + env: + DIGEST: ${{ steps.docker_build.outputs.digest }} + TAGS: ${{ steps.meta.outputs.tags }} + run: | + images="" + for tag in ${TAGS}; do + images+="${tag}@${DIGEST} " + done + + echo "::group::Images to sign" + echo "$images" + echo "::endgroup::" + + echo "::group::Signing" + echo "cosign sign --yes $images" + cosign sign --yes ${images} + echo "::endgroup::" + + - name: Image digest + env: + DIGEST: ${{ steps.docker_build.outputs.digest }} + CACHE_FILE_NAME: ${{ matrix.build }}_${{ matrix.os }} + run: | + echo "::group::Image digest" + echo "$DIGEST" + echo "::endgroup::" + echo "::group::Cache file name" + echo "$CACHE_FILE_NAME" + echo "::endgroup::" + echo "$DIGEST" > $CACHE_FILE_NAME + + - name: Caching SHA256 tag of the image + uses: actions/cache@v4 + with: + path: ${{ matrix.build }}_${{ matrix.os }} + key: ${{ matrix.build }}-${{ matrix.os }}-${{ github.run_id }} + + build_images: + timeout-minutes: 90 + needs: [ "build_base_database", "init_build"] + name: Build ${{ matrix.build }} on ${{ matrix.os }} + strategy: + fail-fast: false + matrix: + build: ${{ fromJson(needs.init_build.outputs.components) }} + os: ${{ fromJson(needs.init_build.outputs.os) }} + + runs-on: ubuntu-latest + permissions: + contents: read + id-token: write + steps: + - name: Block egress traffic + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + auth.docker.io:443 + dl-cdn.alpinelinux.org:443 + github.com:443 + index.docker.io:443 + production.cloudflare.docker.com:443 + registry-1.docker.io:443 + fulcio.sigstore.dev:443 + objects.githubusercontent.com:443 + tuf-repo-cdn.sigstore.dev:443 + rekor.sigstore.dev:443 + api.github.com:443 + atl.mirrors.knownhost.com:443 + atl.mirrors.knownhost.com:80 + auth.docker.io:443 + cdn03.quay.io:443 + centos-stream-distro.1gservers.com:443 + centos-stream-distro.1gservers.com:80 + d2lzkl7pfhq30w.cloudfront.net:443 + epel.mirror.constant.com:80 + forksystems.mm.fcix.net:80 + ftp-nyc.osuosl.org:443 + ftp-nyc.osuosl.org:80 + ftp-osl.osuosl.org:443 + ftp-osl.osuosl.org:80 + ftp.plusline.net:80 + ftpmirror.your.org:80 + github.com:443 + iad.mirror.rackspace.com:443 + index.docker.io:443 + ix-denver.mm.fcix.net:443 + mirror-mci.yuki.net.uk:443 + mirror.23m.com:80 + mirror.arizona.edu:80 + mirror.dal.nexril.net:80 + mirror.de.leaseweb.net:80 + mirror.dogado.de:80 + mirror.facebook.net:80 + mirror.hoobly.com:80 + mirror.math.princeton.edu:80 + mirror.netcologne.de:443 + mirror.netzwerge.de:443 + mirror.pilotfiber.com:443 + mirror.pilotfiber.com:80 + mirror.rackspace.com:443 + mirror.rackspace.com:80 + mirror.scaleuptech.com:443 + mirror.servaxnet.com:443 + mirror.servaxnet.com:80 + mirror.sfo12.us.leaseweb.net:80 + mirror.siena.edu:80 + mirror.steadfastnet.com:80 + mirror.team-cymru.com:443 + mirror.team-cymru.com:80 + mirror.umd.edu:443 + mirror1.hs-esslingen.de:443 + mirrors.centos.org:443 + mirrors.fedoraproject.org:443 + mirrors.iu13.net:443 + mirrors.iu13.net:80 + mirrors.ocf.berkeley.edu:443 + mirrors.sonic.net:80 + mirrors.syringanetworks.net:80 + mirrors.vcea.wsu.edu:80 + mirrors.wcupa.edu:80 + mirrors.xtom.de:80 + na.edge.kernel.org:443 + nnenix.mm.fcix.net:80 + ohioix.mm.fcix.net:80 + production.cloudflare.docker.com:443 + pubmirror1.math.uh.edu:443 + pubmirror3.math.uh.edu:80 + quay.io:443 + registry-1.docker.io:443 + repo.ialab.dsu.edu:80 + repos.eggycrew.com:80 + uvermont.mm.fcix.net:80 + ziply.mm.fcix.net:443 + fulcio.sigstore.dev:443 + objects.githubusercontent.com:443 + tuf-repo-cdn.sigstore.dev:443 + rekor.sigstore.dev:443 + oauth2.sigstore.dev:443 + api.github.com:443 + auth.docker.io:443 + github.com:443 + index.docker.io:443 + production.cloudflare.docker.com:443 + registry-1.docker.io:443 + yum.oracle.com:443 + fulcio.sigstore.dev:443 + objects.githubusercontent.com:443 + tuf-repo-cdn.sigstore.dev:443 + rekor.sigstore.dev:443 + api.github.com:443 + archive.ubuntu.com:80 + auth.docker.io:443 + deb.debian.org:80 + github.com:443 + index.docker.io:443 + keyserver.ubuntu.com:11371 + nginx.org:443 + nginx.org:80 + ports.ubuntu.com:80 + production.cloudflare.docker.com:443 + registry-1.docker.io:443 + security.ubuntu.com:80 + fulcio.sigstore.dev:443 + objects.githubusercontent.com:443 + tuf-repo-cdn.sigstore.dev:443 + rekor.sigstore.dev:443 + + - name: Checkout repository + uses: actions/checkout@v4 + with: + ref: ${{ env.GIT_BRANCH }} + fetch-depth: 1 + + - name: Install cosign + uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 + with: + cosign-release: 'v2.2.3' + + - name: Check cosign version + run: cosign version + + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + with: + image: tonistiigi/binfmt:latest + platforms: all + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + with: + driver-opts: image=moby/buildkit:master + + - name: Login to DockerHub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} + + - name: Prepare Platform list + id: platform + env: + MATRIX_OS: ${{ matrix.os }} + MATRIX_BUILD: ${{ matrix.build }} + MATRIX_FILE: ${{ env.MATRIX_FILE }} + run: | + # Chromium on Alpine is available only on linux/amd64, linux/arm64 platforms + if ([ "$MATRIX_OS" == "alpine" ] || [ "$MATRIX_OS" == "centos" ]) && [ "$MATRIX_BUILD" == "web-service" ]; then + platform_list="linux/amd64,linux/arm64" + # Chromium on Ubuntu is not available on s390x platform + elif [ "$MATRIX_OS" == "ubuntu" ] && [ "$MATRIX_BUILD" == "web-service" ]; then + platform_list="linux/amd64,linux/arm/v7,linux/arm64" + else + platform_list=$(jq -r ".[\"os-linux\"].\"$MATRIX_OS\" | join(\",\")" "$MATRIX_FILE") + fi + + # Build only Agent and Agent2 on 386 + if [ "$MATRIX_BUILD" != "agent"* ]; then + platform_list="${platform_list#linux/386,}" + fi + + platform_list="${platform_list%,}" + + echo "::group::Platform List" + echo "$platform_list" + echo "::endgroup::" + + echo "list=$platform_list" >> $GITHUB_OUTPUT + + - name: Detect Build Base Image + id: build_base_image + env: + MATRIX_BUILD: ${{ matrix.build }} + MATRIX_FILE: ${{ env.MATRIX_FILE }} + run: | + BUILD_BASE=$(jq -r ".components.\"$MATRIX_BUILD\"" "$MATRIX_FILE") + + echo "::group::Base Build Image" + echo "$BUILD_BASE" + echo "::endgroup::" + + echo "build_base=${BUILD_BASE}" >> $GITHUB_OUTPUT + + - name: Generate tags + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX}}${{ matrix.build }} + tags: | + type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}- + type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ matrix.os }} + type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,prefix=${{ matrix.os }}-,suffix=-latest + type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,suffix=-${{ matrix.os }}-latest + type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{matrix.os}}-latest + type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.os }}- + type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,suffix=-${{ matrix.os }} + flavor: | + latest=${{ (needs.init_build.outputs.current_branch != 'trunk') && (matrix.os == 'alpine') && ( needs.init_build.outputs.is_default_branch == 'true' ) }} + + - name: Download SHA256 tag of ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.os }} + uses: actions/cache@v4 + if: ${{ matrix.build != 'snmptraps' }} + with: + path: ${{ steps.build_base_image.outputs.build_base }}_${{ matrix.os }} + key: ${{ steps.build_base_image.outputs.build_base }}-${{ matrix.os }}-${{ github.run_id }} + + - name: Retrieve ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.os }} SHA256 tag + id: base_build + if: ${{ matrix.build != 'snmptraps' }} + env: + BUILD_BASE: ${{ steps.build_base_image.outputs.build_base }} + MATRIX_OS: ${{ matrix.os }} + DOCKER_REPOSITORY: ${{ env.DOCKER_REPOSITORY }} + IMAGES_PREFIX: ${{ env.IMAGES_PREFIX }} + run: | + BASE_TAG=$(cat "${BUILD_BASE}_${MATRIX_OS}") + BUILD_BASE_IMAGE=${DOCKER_REPOSITORY}/${IMAGES_PREFIX}${BUILD_BASE}@${BASE_TAG} + + echo "::group::Base build image information" + echo "base_tag=${BASE_TAG}" + echo "base_build_image=${BUILD_BASE_IMAGE}" + echo "::endgroup::" + + echo "base_tag=${BASE_TAG}" >> $GITHUB_OUTPUT + echo "base_build_image=${BUILD_BASE_IMAGE}" >> $GITHUB_OUTPUT + + - name: Verify ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.os }} cosign + if: ${{ matrix.build != 'snmptraps' }} + env: + BASE_IMAGE: ${{ steps.base_build.outputs.base_build_image }} + OIDC_ISSUER: ${{ env.OIDC_ISSUER }} + IDENITY_REGEX: ${{ env.IDENITY_REGEX }} + run: | + echo "::group::Image sign data" + echo "OIDC issuer=$OIDC_ISSUER" + echo "Identity=$IDENITY_REGEX" + echo "Image to verify=$BASE_IMAGE" + echo "::endgroup::" + + echo "::group::Verify signature" + cosign verify \ + --certificate-oidc-issuer-regexp "$OIDC_ISSUER" \ + --certificate-identity-regexp "$IDENITY_REGEX" \ + "$BASE_IMAGE" + echo "::endgroup::" + + - name: Build and push image + id: docker_build + uses: docker/build-push-action@v5 + with: + context: ${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/${{ matrix.os }} + file: ${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/${{ matrix.os }}/Dockerfile + platforms: ${{ steps.platform.outputs.list }} + push: ${{ env.AUTO_PUSH_IMAGES }} + tags: ${{ steps.meta.outputs.tags }} + build-args: BUILD_BASE_IMAGE=${{ steps.base_build.outputs.base_build_image }} + labels: | + org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} + org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} + cache-from: type=gha,scope=${{ fromJSON(steps.meta.outputs.json).tags[0] }} + cache-to: type=gha,mode=max,scope=${{ fromJSON(steps.meta.outputs.json).tags[0] }} + + - name: Sign the images with GitHub OIDC Token + env: + DIGEST: ${{ steps.docker_build.outputs.digest }} + TAGS: ${{ steps.meta.outputs.tags }} + run: | + images="" + for tag in ${TAGS}; do + images+="${tag}@${DIGEST} " + done + + echo "::group::Images to sign" + echo "$images" + echo "::endgroup::" + + echo "::group::Signing" + echo "cosign sign --yes $images" + cosign sign --yes ${images} + echo "::endgroup::" + + - name: Image digest + env: + DIGEST: ${{ steps.docker_build.outputs.digest }} + run: | + echo "::group::Image digest" + echo "$DIGEST" + echo "::endgroup::" diff --git a/.github/workflows/nightly_build_windows.yml b/.github/workflows/nightly_build_windows.yml new file mode 100644 index 000000000..411d0f6a6 --- /dev/null +++ b/.github/workflows/nightly_build_windows.yml @@ -0,0 +1,766 @@ +name: Build images (DockerHub, Windows) + +on: + schedule: + - cron: '5 2 * * *' + workflow_dispatch: + +defaults: + run: + shell: pwsh + +env: + AUTO_PUSH_IMAGES: ${{ vars.AUTO_PUSH_IMAGES }} + + DOCKER_REPOSITORY: ${{ vars.DOCKER_REPOSITORY }} + LATEST_BRANCH: ${{ github.event.repository.default_branch }} + GIT_BRANCH: "refs/heads/trunk" + IMAGES_PREFIX: "zabbix-" + + MSFT_BASE_BUILD_IMAGE: "mcr.microsoft.com/windows/servercore" + PWSH_BASE_IMAGE_NAME: "mcr.microsoft.com/powershell" + PWSH_BASE_IMAGE_PREFIX: "lts-nanoserver-" + + BASE_IMAGE_NAME: "build-base" + BASE_BUILD_IMAGE_NAME: "build-mysql" + + MATRIX_FILE: "build.json" + DOCKERFILES_DIRECTORY: "Dockerfiles" + + OIDC_ISSUER: "https://token.actions.githubusercontent.com" + IDENITY_REGEX: "https://github.com/zabbix/zabbix-docker/.github/" + +jobs: + init_build: + name: Initialize build + runs-on: ubuntu-latest + permissions: + contents: read + outputs: + os: ${{ steps.os.outputs.list }} + components: ${{ steps.components.outputs.list }} + is_default_branch: ${{ steps.branch_info.outputs.is_default_branch }} + current_branch: ${{ steps.branch_info.outputs.current_branch }} + sha_short: ${{ steps.branch_info.outputs.sha_short }} + steps: + - name: Block egress traffic + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + github.com:443 + + - name: Checkout repository + uses: actions/checkout@v4 + with: + ref: ${{ env.GIT_BRANCH }} + fetch-depth: 1 + sparse-checkout: ${{ env.MATRIX_FILE }} + + - name: Check ${{ env.MATRIX_FILE }} file + id: build_exists + shell: bash + env: + MATRIX_FILE: ${{ env.MATRIX_FILE }} + run: | + if [[ ! -f "$MATRIX_FILE" ]]; then + echo "::error::File $MATRIX_FILE is missing" + exit 1 + fi + + - name: Prepare Operating System list + id: os + shell: bash + env: + MATRIX_FILE: ${{ env.MATRIX_FILE }} + run: | + os_list=$(jq -r '.["os-windows"] | keys | [ .[] | tostring ] | @json' "$MATRIX_FILE") + + echo "::group::Operating System List" + echo "$os_list" + echo "::endgroup::" + + echo "list=$os_list" >> $GITHUB_OUTPUT + + - name: Prepare Zabbix component list + id: components + shell: bash + run: | + component_list='["agent","agent2"]' + + echo "::group::Zabbix Component List" + echo "$component_list" + echo "::endgroup::" + + echo "list=$component_list" >> $GITHUB_OUTPUT + + - name: Get branch info + id: branch_info + shell: bash + env: + LATEST_BRANCH: ${{ env.LATEST_BRANCH }} + github_ref: ${{ github.ref }} + run: | + result=false + sha_short=$(git rev-parse --short HEAD) + + if [[ "$github_ref" == "refs/tags/"* ]]; then + github_ref=${github_ref%.*} + fi + + github_ref=${github_ref##*/} + + if [[ "$github_ref" == "$LATEST_BRANCH" ]]; then + result=true + fi + + echo "::group::Branch data" + echo "is_default_branch - $result" + echo "current_branch - $github_ref" + echo "sha_short - $sha_short" + echo "::endgroup::" + + echo "is_default_branch=$result" >> $GITHUB_OUTPUT + echo "current_branch=$github_ref" >> $GITHUB_OUTPUT + echo "sha_short=$sha_short" >> $GITHUB_OUTPUT + + build_base: + name: Build ${{ matrix.component }} base on ${{ matrix.os }} + needs: init_build + runs-on: ${{ matrix.os }} + timeout-minutes: 70 + permissions: + contents: read + id-token: write + strategy: + fail-fast: false + matrix: + os: ${{ fromJson(needs.init_build.outputs.os) }} + component: ${{ fromJson(needs.init_build.outputs.components) }} + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + ref: ${{ env.GIT_BRANCH }} + fetch-depth: 1 + + - name: Install cosign + uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 + with: + cosign-release: 'v2.2.3' + + - name: Check cosign version + run: cosign version + + - name: Login to DockerHub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} + + - name: Base Windows OS tag + id: base_os_tag + env: + MATRIX_OS: ${{ matrix.os }} + MATRIX_FILE: ${{ env.MATRIX_FILE }} + run: | + $os_tag=$(Get-Content -Path $Env:MATRIX_FILE | ConvertFrom-Json).'os-windows'."$Env:MATRIX_OS" + + echo "::group::Base Microsoft Windows OS tag" + echo "$os_tag" + echo "::endgroup::" + + echo "os_tag=$os_tag" >> $Env:GITHUB_OUTPUT + + - name: Generate tags + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ env.BASE_IMAGE_NAME }} + tags: | + type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}- + type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ steps.base_os_tag.outputs.os_tag }},prefix=${{ matrix.component }}- + type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-,suffix=-latest + type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }}-latest,prefix=${{ matrix.component }}- + type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-latest + type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}- + type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }},prefix=${{ matrix.component }}- + flavor: | + latest=false + + - name: Build and push image + id: docker_build + env: + DOCKERFILES_DIRECTORY: ${{ env.DOCKERFILES_DIRECTORY }} + BASE_BUILD_IMAGE: ${{ env.MSFT_BASE_BUILD_IMAGE }} + BASE_IMAGE_NAME: ${{ env.BASE_IMAGE_NAME }} + MATRIX_COMPONENT: ${{ matrix.component }} + TAGS: ${{ steps.meta.outputs.tags }} + BASE_OS_TAG: ${{ steps.base_os_tag.outputs.os_tag }} + LABEL_REVISION: ${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} + LABEL_CREATED: ${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} + AUTO_PUSH_IMAGES: ${{ env.AUTO_PUSH_IMAGES }} + run: | + echo "::group::Docker version" + docker version + echo "::endgroup::" + echo "::group::Docker info" + docker info + echo "::endgroup::" + + $context="$Env:DOCKERFILES_DIRECTORY\$Env:BASE_IMAGE_NAME\windows\" + $dockerfile= $context + 'Dockerfile.' + $Env:MATRIX_COMPONENT + $base_os_image= $Env:BASE_BUILD_IMAGE + ':' + $Env:BASE_OS_TAG + # Can not build on GitHub due existing symlink. Must be removed before build process + Remove-Item -ErrorAction Ignore -Force -Path $context\README.md + + $tags_array=$( "$Env:TAGS".Split("`n") ) + $tags=$( $tags_array | Foreach-Object { "--tag=$_" } ) + + echo "::group::Image tags" + echo "$Env:TAGS" + echo "::endgroup::" + echo "::group::Pull base image" + docker pull $base_os_image + if (-not $?) {throw "Failed"} + echo "::endgroup::" + + echo "::group::Build Image" + Write-Host @" + docker build --label org.opencontainers.image.revision=$Env:LABEL_REVISION + --label org.opencontainers.image.created=$Env:LABEL_CREATED + --build-arg=BUILD_BASE_IMAGE=$base_os_image + --file=$dockerfile + $tags + $context + "@ + + docker build --label org.opencontainers.image.revision=$Env:LABEL_REVISION ` + --label org.opencontainers.image.created=$Env:LABEL_CREATED ` + --build-arg=BUILD_BASE_IMAGE=$base_os_image ` + --file=$dockerfile ` + $tags ` + $context + if (-not $?) {throw "Failed"} + echo "::endgroup::" + + echo "::group::Publish Image" + if ( $Env:AUTO_PUSH_IMAGES -eq 'true' ) { + Foreach ($tag in $tags_array) { + echo "docker image push $tag" + docker image push $tag + if (-not $?) {throw "Failed"} + } + + $digest=$(docker inspect $tags_array[0] --format "{{ index .RepoDigests 0}}").Split('@')[-1] + if (-not $?) {throw "Failed"} + echo "Image digest got from RepoDigests" + } + else { + $digest=$(docker inspect $tags_array[0] --format "{{ index .Id}}") + if (-not $?) {throw "Failed"} + echo "Image digest got from Id" + } + echo "::endgroup::" + + echo "::group::Digest" + echo "$digest" + echo "::endgroup::" + echo "digest=$digest" >> $Env:GITHUB_OUTPUT + + - name: Sign the images with GitHub OIDC Token + env: + DIGEST: ${{ steps.docker_build.outputs.digest }} + TAGS: ${{ steps.meta.outputs.tags }} + run: | + $tags_array=$( "$Env:TAGS".Split("`n") ) + $tag_list=@() + + + foreach ($tag in $tags_array) { + $tag_name=$tag.Split(":")[0] + $tag_list+="$tag_name@$Env:DIGEST" + } + echo "::group::Images to sign" + echo "$tag_list" + echo "::endgroup::" + + echo "::group::Signing" + echo "cosign sign --yes $tag_list" + cosign sign --yes $tag_list + echo "::endgroup::" + + - name: Image digest + if: ${{ env.AUTO_PUSH_IMAGES }} + env: + DIGEST: ${{ steps.docker_build.outputs.digest }} + CACHE_FILE_NAME: ${{ env.BASE_IMAGE_NAME }}_${{ matrix.os }}_${{ matrix.component }} + run: | + echo "::group::Image digest" + echo "$Env:DIGEST" + echo "::endgroup::" + + echo "::group::Cache file name" + echo "$Env:CACHE_FILE_NAME" + echo "::endgroup::" + + $Env:DIGEST | Set-Content -Path $Env:CACHE_FILE_NAME + + - name: Cache image digest + uses: actions/cache@v4 + with: + path: ${{ env.BASE_IMAGE_NAME }}_${{ matrix.os }}_${{ matrix.component }} + key: ${{ env.BASE_IMAGE_NAME }}-${{ matrix.os }}-${{ github.run_id }} + + build_components: + name: Build ${{ matrix.component }} sources on ${{ matrix.os }} + needs: [ "build_base", "init_build"] + runs-on: ${{ matrix.os }} + timeout-minutes: 70 + permissions: + contents: read + id-token: write + strategy: + fail-fast: false + matrix: + os: ${{ fromJson(needs.init_build.outputs.os) }} + component: ${{ fromJson(needs.init_build.outputs.components) }} + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + ref: ${{ env.GIT_BRANCH }} + fetch-depth: 1 + + - name: Install cosign + uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 + with: + cosign-release: 'v2.2.3' + + - name: Check cosign version + run: cosign version + + - name: Login to DockerHub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} + + - name: Base OS tag + id: base_os_tag + env: + MATRIX_OS: ${{ matrix.os }} + MATRIX_FILE: ${{ env.MATRIX_FILE }} + run: | + $os_tag=$(Get-Content -Path $Env:MATRIX_FILE | ConvertFrom-Json).'os-windows'."$Env:MATRIX_OS" + + echo "::group::Base Windows OS tag" + echo "$os_tag" + echo "::endgroup::" + + echo "os_tag=$os_tag" >> $Env:GITHUB_OUTPUT + + - name: Generate tags + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ env.BASE_BUILD_IMAGE_NAME }} + tags: | + type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}- + type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ steps.base_os_tag.outputs.os_tag }},prefix=${{ matrix.component }}- + type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-,suffix=-latest + type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }}-latest,prefix=${{ matrix.component }}- + type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-latest + type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}- + type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }},prefix=${{ matrix.component }}- + flavor: | + latest=false + + - name: Download SHA256 tag of ${{ env.BASE_IMAGE_NAME }}:${{ matrix.os }} + uses: actions/cache@v4 + with: + path: ${{ env.BASE_IMAGE_NAME }}_${{ matrix.os }}_${{ matrix.component }} + key: ${{ env.BASE_IMAGE_NAME }}-${{ matrix.os }}-${{ github.run_id }} + + - name: Retrieve ${{ env.BASE_IMAGE_NAME }}:${{ matrix.os }} SHA256 tag + id: base_build + env: + BASE_IMAGE_NAME: ${{ env.BASE_IMAGE_NAME }} + MATRIX_OS: ${{ matrix.os }} + MATRIX_COMPONENT: ${{ matrix.component }} + DOCKER_REPOSITORY: ${{ env.DOCKER_REPOSITORY }} + IMAGES_PREFIX: ${{ env.IMAGES_PREFIX }} + run: | + $base_image_file=$Env:BASE_IMAGE_NAME + '_' + $Env:MATRIX_OS + '_' + $Env:MATRIX_COMPONENT + $base_tag = Get-Content $base_image_file -Raw + $build_base_image="$Env:DOCKER_REPOSITORY/$Env:IMAGES_PREFIX$Env:BASE_IMAGE_NAME@" + $base_tag + + echo "::group::Base image Info" + echo "base_tag=$base_tag" + echo "base_build_image=$build_base_image" + echo "::endgroup::" + + echo "base_tag=$base_tag" >> $Env:GITHUB_OUTPUT + echo "base_build_image=$build_base_image" >> $Env:GITHUB_OUTPUT + + - name: Verify ${{ env.BASE_IMAGE_NAME }}:${{ matrix.os }} cosign + env: + BASE_IMAGE: ${{ steps.base_build.outputs.base_build_image }} + OIDC_ISSUER: ${{ env.OIDC_ISSUER }} + IDENITY_REGEX: ${{ env.IDENITY_REGEX }} + run: | + cosign verify ` + --certificate-oidc-issuer-regexp "$Env:OIDC_ISSUER" ` + --certificate-identity-regexp "$Env:IDENITY_REGEX" ` + "$Env:BASE_IMAGE" + + - name: Build and push image + id: docker_build + env: + DOCKERFILES_DIRECTORY: ${{ env.DOCKERFILES_DIRECTORY }} + BASE_BUILD_IMAGE: ${{ steps.base_build.outputs.base_build_image }} + BASE_BUILD_IMAGE_NAME: ${{ env.BASE_BUILD_IMAGE_NAME }} + BASE_BUILD_OS_TAG: ${{ steps.base_os_tag.outputs.os_tag }} + MATRIX_COMPONENT: ${{ matrix.component }} + TAGS: ${{ steps.meta.outputs.tags }} + LABEL_REVISION: ${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} + LABEL_CREATED: ${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} + AUTO_PUSH_IMAGES: ${{ env.AUTO_PUSH_IMAGES }} + run: | + echo "::group::Docker version" + docker version + echo "::endgroup::" + echo "::group::Docker info" + docker info + echo "::endgroup::" + + $context="$Env:DOCKERFILES_DIRECTORY\$Env:BASE_BUILD_IMAGE_NAME\windows\" + $dockerfile= $context + 'Dockerfile.' + $Env:MATRIX_COMPONENT + $base_build_image= $Env:BASE_BUILD_IMAGE + # Can not build on GitHub due existing symlink. Must be removed before build process + Remove-Item -ErrorAction Ignore -Force -Path $context\README.md + + $tags_array=$( "$Env:TAGS".Split("`n") ) + $tags=$( $tags_array | Foreach-Object { "--tag=$_" } ) + + echo "::group::Image tags" + echo "$Env:TAGS" + echo "::endgroup::" + echo "::group::Pull base image" + docker pull $base_build_image + if (-not $?) {throw "Failed"} + echo "::endgroup::" + + echo "::group::Build Image" + Write-Host @" + docker build --label org.opencontainers.image.revision=$Env:LABEL_REVISION + --label org.opencontainers.image.created=$Env:LABEL_CREATED + --build-arg=BUILD_BASE_IMAGE=$base_build_image + --file=$dockerfile + $tags + $context + "@ + + docker build --label org.opencontainers.image.revision=$Env:LABEL_REVISION ` + --label org.opencontainers.image.created=$Env:LABEL_CREATED ` + --build-arg=BUILD_BASE_IMAGE=$base_build_image ` + --file=$dockerfile ` + $tags ` + $context + if (-not $?) {throw "Failed"} + echo "::endgroup::" + + echo "::group::Publish Image" + if ( $Env:AUTO_PUSH_IMAGES -eq 'true' ) { + Foreach ($tag in $tags_array) { + echo "docker image push $tag" + docker image push $tag + if (-not $?) {throw "Failed"} + } + + $digest=$(docker inspect $tags_array[0] --format "{{ index .RepoDigests 0}}").Split('@')[-1] + if (-not $?) {throw "Failed"} + echo "Image digest got from RepoDigests" + } + else { + $digest=$(docker inspect $tags_array[0] --format "{{ index .Id}}") + if (-not $?) {throw "Failed"} + echo "Image digest got from Id" + } + echo "::endgroup::" + + echo "::group::Digest" + echo "$digest" + echo "::endgroup::" + echo "digest=$digest" >> $Env:GITHUB_OUTPUT + + - name: Sign the images with GitHub OIDC Token + env: + DIGEST: ${{ steps.docker_build.outputs.digest }} + TAGS: ${{ steps.meta.outputs.tags }} + run: | + $tags_array=$( "$Env:TAGS".Split("`n") ) + $tag_list=@() + + + foreach ($tag in $tags_array) { + $tag_name=$tag.Split(":")[0] + $tag_list+="$tag_name@$Env:DIGEST" + } + echo "::group::Images to sign" + echo "$tag_list" + echo "::endgroup::" + + echo "::group::Signing" + echo "cosign sign --yes $tag_list" + cosign sign --yes $tag_list + echo "::endgroup::" + + - name: Image digest + if: ${{ env.AUTO_PUSH_IMAGES }} + env: + DIGEST: ${{ steps.docker_build.outputs.digest }} + CACHE_FILE_NAME: ${{ env.BASE_BUILD_IMAGE_NAME }}_${{ matrix.os }}_${{ matrix.component }} + run: | + echo "::group::Image digest" + echo "$Env:DIGEST" + echo "::endgroup::" + + echo "::group::Cache file name" + echo "$Env:CACHE_FILE_NAME" + echo "::endgroup::" + + $Env:DIGEST | Set-Content -Path $Env:CACHE_FILE_NAME + + - name: Cache image digest + uses: actions/cache@v4 + with: + path: ${{ env.BASE_BUILD_IMAGE_NAME }}_${{ matrix.os }}_${{ matrix.component }} + key: ${{ env.BASE_BUILD_IMAGE_NAME }}-${{ matrix.os }}-${{ github.run_id }} + + build_images: + name: Build ${{ matrix.component }} on ${{ matrix.os }} + needs: [ "build_components", "init_build"] + runs-on: ${{ matrix.os }} + timeout-minutes: 70 + permissions: + contents: read + id-token: write + strategy: + fail-fast: false + matrix: + os: ${{ fromJson(needs.init_build.outputs.os) }} + component: ${{ fromJson(needs.init_build.outputs.components) }} + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + ref: ${{ env.GIT_BRANCH }} + fetch-depth: 1 + + - name: Install cosign + uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 + with: + cosign-release: 'v2.2.3' + + - name: Check cosign version + run: cosign version + + - name: Login to DockerHub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} + + - name: Base OS tag + id: base_os_tag + env: + MATRIX_OS: ${{ matrix.os }} + MATRIX_FILE: ${{ env.MATRIX_FILE }} + run: | + $os_tag=$(Get-Content -Path $Env:MATRIX_FILE | ConvertFrom-Json).'os-windows'."$Env:MATRIX_OS" + + echo "::group::Base OS tag" + echo "$os_tag" + echo "::endgroup::" + + echo "os_tag=$os_tag" >> $Env:GITHUB_OUTPUT + + - name: Generate tags + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ matrix.component }} + tags: | + type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ steps.base_os_tag.outputs.os_tag }}- + type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ steps.base_os_tag.outputs.os_tag }} + type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,prefix=${{ steps.base_os_tag.outputs.os_tag }}-,suffix=-latest + type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }}-latest + type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{ steps.base_os_tag.outputs.os_tag }}-latest + type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ steps.base_os_tag.outputs.os_tag }}- + type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,suffix=-${{ steps.base_os_tag.outputs.os_tag }} + flavor: | + latest=false + + - name: Download SHA256 tag of ${{ env.BASE_BUILD_IMAGE_NAME }}:${{ matrix.os }} + uses: actions/cache@v4 + with: + path: ${{ env.BASE_BUILD_IMAGE_NAME }}_${{ matrix.os }}_${{ matrix.component }} + key: ${{ env.BASE_BUILD_IMAGE_NAME }}-${{ matrix.os }}-${{ github.run_id }} + + - name: Retrieve ${{ env.BASE_BUILD_IMAGE_NAME }}:${{ matrix.os }} SHA256 tag + id: base_build + env: + BASE_BUILD_IMAGE_NAME: ${{ env.BASE_BUILD_IMAGE_NAME }} + MATRIX_OS: ${{ matrix.os }} + MATRIX_COMPONENT: ${{ matrix.component }} + DOCKER_REPOSITORY: ${{ env.DOCKER_REPOSITORY }} + IMAGES_PREFIX: ${{ env.IMAGES_PREFIX }} + run: | + $base_image_file=$Env:BASE_BUILD_IMAGE_NAME + '_' + $Env:MATRIX_OS + '_' + $Env:MATRIX_COMPONENT + $base_tag = Get-Content $base_image_file -Raw + $build_base_image="$Env:DOCKER_REPOSITORY/$Env:IMAGES_PREFIX$Env:BASE_BUILD_IMAGE_NAME@" + $base_tag + + echo "::group::Base image Info" + echo "base_tag=$base_tag" + echo "base_build_image=$build_base_image" + echo "::endgroup::" + + echo "base_tag=$base_tag" >> $Env:GITHUB_OUTPUT + echo "base_build_image=$build_base_image" >> $Env:GITHUB_OUTPUT + + - name: Verify ${{ env.BASE_BUILD_IMAGE_NAME }}:${{ matrix.os }} cosign + env: + BASE_IMAGE: ${{ steps.base_build.outputs.base_build_image }} + OIDC_ISSUER: ${{ env.OIDC_ISSUER }} + IDENITY_REGEX: ${{ env.IDENITY_REGEX }} + run: | + cosign verify ` + --certificate-oidc-issuer-regexp "$Env:OIDC_ISSUER" ` + --certificate-identity-regexp "$Env:IDENITY_REGEX" ` + "$Env:BASE_IMAGE" + + - name: Build and push image + id: docker_build + env: + DOCKERFILES_DIRECTORY: ${{ env.DOCKERFILES_DIRECTORY }} + BASE_BUILD_IMAGE: ${{ steps.base_build.outputs.base_build_image }} + BASE_BUILD_IMAGE_NAME: ${{ env.BASE_BUILD_IMAGE_NAME }} + MATRIX_COMPONENT: ${{ matrix.component }} + TAGS: ${{ steps.meta.outputs.tags }} + BASE_BUILD_OS_TAG: ${{ steps.base_os_tag.outputs.os_tag }} + LABEL_REVISION: ${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} + LABEL_CREATED: ${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} + PWSH_BASE_IMAGE_NAME: ${{ env.PWSH_BASE_IMAGE_NAME }} + PWSH_BASE_IMAGE_PREFIX: ${{ env.PWSH_BASE_IMAGE_PREFIX }} + AUTO_PUSH_IMAGES: ${{ env.AUTO_PUSH_IMAGES }} + run: | + echo "::group::Docker version" + docker version + echo "::endgroup::" + echo "::group::Docker info" + docker info + echo "::endgroup::" + + $context="$Env:DOCKERFILES_DIRECTORY\$Env:MATRIX_COMPONENT\windows\" + $dockerfile= $context + 'Dockerfile' + $base_build_image= $Env:BASE_BUILD_IMAGE + # Can not build on GitHub due existing symlink. Must be removed before build process + Remove-Item -ErrorAction Ignore -Force -Path $context\README.md + + $tags_array=$( "$Env:TAGS".Split("`n") ) + $tags=$( $tags_array | Foreach-Object { "--tag=$_" } ) + + # PowerShell images based on LTSC 2019 and LTSC 2016 do not have "ltsc" prefix + $os_tag_suffix=$Env:BASE_BUILD_OS_TAG + $os_tag_suffix=$os_tag_suffix -replace "ltsc2019",'1809' + $base_image=$Env:PWSH_BASE_IMAGE_NAME + ':' + $Env:PWSH_BASE_IMAGE_PREFIX + $os_tag_suffix + + echo "::group::Image tags" + echo "$Env:TAGS" + echo "::endgroup::" + echo "::group::Pull build base image" + docker pull $base_build_image + if (-not $?) {throw "Failed"} + echo "::endgroup::" + echo "::group::Pull Powershell base image" + docker pull $base_image + if (-not $?) {throw "Failed"} + echo "::endgroup::" + + echo "::group::Build Image" + Write-Host @" + docker build --label org.opencontainers.image.revision=$Env:LABEL_REVISION + --label org.opencontainers.image.created=$Env:LABEL_CREATED + --build-arg=BUILD_BASE_IMAGE=$base_build_image + --build-arg=BASE_IMAGE=$base_image + --file=$dockerfile + $tags + $context + "@ + + docker build --label org.opencontainers.image.revision=$Env:LABEL_REVISION ` + --label org.opencontainers.image.created=$Env:LABEL_CREATED ` + --build-arg=BUILD_BASE_IMAGE=$base_build_image ` + --build-arg=BASE_IMAGE=$base_image ` + --file=$dockerfile ` + $tags ` + $context + if (-not $?) {throw "Failed"} + echo "::endgroup::" + + echo "::group::Publish Image" + if ( $Env:AUTO_PUSH_IMAGES -eq 'true' ) { + Foreach ($tag in $tags_array) { + echo "docker image push $tag" + docker image push $tag + if (-not $?) {throw "Failed"} + } + + $digest=$(docker inspect $tags_array[0] --format "{{ index .RepoDigests 0}}").Split('@')[-1] + if (-not $?) {throw "Failed"} + echo "Image digest got from RepoDigests" + } + else { + $digest=$(docker inspect $tags_array[0] --format "{{ index .Id}}") + if (-not $?) {throw "Failed"} + echo "Image digest got from Id" + } + echo "::endgroup::" + + echo "::group::Digest" + echo "$digest" + echo "::endgroup::" + echo "digest=$digest" >> $Env:GITHUB_OUTPUT + + - name: Sign the images with GitHub OIDC Token + env: + DIGEST: ${{ steps.docker_build.outputs.digest }} + TAGS: ${{ steps.meta.outputs.tags }} + run: | + $tags_array=$( "$Env:TAGS".Split("`n") ) + $tag_list=@() + + + foreach ($tag in $tags_array) { + $tag_name=$tag.Split(":")[0] + $tag_list+="$tag_name@$Env:DIGEST" + } + echo "::group::Images to sign" + echo "$tag_list" + echo "::endgroup::" + + echo "::group::Signing" + echo "cosign sign --yes $tag_list" + cosign sign --yes $tag_list + echo "::endgroup::" + + - name: Image digest + if: ${{ env.AUTO_PUSH_IMAGES }} + env: + DIGEST: ${{ steps.docker_build.outputs.digest }} + run: | + echo "::group::Image digest" + echo "$Env:DIGEST" + echo "::endgroup::"