From 5c4da61417dc984a3e24c6ef61d5e72115c91ed5 Mon Sep 17 00:00:00 2001 From: CrazyMax <1951866+crazy-max@users.noreply.github.com> Date: Wed, 8 Jul 2026 12:33:55 +0200 Subject: [PATCH 1/2] ci: switch to docker/github-builder to build and sign Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com> --- .github/workflows/.build.yml | 160 +++++++++++------- .github/workflows/build-agent.yml | 1 + .github/workflows/build-buildx.yml | 1 + .github/workflows/build-compose.yml | 1 + .github/workflows/build-containerd.yml | 1 + .../workflows/build-credential-helpers.yml | 1 + .github/workflows/build-docker.yml | 2 + .github/workflows/build-model.yml | 1 + .github/workflows/nightly.yml | 3 +- .github/workflows/release-agent.yml | 3 +- .github/workflows/release-buildx.yml | 3 +- .github/workflows/release-compose.yml | 3 +- .github/workflows/release-containerd.yml | 3 +- .../workflows/release-credential-helpers.yml | 3 +- .github/workflows/release-docker.yml | 6 +- .github/workflows/release-model.yml | 3 +- hack/release.Dockerfile | 5 +- 17 files changed, 130 insertions(+), 70 deletions(-) diff --git a/.github/workflows/.build.yml b/.github/workflows/.build.yml index 955cfdcb..8a0fc9ab 100644 --- a/.github/workflows/.build.yml +++ b/.github/workflows/.build.yml @@ -7,7 +7,7 @@ on: name: required: true type: string - envs: + vars: required: false type: string release: @@ -26,8 +26,6 @@ on: required: false dockerhub_token: required: false - ghtoken: - required: false env: REPO_SLUG: dockereng/packaging @@ -39,6 +37,7 @@ jobs: runs-on: ubuntu-24.04 outputs: includes: ${{ steps.matrix.outputs.includes }} + verifications: ${{ steps.matrix.outputs.verifications }} steps: - name: Checkout @@ -51,17 +50,17 @@ jobs: INPUT_NAME: ${{ inputs.name }} INPUT_RELEASE: ${{ inputs.release }} INPUT_DISTROS: ${{ inputs.distros }} + INPUT_VARS: ${{ inputs.vars }} with: script: | const inpName = core.getInput('name'); const inpRelease = core.getInput('release'); const inpDistros = core.getInput('distros'); + const inpVars = core.getMultilineInput('vars'); + let distroFilter = []; if (inpDistros) { - distroFilter = inpDistros - .split(',') - .map(d => d.trim()) - .filter(d => d !== ''); + distroFilter = inpDistros.split(',').map(d => d.trim()).filter(d => d !== ''); } if (inpRelease !== '' && !['pushonly', 'draft', 'prerelease', 'release'].includes(inpRelease)) { @@ -70,7 +69,12 @@ jobs: let def = {}; await core.group(`Parsing definition`, async () => { - const resPrint = await exec.getExecOutput('docker', ['buildx', 'bake', 'pkg', '--print'], { + const bakeArgs = ['buildx', 'bake']; + for (const v of inpVars) { + bakeArgs.push('--var', v); + } + bakeArgs.push('pkg', '--print'); + const resPrint = await exec.getExecOutput('docker', bakeArgs, { ignoreReturnCode: true }); if (resPrint.stderr.length > 0 && resPrint.exitCode != 0) { @@ -81,68 +85,95 @@ jobs: await core.group(`Generating matrix`, async () => { const includes = []; + const verifications = []; for (const targetName of Object.keys(def.target)) { - if (!targetName.startsWith(`pkg-${inpName}`)) { + if (!targetName.startsWith(`pkg-${inpName}-`)) { continue; } const match = targetName.match(/^pkg-(.+)-([^-]+)$/); if (!match) { throw new Error(`Invalid target name: ${targetName}`); } - const pkgName = match[1]; const distro = match[2]; - // Skip distros that don't match the input distro filter if (distroFilter.length > 0 && !distroFilter.includes(distro)) { core.info(`Skipping ${targetName} because it doesn't match the input distro filter`); continue; } const target = def.target[targetName]; if (target.platforms && target.platforms.length > 0) { + includes.push({ + distro: distro + }); target.platforms.forEach(platform => { - includes.push({ - distro: distro, - platform: platform, - runner: platform.startsWith('linux/arm') ? 'ubuntu-24.04-arm' : 'ubuntu-24.04', - // FIXME: we can't verify platforms not native to the runner as it would segfault through emulation - verify: platform.startsWith('linux/386') || platform.startsWith('linux/amd64') || platform.startsWith('linux/arm64') - }); + // FIXME: we can't verify platforms not native to the runner as it would segfault through emulation + if (platform.startsWith('linux/386') || platform.startsWith('linux/amd64') || platform.startsWith('linux/arm64')) { + verifications.push({ + distro: distro, + platform: platform, + runner: platform.startsWith('linux/arm') ? 'ubuntu-24.04-arm' : 'ubuntu-24.04' + }); + } }); } else { // if no platforms are returned, this means this package does // not support a distro so we skip it. } } + if (includes.length === 0) { + throw new Error(`No package targets found for ${inpName}`); + } core.info(JSON.stringify(includes, null, 2)); + core.info(JSON.stringify(verifications, null, 2)); core.setOutput('includes', JSON.stringify(includes)); + core.setOutput('verifications', JSON.stringify(verifications)); }); + # TODO: add RH_USER and RH_PASS to the build job once we have a way to pass secrets: https://github.com/docker/github-builder/pull/248 build: + uses: docker/github-builder/.github/workflows/bake.yml@c4a1b216d96a8c85b45a9974b37857828274c808 # v1.13.0 + permissions: + contents: read + id-token: write + needs: + - prepare + strategy: + fail-fast: false + matrix: + include: ${{ fromJson(needs.prepare.outputs.includes) }} + with: + job-name-prefix: ${{ matrix.distro }} + artifact-name: build-pkg-${{ inputs.name }}-${{ matrix.distro }} + artifact-upload: true + output: local + sbom: true + sign: ${{ github.event_name != 'pull_request' }} + target: pkg-${{ inputs.name }}-${{ matrix.distro }} + vars: | + ${{ inputs.vars }} + + verify: runs-on: ${{ matrix.runner }} timeout-minutes: 60 + if: ${{ needs.prepare.outputs.verifications != '[]' }} needs: - prepare + - build env: - INPUT_ENVS: ${{ inputs.envs }} INPUT_NAME: ${{ inputs.name }} strategy: fail-fast: false matrix: - include: ${{ fromJson(needs.prepare.outputs.includes) }} + include: ${{ fromJson(needs.prepare.outputs.verifications) }} steps: - name: Checkout uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - - name: Environment variables - run: | - if [ -n "$INPUT_ENVS" ]; then - printf '%s\n' "$INPUT_ENVS" >> "$GITHUB_ENV" - fi - - - name: Prepare - run: | - platform=${{ matrix.platform }} - echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV + name: Download artifacts + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 + with: + name: build-pkg-${{ inputs.name }}-${{ matrix.distro }} + path: ./bin/pkg/${{ inputs.name }}/${{ matrix.distro }} - name: Set up QEMU uses: docker/setup-qemu-action@96fe6ef7f33517b61c61be40b68a1882f3264fb8 # v4.2.0 @@ -151,57 +182,36 @@ jobs: uses: docker/setup-buildx-action@bb05f3f5519dd87d3ba754cc423b652a5edd6d2c # v4.2.0 with: version: latest - - - name: Build - uses: docker/bake-action@d3418bd7d0e9324001bca92fa8ba175ea7e6dc9b # v7.3.0 - with: - source: . - targets: pkg-${{ inputs.name }}-${{ matrix.distro }} - set: | - *.platform=${{ matrix.platform }} - env: - RH_USER: ${{ secrets.rh_user }} - RH_PASS: ${{ secrets.rh_pass }} - name: List artifacts run: | tree -nh "./bin/pkg/${INPUT_NAME}" - name: Verify - if: ${{ matrix.verify }} uses: docker/bake-action@d3418bd7d0e9324001bca92fa8ba175ea7e6dc9b # v7.3.0 with: source: . targets: verify-${{ inputs.name }}-${{ matrix.distro }} + vars: | + ${{ inputs.vars }} set: | *.platform=${{ matrix.platform }} - - - name: Upload artifacts - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 - with: - name: build-pkg-${{ inputs.name }}-${{ matrix.distro }}-${{ env.PLATFORM_PAIR }} - path: ./bin/pkg/${{ inputs.name }}/* - if-no-files-found: error - retention-days: 1 release: runs-on: ubuntu-24.04 timeout-minutes: 10 + if: ${{ always() && needs.build.result == 'success' && (needs.verify.result == 'success' || needs.verify.result == 'skipped') }} needs: + - prepare - build + - verify env: - INPUT_ENVS: ${{ inputs.envs }} + INPUT_INCLUDES: ${{ needs.prepare.outputs.includes }} INPUT_NAME: ${{ inputs.name }} steps: - name: Checkout uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - - - name: Environment variables - run: | - if [ -n "$INPUT_ENVS" ]; then - printf '%s\n' "$INPUT_ENVS" >> "$GITHUB_ENV" - fi - name: Set up Docker Buildx uses: docker/setup-buildx-action@bb05f3f5519dd87d3ba754cc423b652a5edd6d2c # v4.2.0 @@ -211,9 +221,35 @@ jobs: name: Download artifacts uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: - path: ./bin/pkg/${{ inputs.name }} + path: /tmp/build-pkg pattern: build-pkg-${{ inputs.name }}-* - merge-multiple: true + merge-multiple: false + - + name: Arrange artifacts + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 + env: + INPUT_INCLUDES: ${{ needs.prepare.outputs.includes }} + INPUT_NAME: ${{ inputs.name }} + with: + script: | + const fs = require('fs'); + const path = require('path'); + + const inputName = core.getInput('name'); + const includes = JSON.parse(core.getInput('includes')); + const destinationRoot = path.join('bin', 'pkg', inputName); + + fs.mkdirSync(destinationRoot, {recursive: true}); + for (const include of includes) { + const artifact = path.join('/tmp', 'build-pkg', `build-pkg-${inputName}-${include.distro}`); + if (!fs.existsSync(artifact) || !fs.statSync(artifact).isDirectory()) { + core.setFailed(`missing artifact: ${artifact}`); + return; + } + const destination = path.join(destinationRoot, include.distro); + fs.mkdirSync(destination, {recursive: true}); + fs.cpSync(artifact, destination, {recursive: true, force: true}); + } - name: List artifacts run: | @@ -224,6 +260,8 @@ jobs: with: source: . targets: metadata-${{ inputs.name }} + vars: | + ${{ inputs.vars }} provenance: false - name: Resolve metadata @@ -271,6 +309,8 @@ jobs: ${{ steps.meta.outputs.bake-file-tags }} ${{ steps.meta.outputs.bake-file-annotations }} targets: release-${{ inputs.name }} + vars: | + ${{ inputs.vars }} provenance: false set: | *.output=type=image,oci-mediatypes=true,push=${{ inputs.release != '' || github.event_name == 'schedule' }} @@ -368,4 +408,4 @@ jobs: $ undock --wrap --rm-dist --all ${{ env.REPO_SLUG }}:${{ steps.meta.outputs.version }} ./${{ inputs.name }}/${{ env.VERSION }} ``` env: - GITHUB_TOKEN: ${{ secrets.ghtoken || github.token }} + GITHUB_TOKEN: ${{ github.token }} diff --git a/.github/workflows/build-agent.yml b/.github/workflows/build-agent.yml index 04d7d664..68a9a57e 100644 --- a/.github/workflows/build-agent.yml +++ b/.github/workflows/build-agent.yml @@ -34,5 +34,6 @@ jobs: uses: ./.github/workflows/.build.yml permissions: contents: read + id-token: write with: name: agent diff --git a/.github/workflows/build-buildx.yml b/.github/workflows/build-buildx.yml index d3feaba1..aee7c1aa 100644 --- a/.github/workflows/build-buildx.yml +++ b/.github/workflows/build-buildx.yml @@ -34,5 +34,6 @@ jobs: uses: ./.github/workflows/.build.yml permissions: contents: read + id-token: write with: name: buildx diff --git a/.github/workflows/build-compose.yml b/.github/workflows/build-compose.yml index e82af79c..e38542d3 100644 --- a/.github/workflows/build-compose.yml +++ b/.github/workflows/build-compose.yml @@ -34,5 +34,6 @@ jobs: uses: ./.github/workflows/.build.yml permissions: contents: read + id-token: write with: name: compose diff --git a/.github/workflows/build-containerd.yml b/.github/workflows/build-containerd.yml index 73add8b0..d7fdd1e1 100644 --- a/.github/workflows/build-containerd.yml +++ b/.github/workflows/build-containerd.yml @@ -34,5 +34,6 @@ jobs: uses: ./.github/workflows/.build.yml permissions: contents: read + id-token: write with: name: containerd diff --git a/.github/workflows/build-credential-helpers.yml b/.github/workflows/build-credential-helpers.yml index 9165f83b..e7743127 100644 --- a/.github/workflows/build-credential-helpers.yml +++ b/.github/workflows/build-credential-helpers.yml @@ -34,5 +34,6 @@ jobs: uses: ./.github/workflows/.build.yml permissions: contents: read + id-token: write with: name: credential-helpers diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml index 9e18ab3c..92cb8bd6 100644 --- a/.github/workflows/build-docker.yml +++ b/.github/workflows/build-docker.yml @@ -36,6 +36,7 @@ jobs: uses: ./.github/workflows/.build.yml permissions: contents: read + id-token: write with: name: docker-engine @@ -43,5 +44,6 @@ jobs: uses: ./.github/workflows/.build.yml permissions: contents: read + id-token: write with: name: docker-cli diff --git a/.github/workflows/build-model.yml b/.github/workflows/build-model.yml index 47c1b214..070189fc 100644 --- a/.github/workflows/build-model.yml +++ b/.github/workflows/build-model.yml @@ -34,5 +34,6 @@ jobs: uses: ./.github/workflows/.build.yml permissions: contents: read + id-token: write with: name: model diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index 15f6e0ce..442182ef 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -21,6 +21,7 @@ jobs: uses: ./.github/workflows/.build.yml permissions: contents: read + id-token: write needs: - pkgs strategy: @@ -30,7 +31,7 @@ jobs: with: name: ${{ matrix.pkg }} release: pushonly - envs: | + vars: | NIGHTLY_BUILD=1 dockerhub_username: ${{ vars.DOCKERPUBLICBOT_USERNAME }} secrets: diff --git a/.github/workflows/release-agent.yml b/.github/workflows/release-agent.yml index c937a0c3..dca4f194 100644 --- a/.github/workflows/release-agent.yml +++ b/.github/workflows/release-agent.yml @@ -46,11 +46,12 @@ jobs: uses: ./.github/workflows/.build.yml permissions: contents: write # needed to create release and upload artifacts + id-token: write # needed to sign attestations with: name: agent release: ${{ inputs.release }} distros: ${{ inputs.distros }} - envs: | + vars: | PKG_REPO=${{ inputs.repo }} PKG_REF=${{ inputs.ref }} PKG_DEB_REVISION=${{ inputs.revision }} diff --git a/.github/workflows/release-buildx.yml b/.github/workflows/release-buildx.yml index 2d2fdf38..b831e05d 100644 --- a/.github/workflows/release-buildx.yml +++ b/.github/workflows/release-buildx.yml @@ -46,11 +46,12 @@ jobs: uses: ./.github/workflows/.build.yml permissions: contents: write # needed to create release and upload artifacts + id-token: write # needed to sign attestations with: name: buildx release: ${{ inputs.release }} distros: ${{ inputs.distros }} - envs: | + vars: | PKG_REPO=${{ inputs.repo }} PKG_REF=${{ inputs.ref }} PKG_DEB_REVISION=${{ inputs.revision }} diff --git a/.github/workflows/release-compose.yml b/.github/workflows/release-compose.yml index 09bc6a24..d65a9e78 100644 --- a/.github/workflows/release-compose.yml +++ b/.github/workflows/release-compose.yml @@ -46,11 +46,12 @@ jobs: uses: ./.github/workflows/.build.yml permissions: contents: write # needed to create release and upload artifacts + id-token: write # needed to sign attestations with: name: compose release: ${{ inputs.release }} distros: ${{ inputs.distros }} - envs: | + vars: | PKG_REPO=${{ inputs.repo }} PKG_REF=${{ inputs.ref }} PKG_DEB_REVISION=${{ inputs.revision }} diff --git a/.github/workflows/release-containerd.yml b/.github/workflows/release-containerd.yml index 76335e2e..17467db9 100644 --- a/.github/workflows/release-containerd.yml +++ b/.github/workflows/release-containerd.yml @@ -56,11 +56,12 @@ jobs: uses: ./.github/workflows/.build.yml permissions: contents: write # needed to create release and upload artifacts + id-token: write # needed to sign attestations with: name: containerd release: ${{ inputs.release }} distros: ${{ inputs.distros }} - envs: | + vars: | PKG_REPO=${{ inputs.repo }} PKG_REF=${{ inputs.ref }} PKG_DEB_REVISION=${{ inputs.revision }} diff --git a/.github/workflows/release-credential-helpers.yml b/.github/workflows/release-credential-helpers.yml index de4afe4b..2af54600 100644 --- a/.github/workflows/release-credential-helpers.yml +++ b/.github/workflows/release-credential-helpers.yml @@ -46,11 +46,12 @@ jobs: uses: ./.github/workflows/.build.yml permissions: contents: write # needed to create release and upload artifacts + id-token: write # needed to sign attestations with: name: credential-helpers release: ${{ inputs.release }} distros: ${{ inputs.distros }} - envs: | + vars: | PKG_REPO=${{ inputs.repo }} PKG_REF=${{ inputs.ref }} PKG_DEB_REVISION=${{ inputs.revision }} diff --git a/.github/workflows/release-docker.yml b/.github/workflows/release-docker.yml index 669a3960..007dadc9 100644 --- a/.github/workflows/release-docker.yml +++ b/.github/workflows/release-docker.yml @@ -58,11 +58,12 @@ jobs: uses: ./.github/workflows/.build.yml permissions: contents: write # needed to create release and upload artifacts + id-token: write # needed to sign attestations with: name: docker-engine release: ${{ inputs.release }} distros: ${{ inputs.distros }} - envs: | + vars: | PKG_REPO=${{ inputs.engine-repo }} PKG_REF=${{ inputs.engine-ref }} PKG_DEB_REVISION=${{ inputs.revision }} @@ -77,11 +78,12 @@ jobs: uses: ./.github/workflows/.build.yml permissions: contents: write # needed to create release and upload artifacts + id-token: write # needed to sign attestations with: name: docker-cli release: ${{ inputs.release }} distros: ${{ inputs.distros }} - envs: | + vars: | PKG_REPO=${{ inputs.cli-repo }} PKG_REF=${{ inputs.cli-ref }} PKG_DEB_REVISION=${{ inputs.revision }} diff --git a/.github/workflows/release-model.yml b/.github/workflows/release-model.yml index cca2eb8b..bec485ea 100644 --- a/.github/workflows/release-model.yml +++ b/.github/workflows/release-model.yml @@ -46,11 +46,12 @@ jobs: uses: ./.github/workflows/.build.yml permissions: contents: write # needed to create release and upload artifacts + id-token: write # needed to sign attestations with: name: model release: ${{ inputs.release }} distros: ${{ inputs.distros }} - envs: | + vars: | PKG_REPO=${{ inputs.repo }} PKG_REF=${{ inputs.ref }} PKG_DEB_REVISION=${{ inputs.revision }} diff --git a/hack/release.Dockerfile b/hack/release.Dockerfile index fcd665d8..227851f6 100644 --- a/hack/release.Dockerfile +++ b/hack/release.Dockerfile @@ -49,7 +49,10 @@ RUN --mount=from=bin,source=.,target=/release < Date: Wed, 8 Jul 2026 14:55:11 +0200 Subject: [PATCH 2/2] release: name metadata files after package artifacts Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com> --- hack/release.Dockerfile | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/hack/release.Dockerfile b/hack/release.Dockerfile index 227851f6..18e9168e 100644 --- a/hack/release.Dockerfile +++ b/hack/release.Dockerfile @@ -48,11 +48,18 @@ RUN --mount=from=bin,source=.,target=/release <