From fe956b3d25c72ff3df2967108ecb39e829dfdf2f Mon Sep 17 00:00:00 2001 From: bkellam Date: Fri, 9 Jan 2026 13:06:28 -0800 Subject: [PATCH 1/5] wip --- .github/workflows/publish-main-to-ghcr.yml | 147 +++++++++++++++++++++ 1 file changed, 147 insertions(+) create mode 100644 .github/workflows/publish-main-to-ghcr.yml diff --git a/.github/workflows/publish-main-to-ghcr.yml b/.github/workflows/publish-main-to-ghcr.yml new file mode 100644 index 00000000..ecad9113 --- /dev/null +++ b/.github/workflows/publish-main-to-ghcr.yml @@ -0,0 +1,147 @@ +name: Publish to ghcr + +# This workflow is a modification of a example. +# @ see: https://docs.docker.com/build/ci/github-actions/multi-platform/#distribute-build-across-multiple-runners + +on: + push: + branches: ["main"] + +env: + # Use docker.io for Docker Hub if empty + REGISTRY_IMAGE: ghcr.io/sourcebot-dev/sourcebot + +jobs: + build: + runs-on: ${{ matrix.runs-on}} + environment: oss + permissions: + contents: read + packages: write + # This is used to complete the identity challenge + # with sigstore/fulcio when running outside of PRs. + id-token: write + strategy: + matrix: + platform: [linux/amd64, linux/arm64] + include: + - platform: linux/amd64 + runs-on: ubuntu-latest + - platform: linux/arm64 + runs-on: ubuntu-24.04-arm + + steps: + - name: Prepare + run: | + platform=${{ matrix.platform }} + echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV + + - name: Checkout repository + uses: actions/checkout@v4 + with: + ref: ${{ github.ref_name }} + submodules: "true" + + # Extract metadata (tags, labels) for Docker + # https://github.com/docker/metadata-action + - name: Extract Docker metadata + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.REGISTRY_IMAGE }} + + # Install the cosign tool except on PR + # https://github.com/sigstore/cosign-installer + - name: Install cosign + uses: sigstore/cosign-installer@v3.5.0 + with: + cosign-release: "v2.2.4" + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Login to GitHub Packages Docker Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Build Docker image + id: build + uses: docker/build-push-action@v6 + with: + context: . + labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha,scope=${{ env.PLATFORM_PAIR }} + cache-to: type=gha,mode=max,scope=${{ env.PLATFORM_PAIR }} + platforms: ${{ matrix.platform }} + outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true,name-canonical=true,push=true,annotation.org.opencontainers.image.description=Blazingly fast code search + + - name: Export digest + run: | + mkdir -p /tmp/digests + digest="${{ steps.build.outputs.digest }}" + touch "/tmp/digests/${digest#sha256:}" + + - name: Upload digest + uses: actions/upload-artifact@v4 + with: + name: digests-${{ env.PLATFORM_PAIR }} + path: /tmp/digests/* + if-no-files-found: error + retention-days: 1 + + # Sign the resulting Docker image digest except on PRs. + # This will only write to the public Rekor transparency log when the Docker + # repository is public to avoid leaking data. If you would like to publish + # transparency data even for private images, pass --force to cosign below. + # https://github.com/sigstore/cosign + - name: Sign the published Docker image + env: + # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable + TAGS: ${{ steps.meta.outputs.tags }} + DIGEST: ${{ steps.build.outputs.digest }} + # This step uses the identity token to provision an ephemeral certificate + # against the sigstore community Fulcio instance. + run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} + + merge: + runs-on: ubuntu-latest + permissions: + packages: write + needs: + - build + steps: + - name: Download digests + uses: actions/download-artifact@v4 + with: + path: /tmp/digests + pattern: digests-* + merge-multiple: true + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Extract Docker metadata + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.REGISTRY_IMAGE }} + + - name: Login to GitHub Packages Docker Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Create manifest list and push + working-directory: /tmp/digests + run: | + docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ + $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *) + + - name: Inspect image + run: | + docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }} \ No newline at end of file From 736d9f9c5d2a516c5b3aa9223df196c17d1314d3 Mon Sep 17 00:00:00 2001 From: bkellam Date: Sat, 10 Jan 2026 11:36:42 -0800 Subject: [PATCH 2/5] wip --- .../{publish-main-to-ghcr.yml => _build.yml} | 94 +++++----- .github/workflows/_merge.yml | 63 +++++++ .github/workflows/release-dev.yml | 23 +++ ...release-sourcebot.yml => release-prod.yml} | 165 +++--------------- 4 files changed, 153 insertions(+), 192 deletions(-) rename .github/workflows/{publish-main-to-ghcr.yml => _build.yml} (65%) create mode 100644 .github/workflows/_merge.yml create mode 100644 .github/workflows/release-dev.yml rename .github/workflows/{release-sourcebot.yml => release-prod.yml} (61%) diff --git a/.github/workflows/publish-main-to-ghcr.yml b/.github/workflows/_build.yml similarity index 65% rename from .github/workflows/publish-main-to-ghcr.yml rename to .github/workflows/_build.yml index ecad9113..458109bb 100644 --- a/.github/workflows/publish-main-to-ghcr.yml +++ b/.github/workflows/_build.yml @@ -1,14 +1,40 @@ -name: Publish to ghcr +# Internal reusable workflow for building multi-platform Docker images. +# +# This workflow builds Docker images for linux/amd64 and linux/arm64 platforms, +# pushes them by digest to GHCR, signs them with cosign/Sigstore for supply chain +# security, and uploads build artifacts for subsequent manifest creation. +# +# Used by: +# - publish-main-to-ghcr.yml (for main branch builds) +# - release-sourcebot.yml (for versioned releases) -# This workflow is a modification of a example. -# @ see: https://docs.docker.com/build/ci/github-actions/multi-platform/#distribute-build-across-multiple-runners +name: Build Multi-Platform Images on: - push: - branches: ["main"] + workflow_call: + inputs: + git_ref: + description: "Git ref to checkout" + required: true + type: string + docker_tags: + description: "Docker tags configuration (JSON array or raw tags)" + required: true + type: string + use_app_token: + description: "Whether to use GitHub App token for checkout" + required: false + type: boolean + default: false + secrets: + release_app_id: + description: "GitHub App ID (required if use_app_token is true)" + required: false + release_app_private_key: + description: "GitHub App private key (required if use_app_token is true)" + required: false env: - # Use docker.io for Docker Hub if empty REGISTRY_IMAGE: ghcr.io/sourcebot-dev/sourcebot jobs: @@ -18,8 +44,8 @@ jobs: permissions: contents: read packages: write - # This is used to complete the identity challenge - # with sigstore/fulcio when running outside of PRs. + # Required for keyless signing with cosign/Sigstore. + # Allows workflow to obtain OIDC token for ephemeral certificate from Fulcio. id-token: write strategy: matrix: @@ -31,6 +57,14 @@ jobs: runs-on: ubuntu-24.04-arm steps: + - name: Generate GitHub App token + if: inputs.use_app_token + id: generate_token + uses: actions/create-github-app-token@v1 + with: + app-id: ${{ secrets.release_app_id }} + private-key: ${{ secrets.release_app_private_key }} + - name: Prepare run: | platform=${{ matrix.platform }} @@ -39,8 +73,10 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 with: - ref: ${{ github.ref_name }} + ref: ${{ inputs.git_ref }} submodules: "true" + fetch-depth: 0 + token: ${{ inputs.use_app_token && steps.generate_token.outputs.token || github.token }} # Extract metadata (tags, labels) for Docker # https://github.com/docker/metadata-action @@ -49,6 +85,7 @@ jobs: uses: docker/metadata-action@v5 with: images: ${{ env.REGISTRY_IMAGE }} + tags: ${{ inputs.docker_tags }} # Install the cosign tool except on PR # https://github.com/sigstore/cosign-installer @@ -105,43 +142,4 @@ jobs: # This step uses the identity token to provision an ephemeral certificate # against the sigstore community Fulcio instance. run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} - - merge: - runs-on: ubuntu-latest - permissions: - packages: write - needs: - - build - steps: - - name: Download digests - uses: actions/download-artifact@v4 - with: - path: /tmp/digests - pattern: digests-* - merge-multiple: true - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Extract Docker metadata - id: meta - uses: docker/metadata-action@v5 - with: - images: ${{ env.REGISTRY_IMAGE }} - - name: Login to GitHub Packages Docker Registry - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Create manifest list and push - working-directory: /tmp/digests - run: | - docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ - $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *) - - - name: Inspect image - run: | - docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }} \ No newline at end of file diff --git a/.github/workflows/_merge.yml b/.github/workflows/_merge.yml new file mode 100644 index 00000000..7e76f699 --- /dev/null +++ b/.github/workflows/_merge.yml @@ -0,0 +1,63 @@ +# Internal reusable workflow for merging platform-specific image digests into a +# single multi-platform manifest and pushing to GHCR. +# +# This workflow takes the individual platform image digests created by _build.yml, +# combines them into a multi-platform manifest, and pushes the final tagged images. +# +# Used by: +# - publish-main-to-ghcr.yml (for main branch builds) +# - release-sourcebot.yml (for versioned releases) + +name: Merge Multi-Platform Manifest + +on: + workflow_call: + inputs: + docker_tags: + description: "Docker tags configuration (JSON array or raw tags)" + required: true + type: string + +env: + REGISTRY_IMAGE: ghcr.io/sourcebot-dev/sourcebot + +jobs: + merge: + runs-on: ubuntu-latest + permissions: + packages: write + steps: + - name: Download digests + uses: actions/download-artifact@v4 + with: + path: /tmp/digests + pattern: digests-* + merge-multiple: true + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Extract Docker metadata + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.REGISTRY_IMAGE }} + tags: ${{ inputs.docker_tags }} + + - name: Login to GitHub Packages Docker Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Create manifest list and push + working-directory: /tmp/digests + run: | + docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ + $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *) + + - name: Inspect image + run: | + docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }} + diff --git a/.github/workflows/release-dev.yml b/.github/workflows/release-dev.yml new file mode 100644 index 00000000..0ee2452f --- /dev/null +++ b/.github/workflows/release-dev.yml @@ -0,0 +1,23 @@ +name: Release Sourcebot (Development) + +# This workflow is a modification of a example. +# @ see: https://docs.docker.com/build/ci/github-actions/multi-platform/#distribute-build-across-multiple-runners + +on: + push: + branches: ["main"] + +jobs: + build: + uses: ./.github/workflows/_build.yml + with: + git_ref: ${{ github.ref_name }} + docker_tags: type=raw,value=main + use_app_token: false + secrets: inherit + + publish-to-registry: + needs: build + uses: ./.github/workflows/_merge.yml + with: + docker_tags: type=raw,value=main diff --git a/.github/workflows/release-sourcebot.yml b/.github/workflows/release-prod.yml similarity index 61% rename from .github/workflows/release-sourcebot.yml rename to .github/workflows/release-prod.yml index b303d16a..911cf092 100644 --- a/.github/workflows/release-sourcebot.yml +++ b/.github/workflows/release-prod.yml @@ -1,4 +1,4 @@ -name: Release Sourcebot +name: Release Sourcebot (Production) on: workflow_dispatch: @@ -143,117 +143,22 @@ jobs: build: needs: prepare-release - runs-on: ${{ matrix.runs-on}} - environment: oss - permissions: - contents: read - packages: write - # This is used to complete the identity challenge - # with sigstore/fulcio when running outside of PRs. - id-token: write - strategy: - matrix: - platform: [linux/amd64, linux/arm64] - include: - - platform: linux/amd64 - runs-on: ubuntu-latest - - platform: linux/arm64 - runs-on: ubuntu-24.04-arm - - steps: - - name: Generate GitHub App token - id: generate_token - uses: actions/create-github-app-token@v1 - with: - app-id: ${{ secrets.RELEASE_APP_ID }} - private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }} - - - name: Prepare - run: | - platform=${{ matrix.platform }} - echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV - - - name: Checkout repository - uses: actions/checkout@v4 - with: - ref: ${{ needs.prepare-release.outputs.temp_branch }} - submodules: "true" - fetch-depth: 0 - token: ${{ steps.generate_token.outputs.token }} - - # Extract metadata (tags, labels) for Docker - # https://github.com/docker/metadata-action - - name: Extract Docker metadata - id: meta - uses: docker/metadata-action@v5 - with: - images: ${{ env.REGISTRY_IMAGE }} - tags: | - type=raw,value=v${{ needs.prepare-release.outputs.version }} - type=raw,value=latest - - # Install the cosign tool except on PR - # https://github.com/sigstore/cosign-installer - - name: Install cosign - uses: sigstore/cosign-installer@v3.5.0 - with: - cosign-release: "v2.2.4" - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Login to GitHub Packages Docker Registry - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Build Docker image - id: build - uses: docker/build-push-action@v6 - with: - context: . - labels: ${{ steps.meta.outputs.labels }} - cache-from: type=gha,scope=${{ env.PLATFORM_PAIR }} - cache-to: type=gha,mode=max,scope=${{ env.PLATFORM_PAIR }} - platforms: ${{ matrix.platform }} - outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true,name-canonical=true,push=true,annotation.org.opencontainers.image.description=Blazingly fast code search - - - name: Export digest - run: | - mkdir -p /tmp/digests - digest="${{ steps.build.outputs.digest }}" - touch "/tmp/digests/${digest#sha256:}" - - - name: Upload digest - uses: actions/upload-artifact@v4 - with: - name: digests-${{ env.PLATFORM_PAIR }} - path: /tmp/digests/* - if-no-files-found: error - retention-days: 1 - - # Sign the resulting Docker image digest except on PRs. - # This will only write to the public Rekor transparency log when the Docker - # repository is public to avoid leaking data. If you would like to publish - # transparency data even for private images, pass --force to cosign below. - # https://github.com/sigstore/cosign - - name: Sign the published Docker image - env: - # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable - TAGS: ${{ steps.meta.outputs.tags }} - DIGEST: ${{ steps.build.outputs.digest }} - # This step uses the identity token to provision an ephemeral certificate - # against the sigstore community Fulcio instance. - run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} + uses: ./.github/workflows/_build.yml + with: + git_ref: ${{ needs.prepare-release.outputs.temp_branch }} + docker_tags: | + type=raw,value=v${{ needs.prepare-release.outputs.version }} + type=raw,value=latest + use_app_token: true + secrets: + release_app_id: ${{ secrets.RELEASE_APP_ID }} + release_app_private_key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }} finalize-release: needs: [prepare-release, build] runs-on: ubuntu-latest permissions: contents: write - packages: write steps: - name: Generate GitHub App token @@ -315,42 +220,6 @@ jobs: git push origin main git push origin --tags echo "Pushed main branch and tags" - - - name: Download digests - uses: actions/download-artifact@v4 - with: - path: /tmp/digests - pattern: digests-* - merge-multiple: true - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Extract Docker metadata - id: meta - uses: docker/metadata-action@v5 - with: - images: ${{ env.REGISTRY_IMAGE }} - tags: | - type=raw,value=v${{ needs.prepare-release.outputs.version }} - type=raw,value=latest - - - name: Login to GitHub Packages Docker Registry - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Create manifest list and push - working-directory: /tmp/digests - run: | - docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ - $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *) - - - name: Inspect image - run: | - docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:v${{ needs.prepare-release.outputs.version }} - name: Create GitHub release env: @@ -362,15 +231,23 @@ jobs: --generate-notes \ --latest + publish-to-registry: + needs: [prepare-release, build, finalize-release] + uses: ./.github/workflows/_merge.yml + with: + docker_tags: | + type=raw,value=v${{ needs.prepare-release.outputs.version }} + type=raw,value=latest + update-helm-chart: - needs: finalize-release + needs: [finalize-release, publish-to-registry] permissions: contents: write pull-requests: write uses: sourcebot-dev/sourcebot-helm-chart/.github/workflows/update-sourcebot-version.yaml@main cleanup: - needs: [prepare-release, build, finalize-release, update-helm-chart] + needs: [prepare-release, build, publish-to-registry, finalize-release, update-helm-chart] if: always() && needs.prepare-release.outputs.temp_branch != '' runs-on: ubuntu-latest permissions: From 65be8e3f81982f7b19677c2d624702538e9caed9 Mon Sep 17 00:00:00 2001 From: bkellam Date: Sat, 10 Jan 2026 11:38:20 -0800 Subject: [PATCH 3/5] nits --- .github/workflows/_build.yml | 4 ---- .github/workflows/_merge.yml | 4 ---- 2 files changed, 8 deletions(-) diff --git a/.github/workflows/_build.yml b/.github/workflows/_build.yml index 458109bb..9c594983 100644 --- a/.github/workflows/_build.yml +++ b/.github/workflows/_build.yml @@ -3,10 +3,6 @@ # This workflow builds Docker images for linux/amd64 and linux/arm64 platforms, # pushes them by digest to GHCR, signs them with cosign/Sigstore for supply chain # security, and uploads build artifacts for subsequent manifest creation. -# -# Used by: -# - publish-main-to-ghcr.yml (for main branch builds) -# - release-sourcebot.yml (for versioned releases) name: Build Multi-Platform Images diff --git a/.github/workflows/_merge.yml b/.github/workflows/_merge.yml index 7e76f699..b6ed0edb 100644 --- a/.github/workflows/_merge.yml +++ b/.github/workflows/_merge.yml @@ -3,10 +3,6 @@ # # This workflow takes the individual platform image digests created by _build.yml, # combines them into a multi-platform manifest, and pushes the final tagged images. -# -# Used by: -# - publish-main-to-ghcr.yml (for main branch builds) -# - release-sourcebot.yml (for versioned releases) name: Merge Multi-Platform Manifest From b6c0a48c8ce5f8bc3457790c28651272b28f6162 Mon Sep 17 00:00:00 2001 From: Brendan Kellam Date: Sat, 10 Jan 2026 18:53:10 -0800 Subject: [PATCH 4/5] Potential fix for code scanning alert no. 22: Workflow does not contain permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- .github/workflows/release-dev.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/release-dev.yml b/.github/workflows/release-dev.yml index 0ee2452f..d81e2529 100644 --- a/.github/workflows/release-dev.yml +++ b/.github/workflows/release-dev.yml @@ -1,5 +1,8 @@ name: Release Sourcebot (Development) +permissions: + contents: read + # This workflow is a modification of a example. # @ see: https://docs.docker.com/build/ci/github-actions/multi-platform/#distribute-build-across-multiple-runners From 2eae6c3721987ab4d3ee155b7e3816fca13f2db9 Mon Sep 17 00:00:00 2001 From: bkellam Date: Sat, 10 Jan 2026 18:56:52 -0800 Subject: [PATCH 5/5] feedback --- .github/workflows/_build.yml | 2 ++ .github/workflows/release-dev.yml | 3 --- .github/workflows/release-prod.yml | 3 +++ 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/_build.yml b/.github/workflows/_build.yml index 9c594983..cd6655bb 100644 --- a/.github/workflows/_build.yml +++ b/.github/workflows/_build.yml @@ -3,6 +3,8 @@ # This workflow builds Docker images for linux/amd64 and linux/arm64 platforms, # pushes them by digest to GHCR, signs them with cosign/Sigstore for supply chain # security, and uploads build artifacts for subsequent manifest creation. +# +# @ see: https://docs.docker.com/build/ci/github-actions/multi-platform/#distribute-build-across-multiple-runners name: Build Multi-Platform Images diff --git a/.github/workflows/release-dev.yml b/.github/workflows/release-dev.yml index d81e2529..cf64b3c6 100644 --- a/.github/workflows/release-dev.yml +++ b/.github/workflows/release-dev.yml @@ -3,9 +3,6 @@ name: Release Sourcebot (Development) permissions: contents: read -# This workflow is a modification of a example. -# @ see: https://docs.docker.com/build/ci/github-actions/multi-platform/#distribute-build-across-multiple-runners - on: push: branches: ["main"] diff --git a/.github/workflows/release-prod.yml b/.github/workflows/release-prod.yml index 911cf092..2d4a71c5 100644 --- a/.github/workflows/release-prod.yml +++ b/.github/workflows/release-prod.yml @@ -1,5 +1,8 @@ name: Release Sourcebot (Production) +permissions: + contents: read + on: workflow_dispatch: inputs: