# Builds every CI runner / manylinux / musllinux image listed in the matrix.
# On push, schedule and workflow_dispatch runs on main the images are pushed to
# ghcr.io/pyca and a build-provenance attestation is published for each one;
# pull_request runs only build (login, push and attest are gated below).
name: Docker Image Builder

on:  # yamllint disable-line rule:truthy -- "on" is the GitHub Actions trigger key
  workflow_dispatch:
  schedule:
    # Run once a week on Fridays
    - cron: '0 0 * * FRI'
  push:
    branches:
      - main
    paths:
      - '.github/workflows/build-docker-images.yml'
      - 'runners/**'
      - 'cryptography-linux/**'
  pull_request:
    paths:
      - '.github/workflows/build-docker-images.yml'
      - 'runners/**'
      - 'cryptography-linux/**'

jobs:
  build:
    name: "${{ matrix.IMAGE.TAG_NAME }}"
    runs-on: ${{ matrix.IMAGE.RUNNER }}
    timeout-minutes: 10
    # Job-scoped token permissions: read the checkout, write packages for the
    # image push, and mint an OIDC token / write attestations for provenance.
    permissions:
      contents: read
      packages: write
      id-token: write
      attestations: write
    strategy:
      # One failing image must not cancel the rest of the matrix.
      fail-fast: false
      matrix:
        # TAG_NAME is the image (and optional ":arch" tag) under ghcr.io/pyca,
        # DOCKERFILE_PATH the build context, BUILD_ARGS extra --build-arg lines,
        # DOCKER_PLATFORM an optional buildx --platform, RUNNER the GitHub runner.
        IMAGE:
          # x86-64 distro images
          - {TAG_NAME: "cryptography-runner-rhel8", DOCKERFILE_PATH: "runners/rhel", BUILD_ARGS: "RELEASE=redhat/ubi8", RUNNER: "ubuntu-latest"}
          - {TAG_NAME: "cryptography-runner-rhel8-fips", DOCKERFILE_PATH: "runners/rhel", BUILD_ARGS: "FIPS=1\nRELEASE=redhat/ubi8", RUNNER: "ubuntu-latest"}
          - {TAG_NAME: "cryptography-runner-centos-stream9", DOCKERFILE_PATH: "runners/rhel", BUILD_ARGS: "RELEASE=quay.io/centos/centos:stream9", RUNNER: "ubuntu-latest"}
          - {TAG_NAME: "cryptography-runner-centos-stream9-fips", DOCKERFILE_PATH: "runners/rhel", BUILD_ARGS: "FIPS=1\nRELEASE=quay.io/centos/centos:stream9", RUNNER: "ubuntu-latest"}
          - {TAG_NAME: "cryptography-runner-centos-stream10", DOCKERFILE_PATH: "runners/rhel", BUILD_ARGS: "RELEASE=quay.io/centos/centos:stream10", RUNNER: "ubuntu-latest"}
          - {TAG_NAME: "cryptography-runner-centos-stream10-fips", DOCKERFILE_PATH: "runners/rhel", BUILD_ARGS: "FIPS=1\nRELEASE=quay.io/centos/centos:stream10", RUNNER: "ubuntu-latest"}
          - {TAG_NAME: "cryptography-runner-fedora", DOCKERFILE_PATH: "runners/fedora", RUNNER: "ubuntu-latest"}
          - {TAG_NAME: "cryptography-runner-alpine", DOCKERFILE_PATH: "runners/alpine", RUNNER: "ubuntu-latest"}
          - {TAG_NAME: "cryptography-runner-bullseye", DOCKERFILE_PATH: "runners/debian", BUILD_ARGS: "RELEASE=bullseye", RUNNER: "ubuntu-latest"}
          - {TAG_NAME: "cryptography-runner-bookworm", DOCKERFILE_PATH: "runners/debian", BUILD_ARGS: "RELEASE=bookworm", RUNNER: "ubuntu-latest"}
          - {TAG_NAME: "cryptography-runner-trixie", DOCKERFILE_PATH: "runners/debian", BUILD_ARGS: "RELEASE=trixie", RUNNER: "ubuntu-latest"}
          - {TAG_NAME: "cryptography-runner-sid", DOCKERFILE_PATH: "runners/debian", BUILD_ARGS: "RELEASE=sid", RUNNER: "ubuntu-latest"}
          - {TAG_NAME: "cryptography-runner-ubuntu-focal", DOCKERFILE_PATH: "runners/ubuntu", BUILD_ARGS: "RELEASE=focal", RUNNER: "ubuntu-latest"}
          - {TAG_NAME: "cryptography-runner-ubuntu-jammy", DOCKERFILE_PATH: "runners/ubuntu", BUILD_ARGS: "RELEASE=jammy", RUNNER: "ubuntu-latest"}
          - {TAG_NAME: "cryptography-runner-ubuntu-noble", DOCKERFILE_PATH: "runners/ubuntu", BUILD_ARGS: "RELEASE=noble", RUNNER: "ubuntu-latest"}
          - {TAG_NAME: "cryptography-runner-ubuntu-rolling", DOCKERFILE_PATH: "runners/ubuntu", BUILD_ARGS: "RELEASE=rolling", RUNNER: "ubuntu-latest"}
          # x86-64 manylinux images
          - {TAG_NAME: "cryptography-manylinux2014:x86_64", DOCKERFILE_PATH: "cryptography-linux", BUILD_ARGS: "PYCA_RELEASE=manylinux2014_x86_64", RUNNER: "ubuntu-latest"}
          - {TAG_NAME: "cryptography-manylinux_2_28:x86_64", DOCKERFILE_PATH: "cryptography-linux", BUILD_ARGS: "PYCA_RELEASE=manylinux_2_28_x86_64", RUNNER: "ubuntu-latest"}
          - {TAG_NAME: "cryptography-manylinux_2_34:x86_64", DOCKERFILE_PATH: "cryptography-linux", BUILD_ARGS: "PYCA_RELEASE=manylinux_2_34_x86_64", RUNNER: "ubuntu-latest"}
          - {TAG_NAME: "cryptography-musllinux_1_1:x86_64", DOCKERFILE_PATH: "cryptography-linux", BUILD_ARGS: "PYCA_RELEASE=musllinux_1_1_x86_64", RUNNER: "ubuntu-latest"}
          - {TAG_NAME: "cryptography-musllinux_1_2:x86_64", DOCKERFILE_PATH: "cryptography-linux", BUILD_ARGS: "PYCA_RELEASE=musllinux_1_2_x86_64", RUNNER: "ubuntu-latest"}
          # aarch64 distro images
          - {TAG_NAME: "cryptography-runner-ubuntu-rolling:aarch64", DOCKERFILE_PATH: "runners/ubuntu", BUILD_ARGS: "RELEASE=rolling", RUNNER: "ubuntu-24.04-arm"}
          - {TAG_NAME: "cryptography-runner-alpine:aarch64", DOCKERFILE_PATH: "runners/alpine", RUNNER: "ubuntu-24.04-arm"}
          # aarch64 manylinux images
          - {TAG_NAME: "cryptography-manylinux2014_aarch64", DOCKERFILE_PATH: "cryptography-linux", BUILD_ARGS: "PYCA_RELEASE=manylinux2014_aarch64", RUNNER: "ubuntu-24.04-arm"}
          - {TAG_NAME: "cryptography-manylinux_2_28:aarch64", DOCKERFILE_PATH: "cryptography-linux", BUILD_ARGS: "PYCA_RELEASE=manylinux_2_28_aarch64", RUNNER: "ubuntu-24.04-arm"}
          - {TAG_NAME: "cryptography-manylinux_2_34:aarch64", DOCKERFILE_PATH: "cryptography-linux", BUILD_ARGS: "PYCA_RELEASE=manylinux_2_34_aarch64", RUNNER: "ubuntu-24.04-arm"}
          - {TAG_NAME: "cryptography-musllinux_1_1:aarch64", DOCKERFILE_PATH: "cryptography-linux", BUILD_ARGS: "PYCA_RELEASE=musllinux_1_1_aarch64", RUNNER: "ubuntu-24.04-arm"}
          - {TAG_NAME: "cryptography-musllinux_1_2:aarch64", DOCKERFILE_PATH: "cryptography-linux", BUILD_ARGS: "PYCA_RELEASE=musllinux_1_2_aarch64", RUNNER: "ubuntu-24.04-arm"}
          # armv7l distro images
          - {TAG_NAME: "cryptography-runner-ubuntu-rolling:armv7l", DOCKERFILE_PATH: "runners/ubuntu", DOCKER_PLATFORM: "linux/arm/v7", BUILD_ARGS: "RELEASE=rolling", RUNNER: "ubuntu-24.04-arm"}
          - {TAG_NAME: "cryptography-runner-alpine:armv7l", DOCKERFILE_PATH: "runners/alpine", DOCKER_PLATFORM: "linux/arm/v7", RUNNER: "ubuntu-24.04-arm"}
          # armv7l manylinux images
          - {TAG_NAME: "cryptography-manylinux_2_31:armv7l", DOCKERFILE_PATH: "cryptography-linux", DOCKER_PLATFORM: "linux/arm/v7", BUILD_ARGS: "PYCA_RELEASE=manylinux_2_31_armv7l", RUNNER: "ubuntu-24.04-arm"}
          - {TAG_NAME: "cryptography-musllinux_1_2:armv7l", DOCKERFILE_PATH: "cryptography-linux", DOCKER_PLATFORM: "linux/arm/v7", BUILD_ARGS: "PYCA_RELEASE=musllinux_1_2_armv7l", RUNNER: "ubuntu-24.04-arm"}
          # ppc64le distro images
          - {TAG_NAME: "cryptography-runner-ubuntu-rolling:ppc64le", DOCKERFILE_PATH: "runners/ubuntu", BUILD_ARGS: "RELEASE=rolling", RUNNER: "ubuntu-24.04-ppc64le"}
          # ppc64le manylinux images
          - {TAG_NAME: "cryptography-manylinux_2_28:ppc64le", DOCKERFILE_PATH: "cryptography-linux", BUILD_ARGS: "PYCA_RELEASE=manylinux_2_28_ppc64le", RUNNER: "ubuntu-24.04-ppc64le"}
          - {TAG_NAME: "cryptography-manylinux_2_34:ppc64le", DOCKERFILE_PATH: "cryptography-linux", BUILD_ARGS: "PYCA_RELEASE=manylinux_2_34_ppc64le", RUNNER: "ubuntu-24.04-ppc64le"}
    steps:
      # NOTE(review): this action ref is rendered as "[email protected]" on the page
      # this file was taken from; the real file should pin actions/checkout to a
      # full commit SHA with a version comment, as every other step here does --
      # confirm against the repository.
      - uses: actions/[email protected]
        with:
          # Keep the job token out of .git/config so later steps (and the image
          # build context) never see it.
          persist-credentials: false
      # Read the Node 20 / Node 24 versions from staticnode/node-versions.json
      # and export "<arch>:<version>" for the build-args of the build step.
      # ${{ runner.arch }} comes from the runner context, not from any event
      # payload, so expanding it inline in the shell is safe.
      - run: |
          arch=$(echo "${{ runner.arch }}" | tr '[:upper:]' '[:lower:]')
          NODE20_VERSION=$(cat staticnode/node-versions.json | jq -r '.[] | select(.version | startswith("v20")) | .version')
          NODE24_VERSION=$(cat staticnode/node-versions.json | jq -r '.[] | select(.version | startswith("v24")) | .version')
          echo "NODE20_ARCH_RELEASE=$arch:${NODE20_VERSION}" >> $GITHUB_ENV
          echo "NODE24_ARCH_RELEASE=$arch:${NODE24_VERSION}" >> $GITHUB_ENV
      # Pull the previous image, but if it fails return true anyway.
      # Sometimes we add new docker images and if they've never been pushed
      # they can't be pulled.
      - name: Pull existing image
        if: github.event_name != 'schedule' && github.event_name != 'workflow_dispatch'
        run: docker pull ghcr.io/pyca/${{ matrix.IMAGE.TAG_NAME }} || true
      # The attestation subject is the image name without its ":arch" tag.
      # TAG_NAME is a literal from the matrix above, not event-controlled input.
      - name: Get image name
        id: image-name
        run: |
          ATTEST_IMAGE=$(echo "${{ matrix.IMAGE.TAG_NAME }}" | cut -d ':' -f 1)
          echo "ATTEST_IMAGE=${ATTEST_IMAGE}" | tee -a "$GITHUB_OUTPUT"
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
        with:
          cache-binary: false
      # Registry login only for push-capable events on main; pull_request runs
      # never authenticate to ghcr.io.
      - name: Login to ghcr.io
        if: (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && github.ref == 'refs/heads/main'
        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      # Always build; push only under the same condition as the login above.
      - name: Build (and push if main) docker image
        id: docker-build
        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: ${{ matrix.IMAGE.DOCKERFILE_PATH }}
          cache-from: ghcr.io/pyca/${{ matrix.IMAGE.TAG_NAME }}
          tags: ghcr.io/pyca/${{ matrix.IMAGE.TAG_NAME }}
          platforms: ${{ matrix.IMAGE.DOCKER_PLATFORM }}
          pull: true
          build-args: |
            NODE20_ARCH_RELEASE=${{ env.NODE20_ARCH_RELEASE }}
            NODE24_ARCH_RELEASE=${{ env.NODE24_ARCH_RELEASE }}
            ${{ matrix.IMAGE.BUILD_ARGS }}
          push: ${{ (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && github.ref == 'refs/heads/main' }}
      # Publish provenance for the pushed digest, gated exactly like the push.
      - uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0
        if: (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && github.ref == 'refs/heads/main'
        with:
          subject-name: "ghcr.io/pyca/${{ steps.image-name.outputs.ATTEST_IMAGE }}"
          subject-digest: ${{ steps.docker-build.outputs.digest }}
          push-to-registry: true