authorseth <[email protected]>2024-01-20 06:20:29 -0500
committerseth <[email protected]>2024-01-20 06:41:04 -0500
commit1809becbe9e8e4ea065c1490b8d7f566abaf49bd (patch)
treee40df9b61bed1a1bfa89405b511db932e6c26ee4
parent290a84e86b2f2c3cb1403f94eff416e74d536abd (diff)
ci: reuse image build steps
-rw-r--r--.github/workflows/build-image.yaml103
-rw-r--r--.github/workflows/build.yaml299
2 files changed, 145 insertions, 257 deletions
diff --git a/.github/workflows/build-image.yaml b/.github/workflows/build-image.yaml
new file mode 100644
index 0000000..4271c37
--- /dev/null
+++ b/.github/workflows/build-image.yaml
@@ -0,0 +1,103 @@
+on:
+ workflow_call:
+ inputs:
+ image_name:
+ required: true
+ type: string
+ containerfile:
+ description: containerfile to build
+ required: true
+ type: string
+ context:
+ required: true
+ type: string
+ extra_tags:
+ description: extra tags to apply to image
+ required: true
+ type: string
+ build_args:
+ required: true
+ type: string
+ secrets:
+ akmods_key:
+ description: private akmods key for signing
+ required: false
+
+env:
+ REGISTRY: ghcr.io/${{ github.repository_owner }}
+
+jobs:
+ build:
+ name: Build and Publish
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Extract metadata
+ id: metadata
+ uses: docker/metadata-action@v5
+ with:
+ images: |
+ ${{ env.IMAGE_NAME }}
+ tags: |
+ type=sha
+ type=ref,event=branch
+ type=ref,event=pr
+ type=schedule,pattern={{date 'YYYYMMDD'}}
+
+ - name: Get akmods signing key
+ if: github.event_name != 'pull_request'
+ env:
+ AKMODS_KEY: ${{ secrets.akmods_key }}
+ run: |
+ echo "$AKMODS_KEY" > akmods/certs/private_key.priv
+
+ - name: Build image
+ id: build
+ uses: redhat-actions/buildah-build@v2
+ with:
+ containerfiles: |
+ ${{ inputs.containerfile }}
+ image: ${{ inputs.image_name }}
+ context: ${{ inputs.context }}
+ tags: |
+ ${{ steps.metadata.outputs.tags }}
+ ${{ inputs.extra_tags }}
+ labels: ${{ steps.metadata.outputs.labels }}
+ build-args: ${{ inputs.build_args }}
+
+ - name: Login to registry
+ if: github.event_name != 'pull_request'
+ uses: redhat-actions/podman-login@v1
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ github.token }}
+
+ - name: Push to registry
+ id: push
+ if: github.event_name != 'pull_request'
+ uses: redhat-actions/push-to-registry@v2
+ with:
+ image: ${{ steps.build.outputs.image }}
+ tags: ${{ steps.build.outputs.tags }}
+ registry: ${{ env.REGISTRY }}
+ extra-args: |
+ --disable-content-trust
+
+ - name: Install cosign
+ if: github.event_name != 'pull_request'
+ uses: sigstore/cosign-installer@v3
+
+ - name: Sign image
+ if: github.event_name != 'pull_request'
+ env:
+ DIGEST: ${{ steps.push.outputs.digest }}
+ TAGS: ${{ steps.build.outputs.tags }}
+ run: |
+ images=()
+ for tag in ${TAGS}; do
+ images+=("${tag}@${DIGEST}")
+ done
+ cosign sign --yes "${images[@]}"
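Review bot: The `Extract metadata` step still reads `${{ env.IMAGE_NAME }}`, but this reusable workflow defines only `REGISTRY` under `env:` and a caller's `env` is not propagated into a called workflow, so `images:` is empty here; it should be `${{ inputs.image_name }}`, matching the `image:` input of the build step. Separately, `Get akmods signing key` runs on every non-PR call, including callers that pass no `akmods_key`, and writes the file with the default umask to a path inside the `./akmods` and `.` build contexts. I would guard and tighten it with `[ -n "$AKMODS_KEY" ] || exit 0` and `umask 077` ahead of the `echo`, and confirm that the Containerfile (not shown in this diff) never copies the key into a published layer.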
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index d1ea842..c80ab65 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -1,4 +1,4 @@
-name: Build Images
+name: Build images
on:
push:
@@ -14,104 +14,27 @@ env:
jobs:
akmods:
name: Akmods Image
- runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
packages: write
- env:
- IMAGE_NAME: akmods
- FEDORA_VERSION: 39
- NVIDIA_VERSION: 535
-
- steps:
- - uses: actions/checkout@v4
-
- - name: Extract metadata
- id: metadata
- uses: docker/metadata-action@v5
- with:
- images: |
- ${{ env.IMAGE_NAME }}
- tags: |
- type=sha
- type=ref,event=branch
- type=ref,event=pr
- type=schedule,pattern={{date 'YYYYMMDD'}}
-
- - name: Generate extra tags
- id: extra-tags
- run: |
- timestamp="$(date +%Y%m%d)"
- tag="$IMAGE_NAME:$FEDORA_VERSION-$NVIDIA_VERSION"
- tags=("$tag" "$tag-$timestamp")
- echo "tags=${tags[*]}" >> "$GITHUB_OUTPUT"
-
- - name: Get akmods signing key
- if: github.event_name != 'pull_request'
- env:
- AKMODS_KEY: ${{ secrets.AKMODS_KEY }}
- run: |
- echo "$AKMODS_KEY" > akmods/certs/private_key.priv
-
- - name: Build image
- id: build
- uses: redhat-actions/buildah-build@v2
- with:
- containerfiles: |
- ./akmods/Containerfile
- image: ${{ env.IMAGE_NAME }}
- context: ./akmods
- tags: |
- ${{ steps.metadata.outputs.tags }}
- ${{ steps.extra-tags.outputs.tags }}
- labels: ${{ steps.metadata.outputs.labels }}
- build-args: |
- FEDORA_VERSION=${{ env.FEDORA_VERSION }}
- NVIDIA_VERSION=${{ env.NVIDIA_VERSION }}
-
- - name: Push to registry
- id: push
- if: github.event_name != 'pull_request'
- uses: redhat-actions/push-to-registry@v2
- with:
- image: ${{ steps.build.outputs.image }}
- tags: ${{ steps.build.outputs.tags }}
- registry: ${{ env.REGISTRY }}
- username: ${{ github.actor }}
- password: ${{ github.token }}
- extra-args: |
- --disable-content-trust
-
- - name: Login to registry
- if: github.event_name != 'pull_request'
- uses: docker/login-action@v3
- with:
- registry: ${{ env.REGISTRY }}
- username: ${{ github.actor }}
- password: ${{ github.token }}
-
- - name: Install cosign
- if: github.event_name == 'pull_request'
- uses: sigstore/cosign-installer@v3
-
- - name: Sign image
- if: github.event_name == 'pull_request'
- env:
- DIGEST: ${{ steps.push.outputs.digest }}
- TAGS: ${{ steps.build.outputs.tags }}
- run: |
- images=()
- for tag in "${TAGS[@]}"; do
- images+=("$tag@$DIGEST")
- done
- cosign sign --yes "${images[@]}"
+ uses: ./.github/workflows/build-image.yaml
+ with:
+ image_name: akmods
+ containerfile: ./akmods/Containerfile
+ context: ./akmods
+ extra_tags: |
+ 39-535
+ build_args: |
+ FEDORA_VERSION=39
+ NVIDIA_VERSION=535
+ secrets:
+ akmods_key: ${{ secrets.AKMODS_KEY }}
base:
- name: Base Image
- runs-on: ubuntu-latest
+ name: Base Images
permissions:
contents: read
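Review bot: `extra_tags: 39-535` replaces a step that emitted both `akmods:39-535` and a date-stamped `akmods:39-535-<YYYYMMDD>` tag, so the dated tag is no longer produced, and the commit message does not say this is intended. If anything pins or rolls back to the dated tags, this refactor removes them silently; the same applies to the `extra_tags` values of the `base` and `nvidia` jobs in the next hunk. Either record the removal in the commit message or rebuild the dated variant inside build-image.yaml, for example with a step that appends `"${tag}-$(date +%Y%m%d)"` for each entry of `inputs.extra_tags`. The `base` job that begins at the end of this hunk continues in the next one.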
@@ -126,180 +49,42 @@ jobs:
fedora_version: 39
image_flavor: silverblue
- steps:
- - uses: actions/checkout@v4
-
- - name: Extract metadata
- id: metadata
- uses: docker/metadata-action@v5
- with:
- images: |
- ${{ matrix.image_name }}
- tags: |
- type=sha
- type=ref,event=branch
- type=ref,event=pr
- type=schedule,pattern={{date 'YYYYMMDD'}}
-
- - name: Generate extra tags
- id: extra-tags
- env:
- IMAGE_NAME: ${{ matrix.image_name }}
- FEDORA_VERSION: ${{ matrix.fedora_version }}
- run: |
- timestamp="$(date +%Y%m%d)"
- tag="$IMAGE_NAME:$FEDORA_VERSION"
- tags=("$tag" "$tag-$timestamp")
- echo "tags=${tags[*]}" >> "$GITHUB_OUTPUT"
-
- - name: Build image
- id: build
- uses: redhat-actions/buildah-build@v2
- with:
- containerfiles: |
- ./Containerfile
- image: ${{ matrix.image_name }}
- context: .
- tags: |
- ${{ steps.metadata.outputs.tags }}
- ${{ steps.extra-tags.outputs.tags }}
- labels: ${{ steps.metadata.outputs.labels }}
- build-args: |
- FEDORA_VERSION=${{ matrix.fedora_version }}
- IMAGE_FLAVOR=${{ matrix.image_flavor }}
-
- - name: Push to registry
- id: push
- if: github.event_name != 'pull_request'
- uses: redhat-actions/push-to-registry@v2
- with:
- image: ${{ steps.build.outputs.image }}
- tags: ${{ steps.build.outputs.tags }}
- registry: ${{ env.REGISTRY }}
- username: ${{ github.actor }}
- password: ${{ github.token }}
- extra-args: |
- --disable-content-trust
-
- - name: Login to registry
- if: github.event_name != 'pull_request'
- uses: docker/login-action@v3
- with:
- registry: ${{ env.REGISTRY }}
- username: ${{ github.actor }}
- password: ${{ github.token }}
-
- - name: Install cosign
- if: github.event_name == 'pull_request'
- uses: sigstore/cosign-installer@v3
-
- - name: Sign image
- if: github.event_name == 'pull_request'
- env:
- DIGEST: ${{ steps.push.outputs.digest }}
- TAGS: ${{ steps.build.outputs.tags }}
- run: |
- images=()
- for tag in "${TAGS[@]}"; do
- images+=("$tag@$DIGEST")
- done
- cosign sign --yes "${images[@]}"
+ uses: ./.github/workflows/build-image.yaml
+ with:
+ image_name: ${{ matrix.image_name }}
+ containerfile: ./Containerfile
+ context: .
+ extra_tags: |
+ ${{ matrix.fedora_version }}
+ build_args: |
+ FEDORA_VERSION=${{ matrix.fedora_version }}
+ IMAGE_FLAVOR=${{ matrix.image_flavor }}
nvidia:
- name: NVIDIA Image
- runs-on: ubuntu-latest
+ name: NVIDIA Images
needs: [akmods, base]
+ permissions:
+ contents: read
+ id-token: write
+ packages: write
+
strategy:
fail-fast: false
matrix:
include:
- - image_name: getchblue-nvidia
+ - image_flavor: getchblue
fedora_version: 39
- image_flavor: getchblue
nvidia_version: 535
- permissions:
- contents: read
- id-token: write
- packages: write
-
- steps:
- - uses: actions/checkout@v4
-
- - name: Extract metadata
- id: metadata
- uses: docker/metadata-action@v5
- with:
- images: |
- ${{ matrix.image_name }}
- tags: |
- type=sha
- type=ref,event=branch
- type=ref,event=pr
- type=schedule,pattern={{date 'YYYYMMDD'}}
-
- - name: Generate extra tags
- id: extra-tags
- env:
- IMAGE_NAME: ${{ matrix.image_name }}
- FEDORA_VERSION: ${{ matrix.fedora_version }}
- NVIDIA_VERSION: ${{ matrix.nvidia_version }}
- run: |
- timestamp="$(date +%Y%m%d)"
- tag="$IMAGE_NAME:$FEDORA_VERSION-$NVIDIA_VERSION"
- tags=("$tag" "$tag-$timestamp")
- echo "tags=${tags[*]}" >> "$GITHUB_OUTPUT"
-
- - name: Build image
- id: build
- uses: redhat-actions/buildah-build@v2
- with:
- containerfiles: |
- ./nvidia/Containerfile
- image: ${{ matrix.image_name }}
- context: ./nvidia
- tags: |
- ${{ steps.metadata.outputs.tags }}
- ${{ steps.extra-tags.outputs.tags }}
- labels: ${{ steps.metadata.outputs.labels }}
- build-args: |
- FEDORA_VERSION=${{ matrix.fedora_version }}
- IMAGE_FLAVOR=${{ matrix.image_flavor }}
-
- - name: Push to registry
- id: push
- if: github.event_name != 'pull_request'
- uses: redhat-actions/push-to-registry@v2
- with:
- image: ${{ steps.build.outputs.image }}
- tags: ${{ steps.build.outputs.tags }}
- registry: ${{ env.REGISTRY }}
- username: ${{ github.actor }}
- password: ${{ github.token }}
- extra-args: |
- --disable-content-trust
-
- - name: Login to registry
- if: github.event_name != 'pull_request'
- uses: docker/login-action@v3
- with:
- registry: ${{ env.REGISTRY }}
- username: ${{ github.actor }}
- password: ${{ github.token }}
-
- - name: Install cosign
- if: github.event_name == 'pull_request'
- uses: sigstore/cosign-installer@v3
-
- - name: Sign image
- if: github.event_name == 'pull_request'
- env:
- DIGEST: ${{ steps.push.outputs.digest }}
- TAGS: ${{ steps.build.outputs.tags }}
- run: |
- images=()
- for tag in "${TAGS[@]}"; do
- images+=("$tag@$DIGEST")
- done
- cosign sign --yes "${images[@]}"
+ uses: ./.github/workflows/build-image.yaml
+ with:
+ image_name: ${{ matrix.image_flavor }}-nvidia
+ containerfile: ./nvidia/Containerfile
+ context: ./nvidia
+ extra_tags: |
+ ${{ matrix.fedora_version }}-${{ matrix.nvidia_version }}
+ build_args: |
+ FEDORA_VERSION=${{ matrix.fedora_version }}
+ IMAGE_FLAVOR=${{ matrix.image_flavor }}
+ NVIDIA_VERSION=${{ matrix.nvidia_version }}