--- name: Reusable workflow to test container images on: workflow_call: inputs: registry: description: The registry to pull the images to test from. type: string required: true username: description: The username for authentication with the registry. type: string required: true image: description: The name of the image to pull from the registry for testing. type: string required: true image-tag: description: The tag of the image to pull from the registry for testing. type: string required: true environment: description: The Github environment to run this workflow on. type: string required: false ref: description: The commit, tag or branch to checkout for testing scripts. type: string default: master required: false secrets: token: description: The Github token or similar to authenticate with for the registry. required: true cosign_key: description: The optional Cosign key to use for verifying the images. required: false jobs: call-test-images-cosign-verify: name: Cosign verification of container image environment: ${{ inputs.environment }} runs-on: ubuntu-latest steps: - name: Install cosign uses: sigstore/cosign-installer@v2 - name: Log in to the Container registry uses: docker/login-action@v3 with: registry: ${{ inputs.registry }} username: ${{ inputs.username }} password: ${{ secrets.token }} # There is currently no way to verify a local image, e.g. for a particular architecture # https://github.com/sigstore/cosign/issues/60 - name: Verify image with a key # Only key-based verification currently if: ${{ env.COSIGN_PUBLIC_KEY }} run: | echo -e "${COSIGN_PUBLIC_KEY}" > /tmp/my_cosign.pub cosign verify --key /tmp/my_cosign.pub "$REGISTRY/$IMAGE_NAME:$IMAGE_TAG" rm -f /tmp/my_cosign.key shell: bash env: COSIGN_PUBLIC_KEY: ${{ secrets.cosign_key }} REGISTRY: ${{ inputs.registry }} IMAGE_NAME: ${{ inputs.image }} IMAGE_TAG: ${{ inputs.image-tag }} call-test-images-container-architecture: name: ${{ matrix.arch }} image architecture verification runs-on: ubuntu-latest environment: ${{ inputs.environment }} # Test as much as we can continue-on-error: true strategy: fail-fast: false matrix: arch: [ linux/amd64, linux/arm64, linux/arm/v7 ] include: # Rather than extract the specific central arch we just provide it - arch: linux/amd64 expected: amd64 - arch: linux/arm64 expected: arm64 - arch: linux/arm/v7 expected: arm steps: - name: Log in to the Container registry uses: docker/login-action@v3 with: registry: ${{ inputs.registry }} username: ${{ inputs.username }} password: ${{ secrets.token }} - name: Pull and extract architecture of image id: extract_arch run: | docker pull --platform=${{ matrix.arch }} "$REGISTRY/$IMAGE_NAME:$IMAGE_TAG" ACTUAL_ARCH=$(docker image inspect --format '{{.Architecture}}' "$REGISTRY/$IMAGE_NAME:$IMAGE_TAG") echo "ACTUAL_ARCH=$ACTUAL_ARCH" >> $GITHUB_OUTPUT docker image inspect "$REGISTRY/$IMAGE_NAME:$IMAGE_TAG" shell: bash env: REGISTRY: ${{ inputs.registry }} IMAGE_NAME: ${{ inputs.image }} IMAGE_TAG: ${{ inputs.image-tag }} - name: Validate architecture of image run: | if [[ "$ACTUAL_ARCH" != "$EXPECTED_ARCH" ]]; then echo "Invalid architecture for $REGISTRY/$IMAGE_NAME: $ACTUAL_ARCH != $EXPECTED_ARCH" exit 1 fi env: EXPECTED_ARCH: ${{ matrix.expected }} ACTUAL_ARCH: ${{ steps.extract_arch.outputs.ACTUAL_ARCH }} shell: bash call-test-images-container-smoke: # Ensure each architecture container runs up correctly with default configuration. name: ${{ matrix.arch }} smoke test for local container images runs-on: ubuntu-latest environment: ${{ inputs.environment }} # No point running if the architecture is incorrect needs: [ call-test-images-container-architecture ] continue-on-error: true strategy: fail-fast: false # verify all matrix: arch: [ linux/amd64, linux/arm64, linux/arm/v7 ] steps: - name: Checkout repository uses: actions/checkout@v4 with: ref: ${{ inputs.ref }} - name: Log in to the Container registry uses: docker/login-action@v3 with: registry: ${{ inputs.registry }} username: ${{ inputs.username }} password: ${{ secrets.token }} - name: Set up QEMU using standard action if: ${{ matrix.arch != 'linux/arm64' }} uses: docker/setup-qemu-action@v3 # Without this QEMU fails for ARM64 - name: Set up binary emulation for QEMU if: ${{ matrix.arch == 'linux/arm64' }} run: | docker run --privileged --rm tonistiigi/binfmt --install all - name: Verify platform is supported with Alpine container # We make sure there is not an inherent issue with this architecture on this runner run: | docker run --rm --platform=${{ matrix.arch }} alpine uname -a - name: Test the HTTP server is responding timeout-minutes: 10 run: | packaging/testing/smoke/container/container-smoke-test.sh shell: bash env: CONTAINER_NAME: local-smoke-${{ matrix.arch }} CONTAINER_ARCH: ${{ matrix.arch }} REGISTRY: ${{ inputs.registry }} IMAGE_NAME: ${{ inputs.image }} IMAGE_TAG: ${{ inputs.image-tag }} call-test-images-k8s-smoke: # No need to test every architecture here, that is covered by local container tests. # Testing helm chart deployment on KIND here. name: Helm chart test on KIND environment: ${{ inputs.environment }} runs-on: ubuntu-latest steps: - name: Checkout repository uses: actions/checkout@v4 with: ref: ${{ inputs.ref }} - name: Create k8s Kind Cluster uses: helm/kind-action@v1.8.0 - name: Set up Helm uses: azure/setup-helm@v3.5 with: version: v3.6.3 - name: Set up Kubectl uses: azure/setup-kubectl@v3.2 - name: Test the HTTP server is responding timeout-minutes: 5 run: | packaging/testing/smoke/k8s/k8s-smoke-test.sh shell: bash env: NAMESPACE: default REGISTRY: ${{ inputs.registry }} IMAGE_NAME: ${{ inputs.image }} IMAGE_TAG: ${{ inputs.image-tag }}