---
# Reusable (workflow_call) pipeline that builds, pushes, scans and signs the
# Fluent Bit container images. Every input below is supplied by the calling
# workflow; several of them (version, registry, image, unstable) end up inside
# `run:` shell steps further down, so callers must only ever pass trusted,
# maintainer-controlled values here -- never strings derived from a PR, issue
# or other user-controlled event payload.
name: Reusable workflow to build container images

on:
  workflow_call:
    inputs:
      version:
        # Used for the image tags, the RELEASE_VERSION build-arg, the schema
        # artifact name and the cosign `release=` annotation.
        description: The version of Fluent Bit to create.
        type: string
        required: true
      ref:
        # This is what gets checked out and built. Note the signing job
        # annotates with `github.sha` (the caller's commit), which may differ
        # from this ref -- see the comment in call-build-images-sign.
        description: The commit, tag or branch of Fluent Bit to checkout for building that creates the version above.
        type: string
        required: true
      registry:
        description: The registry to push container images to.
        type: string
        required: true
      username:
        description: The username for the registry.
        type: string
        required: true
      image:
        description: The name of the container image to push to the registry.
        type: string
        required: true
      environment:
        # Passed to every job's `environment:`; use it to scope the secrets
        # below (registry token, signing key) to a protected environment.
        description: The Github environment to run this workflow on.
        type: string
        required: false
      unstable:
        # Only feeds the FLB_NIGHTLY_BUILD build-arg. It does NOT change the
        # tags that are pushed: `latest` / `<major>` are applied regardless.
        description: Optionally add metadata to build to indicate an unstable build, set to the contents you want to add.
        type: string
        required: false
        default: ""
    secrets:
      token:
        # Used as the registry password in every job, including the read-only
        # scan/schema jobs; a scoped packages:write token is sufficient.
        description: The Github token or similar to authenticate with for the registry.
        required: true
      cosign_private_key:
        # When absent only the keyless (Fulcio/Rekor) signature is produced.
        # Both signing steps are `continue-on-error`, so a missing or broken
        # key does not fail the workflow -- an unsigned image can be published.
        description: The optional Cosign key to use for signing the images.
        required: false
      cosign_private_key_password:
        description: If the Cosign key requires a password then specify here, otherwise not required.
        required: false
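jobs:
  call-build-images-meta:
    name: Extract any supporting metadata
    outputs:
      # The output is still called `replaced` (the name the previous
      # third-party action produced) so downstream jobs are unchanged.
      major-version: ${{ steps.determine-major-version.outputs.replaced }}
    runs-on: ubuntu-latest
    environment: ${{ inputs.environment }}
    permissions:
      contents: read
    steps:
      # NOTE(review): nothing in this job reads the checked-out tree; the
      # checkout is kept for compatibility but could be dropped.
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          ref: ${{ inputs.ref }}

      # For main branch/releases we want to tag with the major version.
      # E.g. if we build version 1.9.2 we want to tag with 1.9.2 and 1.9.
      #
      # Done in plain bash rather than via a marketplace action: it is a
      # one-line regex, and every extra `uses:` is another supply-chain
      # dependency executing in this job. The input is passed through `env`,
      # not interpolated into the script, so it cannot inject shell.
      - name: Determine major version tag
        id: determine-major-version
        env:
          VERSION: ${{ inputs.version }}
        shell: bash
        run: |
          set -euo pipefail
          re='^([0-9]+\.[0-9]+)'
          if [[ "$VERSION" =~ $re ]]; then
            major="${BASH_REMATCH[1]}"
          else
            # Same as the old action's behaviour: no match leaves the string as-is.
            major="$VERSION"
          fi
          echo "replaced=${major}" >> "$GITHUB_OUTPUT"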
  # This is the intended approach to multi-arch image and all the other checks scanning,
  # signing, etc only trigger from this.
  #
  # The two `digest` outputs are the manifest-list digests that buildx pushed;
  # downstream jobs should address the images by these digests rather than by
  # the (mutable) tags so that they scan/sign exactly what was built here.
  call-build-images:
    needs:
      - call-build-images-meta
    name: Multiarch container images to GHCR
    runs-on: ubuntu-latest
    environment: ${{ inputs.environment }}
    permissions:
      contents: read
      packages: write
    outputs:
      production-digest: ${{ steps.build_push.outputs.digest }}
      debug-digest: ${{ steps.debug_build_push.outputs.digest }}
    steps:
      - name: Checkout code for modern style builds
        uses: actions/checkout@v4
        with:
          ref: ${{ inputs.ref }}

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      # `secrets.token` is the registry password; with packages:write it can
      # overwrite any tag of this image, so keep it scoped to this workflow.
      - name: Log in to the Container registry
        uses: docker/login-action@v3
        with:
          registry: ${{ inputs.registry }}
          username: ${{ inputs.username }}
          password: ${{ secrets.token }}

      # Tags are applied unconditionally: `latest` and `<major>` are moved to
      # this build even when `inputs.unstable` is set. Callers that build
      # nightlies must therefore point `registry`/`image` at a separate
      # repository if they do not want `latest` re-pointed.
      - name: Extract metadata from Github
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ inputs.registry }}/${{ inputs.image }}
          tags: |
            raw,${{ inputs.version }}
            raw,${{ needs.call-build-images-meta.outputs.major-version }}
            raw,latest

      # Inputs are consumed through `with:` here (not a shell script), so no
      # shell interpolation of caller-supplied values takes place.
      - name: Build the production images
        id: build_push
        uses: docker/build-push-action@v5
        with:
          file: ./dockerfiles/Dockerfile
          context: .
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          platforms: linux/amd64, linux/arm64, linux/arm/v7
          target: production
          # Must be disabled to provide legacy format images from the registry
          # NOTE(review): this also disables buildx's SLSA provenance
          # attestation, so the cosign signatures produced later are the only
          # supply-chain evidence attached to these images.
          provenance: false
          push: true
          load: false
          build-args: |
            FLB_NIGHTLY_BUILD=${{ inputs.unstable }}
            RELEASE_VERSION=${{ inputs.version }}

      # Same image name, `-debug` suffixed tags.
      - id: debug-meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ inputs.registry }}/${{ inputs.image }}
          tags: |
            raw,${{ inputs.version }}-debug
            raw,${{ needs.call-build-images-meta.outputs.major-version }}-debug
            raw,latest-debug

      # Built from the same Dockerfile/context with the `debug` target; the
      # debug digest is signed below but is not scanned by Trivy/Dockle.
      - name: Build the debug multi-arch images
        id: debug_build_push
        uses: docker/build-push-action@v5
        with:
          file: ./dockerfiles/Dockerfile
          context: .
          tags: ${{ steps.debug-meta.outputs.tags }}
          labels: ${{ steps.debug-meta.outputs.labels }}
          platforms: linux/amd64, linux/arm64, linux/arm/v7
          # Must be disabled to provide legacy format images from the registry
          provenance: false
          target: debug
          push: true
          load: false
          build-args: |
            FLB_NIGHTLY_BUILD=${{ inputs.unstable }}
            RELEASE_VERSION=${{ inputs.version }}

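  call-build-images-generate-schema:
    needs:
      - call-build-images-meta
      - call-build-images
    name: Generate and upload the configuration schema
    runs-on: ubuntu-latest
    environment: ${{ inputs.environment }}
    permissions:
      contents: read
      packages: read
    steps:
      - name: Log in to the Container registry
        uses: docker/login-action@v3
        with:
          registry: ${{ inputs.registry }}
          username: ${{ inputs.username }}
          password: ${{ secrets.token }}

      # Run the image this workflow run actually built, addressed by the digest
      # the build job emitted rather than by the version tag: a tag is mutable
      # and could be re-pointed between the push and this pull. Caller inputs
      # are passed through `env` so they are never interpolated into the
      # script. The container is run with the default (non-root) user and
      # no host mounts; it only needs to print its own schema.
      - name: Generate schema
        env:
          IMAGE_REF: ${{ inputs.registry }}/${{ inputs.image }}@${{ needs.call-build-images.outputs.production-digest }}
          VERSION: ${{ inputs.version }}
        shell: bash
        run: |
          set -euo pipefail
          docker run --rm -t "$IMAGE_REF" -J > "fluent-bit-schema-${VERSION}.json"
          # `jq -M .` is the same identity filter as the original `cat | jq -M`.
          jq -M . < "fluent-bit-schema-${VERSION}.json" > "fluent-bit-schema-pretty-${VERSION}.json"

      # NOTE(review): actions/upload-artifact@v3 has been deprecated upstream;
      # when bumping to v4, artifact names must be unique per workflow run
      # (this one already includes the version, so it should be fine).
      - name: Upload the schema
        uses: actions/upload-artifact@v3
        with:
          path: ./fluent-bit-schema*.json
          name: fluent-bit-schema-${{ inputs.version }}
          if-no-files-found: error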
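  call-build-images-scan:
    needs:
      - call-build-images-meta
      - call-build-images
    name: Trivy + Dockle image scan
    runs-on: ubuntu-latest
    environment: ${{ inputs.environment }}
    permissions:
      contents: read
      packages: read
    # Scan the exact manifest the build job pushed (by digest, not by the
    # mutable version tag). Be aware of what this job does and does not gate:
    # the images are already public by the time it runs (`push: true` in the
    # build job) and call-build-images-sign does not `need` this job, so a
    # failing scan turns the run red but blocks neither publication nor
    # signing. Only the production image is scanned, not the -debug one and
    # not the Windows images.
    env:
      IMAGE_REF: ${{ inputs.registry }}/${{ inputs.image }}@${{ needs.call-build-images.outputs.production-digest }}
    steps:
      - name: Log in to the Container registry
        uses: docker/login-action@v3
        with:
          registry: ${{ inputs.registry }}
          username: ${{ inputs.username }}
          password: ${{ secrets.token }}

      # TODO(review): `@master` is a mutable ref, which makes the scanner
      # itself an unpinned supply-chain dependency running in this job; pin it
      # to a release tag or a commit SHA. Also note `ignore-unfixed: true`
      # means findings without an upstream fix never fail the job, and only
      # CRITICAL/HIGH severities are considered.
      - name: Trivy - multi-arch
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ env.IMAGE_REF }}
          format: "table"
          exit-code: "1"
          ignore-unfixed: true
          vuln-type: "os,library"
          severity: "CRITICAL,HIGH"

      - name: Dockle - multi-arch
        uses: hands-lab/dockle-action@v1
        with:
          image: ${{ env.IMAGE_REF }}
          exit-code: "1"
          exit-level: WARN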
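  call-build-images-sign:
    needs:
      - call-build-images-meta
      - call-build-images
    # NOTE(review): this job waits only on the build, not on
    # call-build-images-scan, so images are signed (and were already pushed)
    # even when Trivy/Dockle fail. Add the scan job to `needs` if a signature
    # is meant to attest that the image passed scanning.
    name: Deploy and sign multi-arch container image manifests
    permissions:
      contents: read
      packages: write
      # This is used to complete the identity challenge
      # with sigstore/fulcio when running outside of PRs.
      id-token: write
    runs-on: ubuntu-latest
    environment: ${{ inputs.environment }}
    # Shared by both signing steps. Caller-supplied inputs go through env
    # rather than being interpolated into the scripts, and the digests are the
    # exact manifests the build job pushed, so nothing is ever signed by tag.
    #
    # NOTE(review): `BUILD_SHA` is `github.sha`, i.e. the caller's commit. In a
    # reusable workflow that may differ from `inputs.ref`, which is what was
    # actually checked out and built; consider also annotating with the ref.
    env:
      IMAGE: ${{ inputs.registry }}/${{ inputs.image }}
      PRODUCTION_DIGEST: ${{ needs.call-build-images.outputs.production-digest }}
      DEBUG_DIGEST: ${{ needs.call-build-images.outputs.debug-digest }}
      RELEASE_VERSION: ${{ inputs.version }}
      REPO: ${{ github.repository }}
      BUILD_SHA: ${{ github.sha }}
      WORKFLOW_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
    steps:
      - name: Install cosign
        uses: sigstore/cosign-installer@v2

      # Fail loudly if the build job did not emit both digests: with an empty
      # digest the references below would be malformed, and because the signing
      # steps are `continue-on-error` that failure would otherwise be silent.
      - name: Check the digests to sign are present
        shell: bash
        run: |
          set -euo pipefail
          if [[ -z "$PRODUCTION_DIGEST" || -z "$DEBUG_DIGEST" ]]; then
            echo "::error::call-build-images did not emit both image digests; refusing to sign"
            exit 1
          fi

      - name: Cosign keyless signing using Rektor public transparency log
        # This step uses the identity token to provision an ephemeral certificate
        # against the sigstore community Fulcio instance, and records it to the
        # sigstore community Rekor transparency log.
        #
        # We use recursive signing on the manifest to cover all the images.
        shell: bash
        run: |
          set -euo pipefail
          cosign sign --recursive \
            -a "repo=${REPO}" \
            -a "workflow=${WORKFLOW_URL}" \
            -a "ref=${BUILD_SHA}" \
            -a "release=${RELEASE_VERSION}" \
            "${IMAGE}@${PRODUCTION_DIGEST}" \
            "${IMAGE}@${DEBUG_DIGEST}"
        # Ensure we move on to key-based signing as well.
        # NOTE(review): this also means a failed keyless signature does not
        # fail the workflow; an unsigned image can be published silently.
        continue-on-error: true
        env:
          COSIGN_EXPERIMENTAL: "true"

      - name: Cosign with a key
        # Only run if we have a key defined
        if: ${{ env.COSIGN_PRIVATE_KEY }}
        # The key needs to cope with newlines, so it is materialised to a file
        # (`echo -e` expands the escaped newlines the secret is stored with).
        # The file is created under a restrictive umask -- the runner default
        # (022) would leave a private key world-readable -- at a mktemp path,
        # and removed on every exit path via the trap, not only on success.
        shell: bash
        run: |
          set -euo pipefail
          umask 077
          key_file="$(mktemp)"
          trap 'rm -f "$key_file"' EXIT
          echo -e "${COSIGN_PRIVATE_KEY}" > "$key_file"
          cosign sign --key "$key_file" --recursive \
            -a "repo=${REPO}" \
            -a "workflow=${WORKFLOW_URL}" \
            -a "ref=${BUILD_SHA}" \
            -a "release=${RELEASE_VERSION}" \
            "${IMAGE}@${PRODUCTION_DIGEST}" \
            "${IMAGE}@${DEBUG_DIGEST}"
        # NOTE(review): as above, a failed key-based signature is not fatal.
        continue-on-error: true
        env:
          COSIGN_PRIVATE_KEY: ${{ secrets.cosign_private_key }}
          COSIGN_PASSWORD: ${{ secrets.cosign_private_key_password }} # optional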
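  # This takes a long time...
  #
  # NOTE(review): unlike the Linux images, the Windows images are neither
  # scanned nor signed: the scan and sign jobs only consume the digests
  # emitted by call-build-images, and this job emits none.
  call-build-windows-container:
    name: Windows container images
    runs-on: windows-${{ matrix.windows-base-version }}
    environment: ${{ inputs.environment }}
    needs:
      - call-build-images-meta
    strategy:
      fail-fast: true
      matrix:
        windows-base-version:
          - '2019'
          - '2022'
    permissions:
      contents: read
      packages: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          ref: ${{ inputs.ref }}

      - name: Log in to the Container registry
        uses: docker/login-action@v3
        with:
          registry: ${{ inputs.registry }}
          username: ${{ inputs.username }}
          password: ${{ secrets.token }}

      # The tag and build-args come in via `env` so caller-supplied inputs are
      # not interpolated into the script. The shell is pinned to pwsh (the
      # runner default on Windows) because the exit-code check below is
      # PowerShell-specific.
      - name: Build the production images
        env:
          IMAGE_TAG: ${{ inputs.registry }}/${{ inputs.image }}:windows-${{ matrix.windows-base-version }}-${{ inputs.version }}
          FLB_NIGHTLY_BUILD: ${{ inputs.unstable }}
          WINDOWS_VERSION: ltsc${{ matrix.windows-base-version }}
        shell: pwsh
        run: |
          docker build -t "$env:IMAGE_TAG" --build-arg "FLB_NIGHTLY_BUILD=$env:FLB_NIGHTLY_BUILD" --build-arg "WINDOWS_VERSION=$env:WINDOWS_VERSION" -f ./dockerfiles/Dockerfile.windows .
          # pwsh does not stop on a failing native command: never push when the
          # build failed (a stale local image with this tag could otherwise go out).
          if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
          docker push "$env:IMAGE_TAG"

        # We cannot use this action as it requires privileged mode
        # uses: docker/build-push-action@v5
        # with:
        #   file: ./dockerfiles/Dockerfile.windows
        #   context: .
        #   tags: ${{ steps.meta.outputs.tags }}
        #   labels: ${{ steps.meta.outputs.labels }}
        #   platforms: windows/amd64
        #   target: runtime
        #   push: true
        #   load: false
        #   build-args: |
        #     FLB_NIGHTLY_BUILD=${{ inputs.unstable }}
        #     WINDOWS_VERSION=ltsc2019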