diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e3a7817..6a31530 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -11,8 +11,7 @@ permissions: name: Build jobs: build-amd64: - runs-on: - labels: runs-on,runner=4cpu-linux-x64,run-id=${{ github.run_id }} + runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@v4 @@ -43,30 +42,3 @@ jobs: if: always() with: sarif_file: 'trivy-results.sarif' - - build-arm64: - runs-on: - labels: runs-on,runner=4cpu-linux-arm64,run-id=${{ github.run_id }} - steps: - - name: Check out code - uses: actions/checkout@v4 - - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Set the TAG value - id: get-TAG - run: | - echo "$(make -s log | grep TAG)" >> "$GITHUB_ENV" - - name: Build container image - uses: docker/build-push-action@v6 - with: - context: . - push: false - tags: rancher/hardened-calico:${{ env.TAG }}-arm64 - file: Dockerfile - outputs: type=docker - platforms: linux/arm64 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b250453..124658b 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -10,7 +10,7 @@ jobs: permissions: contents: read id-token: write - runs-on: runs-on,runner=4cpu-linux-x64,run-id=${{ github.run_id }} + runs-on: ubuntu-latest outputs: digest: ${{ steps.digest.outputs.digest }} steps: @@ -24,6 +24,11 @@ jobs: echo "$(make -s log | grep ARCH)" >> "$GITHUB_ENV" echo "$(make -s log | grep REGISTRY_IMAGE)" >> "$GITHUB_ENV" + - name: Print ENV values + id: print_Envs + run: | + echo "$GITHUB_ENV" + - name: Docker meta id: meta-amd64 uses: docker/metadata-action@v5 
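Review bot: `id-token: write`, two context lines above the changed `runs-on` in release.yml, has no remaining consumer once this commit replaces the `rancher-eio/read-vault-secrets@main` step with a plain `run:` step, so the job (presumably `build-amd64-digest`, given the `needs:` list later in the diff) now requests an OIDC token it never uses. Least privilege suggests trimming the block to `permissions:` / `contents: read` in the same commit that removes the Vault read; the `build-arm64-digest` job that carried the same permissions is deleted outright, so this is the only place left to fix it. The job body continues outside this hunk.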
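Review bot: The new "Print ENV values" step runs `echo "$GITHUB_ENV"`, which prints the path of the runner's environment file, not the values the previous step wrote into it, so it does not do what its name says. If it is a debugging aid it should be dropped before merge; if the intent is to show the computed values, echo them explicitly, e.g. `echo "TAG=$TAG ARCH=$ARCH REGISTRY_IMAGE=$REGISTRY_IMAGE"`, rather than switching to `cat "$GITHUB_ENV"`, because the later "Read secrets" step in the same job appends registry credentials to that file and a copied or reordered `cat` would print them (log masking is best-effort). The same step is added to the manifest job in hunk `@@ -141,21 +86,25 @@`.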
@@ -31,14 +36,13 @@ jobs: images: ${{ env.REGISTRY_IMAGE }} - name: "Read secrets" - uses: rancher-eio/read-vault-secrets@main - with: - secrets: | - secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | DOCKER_USERNAME ; - secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_PASSWORD ; - secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ; - secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials username | PRIME_REGISTRY_USERNAME ; - secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD + run: | + echo "DOCKER_USERNAME=mgfritch" >> $GITHUB_ENV + echo "DOCKER_PASSWORD=${{ secrets.DOCKER_PASSWORD }}" >> $GITHUB_ENV + echo "PRIME_REGISTRY_USERNAME=mgfritch" >> $GITHUB_ENV + echo "PRIME_REGISTRY_PASSWORD=${{ secrets.PRIME_REGISTRY_PASSWORD }}" >> $GITHUB_ENV + echo "PUBLIC_REGISTRY=docker.io" >> $GITHUB_ENV + echo "PRIME_REGISTRY=ghcr.io" >> $GITHUB_ENV - name: Build and push container image id: build-amd64 
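Review bot: The two `echo "DOCKER_PASSWORD=${{ secrets.DOCKER_PASSWORD }}" >> $GITHUB_ENV` and `PRIME_REGISTRY_PASSWORD` lines export both registry passwords as environment variables to every subsequent step of the job, including the third-party `publish-image@master` action, yet the next hunk switches the `with:` block to read `secrets.DOCKER_PASSWORD` and `secrets.PRIME_REGISTRY_PASSWORD` directly, so nothing visible in this diff reads `env.DOCKER_PASSWORD` or `env.PRIME_REGISTRY_PASSWORD` any more; the writes are dead and only widen exposure. Inlining `${{ secrets.* }}` into a shell script is also fragile (a password containing `"` or `$` breaks or expands), so if a secret ever has to reach a script, pass it through the step's `env:` map instead. The remaining non-secret assignments should quote `"$GITHUB_ENV"` like the existing "Set the ENV values" step, and the step name "Read secrets" no longer describes what it does. The identical step in hunk `@@ -141,21 +86,25 @@` needs the same treatment; the hardcoded `mgfritch` values look fork-specific, which is worth confirming before this reaches a shared branch.

```yaml
      - name: Set registry values
        run: |
          echo "DOCKER_USERNAME=mgfritch" >> "$GITHUB_ENV"
          echo "PRIME_REGISTRY_USERNAME=mgfritch" >> "$GITHUB_ENV"
          echo "PUBLIC_REGISTRY=docker.io" >> "$GITHUB_ENV"
          echo "PRIME_REGISTRY=ghcr.io" >> "$GITHUB_ENV"
      # … unchanged: Build and push container image step …
```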
@@ -50,73 +54,15 @@ jobs: tag: ${{ github.event.release.tag_name }} platforms: linux/amd64 - public-repo: rancher + public-repo: mgfritch + public-registry: ${{ env.PUBLIC_REGISTRY }} public-username: ${{ env.DOCKER_USERNAME }} - public-password: ${{ env.DOCKER_PASSWORD }} + public-password: ${{ secrets.DOCKER_PASSWORD }} - prime-repo: rancher + prime-repo: mgfritch prime-registry: ${{ env.PRIME_REGISTRY }} prime-username: ${{ env.PRIME_REGISTRY_USERNAME }} - prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }} - - - name: Digest - id: digest - run: | - IMAGE_DIGEST=$(jq -r '.["containerimage.digest"]' /tmp/metadata.json) - echo "digest=$IMAGE_DIGEST" >> "$GITHUB_OUTPUT" - - build-arm64-digest: - permissions: - contents: read - id-token: write - runs-on: runs-on,runner=4cpu-linux-arm64,run-id=${{ github.run_id }} - outputs: - digest: ${{ steps.digest.outputs.digest }} - steps: - - name: Check out code - uses: actions/checkout@v4 - - - name: Set the ENV values - id: get-Envs - run: | - echo "$(make -s log | grep TAG)" >> "$GITHUB_ENV" - echo "$(make -s log | grep ARCH)" >> "$GITHUB_ENV" - echo "$(make -s log | grep REGISTRY_IMAGE)" >> "$GITHUB_ENV" - - - name: Docker meta - id: meta-arm64 - uses: docker/metadata-action@v5 - with: - images: ${{ env.REGISTRY_IMAGE }} - - - name: "Read secrets" - uses: rancher-eio/read-vault-secrets@main - with: - secrets: | - secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | DOCKER_USERNAME ; - secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_PASSWORD ; - secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ; - secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials username | PRIME_REGISTRY_USERNAME ; - secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD 
- - - name: Build and push container image - id: build-arm64 - uses: rancher/ecm-distro-tools/actions/publish-image@master - env: - META_LABELS: ${{ steps.meta-arm64.outputs.labels }} - with: - image: hardened-calico - tag: ${{ github.event.release.tag_name }} - platforms: linux/arm64 - - public-repo: rancher - public-username: ${{ env.DOCKER_USERNAME }} - public-password: ${{ env.DOCKER_PASSWORD }} - - prime-repo: rancher - prime-registry: ${{ env.PRIME_REGISTRY }} - prime-username: ${{ env.PRIME_REGISTRY_USERNAME }} - prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }} + prime-password: ${{ secrets.PRIME_REGISTRY_PASSWORD }} - name: Digest id: digest @@ -131,7 +77,6 @@ jobs: runs-on: ubuntu-latest needs: - build-amd64-digest - - build-arm64-digest steps: - name: Check out code uses: actions/checkout@v4 
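Review bot: `public-registry: ${{ env.PUBLIC_REGISTRY }}` is a new input to `rancher/ecm-distro-tools/actions/publish-image@master`, and nothing in this diff shows that the action declares it; an input the action does not define only produces a warning in Actions and is silently ignored, so the image would go to the action's default registry rather than `docker.io` — confirm against the action's metadata before relying on it. The same job now sources usernames and registries from `env.*` but passwords from `secrets.*`, which is two conventions for one `with:` block; a job-level `env:` for the non-secret values would let the "Read secrets" `run:` step go away entirely. Hunk `@@ -163,20 +112,21 @@` makes the same `public-registry`/`secrets.*` change in the manifest job. The job definition continues outside this hunk.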
@@ -141,21 +86,25 @@ jobs: run: | echo "$(make -s log | grep REGISTRY_IMAGE)" >> "$GITHUB_ENV" + - name: Print ENV values + id: print_Envs + run: | + echo "$GITHUB_ENV" + - name: Docker meta id: meta uses: docker/metadata-action@v5 with: - images: ${{ env.REGISTRY_IMAGE }} + images: ${{ env.REGISTRY_IMAGE }} - name: "Read secrets" - uses: rancher-eio/read-vault-secrets@main - with: - secrets: | - secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | DOCKER_USERNAME ; - secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_PASSWORD ; - secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ; - secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials username | PRIME_REGISTRY_USERNAME ; - secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD + run: | + echo "DOCKER_USERNAME=mgfritch" >> $GITHUB_ENV + echo "DOCKER_PASSWORD=${{ secrets.DOCKER_PASSWORD }}" >> $GITHUB_ENV + echo "PRIME_REGISTRY_USERNAME=mgfritch" >> $GITHUB_ENV + echo "PRIME_REGISTRY_PASSWORD=${{ secrets.PRIME_REGISTRY_PASSWORD }}" >> $GITHUB_ENV + echo "PUBLIC_REGISTRY=docker.io" >> $GITHUB_ENV + echo "PRIME_REGISTRY=ghcr.io" >> $GITHUB_ENV - name: Create manifest list and push id: push-manifest 
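Review bot: The `images: ${{ env.REGISTRY_IMAGE }}` line under the "Docker meta" step is removed and re-added with text that reads as identical, so this appears to be a whitespace-only change (indentation or trailing spaces cannot be told apart in this view). If it introduces trailing whitespace it should be reverted; if it only re-indents, it is unrelated noise in a commit that otherwise changes credential handling and is better split out. The step's `with:` block continues into the following lines of the hunk.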
@@ -163,20 +112,21 @@ jobs: env: DOCKER_METADATA_OUTPUT_JSON: ${{ steps.meta.outputs.json }} REGISTRY_IMAGE: ${{ env.REGISTRY_IMAGE }} - IMAGE_DIGESTS: ${{ needs.build-amd64-digest.outputs.digest }} ${{ needs.build-arm64-digest.outputs.digest }} + IMAGE_DIGESTS: ${{ needs.build-amd64-digest.outputs.digest }} with: make-target: manifest-push image: hardened-calico tag: ${{ github.event.release.tag_name }} - public-repo: rancher + public-repo: mgfritch + public-registry: ${{ env.PUBLIC_REGISTRY }} public-username: ${{ env.DOCKER_USERNAME }} - public-password: ${{ env.DOCKER_PASSWORD }} + public-password: ${{ secrets.DOCKER_PASSWORD }} - prime-repo: rancher + prime-repo: mgfritch prime-registry: ${{ env.PRIME_REGISTRY }} prime-username: ${{ env.PRIME_REGISTRY_USERNAME }} - prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }} + prime-password: ${{ secrets.PRIME_REGISTRY_PASSWORD }} - name: Inspect image run: |
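Review bot: `IMAGE_DIGESTS` now carries only `needs.build-amd64-digest.outputs.digest`, so `make-target: manifest-push` will publish a single-architecture manifest list under the release tag; if anything pulls `hardened-calico` on arm64 it will stop resolving (inferred from the deleted `build-arm64` and `build-arm64-digest` jobs elsewhere in this diff, not from the make target, which is not shown). If dropping arm64 is intentional, say so next to the variable, e.g. `# arm64 digest removed with the build-arm64-digest job; manifest is amd64-only`, so the single-entry list is not mistaken for a bug; if it is a temporary fork workaround, the arm64 digest should come back before release. The `public-registry` input and `secrets.*` passwords here have the same open questions as the amd64 job.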