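---
# Release pipeline for the zot OCI images: build per-arch images, assemble
# multiarch manifests, smoke-test and Trivy-scan what was published, then
# (for non-rc releases) bump the Helm chart in project-zot/helm-charts.
on:  # yamllint disable-line rule:truthy
  release:
    types:
      - published

name: Publish OCI images

# Workflow-wide default is read-only; every job below grants only the
# scopes it actually needs.
permissions: read-all

jobs:
  push-singlearch-image:
    name: Push single arch OCI images to GitHub Packages
    runs-on: ubuntu-22.04
    permissions:
      contents: read
      packages: write
    strategy:
      matrix:
        os: [linux, freebsd]
        arch: [amd64, arm64]
    steps:
      - name: Setup base image
        # Matrix values are handed to the script through env instead of being
        # interpolated into the shell text, so they are always quoted.
        env:
          OS: ${{ matrix.os }}
          ARCH: ${{ matrix.arch }}
        run: |
          if [ "${OS}" = 'freebsd' ]; then
            echo "BASE_IMAGE=freebsd/freebsd-static:14.3" >> "$GITHUB_ENV"
          else
            echo "BASE_IMAGE=gcr.io/distroless/base-nossl-debian13:latest-${ARCH}" >> "$GITHUB_ENV"
          fi

      - name: Check out the repo
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - name: Log in to GitHub Docker Registry
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # NOTE(review): every release, including rc pre-releases, also moves the
      # 'latest' tag below (the Helm job excludes rc tags) — confirm intended.
      - name: Build and push zot container image
        uses: project-stacker/stacker-build-push-action@093acb5ad50bed0012616f46fdba73a8a7169db7 # main
        with:
          version: v1.1.0-rc3
          file: 'build/stacker.yaml'
          build-args: |
            RELEASE_TAG=${{ github.event.release.tag_name }}
            COMMIT=${{ github.event.release.tag_name }}-${{ github.sha }}
            OS=${{ matrix.os }}
            ARCH=${{ matrix.arch }}
            REPO_NAME=zot-${{ matrix.os }}-${{ matrix.arch }}
            BASE_IMAGE=${{ env.BASE_IMAGE }}
          url: docker://ghcr.io/${{ github.repository_owner }}
          tags: ${{ github.event.release.tag_name }} latest
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and push zot-minimal container image
        uses: project-stacker/stacker-build-push-action@093acb5ad50bed0012616f46fdba73a8a7169db7 # main
        with:
          version: v1.1.0-rc3
          file: 'build/stacker-minimal.yaml'
          build-args: |
            RELEASE_TAG=${{ github.event.release.tag_name }}
            COMMIT=${{ github.event.release.tag_name }}-${{ github.sha }}
            OS=${{ matrix.os }}
            ARCH=${{ matrix.arch }}
            EXT=-minimal
            REPO_NAME=zot-minimal-${{ matrix.os }}-${{ matrix.arch }}
            BASE_IMAGE=${{ env.BASE_IMAGE }}
          url: docker://ghcr.io/${{ github.repository_owner }}
          tags: ${{ github.event.release.tag_name }} latest
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and push zot-exporter container image
        uses: project-stacker/stacker-build-push-action@093acb5ad50bed0012616f46fdba73a8a7169db7 # main
        with:
          version: v1.1.0-rc3
          file: 'build/stacker-zxp.yaml'
          build-args: |
            RELEASE_TAG=${{ github.event.release.tag_name }}
            COMMIT=${{ github.event.release.tag_name }}-${{ github.sha }}
            OS=${{ matrix.os }}
            ARCH=${{ matrix.arch }}
            REPO_NAME=zxp-${{ matrix.os }}-${{ matrix.arch }}
            BASE_IMAGE=${{ env.BASE_IMAGE }}
          url: docker://ghcr.io/${{ github.repository_owner }}
          tags: ${{ github.event.release.tag_name }} latest
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and push zb container image
        uses: project-stacker/stacker-build-push-action@093acb5ad50bed0012616f46fdba73a8a7169db7 # main
        with:
          version: v1.1.0-rc3
          file: 'build/stacker-zb.yaml'
          build-args: |
            RELEASE_TAG=${{ github.event.release.tag_name }}
            COMMIT=${{ github.event.release.tag_name }}-${{ github.sha }}
            OS=${{ matrix.os }}
            ARCH=${{ matrix.arch }}
            REPO_NAME=zb-${{ matrix.os }}-${{ matrix.arch }}
            BASE_IMAGE=${{ env.BASE_IMAGE }}
          url: docker://ghcr.io/${{ github.repository_owner }}
          tags: ${{ github.event.release.tag_name }} latest
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

  push-multiarch-image:
    name: Push multiarch OCI images to GitHub Packages
    needs: push-singlearch-image
    runs-on: ubuntu-22.04
    permissions:
      contents: read
      packages: write
    strategy:
      matrix:
        image: [zot, zot-minimal, zxp, zb]
    steps:
      - name: Check out the repo
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - name: Log in to GitHub Docker Registry
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Run build
        # Release tag and matrix image reach the script via env, never via
        # expression interpolation into the shell text.
        run: |
          echo "Building multiarch image for ${IMAGE}"
          cd $GITHUB_WORKSPACE
          make check-blackbox-prerequisites
          export PATH=${PATH}:${GITHUB_WORKSPACE}/hack/tools/bin
          ./scripts/build_multiarch_image.sh --registry ghcr.io/${GITHUB_REPOSITORY_OWNER} \
            --source-tag ${GITHUB_EVENT_RELEASE_TAG_NAME} \
            --destination-tags "${GITHUB_EVENT_RELEASE_TAG_NAME} latest" \
            --file build/multiarch-${IMAGE}.json
        env:
          GITHUB_EVENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
          IMAGE: ${{ matrix.image }}

  test-image:
    name: Test OCI images published to GitHub Packages
    needs: push-multiarch-image
    runs-on: ubuntu-22.04
    permissions:
      packages: read
    steps:
      - name: Log in to GitHub Docker Registry
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Each smoke test starts the published image, waits for the registry
      # endpoint to answer, then stops the container.
      - name: Run zot container image with docker
        run: |
          docker run -d -p 5000:5000 ghcr.io/${GITHUB_REPOSITORY_OWNER}/zot:${GITHUB_EVENT_RELEASE_TAG_NAME}
          sleep 2
          curl --connect-timeout 5 \
            --max-time 10 \
            --retry 12 \
            --retry-max-time 360 \
            --retry-connrefused \
            'http://localhost:5000/v2/'
          docker kill $(docker ps -q)
        env:
          GITHUB_EVENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}

      - name: Run zot container image with podman
        run: |
          podman run -d -p 5000:5000 ghcr.io/${GITHUB_REPOSITORY_OWNER}/zot:${GITHUB_EVENT_RELEASE_TAG_NAME}
          sleep 2
          curl --connect-timeout 5 \
            --max-time 10 \
            --retry 12 \
            --retry-max-time 360 \
            --retry-connrefused \
            'http://localhost:5000/v2/'
          podman kill --all
        env:
          GITHUB_EVENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}

      - name: Run zot-minimal container image with docker
        run: |
          docker run -d -p 5000:5000 ghcr.io/${GITHUB_REPOSITORY_OWNER}/zot-minimal:${GITHUB_EVENT_RELEASE_TAG_NAME}
          sleep 2
          curl --connect-timeout 5 \
            --max-time 10 \
            --retry 12 \
            --retry-max-time 360 \
            --retry-connrefused \
            'http://localhost:5000/v2/'
          docker kill $(docker ps -q)
        env:
          GITHUB_EVENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}

      - name: Run zot-minimal container image with podman
        run: |
          podman run -d -p 5000:5000 ghcr.io/${GITHUB_REPOSITORY_OWNER}/zot-minimal:${GITHUB_EVENT_RELEASE_TAG_NAME}
          sleep 2
          curl --connect-timeout 5 \
            --max-time 10 \
            --retry 12 \
            --retry-max-time 360 \
            --retry-connrefused \
            'http://localhost:5000/v2/'
          podman kill --all
        env:
          GITHUB_EVENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}

      # The exporter serves metrics on 5001 rather than the registry API.
      - name: Run zot-exporter container image with docker
        run: |
          docker run -d -p 5001:5001 ghcr.io/${GITHUB_REPOSITORY_OWNER}/zxp:${GITHUB_EVENT_RELEASE_TAG_NAME}
          sleep 2
          curl --connect-timeout 5 \
            --max-time 10 \
            --retry 12 \
            --retry-max-time 360 \
            --retry-connrefused \
            'http://localhost:5001/metrics'
          docker kill $(docker ps -q)
        env:
          GITHUB_EVENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}

      - name: Run zot-exporter container image with podman
        run: |
          podman run -d -p 5001:5001 ghcr.io/${GITHUB_REPOSITORY_OWNER}/zxp:${GITHUB_EVENT_RELEASE_TAG_NAME}
          sleep 2
          curl --connect-timeout 5 \
            --max-time 10 \
            --retry 12 \
            --retry-max-time 360 \
            --retry-connrefused \
            'http://localhost:5001/metrics'
          podman kill --all
        env:
          GITHUB_EVENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}

      # zb is a CLI tool; starting it with --help is enough to prove the image runs.
      - name: Run zb container image with docker
        run: |
          docker run ghcr.io/${GITHUB_REPOSITORY_OWNER}/zb:${GITHUB_EVENT_RELEASE_TAG_NAME} --help
        env:
          GITHUB_EVENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}

      - name: Run zb container image with podman
        run: |
          podman run ghcr.io/${GITHUB_REPOSITORY_OWNER}/zb:${GITHUB_EVENT_RELEASE_TAG_NAME} --help
        env:
          GITHUB_EVENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}

  scan-image:
    name: Run Trivy scan on OCI images published to GitHub Packages
    needs: push-singlearch-image
    runs-on: ubuntu-22.04
    permissions:
      security-events: write
      packages: read
    strategy:
      matrix:
        os: [linux, freebsd]
        arch: [amd64, arm64]
    steps:
      - name: Log in to GitHub Docker Registry
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # The two scans write to distinct SARIF files and are uploaded under
      # distinct categories: with a shared output file the second scan
      # overwrote the first, and with a shared category every matrix entry
      # replaced the previous one's results in code scanning.
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # ed142fd
        with:
          image-ref: 'ghcr.io/${{ github.repository_owner }}/zot-${{ matrix.os }}-${{ matrix.arch }}:${{ github.event.release.tag_name }}'
          format: 'sarif'
          output: 'trivy-results-zot.sarif'
        env:
          TRIVY_USERNAME: ${{ github.actor }}
          TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}

      - name: Run Trivy vulnerability scanner (minimal)
        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # ed142fd
        with:
          image-ref: 'ghcr.io/${{ github.repository_owner }}/zot-minimal-${{ matrix.os }}-${{ matrix.arch }}:${{ github.event.release.tag_name }}'
          format: 'sarif'
          output: 'trivy-results-zot-minimal.sarif'
        env:
          TRIVY_USERNAME: ${{ github.actor }}
          TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
        with:
          sarif_file: 'trivy-results-zot.sarif'
          category: 'trivy-zot-${{ matrix.os }}-${{ matrix.arch }}'

      - name: Upload Trivy scan results (minimal) to GitHub Security tab
        uses: github/codeql-action/upload-sarif@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
        with:
          sarif_file: 'trivy-results-zot-minimal.sarif'
          category: 'trivy-zot-minimal-${{ matrix.os }}-${{ matrix.arch }}'

  scan-multiarch-image:
    name: Run Trivy scan on OCI multiarch images published to GitHub Packages
    needs: push-multiarch-image
    runs-on: ubuntu-22.04
    permissions:
      security-events: write
      packages: read
    steps:
      - name: Log in to GitHub Docker Registry
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Separate SARIF outputs and categories, for the same reason as in
      # scan-image: a shared file/category would drop one scan's results.
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # ed142fd
        with:
          image-ref: 'ghcr.io/${{ github.repository_owner }}/zot:${{ github.event.release.tag_name }}'
          format: 'sarif'
          output: 'trivy-results-zot.sarif'
        env:
          TRIVY_USERNAME: ${{ github.actor }}
          TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}

      - name: Run Trivy vulnerability scanner (minimal)
        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # ed142fd
        with:
          image-ref: 'ghcr.io/${{ github.repository_owner }}/zot-minimal:${{ github.event.release.tag_name }}'
          format: 'sarif'
          output: 'trivy-results-zot-minimal.sarif'
        env:
          TRIVY_USERNAME: ${{ github.actor }}
          TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
        with:
          sarif_file: 'trivy-results-zot.sarif'
          category: 'trivy-zot-multiarch'

      - name: Upload Trivy scan results (minimal) to GitHub Security tab
        uses: github/codeql-action/upload-sarif@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
        with:
          sarif_file: 'trivy-results-zot-minimal.sarif'
          category: 'trivy-zot-minimal-multiarch'

  update-helm-chart:
    # Only final releases update the chart; rc pre-releases are skipped.
    if: ${{ github.event_name == 'release' && github.event.action == 'published' && !contains(github.event.release.tag_name, 'rc') }}
    needs: push-multiarch-image
    name: Update Helm Chart
    # This job pushes only to project-zot/helm-charts, and does so with
    # HELM_PUSH_TOKEN (persisted by the second checkout), so GITHUB_TOKEN
    # needs neither contents:write on this repo nor any packages scope.
    permissions:
      contents: read
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: main
          fetch-depth: '0'
          persist-credentials: false

      - name: Checkout project-zot/helm-charts
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          repository: project-zot/helm-charts
          ref: main
          fetch-depth: '0'
          token: ${{ secrets.HELM_PUSH_TOKEN }}
          path: ./helm-charts
          persist-credentials: true

      - name: Configure Git
        run: |
          git config --global user.name 'github-actions'
          git config --global user.email 'github-actions@users.noreply.github.com'

      # The release tag reaches yq through strenv(), never by splicing it
      # into the expression string.
      - name: Update appVersion
        uses: mikefarah/yq@751d8ad57b84f1794661bc70c0afb92a22ad7b3c # v4.53.2
        with:
          cmd: yq -i '.appVersion = strenv(RELEASE_TAG)' 'helm-charts/charts/zot/Chart.yaml'
        env:
          RELEASE_TAG: ${{ github.event.release.tag_name }}

      - name: Update image tag
        uses: mikefarah/yq@751d8ad57b84f1794661bc70c0afb92a22ad7b3c # v4.53.2
        with:
          cmd: |
            yq e '.image.tag = strenv(RELEASE_TAG)' 'helm-charts/charts/zot/values.yaml' > values-updated.yaml
        env:
          RELEASE_TAG: ${{ github.event.release.tag_name }}

      # Apply the tag change as a whitespace-insensitive patch so the rest of
      # values.yaml (comments, formatting) is left untouched. diff exits
      # non-zero whenever files differ, hence the `|| true`.
      - name: Patch values.yaml file
        run: |
          diff -b 'helm-charts/charts/zot/values.yaml' values-updated.yaml > values.diff || true
          patch 'helm-charts/charts/zot/values.yaml' < values.diff
          rm values-updated.yaml values.diff

      # NOTE(review): pybump is installed unpinned from PyPI at release time;
      # pinning a version (and ideally a hash) would make this step
      # reproducible and independent of what the index serves that day.
      - name: Update version
        run: |
          sudo apt-get install pip
          pip install pybump
          pybump bump --file helm-charts/charts/zot/Chart.yaml --level patch

      - name: Push changes to project-zot/helm-charts
        run: |
          cd ./helm-charts
          git commit -am "build: automated update of Helm Chart"
          git push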