mirror of
https://github.com/project-zot/zot.git
synced 2026-06-15 11:37:56 +08:00
Ramkumar Chinchani
225e2fb96d
* chore: fix dependabot alerts Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com> * chore: fix dependabot alerts Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com> * fix: bump zui version Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com> --------- Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
376 lines
15 KiB
YAML
376 lines
15 KiB
YAML
on:
|
|
release:
|
|
types:
|
|
- published
|
|
name: Publish OCI images
|
|
|
|
permissions: read-all
|
|
|
|
jobs:
|
|
push-singlearch-image:
|
|
name: Push single arch OCI images to GitHub Packages
|
|
runs-on: ubuntu-22.04
|
|
permissions:
|
|
contents: read
|
|
packages: write
|
|
strategy:
|
|
matrix:
|
|
os: [linux, freebsd]
|
|
arch: [amd64, arm64]
|
|
steps:
|
|
- name: Setup base image
|
|
run: |
|
|
if [ ${{ matrix.os }} = 'freebsd' ]; then
|
|
echo "BASE_IMAGE=freebsd/freebsd-static:14.3" >> "$GITHUB_ENV"
|
|
else
|
|
ARCH=${{ matrix.arch }}
|
|
echo "BASE_IMAGE=gcr.io/distroless/base-nossl-debian13:latest-${ARCH}" >> "$GITHUB_ENV"
|
|
fi
|
|
- name: Check out the repo
|
|
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
with:
|
|
persist-credentials: false
|
|
- name: Log in to GitHub Docker Registry
|
|
uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
|
|
with:
|
|
registry: ghcr.io
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
- name: Build and push zot container image
|
|
uses: project-stacker/stacker-build-push-action@093acb5ad50bed0012616f46fdba73a8a7169db7 # main
|
|
with:
|
|
version: v1.1.0-rc3
|
|
file: 'build/stacker.yaml'
|
|
build-args: |
|
|
RELEASE_TAG=${{ github.event.release.tag_name }}
|
|
COMMIT=${{ github.event.release.tag_name }}-${{ github.sha }}
|
|
OS=${{ matrix.os }}
|
|
ARCH=${{ matrix.arch }}
|
|
REPO_NAME=zot-${{ matrix.os }}-${{ matrix.arch }}
|
|
BASE_IMAGE=${{ env.BASE_IMAGE }}
|
|
url: docker://ghcr.io/${{ github.repository_owner }}
|
|
tags: ${{ github.event.release.tag_name }} latest
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
- name: Build and push zot-minimal container image
|
|
uses: project-stacker/stacker-build-push-action@093acb5ad50bed0012616f46fdba73a8a7169db7 # main
|
|
with:
|
|
version: v1.1.0-rc3
|
|
file: 'build/stacker-minimal.yaml'
|
|
build-args: |
|
|
RELEASE_TAG=${{ github.event.release.tag_name }}
|
|
COMMIT=${{ github.event.release.tag_name }}-${{ github.sha }}
|
|
OS=${{ matrix.os }}
|
|
ARCH=${{ matrix.arch }}
|
|
EXT=-minimal
|
|
REPO_NAME=zot-minimal-${{ matrix.os }}-${{ matrix.arch }}
|
|
BASE_IMAGE=${{ env.BASE_IMAGE }}
|
|
url: docker://ghcr.io/${{ github.repository_owner }}
|
|
tags: ${{ github.event.release.tag_name }} latest
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
- name: Build and push zot-exporter container image
|
|
uses: project-stacker/stacker-build-push-action@093acb5ad50bed0012616f46fdba73a8a7169db7 # main
|
|
with:
|
|
version: v1.1.0-rc3
|
|
file: 'build/stacker-zxp.yaml'
|
|
build-args: |
|
|
RELEASE_TAG=${{ github.event.release.tag_name }}
|
|
COMMIT=${{ github.event.release.tag_name }}-${{ github.sha }}
|
|
OS=${{ matrix.os }}
|
|
ARCH=${{ matrix.arch }}
|
|
REPO_NAME=zxp-${{ matrix.os }}-${{ matrix.arch }}
|
|
BASE_IMAGE=${{ env.BASE_IMAGE }}
|
|
url: docker://ghcr.io/${{ github.repository_owner }}
|
|
tags: ${{ github.event.release.tag_name }} latest
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
- name: Build and push zb container image
|
|
uses: project-stacker/stacker-build-push-action@093acb5ad50bed0012616f46fdba73a8a7169db7 # main
|
|
with:
|
|
version: v1.1.0-rc3
|
|
file: 'build/stacker-zb.yaml'
|
|
build-args: |
|
|
RELEASE_TAG=${{ github.event.release.tag_name }}
|
|
COMMIT=${{ github.event.release.tag_name }}-${{ github.sha }}
|
|
OS=${{ matrix.os }}
|
|
ARCH=${{ matrix.arch }}
|
|
REPO_NAME=zb-${{ matrix.os }}-${{ matrix.arch }}
|
|
BASE_IMAGE=${{ env.BASE_IMAGE }}
|
|
url: docker://ghcr.io/${{ github.repository_owner }}
|
|
tags: ${{ github.event.release.tag_name }} latest
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
push-multiarch-image:
|
|
name: Push multiarch OCI images to GitHub Packages
|
|
needs: push-singlearch-image
|
|
runs-on: ubuntu-22.04
|
|
permissions:
|
|
contents: read
|
|
packages: write
|
|
strategy:
|
|
matrix:
|
|
image: [zot, zot-minimal, zxp, zb]
|
|
steps:
|
|
- name: Check out the repo
|
|
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
with:
|
|
persist-credentials: false
|
|
- name: Log in to GitHub Docker Registry
|
|
uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
|
|
with:
|
|
registry: ghcr.io
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
- name: Run build
|
|
run: |
|
|
echo "Building multiarch image for ${{ matrix.image }}"
|
|
cd $GITHUB_WORKSPACE
|
|
make check-blackbox-prerequisites
|
|
export PATH=${PATH}:${GITHUB_WORKSPACE}/hack/tools/bin
|
|
./scripts/build_multiarch_image.sh --registry ghcr.io/${GITHUB_REPOSITORY_OWNER} \
|
|
--source-tag ${GITHUB_EVENT_RELEASE_TAG_NAME} \
|
|
--destination-tags "${GITHUB_EVENT_RELEASE_TAG_NAME} latest" \
|
|
--file build/multiarch-${{ matrix.image }}.json
|
|
env:
|
|
GITHUB_EVENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
|
|
|
|
test-image:
|
|
name: Test OCI images published to GitHub Packages
|
|
needs: push-multiarch-image
|
|
runs-on: ubuntu-22.04
|
|
permissions:
|
|
packages: read
|
|
steps:
|
|
- name: Log in to GitHub Docker Registry
|
|
uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
|
|
with:
|
|
registry: ghcr.io
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
- name: Run zot container image with docker
|
|
run: |
|
|
docker run -d -p 5000:5000 ghcr.io/${GITHUB_REPOSITORY_OWNER}/zot:${GITHUB_EVENT_RELEASE_TAG_NAME}
|
|
sleep 2
|
|
curl --connect-timeout 5 \
|
|
--max-time 10 \
|
|
--retry 12 \
|
|
--retry-max-time 360 \
|
|
--retry-connrefused \
|
|
'http://localhost:5000/v2/'
|
|
docker kill $(docker ps -q)
|
|
env:
|
|
GITHUB_EVENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
|
|
- name: Run zot container image with podman
|
|
run: |
|
|
podman run -d -p 5000:5000 ghcr.io/${GITHUB_REPOSITORY_OWNER}/zot:${GITHUB_EVENT_RELEASE_TAG_NAME}
|
|
sleep 2
|
|
curl --connect-timeout 5 \
|
|
--max-time 10 \
|
|
--retry 12 \
|
|
--retry-max-time 360 \
|
|
--retry-connrefused \
|
|
'http://localhost:5000/v2/'
|
|
podman kill --all
|
|
env:
|
|
GITHUB_EVENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
|
|
- name: Run zot-minimal container image with docker
|
|
run: |
|
|
docker run -d -p 5000:5000 ghcr.io/${GITHUB_REPOSITORY_OWNER}/zot-minimal:${GITHUB_EVENT_RELEASE_TAG_NAME}
|
|
sleep 2
|
|
curl --connect-timeout 5 \
|
|
--max-time 10 \
|
|
--retry 12 \
|
|
--retry-max-time 360 \
|
|
--retry-connrefused \
|
|
'http://localhost:5000/v2/'
|
|
docker kill $(docker ps -q)
|
|
env:
|
|
GITHUB_EVENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
|
|
- name: Run zot-minimal container image with podman
|
|
run: |
|
|
podman run -d -p 5000:5000 ghcr.io/${GITHUB_REPOSITORY_OWNER}/zot-minimal:${GITHUB_EVENT_RELEASE_TAG_NAME}
|
|
sleep 2
|
|
curl --connect-timeout 5 \
|
|
--max-time 10 \
|
|
--retry 12 \
|
|
--retry-max-time 360 \
|
|
--retry-connrefused \
|
|
'http://localhost:5000/v2/'
|
|
podman kill --all
|
|
env:
|
|
GITHUB_EVENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
|
|
- name: Run zot-exporter container image with docker
|
|
run: |
|
|
docker run -d -p 5001:5001 ghcr.io/${GITHUB_REPOSITORY_OWNER}/zxp:${GITHUB_EVENT_RELEASE_TAG_NAME}
|
|
sleep 2
|
|
curl --connect-timeout 5 \
|
|
--max-time 10 \
|
|
--retry 12 \
|
|
--retry-max-time 360 \
|
|
--retry-connrefused \
|
|
'http://localhost:5001/metrics'
|
|
docker kill $(docker ps -q)
|
|
env:
|
|
GITHUB_EVENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
|
|
- name: Run zot-exporter container image with podman
|
|
run: |
|
|
podman run -d -p 5001:5001 ghcr.io/${GITHUB_REPOSITORY_OWNER}/zxp:${GITHUB_EVENT_RELEASE_TAG_NAME}
|
|
sleep 2
|
|
curl --connect-timeout 5 \
|
|
--max-time 10 \
|
|
--retry 12 \
|
|
--retry-max-time 360 \
|
|
--retry-connrefused \
|
|
'http://localhost:5001/metrics'
|
|
podman kill --all
|
|
env:
|
|
GITHUB_EVENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
|
|
- name: Run zb container image with docker
|
|
run: |
|
|
docker run ghcr.io/${GITHUB_REPOSITORY_OWNER}/zb:${GITHUB_EVENT_RELEASE_TAG_NAME} --help
|
|
env:
|
|
GITHUB_EVENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
|
|
- name: Run zb container image with podman
|
|
run: |
|
|
podman run ghcr.io/${GITHUB_REPOSITORY_OWNER}/zb:${GITHUB_EVENT_RELEASE_TAG_NAME} --help
|
|
env:
|
|
GITHUB_EVENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
|
|
|
|
scan-image:
|
|
name: Run Trivy scan on OCI images published to GitHub Packages
|
|
needs: push-singlearch-image
|
|
runs-on: ubuntu-22.04
|
|
permissions:
|
|
security-events: write
|
|
packages: read
|
|
strategy:
|
|
matrix:
|
|
os: [linux, freebsd]
|
|
arch: [amd64, arm64]
|
|
steps:
|
|
- name: Log in to GitHub Docker Registry
|
|
uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
|
|
with:
|
|
registry: ghcr.io
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
- name: Run Trivy vulnerability scanner
|
|
uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # ed142fd
|
|
with:
|
|
image-ref: 'ghcr.io/${{ github.repository_owner }}/zot-${{ matrix.os }}-${{ matrix.arch }}:${{ github.event.release.tag_name }}'
|
|
format: 'sarif'
|
|
output: 'trivy-results.sarif'
|
|
env:
|
|
TRIVY_USERNAME: ${{ github.actor }}
|
|
TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
|
|
- name: Run Trivy vulnerability scanner (minimal)
|
|
uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # ed142fd
|
|
with:
|
|
image-ref: 'ghcr.io/${{ github.repository_owner }}/zot-minimal-${{ matrix.os }}-${{ matrix.arch }}:${{ github.event.release.tag_name }}'
|
|
format: 'sarif'
|
|
output: 'trivy-results.sarif'
|
|
env:
|
|
TRIVY_USERNAME: ${{ github.actor }}
|
|
TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
|
|
- name: Upload Trivy scan results to GitHub Security tab
|
|
uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
|
|
with:
|
|
sarif_file: 'trivy-results.sarif'
|
|
|
|
scan-multiarch-image:
|
|
name: Run Trivy scan on OCI multiarch images published to GitHub Packages
|
|
needs: push-multiarch-image
|
|
runs-on: ubuntu-22.04
|
|
permissions:
|
|
security-events: write
|
|
packages: read
|
|
steps:
|
|
- name: Log in to GitHub Docker Registry
|
|
uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
|
|
with:
|
|
registry: ghcr.io
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
- name: Run Trivy vulnerability scanner
|
|
uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # ed142fd
|
|
with:
|
|
image-ref: 'ghcr.io/${{ github.repository_owner }}/zot:${{ github.event.release.tag_name }}'
|
|
format: 'sarif'
|
|
output: 'trivy-results.sarif'
|
|
env:
|
|
TRIVY_USERNAME: ${{ github.actor }}
|
|
TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
|
|
- name: Run Trivy vulnerability scanner (minimal)
|
|
uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # ed142fd
|
|
with:
|
|
image-ref: 'ghcr.io/${{ github.repository_owner }}/zot-minimal:${{ github.event.release.tag_name }}'
|
|
format: 'sarif'
|
|
output: 'trivy-results.sarif'
|
|
env:
|
|
TRIVY_USERNAME: ${{ github.actor }}
|
|
TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
|
|
- name: Upload Trivy scan results to GitHub Security tab
|
|
uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
|
|
with:
|
|
sarif_file: 'trivy-results.sarif'
|
|
|
|
update-helm-chart:
|
|
if: ${{ github.event_name == 'release' && github.event.action == 'published' && !contains(github.event.release.tag_name, 'rc') }}
|
|
needs: push-multiarch-image
|
|
name: Update Helm Chart
|
|
permissions:
|
|
contents: write
|
|
packages: write
|
|
runs-on: ubuntu-22.04
|
|
steps:
|
|
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
with:
|
|
ref: main
|
|
fetch-depth: '0'
|
|
persist-credentials: false
|
|
|
|
- name: Checkout project-zot/helm-charts
|
|
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
with:
|
|
repository: project-zot/helm-charts
|
|
ref: main
|
|
fetch-depth: '0'
|
|
token: ${{ secrets.HELM_PUSH_TOKEN }}
|
|
path: ./helm-charts
|
|
persist-credentials: true
|
|
|
|
- name: Configure Git
|
|
run: |
|
|
git config --global user.name 'github-actions'
|
|
git config --global user.email 'github-actions@users.noreply.github.com'
|
|
- name: Update appVersion
|
|
uses: mikefarah/yq@751d8ad57b84f1794661bc70c0afb92a22ad7b3c # v4.53.2
|
|
with:
|
|
cmd: yq -i '.appVersion = strenv(RELEASE_TAG)' 'helm-charts/charts/zot/Chart.yaml'
|
|
env:
|
|
RELEASE_TAG: ${{ github.event.release.tag_name }}
|
|
- name: Update image tag
|
|
uses: mikefarah/yq@751d8ad57b84f1794661bc70c0afb92a22ad7b3c # v4.53.2
|
|
with:
|
|
cmd: |
|
|
yq e '.image.tag = strenv(RELEASE_TAG)' 'helm-charts/charts/zot/values.yaml' > values-updated.yaml
|
|
env:
|
|
RELEASE_TAG: ${{ github.event.release.tag_name }}
|
|
- name: Patch values.yaml file
|
|
run: |
|
|
diff -b 'helm-charts/charts/zot/values.yaml' values-updated.yaml > values.diff || true
|
|
patch 'helm-charts/charts/zot/values.yaml' < values.diff
|
|
rm values-updated.yaml values.diff
|
|
- name: Update version
|
|
run: |
|
|
sudo apt-get install pip
|
|
pip install pybump
|
|
pybump bump --file helm-charts/charts/zot/Chart.yaml --level patch
|
|
- name: Push changes to project-zot/helm-charts
|
|
run: |
|
|
cd ./helm-charts
|
|
git commit -am "build: automated update of Helm Chart"
|
|
git push
|