Enable multi-arch builds in GHA for the main branch #161

Merged
23 changes: 16 additions & 7 deletions .github/workflows/build-operator-image.yaml
@@ -13,15 +13,24 @@ jobs:
steps:
- uses: actions/checkout@v2

- name: Build Image
run: |
IMG=eda-server-operator:main make docker-build
- name: Log into registry ghcr.io
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
Contributor
Just out of curiosity, why use the commit with a comment with the tag instead of just the tag?

Member Author
@Alex-Izquierdo that change was made by @jon-nfc, but my guess is that it was to pin to a particular known working version of the docker login action in case a new release breaks it. However, I do not know of a specific issue why this might have been done.

The commit is correct for v3.0.0:

Contributor
@Alex-Izquierdo

@rooftopcellist is correct, it originated from myself. Code was copied directly from the GitHub Action template. However, the reason for keeping it this way is very simple: security.

A word none of us like, but must deal with. Security in this case is the prevention (reduction in probability) of a supply chain attack, or, more correctly put, limiting the attack surface.

A git hash in the context of a repository will always remain the same and always be in the same location in the git history. You cannot change a git hash. Even if you submit the same code in the same location in the git history, the git hash will always be different.

A git tag is tied to a git hash. The problem with a git tag for chain of custody is that the git tag can move hashes. You can delete an existing tag and attach it to another commit hash. This is a problem when using it to reference a dependency.

A hash to reference the same work as a git tag is preferable. One would hope that the developer who used the code had reviewed the dependent repo. This, I suppose, you could now call a dependency in a known and "approved" state. If the hash changes, which would make it not exist, then an error will occur.

Whilst it's not impossible for a hash collision to occur, the probability of it occurring is in the order of 2^40, which is significantly larger than the tag change, which anyone with access to commit can do.

Contributor
Addendum.

The commented tag version exists next to the hash as we are humans, and readability is important.

with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Push To Quay
uses: redhat-actions/push-to-registry@v2.1.1
- name: Log into registry quay.io
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
image: eda-server-operator
tags: main
registry: quay.io/ansible/
username: ${{ secrets.QUAY_USER }}
password: ${{ secrets.QUAY_TOKEN }}

- name: Build and Store Image @ghcr
run: |
IMG=ghcr.io/${{ github.repository_owner }}/eda-server-operator:${{ github.sha }} make docker-buildx

- name: Publish Image to quay.io/ansible/eda-server-operator:main
run: |
docker buildx imagetools create ghcr.io/${{ github.repository_owner }}/eda-server-operator:${{ github.sha }} --tag quay.io/ansible/eda-server-operator:main
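Review bot: the hash-pinning rationale discussed in this thread is applied to both `docker/login-action` steps but not to `- uses: actions/checkout@v2` at the top of the hunk, which is still a movable tag; pin it to a full commit SHA with a `# vX` comment in the same style so the workflow follows one pinning policy. Separately, the new `Build and Store Image @ghcr` step pushes to ghcr.io with `${{ secrets.GITHUB_TOKEN }}`, which needs `packages: write` on the job, and the multi-arch `make docker-buildx` step depends on a buildx builder with emulation being set up; neither a `permissions` block nor a setup step is visible in this hunk, so confirm they exist elsewhere in the workflow or in the Makefile target.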