update image patching to use new workflows (#5497)

nginxinc · May 3, 2024 · a1c16c6 · a1c16c6
1 parent 533ef48
commit a1c16c6
Show file tree

Hide file tree

Showing 5 changed files with 466 additions and 157 deletions.
diff --git a/.github/actions/certify-openshift-image/action.yml b/.github/actions/certify-openshift-image/action.yml
@@ -0,0 +1,57 @@
+name: Certify Openshift Image
+description: This action will attempt to certify an image for use in Openshift
+
+inputs:
+  image:
+    description: The image manifest to certify in the format <registry>/<repository>:<tag>
+    required: true
+  project_id:
+    description: The certification project id
+    required: true
+  pyxis_token:
+    description: The Pyxis API Token
+    required: true
+  preflight_version:
+    description: The version of the preflight utility to install
+    required: false
+    default: 1.9.1
+  platforms:
+    description: A comma separated list of architectures in the image manifest to certify
+    required: false
+    default: ""
+
+outputs:
+  result:
+    description: Did the certification succeed?
+    value: ${{ steps.result.outputs.result == 0 && true || false }}
+
+runs:
+  using: composite
+  steps:
+    - name: Install openshift-preflight
+      run: |
+        curl -fsSL https://github.com/redhat-openshift-ecosystem/openshift-preflight/releases/download/${{ inputs.preflight_version }}/preflight-linux-amd64 --output preflight
+        chmod +x preflight
+      shell: bash
+
+    - name: Certify Images
+      id: result
+      run: |
+        result=0
+        if [ -z "${{ inputs.platforms }}" ]; then
+          # list of platforms passed
+          IFS=',' read -ra arch_list <<< "${{ inputs.platforms }}"
+          for arch in "${arch_list[@]}"; do
+              architecture=("${arch#*/}")
+              ./preflight check container ${{ inputs.image }} --pyxis-api-token ${{ inputs.pyxis_token }} --certification-project-id ${{ inputs.project_id }} --platform $architecture --submit
+              if [ $? -ne 0 ]; then
+                result=1
+              fi
+          done
+        else
+          # no platforms passed, this is either a manifest or a single platform image
+          ./preflight check container ${{ inputs.image }} --pyxis-api-token ${{ inputs.pyxis_token }} --certification-project-id ${{ inputs.project_id }} --submit
+          result=$?
+        fi
+        echo "result=$result" >> $GITHUB_OUTPUT
+      shell: bash
diff --git a/.github/workflows/patch-image.yml b/.github/workflows/patch-image.yml
@@ -0,0 +1,84 @@
+name: Patch Docker Image
+
+on:
+  workflow_call:
+    inputs:
+      image:
+        description: The image name to patch
+        required: true
+        type: string
+      target_image:
+        description: The target name of the patched image
+        required: true
+        type: string
+      tag:
+        description: The image tag to patch
+        required: true
+        type: string
+      target_tag:
+        description: The target tag of the patched image
+        required: true
+        type: string
+      ic_version:
+        description: The IC version to label
+        required: true
+        type: string
+      platforms:
+        description: The platforms to patch
+        required: true
+        type: string
+
+defaults:
+  run:
+    shell: bash
+
+permissions:
+  contents: read
+
+jobs:
+  patch-image:
+    name: Patch image
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+
+      - name: Docker Buildx
+        uses: docker/setup-buildx-action@2b51285047da1547ffb1b2203d8be4c0af6b1f20 # v3.2.0
+
+      - name: Setup QEMU
+        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
+        with:
+          platforms: arm,arm64,ppc64le,s390x
+
+      - name: Authenticate to Google Cloud
+        id: auth
+        uses: google-github-actions/auth@55bd3a7c6e2ae7cf1877fd1ccb9d54c0503c457c # v2.1.2
+        with:
+          token_format: access_token
+          workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
+          service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+
+      - name: Login to GCR
+        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
+        with:
+          registry: gcr.io
+          username: oauth2accesstoken
+          password: ${{ steps.auth.outputs.access_token }}
+
+      - name: Apply OS patches to Container
+        uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
+        with:
+          file: build/Dockerfile
+          context: "."
+          target: patched
+          tags: "${{ inputs.target_image }}:${{ inputs.target_tag }}"
+          platforms: ${{ inputs.platforms }}
+          pull: true
+          push: true
+          build-args: |
+            IMAGE_NAME=${{ inputs.image }}:${{ inputs.tag }}
+            IC_VERSION=${{ inputs.ic_version }}