feat(ci): Build copy of Bitnami images for vendorized charts (#2392)

javirln · web-flow · commit 1ea3ea26f4e9 · 2025-08-25T12:47:47.000+02:00
Signed-off-by: Javier Rodriguez &lt;javier@chainloop.dev&gt;
diff --git a/.github/workflows/build_external_container_images.yaml.yml b/.github/workflows/build_external_container_images.yaml.yml
@@ -0,0 +1,137 @@
+name: Build Bitnami Container Images
+
+on:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  build_and_push_images:
+    name: Build and Push ${{ matrix.image.name }} Image
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        image:
+          # On Ref we use the specific commit SHA to ensure reproducible builds
+          # It can be: branch, tag or SHA
+          # PostgreSQL version: 16.4.0
+          - name: PostgreSQL
+            image_name: chainloop-dev/chainloop/postgresql
+            path: bitnami/postgresql/16/debian-12
+            sparse_checkout: bitnami/postgresql/16/debian-12
+            ref: 5d351cc8a742d6a6f417f879ba2df9882b617676
+          # PostgreSQL Exporter version: 0.15.0
+          - name: PostgreSQL Exporter
+            image_name: chainloop-dev/chainloop/postgres-exporter
+            path: bitnami/postgres-exporter/0/debian-12
+            sparse_checkout: bitnami/postgres-exporter/0/debian-12
+            ref: 1d0408ccfbdc43b90bc6449227ce731079e42f6b
+          # OS Shell version: 12
+          - name: OS Shell
+            image_name: chainloop-dev/chainloop/os-shell
+            path: bitnami/os-shell/12/debian-12
+            sparse_checkout: bitnami/os-shell/12/debian-12
+            ref: dde1f3b2d7b271de64c6ce948a04716cb96199a1
+          # Dex version: 2.40.0
+          - name: Dex
+            image_name: chainloop-dev/chainloop/dex
+            path: bitnami/dex/2/debian-12
+            sparse_checkout: bitnami/dex/2/debian-12
+            ref: 19c7a5ade4364ff1b52c65004291203ff2096eb0
+          # Vault version: 1.17.3
+          - name: Vault
+            image_name: chainloop-dev/chainloop/vault
+            path: bitnami/vault/1/debian-12
+            sparse_checkout: bitnami/vault/1/debian-12
+            ref: 28d8f22ad6b7c3871c2f429c72e5ccf3344ae5bc
+          # Vault CSI Provider version: 1.4.3
+          - name: Vault CSI Provider
+            image_name: chainloop-dev/chainloop/vault-csi-provider
+            path: bitnami/vault-csi-provider/1/debian-12
+            sparse_checkout: bitnami/vault-csi-provider/1/debian-12
+            ref: 673c94210db93a8df808765b6b213661686aeb33
+          # Vault K8s version: 1.4.2
+          - name: Vault K8s
+            image_name: chainloop-dev/chainloop/vault-k8s
+            path: bitnami/vault-k8s/1/debian-12
+            sparse_checkout: bitnami/vault-k8s/1/debian-12
+            ref: 62cb6e1498e873dd9ab92880073a43896b470c4b
+    env:
+      REGISTRY: ghcr.io
+      IMAGE_NAME: ${{ matrix.image.image_name }}
+      BITNAMI_PATH: bitnami-containers
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Checkout Bitnami containers repository
+        uses: actions/checkout@v4
+        with:
+          repository: bitnami/containers
+          path: ${{ env.BITNAMI_PATH }}
+          ref: ${{ matrix.image.ref }}
+          sparse-checkout: ${{ matrix.image.sparse_checkout }}
+          sparse-checkout-cone-mode: false
+
+      - name: Extract version from Bitnami Dockerfile
+        id: extract_version
+        run: |
+          VERSION=$(grep -E 'APP_VERSION=' ${{ env.BITNAMI_PATH }}/${{ matrix.image.path }}/Dockerfile | cut -d'"' -f2)
+          if [ -z "$VERSION" ]; then
+            echo "Failed to extract version from Dockerfile"
+            exit 1
+          fi
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+          echo "Extracted ${{ matrix.image.name }} version: $VERSION"
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=raw,value=${{ steps.extract_version.outputs.version }}
+            type=raw,value=latest
+            type=sha,format=long
+
+      - name: Build and push Docker image
+        id: build
+        uses: docker/build-push-action@v5
+        with:
+          context: ${{ env.BITNAMI_PATH }}/${{ matrix.image.path }}
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3
+        with:
+          cosign-release: "v2.4.1"
+
+      - name: Sign container image
+        env:
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_KEY }}
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+        run: |
+          cosign sign --tlog-upload=false --key env://COSIGN_PRIVATE_KEY ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}
+
+      - name: Output build information
+        run: |
+          echo "Successfully built and pushed ${{ matrix.image.name }} image"
+          echo "Image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}"
+          echo "Version: ${{ steps.extract_version.outputs.version }}"
+          echo "Digest: ${{ steps.build.outputs.digest }}"
