Add OCI workflow

5kt · 5kt · commit 407e7a1e1832 · 2025-02-07T14:49:34.000Z
diff --git a/.github/workflows/nightly.yaml b/.github/workflows/nightly.yaml
@@ -22,3 +22,9 @@ jobs:
     uses: gardenlinux/gardenlinux/.github/workflows/build.yml@main
     with:
       version: ${{ inputs.version || 'now' }}
+  upload_oci:
+    name: Run glcli to publish to OCI
+    needs: [ build ]
+    uses: ./.github/workflows/upload_oci.yml
+    with:
+      version: ${{ needs.build.outputs.version }}
diff --git a/.github/workflows/upload_oci.yml b/.github/workflows/upload_oci.yml
@@ -0,0 +1,118 @@
+name: upload to OCI
+on:
+  workflow_call:
+    inputs:
+      version:
+        type: string
+        default: today
+jobs:
+  generate_matrix_publish:
+    uses: ./.github/workflows/generate_matrix.yml
+    with: 
+      flags: '--exclude "bare-*" --no-arch --json-by-arch --build --test'
+  upload_gl_artifacts_to_oci:
+    name: upload to OCI
+    needs: [ generate_matrix_publish ]
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        shell: bash
+    permissions:
+      id-token: write
+      packages: write
+    strategy:
+      fail-fast: false
+      matrix: ${{ fromJson(needs.generate_matrix_publish.outputs.matrix) }}
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v4.1.1
+        with:
+          submodules: 'true'
+      # bin/garden-version reads and writes from and to ./VERSION which is read by ./build --resolve-cname 
+      - name: set VERSION=${{ inputs.version }}
+        run: |
+          bin/garden-version "${{ inputs.version }}" | tee VERSION
+          ls -la
+          ver=$(cat VERSION)
+          git update-index --assume-unchanged VERSION
+          # TODO: fix the sed from below
+          cname="$(./build --resolve-cname ${{ matrix.flavor }}-${{ matrix.arch }} | sed s/today/$ver/)"
+          echo "cname=$cname" | tee -a "$GITHUB_ENV"
+      - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # pin@v4.1.8
+        with:
+          name: build-${{ env.cname }}
+      - name: Untar workflow artifact
+        run: |
+          mkdir ${{ env.cname }}
+          tar -C ${{ env.cname }} -xzv < "${{ env.cname }}.tar.gz"
+      - name: Set up Python 3.12
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+      - name: Install glcli util
+        run: |
+          git clone --depth 1 --branch 0.6.2 https://github.com/gardenlinux/python-gardenlinux-cli.git
+          mv python-gardenlinux-cli /opt/glcli
+          pip install -r /opt/glcli/requirements.txt
+      - name: push using the glcli util
+        run: |
+          mkdir -p manifests
+          GLOCI_REGISTRY_TOKEN=${{ secrets.GITHUB_TOKEN }} GLOCI_REGISTRY_USERNAME=${{ github.repository_owner }} python /opt/glcli/src/glcli.py push-manifest --dir ${{ env.cname }} --container ghcr.io/${{ github.repository }} --arch ${{ matrix.arch }} --version ${{ inputs.version }} --cname ${{ env.cname }} --cosign_file digest --manifest_file manifests/oci_manifest_entry_${{ env.cname }}.json
+      - name: Upload oci manifest artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: oci_manifest_entry_${{ env.cname }}.json
+          path: manifests/
+      - name: Output digest to be signed
+        run: |
+          cat digest
+  
+  upload_manifests_entries:
+    needs: "upload_gl_artifacts_to_oci"
+    name: upload manifest entries into OCI index
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        shell: bash
+    permissions:
+      id-token: write
+      packages: write
+      actions: write
+    steps:
+      - name: Set up Python 3.12
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+      - name: Install glcli util
+        run: |
+          git clone --depth 1 --branch 0.6.2 https://github.com/gardenlinux/python-gardenlinux-cli.git
+          mv python-gardenlinux-cli /opt/glcli
+          pip install -r /opt/glcli/requirements.txt
+      - name: Download OCI manifest artifacts
+        uses: actions/download-artifact@v4
+        with:
+          path: manifests
+          pattern: oci_manifest_entry_*
+          merge-multiple: true
+      - name: Update index using glcli tool
+        run: |
+          GLOCI_REGISTRY_TOKEN=${{ secrets.GITHUB_TOKEN }} GLOCI_REGISTRY_USERNAME=${{ github.repository_owner }} python /opt/glcli/src/glcli.py update-index --container ghcr.io/${{ github.repository }} --version ${{ inputs.version }} --manifest_folder manifests
+      - name: Delete temporary OCI manifest entry files
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const artifacts = await github.rest.actions.listArtifactsForRepo({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              per_page: 100
+            });
+            for (const artifact of artifacts.data.artifacts) {
+              if (artifact.name.startsWith('oci_manifest_entry_')) {
+                console.log(`Deleting artifact: ${artifact.name}`);
+                await github.rest.actions.deleteArtifact({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  artifact_id: artifact.id
+                });
+                console.log(`Successfully deleted artifact: ${artifact.name}`);
+              }
+            }
diff --git a/VERSION b/VERSION
@@ -0,0 +1 @@
+today
