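# Builds the controller image for linux/arm64 and linux/amd64, pushes it to
# quay.io/opendatahub/model-registry-controller, signs the pushed digest with
# cosign (keyless, via the job's id-token) and attests an SPDX SBOM to it.
#
# The image tag (VERSION) is derived from BUILD_CONTEXT, which is only set when
# the run's ref is 'main' or a 'v*' tag; any other ref fails fast (see the
# "Check build context" step).
name: Controller container image build and tag

on:
  workflow_dispatch: {}
  # FIXME: Re-enable when the repo exists in opendatahub
  # push:
  #   branches:
  #     - 'main'
  #   tags:
  #     - 'v*'
  #   paths-ignore:
  #     - 'LICENSE*'
  #     - '**.gitignore'
  #     - '**.md'
  #     - '**.txt'
  #     - '.github/ISSUE_TEMPLATE/**'
  #     - '.github/dependabot.yml'
  #     - 'docs/**'

permissions: read-all

# Registry credentials are NOT exported here: they are passed to the login
# step alone, so no other step's process environment carries them.
env:
  IMG_REGISTRY: quay.io
  IMG_ORG: opendatahub
  IMG_REPO: model-registry-controller
  # NOTE(review): not referenced by any step below; build-push-action sets
  # `push: true` directly. Kept for compatibility with callers/docs that may
  # expect it.
  PUSH_IMAGE: true
  PLATFORMS: linux/arm64,linux/amd64

jobs:
  build-controller-image:
    runs-on: ubuntu-latest
    # Job-level permissions replace the workflow-level `read-all` entirely.
    permissions:
      actions: read # anchore/sbom-action for syft
      contents: write # anchore/sbom-action for syft
      # NOTE(review): the image is pushed to quay.io, not GHCR — confirm
      # packages: write is still required.
      packages: write
      id-token: write # cosign
    steps:
      # Assign context variable for various action contexts (tag, main, CI)
      - name: Assigning tag context
        if: github.head_ref == '' && startsWith(github.ref, 'refs/tags/v')
        run: echo "BUILD_CONTEXT=tag" >> "$GITHUB_ENV"
      - name: Assigning main context
        if: github.head_ref == '' && github.ref == 'refs/heads/main'
        run: echo "BUILD_CONTEXT=main" >> "$GITHUB_ENV"
      # Fail fast: VERSION, the image tags, the SBOM file name and the cosign
      # attestation below all derive from BUILD_CONTEXT. Without this guard a
      # run dispatched from any other ref would push an image whose VERSION
      # is empty.
      - name: Check build context
        run: |
          if [ -z "${BUILD_CONTEXT:-}" ]; then
            echo "::error::this workflow must run from 'main' or a 'v*' tag (ref: ${GITHUB_REF})"
            exit 1
          fi
      # checkout branch
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          # No later step pushes to git, and the docker build uses `context: .`;
          # not persisting the token keeps it out of .git/config in the build
          # context.
          persist-credentials: false
      - name: Set up QEMU
        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
      # set image version
      - name: Set main-branch environment
        if: env.BUILD_CONTEXT == 'main'
        # GITHUB_SHA is the triggering commit for both push and workflow_dispatch
        # runs; `github.event.after` exists only in push payloads, so with the
        # push trigger disabled it expanded to "" and produced the tag "main-".
        run: |
          tag="main-${GITHUB_SHA:0:7}"
          echo "VERSION=${tag}" >> "$GITHUB_ENV"
      - name: Set tag environment
        if: env.BUILD_CONTEXT == 'tag'
        # Read the ref name from the runner environment instead of expanding
        # `${{ github.ref_name }}` inline into the shell script.
        run: |
          echo "VERSION=${GITHUB_REF_NAME}" >> "$GITHUB_ENV"
      # docker login
      - name: Log in to the Container registry
        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4
        with:
          registry: ${{ env.IMG_REGISTRY }}
          username: ${{ secrets.QUAY_USERNAME }}
          password: ${{ secrets.QUAY_PASSWORD }}
      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5
        with:
          images: "${{ env.IMG_REGISTRY }}/${{ env.IMG_ORG }}/${{ env.IMG_REPO }}"
          # `latest` and `main` are only added for main-branch builds.
          tags: |
            type=raw,value=${{ env.VERSION }}
            type=raw,value=latest,enable=${{ env.BUILD_CONTEXT == 'main' }}
            type=raw,value=main,enable=${{ env.BUILD_CONTEXT == 'main' }}
      - name: Build and push Docker image
        id: build-push
        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
        with:
          context: .
          file: ./cmd/controller/Dockerfile.controller
          platforms: ${{ env.PLATFORMS }}
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          provenance: mode=max
      - name: Install Cosign
        uses: sigstore/cosign-installer@7e8b541eb2e61bf99390e1afd4be13a184e9ebc5 # v3
      # Sign by digest (not by tag) so the signature binds the exact pushed image.
      - name: Sign image with cosign
        run: |
          cosign sign --yes "${{ env.IMG_REGISTRY }}/${{ env.IMG_ORG }}/${{ env.IMG_REPO }}@${{ steps.build-push.outputs.digest }}"
      - name: Generate SBOM
        uses: anchore/sbom-action@57aae528053a48a3f6235f2d9461b05fbcb7366d # v0
        with:
          image: "${{ env.IMG_REGISTRY }}/${{ env.IMG_ORG }}/${{ env.IMG_REPO }}@${{ steps.build-push.outputs.digest }}"
          format: spdx-json # default, but making sure of the format
          artifact-name: "controller-${{ env.VERSION }}-sbom.spdx.json"
          output-file: "controller-${{ env.VERSION }}-sbom.spdx.json" # pin the file to use it later below
      # Attaches the SBOM generated above to the same digest that was signed.
      - name: Attest SBOM to image
        run: |
          cosign attest --yes --predicate "controller-${{ env.VERSION }}-sbom.spdx.json" --type spdxjson "${{ env.IMG_REGISTRY }}/${{ env.IMG_ORG }}/${{ env.IMG_REPO }}@${{ steps.build-push.outputs.digest }}"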