build(deps): bump go.opentelemetry.io/otel/sdk from 1.38.0 to 1.40.0 #352
| name: Build Worker Images | |
| on: | |
| push: | |
| branches: | |
| - main | |
| - 'releases/*' | |
| tags: | |
| - 'v[0-9]+.[0-9]+.*' | |
| pull_request: | |
| branches: | |
| - main | |
| paths: | |
| - '.github/workflows/worker-images/matrix.json' | |
| - '.github/workflows/worker-images.yml' | |
| workflow_dispatch: | |
| permissions: | |
| contents: read | |
| jobs: | |
| load-matrix: | |
| outputs: | |
| matrix: ${{ steps.set-matrix.outputs.matrix }} | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - name: Harden the runner (Audit all outbound calls) | |
| uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout code | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Set matrix | |
| id: set-matrix | |
| run: | | |
| MATRIX=$(cat .github/workflows/worker-images/matrix.json) | |
| echo "matrix=$MATRIX" >> $GITHUB_OUTPUT | |
| build-worker-images: | |
| permissions: | |
| packages: write | |
| id-token: write # Required for cosign OIDC signing | |
| attestations: write # Required for GitHub attestations | |
| artifact-metadata: write # Required for certain parts of GitHub attestations (actions/attest complains if not set) | |
| needs: load-matrix | |
| runs-on: ubuntu-22.04 | |
| strategy: | |
| fail-fast: false | |
| matrix: ${{ fromJson(needs.load-matrix.outputs.matrix) }} | |
| steps: | |
| - name: Harden the runner (Audit all outbound calls) | |
| uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1 | |
| with: | |
| egress-policy: audit | |
| allowed-endpoints: > | |
| api.github.com:443 | |
| fulcio.sigstore.dev:443 | |
| ghcr.io:443 | |
| github.com:443 | |
| *.githubusercontent.com:443 | |
| proxy.golang.org:443 | |
| rekor.sigstore.dev:443 | |
| storage.googleapis.com:443 | |
| tuf-repo-cdn.sigstore.dev:443 | |
| - name: Checkout code | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Install Cosign | |
| if: ${{ (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')) || github.event_name == 'workflow_dispatch' }} | |
| uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 | |
| - uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 | |
| name: Login to GHCR | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - uses: ./.github/actions/enable-containerd | |
| - name: Setup environment | |
| run: | | |
| echo MAIN_CACHE_SCOPE=main.${{ matrix.target }} >> $GITHUB_ENV | |
| tag="${{ github.ref_name }}" | |
| tag="${tag//\//-}" # Replace slashes with dashes | |
| tag="${tag%.*}" # Trim off patch version if it exists | |
| # Format repository name (lowercase) | |
| FORMATTED_REPO=$(echo "${{ github.repository }}" | tr '[:upper:]' '[:lower:]') | |
| BASE_REPO="${FORMATTED_REPO}/${{ matrix.target }}" | |
| echo "BASE_REPO=${BASE_REPO}" >> $GITHUB_ENV | |
| echo "IMAGE_REPO=${BASE_REPO}:${tag}" >> $GITHUB_ENV | |
| - if: ${{ github.event_name == 'pull_request' }} | |
| name: Setup up (PR) | |
| run: | | |
| set -eux | |
| # Here we try to build this as much like a release as possible, but we push to a local registry | |
| ref="localhost:5000/${IMAGE_REPO}" | |
| EXTRA_FLAGS="--set worker.cache-from=type=gha,scope=${MAIN_CACHE_SCOPE} --set worker.tags=${ref} --push" | |
| # Because we sometimes add an extra ref for ":latest", let's also do that here to validate that it works | |
| EXTRA_FLAGS+=" --set worker.tags=${ref}-latest" | |
| echo "EXTRA_FLAGS=${EXTRA_FLAGS}" >> $GITHUB_ENV | |
| # Format repository name (lowercase) for registry mirror | |
| FORMATTED_REPO=$(echo "${{ github.repository }}" | tr '[:upper:]' '[:lower:]') | |
| docker run -d --net=host ghcr.io/${FORMATTED_REPO}/mirror/dockerhub/library/registry:latest | |
| - if: ${{ (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')) || github.event_name == 'workflow_dispatch' }} | |
| name: Setup (tagged) | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| run: | | |
| set -eux | |
| ref="ghcr.io/${IMAGE_REPO}" | |
| # Don't need to care about cache-from in this case as this is the "prod" image, better to build it from scratch | |
| # Inline the cache with the image so others can use it as a cache-from for their own builds. | |
| EXTRA_FLAGS="--set worker.cache-to=type=inline,mode=max --set worker.tags=${ref} --push" | |
| latest="$(gh release view --json tagName -q .tagName)" | |
| if [ ${{ github.ref_name }} = "${latest}" ]; then | |
| # If this is the latest release, we also tag it as "latest" | |
| IMAGE_REPO_LATEST="${BASE_REPO}:latest" | |
| EXTRA_FLAGS+=" --set worker.tags=ghcr.io/${IMAGE_REPO_LATEST}" | |
| fi | |
| echo "EXTRA_FLAGS=${EXTRA_FLAGS}" >> $GITHUB_ENV | |
| - if: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/heads/') }} | |
| name: Setup (merged) | |
| run: | | |
| set -ex -o pipefail | |
| EXTRA_FLAGS="--set worker.cache-to=type=gha,scope=main.${{matrix.target}},mode=max --set worker.cache-from=type=gha,scope=${MAIN_CACHE_SCOPE}" | |
| echo "EXTRA_FLAGS=${EXTRA_FLAGS}" >> $GITHUB_ENV | |
| - name: Setup QEMU | |
| run: docker run --rm --privileged tonistiigi/binfmt:latest --install all | |
| - name: Expose GitHub tokens for caching | |
| uses: crazy-max/ghaction-github-runtime@04d248b84655b509d8c44dc1d6f990c879747487 # v4.0.0 | |
| - name: Build worker images | |
| run: | | |
| set -eux | |
| docker buildx bake worker \ | |
| --set worker.platform=linux/amd64,linux/arm64 \ | |
| ${EXTRA_FLAGS} | |
| env: | |
| WORKER_TARGET: ${{ matrix.target }} | |
| - name: Sign and attest worker images | |
| if: ${{ (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')) || github.event_name == 'workflow_dispatch' }} | |
| id: sign | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| run: | | |
| set -eux | |
| ref="ghcr.io/${IMAGE_REPO}" | |
| # Get the digest of the pushed image | |
| DIGEST=$(docker buildx imagetools inspect ${ref} --format '{{json .Manifest.Digest}}' | tr -d '"') | |
| # Sign the image | |
| cosign sign --yes "${ref}@${DIGEST}" | |
| # Verify the signature | |
| cosign verify "${ref}@${DIGEST}" \ | |
| --certificate-oidc-issuer https://token.actions.githubusercontent.com \ | |
| --certificate-identity "https://github.com/${{ github.repository }}/.github/workflows/worker-images.yml@${{ github.ref }}" | |
| # If there's a latest tag, sign that too | |
| latest="$(gh release view --json tagName -q .tagName || echo '')" | |
| if [ "${{ github.ref_name }}" = "${latest}" ]; then | |
| IMAGE_REPO_LATEST="${BASE_REPO}:latest" | |
| ref_latest="ghcr.io/${IMAGE_REPO_LATEST}" | |
| cosign sign --yes "${ref_latest}@${DIGEST}" | |
| fi | |
| echo "digest=${DIGEST}" >> $GITHUB_OUTPUT | |
| echo "image-name=ghcr.io/${BASE_REPO}" >> $GITHUB_OUTPUT | |
| - name: Attest build provenance | |
| if: ${{ (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')) || github.event_name == 'workflow_dispatch' }} | |
| uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v2.0.0 | |
| with: | |
| subject-name: ${{ steps.sign.outputs.image-name }} | |
| subject-digest: ${{ steps.sign.outputs.digest }} | |
| push-to-registry: true |
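Review bot: The QEMU setup step (`run: docker run --rm --privileged tonistiigi/binfmt:latest --install all`) pulls a mutable Docker Hub tag and runs it privileged on the same runner that later signs and attests the images, while every `uses:` in the file is pinned to a commit SHA; pin it by digest, e.g. `run: docker run --rm --privileged tonistiigi/binfmt@sha256:<PLACEHOLDER_DIGEST> --install all`, so the provenance chain does not rest on an unpinned image. The harden-runner `allowed-endpoints` list does not include docker.io, so that pull is only tolerated because `egress-policy` is `audit`; the list would need that host (or the repository's mirror) before the policy could move to `block`. In the Setup (tagged) step, `if [ ${{ github.ref_name }} = "${latest}" ]; then` interpolates the ref name unquoted into the shell, whereas the Sign step quotes the same comparison; the defensive form is to pass it through `env` (`REF_NAME: ${{ github.ref_name }}`) and compare `"$REF_NAME"`, and the same applies to `${{ matrix.target }}` in the Setup environment and Setup (merged) steps, since the matrix is loaded from matrix.json on the checked-out ref. The Setup (tagged) step also calls `gh release view` without the `|| echo ''` fallback the Sign step uses, so under `set -eux` a repository with no prior release fails there rather than in the comparison.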