stackabletech
diff --git a/‎.github/actions/build/action.yml
Lines changed: 65 additions & 0 deletions b/‎.github/actions/build/action.yml
Lines changed: 65 additions & 0 deletions
diff --git a/‎.github/actions/publish-image/action.yml
Lines changed: 126 additions & 0 deletions b/‎.github/actions/publish-image/action.yml
Lines changed: 126 additions & 0 deletions
diff --git a/‎.github/actions/publish-manifest/action.yml
Lines changed: 66 additions & 0 deletions b/‎.github/actions/publish-manifest/action.yml
Lines changed: 66 additions & 0 deletions
diff --git a/‎.github/actions/shard/action.yml
Lines changed: 48 additions & 0 deletions b/‎.github/actions/shard/action.yml
Lines changed: 48 additions & 0 deletions
@@ -0,0 +1,65 @@
+---
+name: Build Product Image
+description: This action builds a product Docker image with a specific version
+inputs:
+  product-name:
+    description: The name of the product to build via bake (directory name)
+    required: true
+  product-version:
+    description: The version of the product to build via bake
+    required: true
+  image-tools-version:
+    description: The Stackable image-tools version
+    default: 0.0.8
+outputs:
+  image-name:
+    description: This is the full image name before the tag (left of ':')
+    value: ${{ steps.image_info.outputs.IMAGE_NAME }}
+  image-version:
+    description: This is the container image end tag excluding the architecture information (right of ':')
+    value: ${{ steps.image_info.outputs.IMAGE_VERSION }}
+runs:
+  using: composite
+  steps:
+    - name: Setup Docker Buildx
+      uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
+
+      # NOTE (@Techassi): Why do we install python via apt and not the setup-python action?
+    - name: Setup Python
+      shell: bash
+      run: |
+        set -euo pipefail
+        sudo apt update
+        sudo apt install -y python3
+
+    - name: Building ${{ inputs.product-name }}
+      shell: bash
+      run: echo ${{ inputs.product-name }}
+
+    - name: Install image-tools-stackabletech
+      shell: bash
+      run: pip install image-tools-stackabletech==${{ inputs.image-tools-version }}
+
+    - name: Build image using bake
+      shell: bash
+      run: |
+        set -euo pipefail
+        ARCH="$(uname -m | sed -e 's#x86_64#amd64#' | sed -e 's#aarch64#arm64#')"
+        bake \
+        --product ${{ inputs.product-name }}=${{ inputs.product-version }} \
+        --image-version "0.0.0-dev-${ARCH}" \
+        --architecture "linux/${ARCH}" \
+        --export-tags-file bake-target-tags
+
+    - name: Setup Environment Variables
+      id: image_info
+      shell: bash
+      run: |
+        set -euo pipefail
+        echo "bake-target-tags: "$(< bake-target-tags)
+        # Strip the architecture from the version tag
+        IMAGE_VERSION=$(cat bake-target-tags | cut -d ":" -f 2 | sed -E 's/-(amd64|arm64)$//')
+        IMAGE_NAME=$(cat bake-target-tags | cut -d ":" -f 1)
+
+        echo "IMAGE_VERSION=$IMAGE_VERSION" >> $GITHUB_OUTPUT
+        echo "IMAGE_NAME=$IMAGE_NAME" >> $GITHUB_OUTPUT
@@ -0,0 +1,126 @@
+---
+name: Publish Product Image
+description: This action publishes a Docker image
+inputs:
+  product:
+    description: The name of the product to publish
+    required: true
+  image-name:
+    description: This is the full image name before the tag (left of ':')
+    required: true
+  image-version:
+    description: This is the container image end tag excluding the architecture information (right of ':')
+    required: true
+  nexus-username:
+    description: The username to login to Nexus
+    default: github
+  nexus-password:
+    description: The password to login to Nexus
+    required: true
+  harbor-username:
+    description: The username to login to Harbor
+    default: robot$sdp+github-action-build
+  harbor-secret:
+    description: The secret to login to Harbor
+    required: true
+runs:
+  using: composite
+  steps:
+    - name: Set up Cosign
+      uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
+
+    - name: Set up syft
+      uses: anchore/sbom-action/download-syft@e8d2a6937ecead383dfe75190d104edd1f9c5751 # v0.16.0
+
+    - name: Login to Stackable Nexus
+      uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+      with:
+        registry: docker.stackable.tech
+        username: ${{ inputs.nexus-username }}
+        password: ${{ inputs.nexus-password }}
+
+    - name: Login to Stackable Harbor
+      uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+      with:
+        registry: oci.stackable.tech
+        username: ${{ inputs.harbor-username }}
+        password: ${{ inputs.harbor-secret }}
+
+    - name: Setup Environment Variables
+      shell: bash
+      run: |
+        set -euo pipefail
+        IMAGE_VERSION=${{ inputs.image-version }}
+        IMAGE_NAME=${{ inputs.image-name }}
+        ARCH="$(uname -m | sed -e 's#x86_64#amd64#' | sed -e 's#aarch64#arm64#')"
+        TAG_NAME="${IMAGE_VERSION}-${ARCH}"
+
+        echo "IMAGE_VERSION=$IMAGE_VERSION" >> $GITHUB_ENV
+        echo "IMAGE_NAME=$IMAGE_NAME" >> $GITHUB_ENV
+        echo "TAG_NAME=$TAG_NAME" >> $GITHUB_ENV
+
+    - name: Push Image to repo.stackable.tech and sign via cosign
+      shell: bash
+      run: |
+        set -euo pipefail
+        # Store the output of `docker image push` into a variable, so we can
+        # parse it for the digest
+        PUSH_OUTPUT=$(docker image push "$(< bake-target-tags)" 2>&1)
+        echo "$PUSH_OUTPUT"
+        # Obtain the digest of the pushed image from the output of `docker image
+        # push`, because signing by tag is deprecated and will be removed from
+        # cosign in the future
+        DIGEST=$(echo "$PUSH_OUTPUT" | awk "/: digest: sha256:[a-f0-9]{64} size: [0-9]+$/ { print \$3 }")
+        echo "DIGEST=$DIGEST" >> $GITHUB_ENV
+        # Refer to image via its digest (docker.stackable.tech/stackable/airflow@sha256:0a1b2c...)
+        # This generates a signature and publishes it to the registry, next to the image
+        # Uses the keyless signing flow with Github Actions as identity provider
+        cosign sign -y "$IMAGE_NAME@$DIGEST"
+
+    - name: Generate SBOM for the Nexus Image
+      shell: bash
+      run: |
+        set -euo pipefail
+        syft scan --output cyclonedx-json=sbom.json --select-catalogers "-cargo-auditable-binary-cataloger" --scope all-layers --source-name "${{ inputs.product }}" --source-version "$TAG_NAME" "$IMAGE_NAME@$DIGEST";
+        # Determine the PURL for the image
+        PURL="pkg:docker/stackable/${{ inputs.product }}@$DIGEST?repository_url=docker.stackable.tech";
+        # Get metadata from the image
+        IMAGE_METADATA_DESCRIPTION=$(docker inspect --format='{{.Config.Labels.description}}' "$IMAGE_NAME@$DIGEST");
+        IMAGE_METADATA_NAME=$(docker inspect --format='{{.Config.Labels.name}}' "$IMAGE_NAME@$DIGEST");
+        # Merge the SBOM with the metadata for the image
+        jq -s '{"metadata":{"component":{"description":"'"$IMAGE_METADATA_NAME. $IMAGE_METADATA_DESCRIPTION"'","supplier":{"name":"Stackable GmbH","url":["https://stackable.tech/"]},"author":"Stackable GmbH","purl":"'"$PURL"'","publisher":"Stackable GmbH"}}} * .[0]' sbom.json > sbom.merged.json;
+        # Attest the SBOM to the image
+        cosign attest -y --predicate sbom.merged.json --type cyclonedx "$IMAGE_NAME@$DIGEST"
+
+    - name: Push Image to oci.stackable.tech and sign via cosign
+      shell: bash
+      run: |
+        set -euo pipefail
+        IMAGE_NAME=oci.stackable.tech/sdp/${{ inputs.product }}
+        echo "image: $IMAGE_NAME"
+        docker tag "$(< bake-target-tags)" "$IMAGE_NAME:$TAG_NAME"
+        # Store the output of `docker image push` into a variable, so we can parse it for the digest
+        PUSH_OUTPUT=$(docker image push "$IMAGE_NAME:$TAG_NAME" 2>&1)
+        echo "$PUSH_OUTPUT"
+        # Obtain the digest of the pushed image from the output of `docker image push`, because signing by tag is deprecated and will be removed from cosign in the future
+        DIGEST=$(echo "$PUSH_OUTPUT" | awk "/: digest: sha256:[a-f0-9]{64} size: [0-9]+$/ { print \$3 }")
+        echo "DIGEST=$DIGEST" >> $GITHUB_ENV
+        # Refer to image via its digest (oci.stackable.tech/sdp/airflow@sha256:0a1b2c...)
+        # This generates a signature and publishes it to the registry, next to the image
+        # Uses the keyless signing flow with Github Actions as identity provider
+        cosign sign -y "$IMAGE_NAME@$DIGEST"
+
+    - name: Generate SBOM for the Harbor Image
+      shell: bash
+      run: |
+        set -euo pipefail
+        syft scan --output cyclonedx-json=sbom.json --select-catalogers "-cargo-auditable-binary-cataloger" --scope all-layers --source-name "${{ inputs.product }}" --source-version "$TAG_NAME" "$IMAGE_NAME@$DIGEST";
+        # Determine the PURL for the image
+        PURL="pkg:docker/sdp/${{ inputs.product }}@$DIGEST?repository_url=oci.stackable.tech";
+        # Get metadata from the image
+        IMAGE_METADATA_DESCRIPTION=$(docker inspect --format='{{.Config.Labels.description}}' "$IMAGE_NAME@$DIGEST");
+        IMAGE_METADATA_NAME=$(docker inspect --format='{{.Config.Labels.name}}' "$IMAGE_NAME@$DIGEST");
+        # Merge the SBOM with the metadata for the image
+        jq -s '{"metadata":{"component":{"description":"'"$IMAGE_METADATA_NAME. $IMAGE_METADATA_DESCRIPTION"'","supplier":{"name":"Stackable GmbH","url":["https://stackable.tech/"]},"author":"Stackable GmbH","purl":"'"$PURL"'","publisher":"Stackable GmbH"}}} * .[0]' sbom.json > sbom.merged.json;
+        # Attest the SBOM to the image
+        cosign attest -y --predicate sbom.merged.json --type cyclonedx "$IMAGE_NAME@$DIGEST"
@@ -0,0 +1,66 @@
+---
+name: Publish Product Image Manifest
+description: This action publishes a Docker image
+inputs:
+  product:
+    description: The name of the product to publish
+    required: true
+  image-version:
+    description: This is the container image end tag excluding the architecture information (right of ':')
+    required: true
+  nexus-password:
+    description: The password to login to Nexus
+    required: true
+  harbor-secret:
+    description: The secret to login to Harbor
+    required: true
+runs:
+  using: composite
+  steps:
+    - name: Set up Cosign
+      uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
+
+    - name: Login to Stackable Nexus
+      uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+      with:
+        registry: docker.stackable.tech
+        username: github
+        password: ${{ inputs.nexus-password }}
+
+    - name: Login to Stackable Harbor
+      uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+      with:
+        registry: oci.stackable.tech
+        username: robot$sdp+github-action-build
+        password: ${{ inputs.harbor-secret }}
+
+    - name: Setup Environment Variables
+      shell: bash
+      run: |
+        set -euo pipefail
+        IMAGE_VERSION=${{ inputs.image-version }}
+        echo "IMAGE_VERSION=$IMAGE_VERSION" >> $GITHUB_ENV
+
+    - name: Create Manifest
+      shell: bash
+      run: |
+        set -euo pipefail
+        MANIFEST_NAME="docker.stackable.tech/stackable/${{ inputs.product }}:$IMAGE_VERSION"
+        # Create and push to Stackable Nexus
+        # `docker manifest push` directly returns the digest of the manifest list
+        # As it is an experimental feature, this might change in the future
+        # Further reading: https://docs.docker.com/reference/cli/docker/manifest/push/
+        # --amend because the manifest list would be updated since we use the same tag: 0.0.0-dev
+        docker manifest create "$MANIFEST_NAME" --amend "${MANIFEST_NAME}-amd64" --amend "${MANIFEST_NAME}-arm64"
+        DIGEST=$(docker manifest push $MANIFEST_NAME)
+
+        # Refer to image via its digest (oci.stackable.tech/sdp/airflow@sha256:0a1b2c...)
+        # This generates a signature and publishes it to the registry, next to the image
+        # Uses the keyless signing flow with Github Actions as identity provider
+        cosign sign -y "$MANIFEST_NAME@$DIGEST"
+
+        # Push to oci.stackable.tech as well
+        MANIFEST_NAME="oci.stackable.tech/sdp/${{ inputs.product }}:$IMAGE_VERSION"
+        docker manifest create "$MANIFEST_NAME" --amend "${MANIFEST_NAME}-amd64" --amend "${MANIFEST_NAME}-arm64"
+        DIGEST=$(docker manifest push $MANIFEST_NAME)
+        cosign sign -y "$MANIFEST_NAME@$DIGEST"
@@ -0,0 +1,48 @@
+---
+name: Generate Shards
+description: This action builds list of shard indices for use in Github Actions Matrices
+inputs:
+  product:
+    description: The name of the product to build via bake (directory name)
+    required: true
+outputs:
+  versions:
+    description: A list of product versions
+    value: ${{ steps.generate_shards.outputs.VERSIONS }}
+runs:
+  using: composite
+  steps:
+    - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
+      with:
+        python-version: '3.12'
+    - name: Generate Shards
+      id: generate_shards
+      shell: python
+      env:
+        PRODUCT_NAME: ${{ inputs.product }}
+      run: |
+        # Need to get the list of versions for the product
+        import sys
+        import os
+        sys.path.append(str(os.getcwd()))
+        import conf
+
+        product=os.environ['PRODUCT_NAME']
+        print(f"Generating version list for {product}")
+
+        # get the product config
+        product_conf = list(filter(lambda x: x["name"] == product, conf.products))[0]
+        # list the versions, eg: [1.0, 1.1, 2.0]
+        versions = [v["product"] for k,v in enumerate(product_conf["versions"])]
+        output_versions = f"VERSIONS={versions}\n"
+
+        github_outputs_file = os.environ['GITHUB_OUTPUT']
+        f = open(github_outputs_file, "w")
+        print(f"Writing to $GITHUB_OUTPUT: {output_versions}")
+        f.write(output_versions)
+        f.close()
+    - name: Print Shards
+      shell: bash
+      run: |
+        set -euo pipefail
+        echo versions=${{ steps.generate_shards.outputs.VERSIONS }}