Skip to content

fix(ci): SLSA3 support (#928) #504

fix(ci): SLSA3 support (#928)

fix(ci): SLSA3 support (#928) #504

Workflow file for this run

name: build
on:
push:
branches:
- master
- v*
pull_request:
env:
# Fake up DRONE_BRANCH so it's picked up when dapper gets to
# scripts/version. For branches, github.ref_name will be
# "master" or "v1.x", which is fine, but for PRs it will be
# something like "697/merge", which doesn't work as a version,
# so wet just set it to master in this case.
DRONE_BRANCH: ${{ endsWith(github.ref_name, '/merge') && 'master' || github.ref_name }}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: ${{ github.ref != 'refs/heads/master' && !startsWith(github.ref, 'refs/heads/v') && !startsWith(github.ref, 'refs/tags/v') }}
jobs:
build-iso:
name: Build ISO Images
strategy:
matrix:
arch:
- amd64
- arm64
# hdd=50 is somewhat arbitrary here, but seems to give a
# 77G disk, which is sufficient for ISO builds.
# The VM runners are named "x64", not "amd64" like other docker things.
runs-on: runs-on,runner=4cpu-linux-${{ matrix.arch == 'amd64' && 'x64' || matrix.arch }},hdd=50,run-id=${{ github.run_id }}
permissions:
contents: read
id-token: write # for reading credential https://github.com/rancher-eio/read-vault-secrets
steps:
- name: Checkout code
uses: actions/checkout@v4
# Build ISO
- name: Run make ci
run: make ci
# Below is essentially duplicated from the main Harvester repo's
# .github/workflows/build.yml, except we're only publishing branches,
# not tags.
- name: Declare branch
run: |
echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> "$GITHUB_ENV"
- name: Read Secrets
if: ${{ startsWith(github.ref, 'refs/heads/') }}
uses: rancher-eio/read-vault-secrets@main
with:
secrets: |
secret/data/github/repo/${{ github.repository }}/dockerhub/harvester/credentials username | DOCKER_USERNAME ;
secret/data/github/repo/${{ github.repository }}/dockerhub/harvester/credentials password | DOCKER_PASSWORD ;
secret/data/github/repo/${{ github.repository }}/google-auth-key/credentials credential | GOOGLE_AUTH ;
- name: Login to Docker Hub
if: ${{ startsWith(github.ref, 'refs/heads/') }}
uses: docker/login-action@v3
with:
username: ${{ env.DOCKER_USERNAME }}
password: ${{ env.DOCKER_PASSWORD }}
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
# rancher/harvester-cluster-repo image
- name: docker-publish-harvester-cluster-repo
if: ${{ startsWith(github.ref, 'refs/heads/') }}
uses: docker/build-push-action@v6
with:
context: dist/harvester-cluster-repo
push: true
platforms: linux/${{ matrix.arch }}
tags: rancher/harvester-cluster-repo:${{ env.branch }}-head-${{ matrix.arch }}
file: dist/harvester-cluster-repo/Dockerfile
sbom: true
provenance: mode=max
- name: Login to Google Cloud
if: ${{ startsWith(github.ref, 'refs/heads/') }}
uses: 'google-github-actions/auth@v2'
with:
credentials_json: '${{ env.GOOGLE_AUTH }}'
- name: upload-iso
uses: 'google-github-actions/upload-cloud-storage@v2'
if: ${{ startsWith(github.ref, 'refs/heads/') }}
with:
path: dist/artifacts
parent: false
destination: releases.rancher.com/harvester/${{ env.branch }}
predefinedAcl: publicRead
headers: |-
cache-control: public,no-cache,proxy-revalidate
manifest-cluster-repo-image:
name: Manifest harvester-cluster-repo image
runs-on: runs-on,runner=4cpu-linux-x64,run-id=${{ github.run_id }}
needs: build-iso
if: ${{ startsWith(github.ref, 'refs/heads/') }}
permissions:
contents: read
id-token: write # for reading credential https://github.com/rancher-eio/read-vault-secrets
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Declare branch
run: |
echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> "$GITHUB_ENV"
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Read Secrets
uses: rancher-eio/read-vault-secrets@main
with:
secrets: |
secret/data/github/repo/${{ github.repository }}/dockerhub/harvester/credentials username | DOCKER_USERNAME ;
secret/data/github/repo/${{ github.repository }}/dockerhub/harvester/credentials password | DOCKER_PASSWORD ;
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ env.DOCKER_USERNAME }}
password: ${{ env.DOCKER_PASSWORD }}
# rancher/harvester-cluster-repo image
- name: docker-pull-harvester-cluster-repo
if: ${{ startsWith(github.ref, 'refs/heads/') }}
run: |
docker pull --platform linux/amd64 rancher/harvester-cluster-repo:${{ env.branch }}-head-amd64
docker pull --platform linux/arm64 rancher/harvester-cluster-repo:${{ env.branch }}-head-arm64
docker buildx imagetools create -t rancher/harvester-cluster-repo:${{ env.branch }}-head \
rancher/harvester-cluster-repo:${{ env.branch }}-head-amd64 \
rancher/harvester-cluster-repo:${{ env.branch }}-head-arm64