WIP

.github/workflows/pipeline.yaml

@@ -63,6 +63,8 @@ env:
   HELM_VERSION: 3.16.2
   # https://github.com/oras-project/oras/releases
   ORAS_VERSION: 1.2.0
+  # https://github.com/docker/buildx/releases
+  BUILDX_VERSION: 0.17.1
   # https://github.com/hadolint/hadolint/releases
   HADOLINT_VERSION: 2.12.0
   # https://learn.microsoft.com/en-us/visualstudio/releases/2022/release-history#fixed-version-bootstrappers
@@ -340,6 +342,17 @@ jobs:
         with:
           platforms: ${{ matrix.arch }}
 
+      # Required for "docker build" command
+      - name: Setup Docker Buildx
+        id: build-driver
+        uses: docker/[email protected]
+        with:
+          version: v${{ env.BUILDX_VERSION }}
+          driver-opts: |
+            env.BUILDKIT_AZURE_STORAGE_ACCOUNT_URL=https://${{ secrets.BUILDKIT_AZURE_STORAGE_ACCOUNT_NAME }}.blob.core.windows.net
+            env.BUILDKIT_AZURE_STORAGE_CONTAINER=${{ env.BUILDKIT_AZURE_STORAGE_CONTAINER }}
+            image=moby/buildkit:v${{ env.BUILDKIT_VERSION }}
+
       # Required for running "npx" CLI
       - name: Setup Node
         uses: actions/[email protected]
@@ -354,17 +367,30 @@ jobs:
         with:
           cosign-release: v${{ env.COSIGN_VERSION }}
 
-      # Required for buildx cache
-      - name: Setup Azure CLI
-        run: curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
+      - uses: actions/github-script@v7
+        id: id-token
+        with:
+          script: |
+            const token = await core.getIDToken("api://AzureADTokenExchange");
+            core.setSecret(token);
+            core.setOutput('token', token);
 
       # Required for buildx cache
-      - name: Login to Azure
-        uses: azure/[email protected]
-        with:
-          client-id: ${{ secrets.AZURE_CLIENT_ID }}
-          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+      - name: Setup Azure CLI and login
+        run: |
+          docker exec -it ${{ steps.build-driver.outputs.name }} bash \
+            curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash \
+            && az login --federated-token ${{ steps.id-token.outputs.token }} \
+            && az account set --subscription ${{ secrets.AZURE_SUBSCRIPTION_ID }} \
+            && az account show
+
+      # # Required for buildx cache
+      # - name: Login to Azure
+      #   uses: azure/[email protected]
+      #   with:
+      #     client-id: ${{ secrets.AZURE_CLIENT_ID }}
+      #     subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+      #     tenant-id: ${{ secrets.AZURE_TENANT_ID }}
 
       - name: Login to registry - GitHub
         uses: docker/[email protected]
@@ -442,9 +468,9 @@ jobs:
             TINI_VERSION=${{ env.TINI_VERSION }}
             YQ_VERSION=${{ env.YQ_VERSION }}
           cache-from: |
-            type=azblob,account_url=https://${{ secrets.BUILDKIT_AZURE_STORAGE_ACCOUNT_NAME }}.blob.core.windows.net,container=${{ env.BUILDKIT_AZURE_STORAGE_CONTAINER }},name=${{ matrix.os }}-${{ github.ref_name }}
-            type=azblob,account_url=https://${{ secrets.BUILDKIT_AZURE_STORAGE_ACCOUNT_NAME }}.blob.core.windows.net,container=${{ env.BUILDKIT_AZURE_STORAGE_CONTAINER }},name=${{ matrix.os }}-${{ github.sha }}
-          cache-to: type=azblob,account_url=https://${{ secrets.BUILDKIT_AZURE_STORAGE_ACCOUNT_NAME }}.blob.core.windows.net,container=${{ env.BUILDKIT_AZURE_STORAGE_CONTAINER }},mode=max,name=${{ matrix.os }}-${{ github.ref_name }};${{ matrix.os }}-${{ github.sha }}
+            type=azblob,name=${{ matrix.os }}-${{ github.ref_name }}
+            type=azblob,name=${{ matrix.os }}-${{ github.sha }}
+          cache-to: type=azblob,mode=max,name=${{ matrix.os }}-${{ github.ref_name }};${{ matrix.os }}-${{ github.sha }}
           context: src/docker
           file: src/docker/Dockerfile-${{ matrix.os }}
           labels: ${{ steps.meta.outputs.labels }}