Upload image metadata files using actions/upload-artifact

The output from the last run metadata job contains the digeset of the public container image, which causes the manifest-push to fail when run against the prime container image Signed-off-by: Michael Fritch <[email protected]>
mgfritch · Dec 11, 2024 · 5547758 · 5547758
1 parent 0d353ac
commit 5547758
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 22 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -11,15 +11,14 @@ jobs:
       contents: read
       id-token: write
     runs-on: runs-on,runner=4cpu-linux-x64,run-id=${{ github.run_id }}
-    outputs:
-      digest: ${{ steps.digest.outputs.digest }}
     steps:
     - name: Check out code
       uses: actions/checkout@v4
 
     - name: Set the ENV values
       id: get-Envs
       run: |
+        echo "$(make -s log | grep BUILDDIR)" >> "$GITHUB_ENV"
         echo "$(make -s log | grep TAG)" >> "$GITHUB_ENV"
         echo "$(make -s log | grep ARCH)" >> "$GITHUB_ENV"
         echo "$(make -s log | grep REGISTRY_IMAGE)" >> "$GITHUB_ENV"
@@ -59,26 +58,28 @@ jobs:
         prime-username: ${{ env.PRIME_REGISTRY_USERNAME }}
         prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }}
 
-    - name: Digest
-      id: digest
-      run: |
-        IMAGE_DIGEST=$(jq -r '.["containerimage.digest"]' /tmp/metadata.json)
-        echo "digest=$IMAGE_DIGEST" >> "$GITHUB_OUTPUT"
+    - name: Upload metadata files
+      uses: actions/upload-artifact@v4
+      with:
+        name: metadata-files
+        path: ${{ env.BUILDDIR}}
+        if-no-files-found: error
+        retention-days: 1
+
 
   build-arm64-digest:
     permissions:
       contents: read
       id-token: write
     runs-on: runs-on,runner=4cpu-linux-arm64,run-id=${{ github.run_id }}
-    outputs:
-      digest: ${{ steps.digest.outputs.digest }}
     steps:
     - name: Check out code
       uses: actions/checkout@v4
 
     - name: Set the ENV values
       id: get-Envs
       run: |
+        echo "$(make -s log | grep BUILDDIR)" >> "$GITHUB_ENV"
         echo "$(make -s log | grep TAG)" >> "$GITHUB_ENV"
         echo "$(make -s log | grep ARCH)" >> "$GITHUB_ENV"
         echo "$(make -s log | grep REGISTRY_IMAGE)" >> "$GITHUB_ENV"
@@ -118,11 +119,13 @@ jobs:
         prime-username: ${{ env.PRIME_REGISTRY_USERNAME }}
         prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }}
 
-    - name: Digest
-      id: digest
-      run: |
-        IMAGE_DIGEST=$(jq -r '.["containerimage.digest"]' /tmp/metadata.json)
-        echo "digest=$IMAGE_DIGEST" >> "$GITHUB_OUTPUT"
+    - name: Upload metadata files
+      uses: actions/upload-artifact@v4
+      with:
+        name: metadata-files
+        path: ${{ env.BUILDDIR}}
+        if-no-files-found: error
+        retention-days: 1
 
   merge:
     permissions:
@@ -139,8 +142,15 @@ jobs:
       - name: Set the ENV values
         id: get-Envs
         run: |
+          echo "$(make -s log | grep BUILDDIR)" >> "$GITHUB_ENV"
           echo "$(make -s log | grep REGISTRY_IMAGE)" >> "$GITHUB_ENV"
 
+      - name: Download metadata dir
+        uses: actions/download-artifact@v4
+        with:
+          path: ${{ env.BUILDDIR }}
+          merge-multiple: true
+
       - name: Docker meta
         id: meta
         uses: docker/metadata-action@v5
@@ -163,7 +173,6 @@ jobs:
         env: 
           DOCKER_METADATA_OUTPUT_JSON: ${{ steps.meta.outputs.json }}
           REGISTRY_IMAGE: ${{ env.REGISTRY_IMAGE }}
-          IMAGE_DIGESTS: ${{ needs.build-amd64-digest.outputs.digest }} ${{ needs.build-arm64-digest.outputs.digest }}
         with:
           make-target: manifest-push
           image: hardened-calico

diff --git a/Makefile b/Makefile
@@ -1,5 +1,7 @@
 SEVERITIES = HIGH,CRITICAL
 
+BUILDDIR ?= $(CURDIR)/build
+
 UNAME_M = $(shell uname -m)
 ARCH=
 ifeq ($(UNAME_M), x86_64)
@@ -20,7 +22,6 @@ ifndef TARGET_PLATFORMS
 	endif
 endif
 
-IMAGE_DIGESTS ?=
 IID_FILE_FLAG ?=
 IID_FILE_PATH := $(if $(IID_FILE_FLAG),$(word 2, $(IID_FILE_FLAG)))
 
@@ -34,15 +35,21 @@ TAG := v3.29.1$(BUILD_META)
 endif
 
 REPO ?= rancher
-REGISTRY_IMAGE = $(REPO)/hardened-calico
+IMAGE_NAME = hardened-calico
+REGISTRY_IMAGE = $(REPO)/$(IMAGE_NAME)
 IMAGE = $(REGISTRY_IMAGE):$(TAG)
 
+METADATA_FILE ?= $(BUILDDIR)/$(subst /,-,$(REGISTRY_IMAGE))-$(ARCH).metadata.json
+
 LABEL_ARGS = $(foreach label,$(META_LABELS),--label $(label))
 
 ifeq (,$(filter %$(BUILD_META),$(TAG)))
 $(error TAG $(TAG) needs to end with build metadata: $(BUILD_META))
 endif
 
+$(BUILDDIR):
+	mkdir $(BUILDDIR)
+
 buildx-machine:
 	docker buildx inspect $(MACHINE) > /dev/null 2>&1 || \
 		docker buildx create --name=$(MACHINE) --platform=linux/arm64,linux/amd64
@@ -60,9 +67,9 @@ image-build:
 		.
 
 .PHONY: push-image
-push-image: buildx-machine
+push-image: $(BUILDDIR) | buildx-machine
 	docker buildx build \
-	    --builder=$(MACHINE) \
+		--builder=$(MACHINE) \
 		$(IID_FILE_FLAG) \
 		--sbom=true \
 		--attest type=provenance,mode=max \
@@ -72,12 +79,16 @@ push-image: buildx-machine
 		--output type=image,name=$(REGISTRY_IMAGE),push-by-digest=true,name-canonical=true,push=true \
 		$(LABEL_ARGS) \
 		--push \
-		--metadata-file /tmp/metadata.json \
+		--metadata-file $(METADATA_FILE) \
 		.
 
 .PHONY: manifest-push
-manifest-push: buildx-machine
-	docker buildx imagetools create --builder=$(MACHINE) -t $(IMAGE) -t $(REGISTRY_IMAGE):latest $(IMAGE_DIGESTS)
+manifest-push: $(BUILDDIR) | buildx-machine
+	docker buildx imagetools create \
+		--builder=$(MACHINE) \
+		-t $(IMAGE) -t $(REGISTRY_IMAGE):latest \
+		$$(jq -r '.["containerimage.digest"]' $(METADATA_FILE))
+
 ifneq ($(strip $(IID_FILE_PATH)),)
 	docker buildx imagetools inspect --format "{{json .Manifest}}" $(IMAGE) | jq -r '.digest' > "$(IID_FILE_PATH)"
 endif
@@ -88,10 +99,12 @@ image-scan:
 
 PHONY: log
 log:
+	@echo "BUILDDIR=$(BUILDDIR)"
 	@echo "ARCH=$(ARCH)"
 	@echo "TAG=$(TAG:$(BUILD_META)=)"
 	@echo "REPO=$(REPO)"
 	@echo "REGISTRY_IMAGE=$(REGISTRY_IMAGE)"
+	@echo "METADATA_FILE=$(METADATA_FILE)"
 	@echo "PKG=$(PKG)"
 	@echo "SRC=$(SRC)"
 	@echo "BUILD_META=$(BUILD_META)"