diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b250453..44f9511 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -11,8 +11,6 @@ jobs:
 contents: read
 id-token: write
 runs-on: runs-on,runner=4cpu-linux-x64,run-id=${{ github.run_id }}
- outputs:
- digest: ${{ steps.digest.outputs.digest }}
 steps:
 - name: Check out code
 uses: actions/checkout@v4
@@ -20,6 +18,7 @@ jobs:
 - name: Set the ENV values
 id: get-Envs
 run: |
+ echo "$(make -s log | grep BUILDDIR)" >> "$GITHUB_ENV"
 echo "$(make -s log | grep TAG)" >> "$GITHUB_ENV"
 echo "$(make -s log | grep ARCH)" >> "$GITHUB_ENV"
 echo "$(make -s log | grep REGISTRY_IMAGE)" >> "$GITHUB_ENV"
@@ -59,19 +58,20 @@ jobs:
 prime-username: ${{ env.PRIME_REGISTRY_USERNAME }}
 prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }}
 
- - name: Digest
- id: digest
- run: |
- IMAGE_DIGEST=$(jq -r '.["containerimage.digest"]' /tmp/metadata.json)
- echo "digest=$IMAGE_DIGEST" >> "$GITHUB_OUTPUT"
+ - name: Upload metadata files
+ uses: actions/upload-artifact@v4
+ with:
+ name: metadata-files
+ path: ${{ env.BUILDDIR}}
+ if-no-files-found: error
+ retention-days: 1
+
 
 build-arm64-digest:
 permissions:
 contents: read
 id-token: write
 runs-on: runs-on,runner=4cpu-linux-arm64,run-id=${{ github.run_id }}
- outputs:
- digest: ${{ steps.digest.outputs.digest }}
 steps:
 - name: Check out code
 uses: actions/checkout@v4
@@ -79,6 +79,7 @@ jobs:
 - name: Set the ENV values
 id: get-Envs
 run: |
+ echo "$(make -s log | grep BUILDDIR)" >> "$GITHUB_ENV"
 echo "$(make -s log | grep TAG)" >> "$GITHUB_ENV"
 echo "$(make -s log | grep ARCH)" >> "$GITHUB_ENV"
 echo "$(make -s log | grep REGISTRY_IMAGE)" >> "$GITHUB_ENV"
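Review bot: Both build jobs upload under the same artifact name, `name: metadata-files`, here and in the arm64 job's hunk at `@@ -118`; actions/upload-artifact@v4 artifacts are immutable within a run, so the second job's upload is rejected (or, if `overwrite: true` were added, replaces the first job's file) and the merge job can end up with a single metadata file. Use a per-architecture name, `name: metadata-files-${{ env.ARCH }}` (ARCH is already written to `$GITHUB_ENV` by the `Set the ENV values` step), and in the merge job's `Download metadata dir` step (`@@ -139`) select them with `pattern: metadata-files-*` alongside `merge-multiple: true`, which also stops that step from pulling every artifact of the run into `BUILDDIR` unfiltered. The expression `${{ env.BUILDDIR}}` in both upload steps lacks the space before `}}` that the download step uses; it should evaluate the same, but the two should match.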
@@ -118,11 +119,13 @@ jobs:
 prime-username: ${{ env.PRIME_REGISTRY_USERNAME }}
 prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }}
 
- - name: Digest
- id: digest
- run: |
- IMAGE_DIGEST=$(jq -r '.["containerimage.digest"]' /tmp/metadata.json)
- echo "digest=$IMAGE_DIGEST" >> "$GITHUB_OUTPUT"
+ - name: Upload metadata files
+ uses: actions/upload-artifact@v4
+ with:
+ name: metadata-files
+ path: ${{ env.BUILDDIR}}
+ if-no-files-found: error
+ retention-days: 1
 
 merge:
 permissions:
@@ -139,8 +142,15 @@ jobs:
 - name: Set the ENV values
 id: get-Envs
 run: |
+ echo "$(make -s log | grep BUILDDIR)" >> "$GITHUB_ENV"
 echo "$(make -s log | grep REGISTRY_IMAGE)" >> "$GITHUB_ENV"
 
+ - name: Download metadata dir
+ uses: actions/download-artifact@v4
+ with:
+ path: ${{ env.BUILDDIR }}
+ merge-multiple: true
+
 - name: Docker meta
 id: meta
 uses: docker/metadata-action@v5
@@ -163,7 +173,6 @@ jobs:
 env:
 DOCKER_METADATA_OUTPUT_JSON: ${{ steps.meta.outputs.json }}
 REGISTRY_IMAGE: ${{ env.REGISTRY_IMAGE }}
- IMAGE_DIGESTS: ${{ needs.build-amd64-digest.outputs.digest }} ${{ needs.build-arm64-digest.outputs.digest }}
 with:
 make-target: manifest-push
 image: hardened-calico
diff --git a/Makefile b/Makefile
index eb9d711..276da97 100644
--- a/Makefile
+++ b/Makefile
@@ -1,5 +1,7 @@
 SEVERITIES = HIGH,CRITICAL
 
+BUILDDIR ?= $(CURDIR)/build
+
 UNAME_M = $(shell uname -m)
 ARCH=
 ifeq ($(UNAME_M), x86_64)
@@ -20,7 +22,6 @@ ifndef TARGET_PLATFORMS
 endif
 endif
 
-IMAGE_DIGESTS ?=
 IID_FILE_FLAG ?=
 IID_FILE_PATH := $(if $(IID_FILE_FLAG),$(word 2, $(IID_FILE_FLAG)))
 
@@ -34,15 +35,21 @@ TAG := v3.29.1$(BUILD_META)
 endif
 
 REPO ?= rancher
-REGISTRY_IMAGE = $(REPO)/hardened-calico
+IMAGE_NAME = hardened-calico
+REGISTRY_IMAGE = $(REPO)/$(IMAGE_NAME)
 IMAGE = $(REGISTRY_IMAGE):$(TAG)
 
+METADATA_FILE ?= $(BUILDDIR)/$(subst /,-,$(REGISTRY_IMAGE))-$(ARCH).metadata.json
+
 LABEL_ARGS = $(foreach label,$(META_LABELS),--label $(label))
 
 ifeq (,$(filter %$(BUILD_META),$(TAG)))
 $(error TAG $(TAG) needs to end with build metadata: $(BUILD_META))
 endif
 
+$(BUILDDIR):
+ mkdir $(BUILDDIR)
+
 buildx-machine:
 docker buildx inspect $(MACHINE) > /dev/null 2>&1 || \
 docker buildx create --name=$(MACHINE) --platform=linux/arm64,linux/amd64
@@ -60,9 +67,9 @@ image-build:
 .
 
 .PHONY: push-image
-push-image: buildx-machine
+push-image: $(BUILDDIR) | buildx-machine
 docker buildx build \
- --builder=$(MACHINE) \
+ --builder=$(MACHINE) \
 $(IID_FILE_FLAG) \
 --sbom=true \
 --attest type=provenance,mode=max \
@@ -72,12 +79,16 @@ push-image: buildx-machine
 --output type=image,name=$(REGISTRY_IMAGE),push-by-digest=true,name-canonical=true,push=true \
 $(LABEL_ARGS) \
 --push \
- --metadata-file /tmp/metadata.json \
+ --metadata-file $(METADATA_FILE) \
 .
 
 .PHONY: manifest-push
-manifest-push: buildx-machine
- docker buildx imagetools create --builder=$(MACHINE) -t $(IMAGE) -t $(REGISTRY_IMAGE):latest $(IMAGE_DIGESTS)
+manifest-push: $(BUILDDIR) | buildx-machine
+ docker buildx imagetools create \
+ --builder=$(MACHINE) \
+ -t $(IMAGE) -t $(REGISTRY_IMAGE):latest \
+ $$(jq -r '.["containerimage.digest"]' $(METADATA_FILE))
+
 ifneq ($(strip $(IID_FILE_PATH)),)
 docker buildx imagetools inspect --format "{{json .Manifest}}" $(IMAGE) | jq -r '.digest' > "$(IID_FILE_PATH)"
 endif
@@ -88,10 +99,12 @@ image-scan:
 
 PHONY: log
 log:
+ @echo "BUILDDIR=$(BUILDDIR)"
 @echo "ARCH=$(ARCH)"
 @echo "TAG=$(TAG:$(BUILD_META)=)"
 @echo "REPO=$(REPO)"
 @echo "REGISTRY_IMAGE=$(REGISTRY_IMAGE)"
+ @echo "METADATA_FILE=$(METADATA_FILE)"
 @echo "PKG=$(PKG)"
 @echo "SRC=$(SRC)"
 @echo "BUILD_META=$(BUILD_META)"
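Review bot: The new `$(BUILDDIR):` rule runs a bare `mkdir $(BUILDDIR)`, which fails when BUILDDIR is overridden to a path whose parent directory does not exist; `mkdir -p $(BUILDDIR)` handles that and is idempotent. As a point of style, a directory prerequisite is conventionally order-only so its changing mtime never makes a target look stale — `push-image: | $(BUILDDIR) buildx-machine` in `@@ -60` and likewise for `manifest-push` in `@@ -72` — although with both targets declared `.PHONY` the difference is cosmetic here. A one-line comment above the rule, `# per-arch image metadata files are written here; override with BUILDDIR=<path>`, would tell readers of the Makefile alone what the directory is for.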
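Review bot: `manifest-push` now assembles the manifest list from `$$(jq -r '.["containerimage.digest"]' $(METADATA_FILE))`, but `METADATA_FILE` defaults to one per-architecture file (`...-$(ARCH).metadata.json`, with ARCH derived from `uname -m` of the host running make), so unless the merge job overrides METADATA_FILE — nothing in this diff does — only the digest for the merge runner's own architecture is read and the other platform's image is left out of the manifest, where the removed `$(IMAGE_DIGESTS)` used to carry both. Read every metadata file the build jobs produced into BUILDDIR instead, e.g. `$$(jq -r '.["containerimage.digest"]' $(BUILDDIR)/$(subst /,-,$(REGISTRY_IMAGE))-*.metadata.json)`; jq prints one digest per line and the unquoted substitution word-splits them into separate arguments. Because those digests are taken straight from downloaded artifacts, a comment above the recipe saying the manifest is built from the per-arch metadata files written by `push-image` in the build jobs would make the expected provenance of the input explicit. The workflow counterparts are the `Download metadata dir` step at `@@ -139` and the removed `IMAGE_DIGESTS` env at `@@ -163`.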