feat: Sign Atlantis containers before release (bonus points: speed up x86 builds) #7427
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: atlantis-image | |
on: | |
push: | |
branches: | |
- 'main' | |
- 'release-**' | |
tags: | |
- v*.*.* | |
pull_request: | |
branches: | |
- 'main' | |
- 'release-**' | |
types: | |
- opened | |
- reopened | |
- synchronize | |
- ready_for_review | |
workflow_dispatch: | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} | |
cancel-in-progress: true | |
jobs: | |
changes: | |
outputs: | |
should-run-build: ${{ steps.changes.outputs.src == 'true' || startsWith(github.ref, 'refs/tags/') }} | |
if: github.event.pull_request.draft == false | |
runs-on: ubuntu-24.04 | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
- uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3 | |
id: changes | |
with: | |
filters: | | |
src: | |
- 'Dockerfile' | |
- 'docker-entrypoint.sh' | |
- '.github/workflows/atlantis-image.yml' | |
- '**.go' | |
- 'go.*' | |
build: | |
needs: [changes] | |
if: needs.changes.outputs.should-run-build == 'true' | |
name: Build Image | |
permissions: | |
contents: read | |
id-token: write | |
packages: write | |
attestations: write | |
strategy: | |
matrix: | |
image_type: [alpine, debian] | |
platform: [linux/arm64/v8, linux/amd64, linux/arm/v7] | |
runs-on: ubuntu-24.04 | |
env: | |
# Set docker repo to either the fork or the main repo where the branch exists | |
DOCKER_REPO: ghcr.io/${{ github.repository }} | |
# Push if not a pull request and references the main branch | |
PUSH: ${{ github.event_name != 'pull_request' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/')) }} | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
# Lint the Dockerfile first before setting anything up | |
- name: Lint Dockerfile | |
uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0 | |
with: | |
dockerfile: "Dockerfile" | |
- name: Set up Go | |
uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 | |
with: | |
go-version-file: "go.mod" | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3 | |
with: | |
image: tonistiigi/binfmt:latest | |
platforms: arm64,arm | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3 | |
# https://github.com/docker/build-push-action/issues/761#issuecomment-1575006515 | |
with: | |
driver-opts: | | |
image=moby/buildkit:v0.14.0 | |
- name: "Install cosign" | |
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 | |
if: env.PUSH == 'true' && github.event_name != 'pull_request' | |
# release version is the name of the tag i.e. v0.10.0 | |
# release version also has the image type appended i.e. v0.10.0-alpine | |
# release tag is either pre-release or latest i.e. latest | |
# release tag also has the image type appended i.e. latest-alpine | |
# if it's v0.10.0 and alpine, it will do v0.10.0, v0.10.0-alpine, latest, latest-alpine | |
# if it's v0.10.0 and debian, it will do v0.10.0-debian, latest-debian | |
- name: Docker meta | |
id: meta | |
uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5 | |
env: | |
SUFFIX: ${{ format('-{0}', matrix.image_type) }} | |
with: | |
images: | | |
${{ env.DOCKER_REPO }} | |
labels: | | |
org.opencontainers.image.authors="@runatlantis Github Org" | |
org.opencontainers.image.licenses=Apache-2.0 | |
tags: | | |
# semver | |
type=semver,pattern={{version}},prefix=v,suffix=${{ env.SUFFIX }} | |
type=semver,pattern={{version}},prefix=v,enable=${{ matrix.image_type == 'alpine' }} | |
type=semver,pattern={{major}}.{{minor}},prefix=v,suffix=${{ env.SUFFIX }} | |
# dev | |
type=raw,event=push,value=dev,enable={{is_default_branch}},suffix=${{ env.SUFFIX }} | |
type=raw,event=push,value=dev,enable={{is_default_branch}},suffix=${{ env.SUFFIX }}-{{ sha }} | |
type=raw,event=push,value=dev,enable=${{ github.ref == format('refs/heads/{0}', 'main') && matrix.image_type == 'alpine' }},suffix= | |
# prerelease | |
type=raw,event=tag,value=prerelease-latest,enable=${{ startsWith(github.ref, 'refs/tags/') && contains(github.ref, 'pre') && matrix.image_type == 'alpine' }},suffix= | |
type=raw,event=tag,value=prerelease-latest,enable=${{ startsWith(github.ref, 'refs/tags/') && contains(github.ref, 'pre') }},suffix=${{ env.SUFFIX }} | |
# latest | |
type=raw,event=tag,value=latest,enable=${{ startsWith(github.ref, 'refs/tags/') && !contains(github.ref, 'pre') && matrix.image_type == 'alpine' }},suffix= | |
type=raw,event=tag,value=latest,enable=${{ startsWith(github.ref, 'refs/tags/') && !contains(github.ref, 'pre') }},suffix=${{ env.SUFFIX }} | |
# pr | |
type=ref,event=pr,suffix=${{ env.SUFFIX }} | |
flavor: | | |
# This is disabled here so we can use the raw form above | |
latest=false | |
# Suffix is not used here since there's no way to disable it above | |
- name: Login to Packages Container registry | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
# Publish release to container registry | |
- name: Populate release version | |
if: contains(fromJson('["push", "pull_request"]'), github.event_name) | |
run: echo "RELEASE_VERSION=${{ startsWith(github.ref, 'refs/tags/') && '${GITHUB_REF#refs/*/}' || 'dev' }}" >> $GITHUB_ENV | |
- name: "Build ${{ env.PUSH == 'true' && 'and push' || '' }} ${{ env.DOCKER_REPO }} image" | |
id: build | |
if: contains(fromJson('["push", "pull_request"]'), github.event_name) | |
uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6 | |
with: | |
cache-from: type=gha | |
cache-to: type=gha,mode=max | |
context: . | |
build-args: | | |
ATLANTIS_BASE_TAG_TYPE=${{ matrix.image_type }} | |
ATLANTIS_VERSION=${{ env.RELEASE_VERSION }} | |
ATLANTIS_COMMIT=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} | |
ATLANTIS_DATE=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} | |
platforms: ${{ matrix.platform }} | |
push: ${{ env.PUSH }} | |
tags: ${{ steps.meta.outputs.tags }} | |
target: ${{ matrix.image_type }} | |
labels: ${{ steps.meta.outputs.labels }} | |
outputs: type=image,name=target,annotation-index.org.opencontainers.image.description=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.description'] }} | |
- name: "Create Image Attestation" | |
if: env.PUSH == 'true' && github.event_name != 'pull_request' | |
uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0 | |
with: | |
subject-digest: ${{ steps.build.outputs.digest }} | |
subject-name: ghcr.io/${{ github.repository }} | |
push-to-registry: true | |
- name: "Sign images with environment annotations" | |
# no key needed, we're using the GitHub OIDC flow | |
# Only run on alpine/amd64 build to avoid signing multiple times | |
if: env.PUSH == 'true' && github.event_name != 'pull_request' && matrix.image_type == 'alpine' && matrix.platform == 'linux/amd64' | |
run: | | |
# Sign dev tags, version tags, and latest tags | |
echo "${TAGS}" | xargs -I {} cosign sign \ | |
--yes \ | |
--recursive=true \ | |
-a actor=${{ github.actor}} \ | |
-a ref_name=${{ github.ref_name}} \ | |
-a ref=${{ github.sha }} \ | |
{}@${DIGEST} | |
env: | |
TAGS: ${{ steps.meta.outputs.tags }} | |
DIGEST: ${{ steps.build.outputs.digest }} | |
test: | |
needs: [changes] | |
if: needs.changes.outputs.should-run-build == 'true' | |
name: Test Image With Goss | |
runs-on: ubuntu-24.04 | |
strategy: | |
matrix: | |
image_type: [alpine, debian] | |
platform: [linux/arm64/v8, linux/amd64, linux/arm/v7] | |
env: | |
# Set docker repo to either the fork or the main repo where the branch exists | |
DOCKER_REPO: ghcr.io/${{ github.repository }} | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3 | |
# https://github.com/docker/build-push-action/issues/761#issuecomment-1575006515 | |
with: | |
driver-opts: | | |
image=moby/buildkit:v0.14.0 | |
- name: "Build and load into Docker" | |
if: contains(fromJson('["push", "pull_request"]'), github.event_name) | |
uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6 | |
with: | |
cache-from: type=gha | |
cache-to: type=gha,mode=max | |
context: . | |
build-args: | | |
ATLANTIS_BASE_TAG_TYPE=${{ matrix.image_type }} | |
push: false | |
load: true | |
tags: "${{ env.DOCKER_REPO }}:goss-test" | |
target: ${{ matrix.image_type }} | |
- name: "Setup Goss" | |
uses: e1himself/goss-installation-action@fbb6fb55d3e59c96045b2500eeb8ce0995d99ac1 # v1.2.1 | |
with: | |
version: "v0.4.7" | |
- name: Execute Goss tests | |
run: | | |
dgoss run --rm ${{ env.DOCKER_REPO }}:goss-test bash -c 'while true; do sleep 1; done;' | |
skip-build: | |
needs: [changes] | |
if: needs.changes.outputs.should-run-build == 'false' | |
name: Build Image | |
strategy: | |
matrix: | |
image_type: [alpine, debian] | |
runs-on: ubuntu-24.04 | |
steps: | |
- run: 'echo "No build required"' | |