Disable caching to avoid any possibility of cache poisoning (#658) #817
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Docker Image Builder | |
on: | |
workflow_dispatch: | |
schedule: | |
# Run once a week on Fridays | |
- cron: "0 0 * * FRI" | |
pull_request: | |
paths: | |
- '.github/workflows/build-docker-images.yml' | |
- 'runners/**' | |
- 'cryptography-linux/**' | |
push: | |
branches: | |
- main | |
paths: | |
- '.github/workflows/build-docker-images.yml' | |
- 'runners/**' | |
- 'cryptography-linux/**' | |
jobs: | |
build: | |
runs-on: ${{ matrix.IMAGE.RUNNER }} | |
timeout-minutes: 10 | |
permissions: | |
contents: read | |
packages: write | |
id-token: write | |
attestations: write | |
strategy: | |
fail-fast: false | |
matrix: | |
IMAGE: | |
- {TAG_NAME: "cryptography-runner-rhel8", DOCKERFILE_PATH: "runners/rhel", BUILD_ARGS: "RELEASE=redhat/ubi8", RUNNER: "ubuntu-latest"} | |
- {TAG_NAME: "cryptography-runner-rhel8-fips", DOCKERFILE_PATH: "runners/rhel", BUILD_ARGS: "FIPS=1\nRELEASE=redhat/ubi8", RUNNER: "ubuntu-latest"} | |
- {TAG_NAME: "cryptography-runner-centos-stream9", DOCKERFILE_PATH: "runners/rhel", BUILD_ARGS: "RELEASE=quay.io/centos/centos:stream9", RUNNER: "ubuntu-latest"} | |
- {TAG_NAME: "cryptography-runner-centos-stream9-fips", DOCKERFILE_PATH: "runners/rhel", BUILD_ARGS: "FIPS=1\nRELEASE=quay.io/centos/centos:stream9", RUNNER: "ubuntu-latest"} | |
- {TAG_NAME: "cryptography-runner-centos-stream10", DOCKERFILE_PATH: "runners/rhel", BUILD_ARGS: "RELEASE=quay.io/centos/centos:stream10", RUNNER: "ubuntu-latest"} | |
- {TAG_NAME: "cryptography-runner-centos-stream10-fips", DOCKERFILE_PATH: "runners/rhel", BUILD_ARGS: "FIPS=1\nRELEASE=quay.io/centos/centos:stream10", RUNNER: "ubuntu-latest"} | |
- {TAG_NAME: "cryptography-runner-fedora", DOCKERFILE_PATH: "runners/fedora", RUNNER: "ubuntu-latest"} | |
- {TAG_NAME: "cryptography-runner-alpine", DOCKERFILE_PATH: "runners/alpine", RUNNER: "ubuntu-latest"} | |
- {TAG_NAME: "cryptography-runner-bullseye", DOCKERFILE_PATH: "runners/debian", BUILD_ARGS: "RELEASE=bullseye", RUNNER: "ubuntu-latest"} | |
- {TAG_NAME: "cryptography-runner-bookworm", DOCKERFILE_PATH: "runners/debian", BUILD_ARGS: "RELEASE=bookworm", RUNNER: "ubuntu-latest"} | |
- {TAG_NAME: "cryptography-runner-trixie", DOCKERFILE_PATH: "runners/debian", BUILD_ARGS: "RELEASE=trixie", RUNNER: "ubuntu-latest"} | |
- {TAG_NAME: "cryptography-runner-sid", DOCKERFILE_PATH: "runners/debian", BUILD_ARGS: "RELEASE=sid", RUNNER: "ubuntu-latest"} | |
- {TAG_NAME: "cryptography-runner-ubuntu-focal", DOCKERFILE_PATH: "runners/ubuntu", BUILD_ARGS: "RELEASE=focal", RUNNER: "ubuntu-latest"} | |
- {TAG_NAME: "cryptography-runner-ubuntu-jammy", DOCKERFILE_PATH: "runners/ubuntu", BUILD_ARGS: "RELEASE=jammy", RUNNER: "ubuntu-latest"} | |
- {TAG_NAME: "cryptography-runner-ubuntu-noble", DOCKERFILE_PATH: "runners/ubuntu", BUILD_ARGS: "RELEASE=noble", RUNNER: "ubuntu-latest"} | |
- {TAG_NAME: "cryptography-runner-ubuntu-rolling", DOCKERFILE_PATH: "runners/ubuntu", BUILD_ARGS: "RELEASE=rolling", RUNNER: "ubuntu-latest"} | |
- {TAG_NAME: "cryptography-manylinux2014:x86_64", DOCKERFILE_PATH: "cryptography-linux", BUILD_ARGS: "PYCA_RELEASE=manylinux2014_x86_64", RUNNER: "ubuntu-latest"} | |
- {TAG_NAME: "cryptography-manylinux_2_28:x86_64", DOCKERFILE_PATH: "cryptography-linux", BUILD_ARGS: "PYCA_RELEASE=manylinux_2_28_x86_64", RUNNER: "ubuntu-latest"} | |
- {TAG_NAME: "cryptography-manylinux_2_34:x86_64", DOCKERFILE_PATH: "cryptography-linux", BUILD_ARGS: "PYCA_RELEASE=manylinux_2_34_x86_64", RUNNER: "ubuntu-latest"} | |
- {TAG_NAME: "cryptography-musllinux_1_1:x86_64", DOCKERFILE_PATH: "cryptography-linux", BUILD_ARGS: "PYCA_RELEASE=musllinux_1_1_x86_64", RUNNER: "ubuntu-latest"} | |
- {TAG_NAME: "cryptography-musllinux_1_2:x86_64", DOCKERFILE_PATH: "cryptography-linux", BUILD_ARGS: "PYCA_RELEASE=musllinux_1_2_x86_64", RUNNER: "ubuntu-latest"} | |
- {TAG_NAME: "cryptography-manylinux2014_aarch64", DOCKERFILE_PATH: "cryptography-linux", BUILD_ARGS: "PYCA_RELEASE=manylinux2014_aarch64", RUNNER: [self-hosted, Linux, ARM64]} | |
- {TAG_NAME: "cryptography-manylinux_2_28:aarch64", DOCKERFILE_PATH: "cryptography-linux", BUILD_ARGS: "PYCA_RELEASE=manylinux_2_28_aarch64", RUNNER: [self-hosted, Linux, ARM64]} | |
- {TAG_NAME: "cryptography-manylinux_2_34:aarch64", DOCKERFILE_PATH: "cryptography-linux", BUILD_ARGS: "PYCA_RELEASE=manylinux_2_34_aarch64", RUNNER: [self-hosted, Linux, ARM64]} | |
- {TAG_NAME: "cryptography-musllinux_1_1:aarch64", DOCKERFILE_PATH: "cryptography-linux", BUILD_ARGS: "PYCA_RELEASE=musllinux_1_1_aarch64", RUNNER: [self-hosted, Linux, ARM64]} | |
- {TAG_NAME: "cryptography-musllinux_1_2:aarch64", DOCKERFILE_PATH: "cryptography-linux", BUILD_ARGS: "PYCA_RELEASE=musllinux_1_2_aarch64", RUNNER: [self-hosted, Linux, ARM64]} | |
- {TAG_NAME: "cryptography-runner-ubuntu-rolling:aarch64", DOCKERFILE_PATH: "runners/ubuntu", BUILD_ARGS: "RELEASE=rolling", RUNNER: [self-hosted, Linux, ARM64]} | |
- {TAG_NAME: "cryptography-runner-alpine:aarch64", DOCKERFILE_PATH: "runners/alpine", RUNNER: [self-hosted, Linux, ARM64]} | |
name: "${{ matrix.IMAGE.TAG_NAME }}" | |
steps: | |
- uses: actions/[email protected] | |
with: | |
persist-credentials: false | |
- run: | | |
source ./staticnode/node-version.sh | |
arch=$(echo "${{ runner.arch }}" | tr '[:upper:]' '[:lower:]') | |
echo "NODE_ARCH_RELEASE=$arch:$NODE_VERSION" >> $GITHUB_ENV | |
# Pull the previous image, but if it fails return true anyway. | |
# Sometimes we add new docker images and if they've never been pushed | |
# they can't be pulled. | |
- name: Pull existing image | |
run: docker pull ghcr.io/pyca/${{ matrix.IMAGE.TAG_NAME }} || true | |
if: github.event_name != 'schedule' && github.event_name != 'workflow_dispatch' | |
- name: Get image name | |
id: image-name | |
run: | | |
ATTEST_IMAGE=$(echo "${{ matrix.IMAGE.TAG_NAME }}" | cut -d ':' -f 1) | |
echo "ATTEST_IMAGE=${ATTEST_IMAGE}" | tee -a "$GITHUB_OUTPUT" | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0 | |
with: | |
cache-binary: false | |
- name: Login to ghcr.io | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
if: (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && github.ref == 'refs/heads/main' | |
- name: Build (and push if main) docker image | |
uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0 | |
id: docker-build | |
with: | |
context: ${{ matrix.IMAGE.DOCKERFILE_PATH }} | |
cache-from: ghcr.io/pyca/${{ matrix.IMAGE.TAG_NAME }} | |
tags: ghcr.io/pyca/${{ matrix.IMAGE.TAG_NAME }} | |
pull: true | |
build-args: | | |
NODE_ARCH_RELEASE=${{ env.NODE_ARCH_RELEASE }} | |
${{ matrix.IMAGE.BUILD_ARGS }} | |
push: ${{ (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && github.ref == 'refs/heads/main' }} | |
- uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0 | |
with: | |
subject-name: "ghcr.io/pyca/${{ steps.image-name.outputs.ATTEST_IMAGE }}" | |
subject-digest: ${{ steps.docker-build.outputs.digest }} | |
push-to-registry: true | |
if: (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && github.ref == 'refs/heads/main' |