chore: disable fail-fast for concurrent jobs #255
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # NOTE refs | |
| # - https://github.blog/changelog/2020-04-15-github-actions-new-workflow-features/#new-fromjson-method-in-expressions | |
| # - https://stackoverflow.com/questions/59977364/github-actions-how-use-strategy-matrix-with-script | |
| name: build | |
| on: | |
| push: | |
| paths: | |
| - .github/workflows/build.yml | |
| - "images/**" | |
| - config.yaml | |
| schedule: | |
| - cron: "0 0 * * MON" | |
| workflow_dispatch: {} | |
| permissions: | |
| id-token: write | |
| packages: write | |
| contents: write | |
| concurrency: | |
| group: ${{ github.run_id }} | |
| cancel-in-progress: false | |
| jobs: | |
| prepare: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| matrix-docker: ${{ steps.set.outputs.matrix-docker }} | |
| matrix-apko: ${{ steps.set.outputs.matrix-apko }} | |
| steps: | |
| - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 | |
| - uses: GeoNet/yq@bbe305500687a5fe8498d74883c17f0f06431ac4 # master | |
| - id: set | |
| run: | | |
| echo "matrix-docker=$(jq -rMc '.build[] | select(.source | contains("Dockerfile")) | . as $config | .destination | capture("(?<registry>.*)/(?<imageName>.*):(?<tag>.*)") | . as $imgSplit | $config | .source | capture("(?<context>.*)/Dockerfile") | . as $context | $config + $imgSplit + $context' -r -c <<< "$(yq e . -o json config.yaml)" | jq -rcsM '{"include":.}')" >> $GITHUB_OUTPUT | |
| echo "matrix-apko=$(jq -rMc '.build[] | select(.source | contains("image.yaml"))' -r -c <<< "$(yq e . -o json config.yaml)" | jq -rcsM '{"include":.}')" >> $GITHUB_OUTPUT | |
| - name: check output | |
| run: | | |
| jq . <<< '${{ steps.set.outputs.matrix-docker }}' | |
| jq . <<< '${{ steps.set.outputs.matrix-apko }}' | |
| build-docker: | |
| needs: prepare | |
| if: fromJSON(needs.prepare.outputs.matrix-docker) != null | |
| strategy: | |
| fail-fast: false | |
| matrix: ${{ fromJSON(needs.prepare.outputs.matrix-docker) }} | |
| uses: GeoNet/Actions/.github/workflows/reusable-docker-build.yml@main | |
| with: | |
| context: ${{ fromJSON(toJSON(matrix)).context }} | |
| dockerfile: ${{ fromJSON(toJSON(matrix)).source }} | |
| imageName: ${{ fromJSON(toJSON(matrix)).imageName }} | |
| tags: ${{ fromJSON(toJSON(matrix)).tag }} | |
| platforms: linux/amd64 | |
| push: ${{ github.ref == 'refs/heads/main' }} | |
| build-apko: | |
| needs: prepare | |
| if: fromJSON(needs.prepare.outputs.matrix-apko) != null | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: ${{ fromJSON(needs.prepare.outputs.matrix-apko) }} | |
| steps: | |
| - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 | |
| - uses: GeoNet/yq@bbe305500687a5fe8498d74883c17f0f06431ac4 # master | |
| - uses: GeoNet/chainguard-dev-actions/setup-melange@c1773c35e73af78f72f606c002e9819cd737984d # main | |
| if: ${{ fromJSON(toJSON(matrix)).melangeConfigs != null }} | |
| - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 | |
| - uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2 | |
| - uses: GeoNet/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c # main | |
| # apko + Melange build | |
| - name: melange generate snapshot date | |
| id: snapshot-date | |
| run: | | |
| echo name=date::$(date -u +%Y%m%d) >> $GITHUB_OUTPUT | |
| echo name=epoch::$(date -u +%s) >> $GITHUB_OUTPUT | |
| shell: bash | |
| - uses: GeoNet/chainguard-dev-actions/melange-keygen@c1773c35e73af78f72f606c002e9819cd737984d # main | |
| name: melange generate signing keypair | |
| if: ${{ fromJSON(toJSON(matrix)).melangeConfigs != null }} | |
| with: | |
| signing-key-path: ${{ github.workspace }}/melange.rsa | |
| - id: apko-options | |
| env: | |
| DESTINATION: ${{ fromJSON(toJSON(matrix)).destination }} | |
| REF: ${{ github.ref }} | |
| run: | | |
| TAG="$DESTINATION" | |
| if [ ! "$REF" = "refs/heads/main" ]; then | |
| TAG="${DESTINATION//ghcr.io\/geonet/localhost}" | |
| fi | |
| echo "tag=$TAG" >> $GITHUB_OUTPUT | |
| - uses: GeoNet/chainguard-dev-actions/melange-build-pkg@c1773c35e73af78f72f606c002e9819cd737984d # main | |
| name: melange apk build | |
| if: ${{ fromJSON(toJSON(matrix)).melangeConfigs != null }} | |
| with: | |
| multi-config: ${{ join(fromJSON(toJSON(matrix)).melangeConfigs, ',') }} | |
| signing-key-path: ${{ github.workspace }}/melange.rsa | |
| sign-with-key: true | |
| empty-workspace: true | |
| - uses: GeoNet/chainguard-images-actions/apko-publish@cfc56ba1a26d410474fe453d9c9a865fdd422fa7 # main | |
| id: build-with-signing-key | |
| name: apko build-with-signing-key | |
| if: ${{ fromJSON(toJSON(matrix)).melangeConfigs != null && github.ref == 'refs/heads/main' }} | |
| with: | |
| tag: ${{ fromJSON(toJSON(matrix)).destination }} | |
| config: ${{ fromJSON(toJSON(matrix)).source }} | |
| source-date-epoch: ${{ steps.snapshot-date.outputs.epoch }} | |
| keyring-append: ${{ github.workspace }}/melange.rsa.pub | |
| - uses: GeoNet/chainguard-images-actions/apko-build@cfc56ba1a26d410474fe453d9c9a865fdd422fa7 # main | |
| id: build-with-signing-key-local | |
| name: apko build-with-signing-key local | |
| if: ${{ fromJSON(toJSON(matrix)).melangeConfigs != null && github.ref != 'refs/heads/main' }} | |
| with: | |
| tag: ${{ steps.apko-options.outputs.tag }} | |
| config: ${{ fromJSON(toJSON(matrix)).source }} | |
| source-date-epoch: ${{ steps.snapshot-date.outputs.epoch }} | |
| keyring-append: ${{ github.workspace }}/melange.rsa.pub | |
| # TODO fix temp hack to conditionally pass keyring-append to apko | |
| - uses: GeoNet/chainguard-images-actions/apko-publish@cfc56ba1a26d410474fe453d9c9a865fdd422fa7 # main | |
| if: ${{ fromJSON(toJSON(matrix)).melangeConfigs == null && github.ref == 'refs/heads/main' }} | |
| id: build | |
| name: apko build | |
| with: | |
| tag: ${{ fromJSON(toJSON(matrix)).destination }} | |
| config: ${{ fromJSON(toJSON(matrix)).source }} | |
| source-date-epoch: ${{ steps.snapshot-date.outputs.epoch }} | |
| - uses: GeoNet/chainguard-images-actions/apko-build@cfc56ba1a26d410474fe453d9c9a865fdd422fa7 # main | |
| if: ${{ fromJSON(toJSON(matrix)).melangeConfigs == null && github.ref != 'refs/heads/main' }} | |
| id: build-local | |
| name: apko build local | |
| with: | |
| tag: ${{ steps.apko-options.outputs.tag }} | |
| config: ${{ fromJSON(toJSON(matrix)).source }} | |
| source-date-epoch: ${{ steps.snapshot-date.outputs.epoch }} | |
| - name: crane get-digests | |
| id: get-digests | |
| if: ${{ github.ref == 'refs/heads/main' }} | |
| env: | |
| DESTINATION: ${{ fromJSON(toJSON(matrix)).destination }} | |
| run: | | |
| DESTINATION_DIGEST="$(crane digest "${DESTINATION}" || true)" | |
| ( | |
| echo "DESTINATION_DIGEST" | |
| echo "${DESTINATION_DIGEST}" | |
| ) | column -t | |
| echo "destination=${DESTINATION_DIGEST}" >> $GITHUB_OUTPUT | |
| - name: cosign sign image with a key | |
| if: ${{ github.ref == 'refs/heads/main' }} | |
| env: | |
| COSIGN_YES: "true" | |
| run: | | |
| cosign sign ${{ fromJSON(toJSON(matrix)).destination }}@${{ steps.get-digests.outputs.destination }} -y | |
| - uses: anchore/sbom-action@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3 | |
| name: sbom generate | |
| if: ${{ steps.determine-type.outputs.typeIsDocker == 'true' && github.ref == 'refs/heads/main' }} | |
| with: | |
| image: ${{ fromJSON(toJSON(matrix)).destination }}@${{ steps.get-digests.outputs.destination }} | |
| artifact-name: sbom-spdx.json | |
| output-file: /tmp/sbom-spdx.json | |
| - name: cosign download unsigned sbom | |
| if: ${{ steps.determine-type.outputs.typeIsDocker != 'true' && github.ref == 'refs/heads/main' }} | |
| run: | | |
| cosign download sbom ${{ fromJSON(toJSON(matrix)).destination }}@${{ steps.get-digests.outputs.destination }} > /tmp/sbom-spdx.json | |
| - name: cosign publish sbom blob as blob | |
| if: ${{ github.ref == 'refs/heads/main' }} | |
| env: | |
| COSIGN_YES: "true" | |
| run: | | |
| cosign attest --predicate /tmp/sbom-spdx.json ${{ fromJSON(toJSON(matrix)).destination }}@${{ steps.get-digests.outputs.destination }} -y |