Skip to content

Commit

Permalink
fix: Fix docker login for oauth logins
Browse files Browse the repository at this point in the history
  • Loading branch information
gmpinder committed Sep 11, 2024
1 parent 1177a6d commit 26c2460
Show file tree
Hide file tree
Showing 3 changed files with 159 additions and 43 deletions.
71 changes: 71 additions & 0 deletions .github/workflows/build-pr.yml
Original file line number Diff line number Diff line change
Expand Up @@ -313,6 +313,77 @@ jobs:
grep -q 'ARG IMAGE_REGISTRY=ghcr.io/blue-build' Containerfile || exit 1
bluebuild build --retry-push -S sigstore --push -vv recipes/recipe.yml recipes/recipe-39.yml
docker-build-oauth-login:
timeout-minutes: 60
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write
needs:
- build
if: needs.build.outputs.push == 'true'

steps:
- name: Google Auth
id: auth
uses: "google-github-actions/auth@v2"
with:
token_format: "access_token"
service_account: ${{ secrets.SERVICE_ACCOUNT }}
project_id: bluebuild-oidc
create_credentials_file: false
workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY }}

- name: Maximize build space
uses: ublue-os/remove-unwanted-software@v6

- uses: sigstore/[email protected]

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
install: true

- uses: actions-rust-lang/setup-rust-toolchain@v1

- name: Docker Auth
id: docker-auth
uses: "docker/login-action@v3"
with:
username: "oauth2accesstoken"
password: "${{ steps.auth.outputs.access_token }}"
registry: us-east1-docker.pkg.dev

- uses: actions/checkout@v4
with:
fetch-depth: 0
ref: ${{github.event.pull_request.head.ref}}
repository: ${{github.event.pull_request.head.repo.full_name}}

- name: Install bluebuild
run: |
cargo install --path . --debug --all-features
- name: Expose GitHub Runtime
uses: crazy-max/ghaction-github-runtime@v3

- name: Run Build
env:
GH_PR_EVENT_NUMBER: ${{ github.event.number }}
COSIGN_PRIVATE_KEY: ${{ secrets.TEST_SIGNING_SECRET }}
BB_BUILDKIT_CACHE_GHA: true
run: |
cd integration-tests/test-repo
bluebuild template -vv | tee Containerfile
bluebuild build \
--registry us-east1-docker.pkg.dev \
--registry-namespace bluebuild-oidc/bluebuild \
--retry-push \
--push \
-vv \
recipes/recipe.yml recipes/recipe-39.yml
podman-build:
timeout-minutes: 60
runs-on: ubuntu-latest
Expand Down
69 changes: 69 additions & 0 deletions .github/workflows/build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -311,6 +311,75 @@ jobs:
grep -q 'ARG IMAGE_REGISTRY=ghcr.io/blue-build' Containerfile || exit 1
bluebuild build --retry-push -S sigstore --push -vv recipes/recipe.yml recipes/recipe-39.yml
docker-build-oauth-login:
timeout-minutes: 60
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write
needs:
- build
if: github.repository == 'blue-build/cli'

steps:
- name: Google Auth
id: auth
uses: "google-github-actions/auth@v2"
with:
token_format: "access_token"
service_account: ${{ secrets.SERVICE_ACCOUNT }}
project_id: bluebuild-oidc
create_credentials_file: false
workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY }}

- name: Maximize build space
uses: ublue-os/remove-unwanted-software@v6

- uses: sigstore/[email protected]

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
install: true

- uses: actions-rust-lang/setup-rust-toolchain@v1

- name: Docker Auth
id: docker-auth
uses: "docker/login-action@v3"
with:
username: "oauth2accesstoken"
password: "${{ steps.auth.outputs.access_token }}"
registry: us-east1-docker.pkg.dev

- uses: actions/checkout@v4
with:
ref: main

- name: Install bluebuild
run: |
cargo install --path . --debug --all-features
- name: Expose GitHub Runtime
uses: crazy-max/ghaction-github-runtime@v3

- name: Run Build
env:
GH_PR_EVENT_NUMBER: ${{ github.event.number }}
COSIGN_PRIVATE_KEY: ${{ secrets.TEST_SIGNING_SECRET }}
BB_BUILDKIT_CACHE_GHA: true
run: |
cd integration-tests/test-repo
bluebuild template -vv | tee Containerfile
bluebuild build \
--registry us-east1-docker.pkg.dev \
--registry-namespace bluebuild-oidc/bluebuild \
--retry-push \
--push \
-vv \
recipes/recipe.yml recipes/recipe-39.yml
podman-build:
timeout-minutes: 60
runs-on: ubuntu-latest
Expand Down
62 changes: 19 additions & 43 deletions utils/src/credentials.rs
Original file line number Diff line number Diff line change
Expand Up @@ -55,58 +55,34 @@ static ENV_CREDENTIALS: LazyLock<Option<Credentials>> = LazyLock::new(|| {
env::var(CI_REGISTRY).ok(),
env::var(GITHUB_ACTIONS).ok(),
) {
(Some(registry), _, _) if !registry.is_empty() => registry,
(None, Some(ci_registry), None) if !ci_registry.is_empty() => ci_registry,
(None, None, Some(_)) => string!("ghcr.io"),
(Some(registry), _, _) | (_, Some(registry), _) if !registry.is_empty() => registry,
(_, _, Some(_)) => string!("ghcr.io"),
_ => return None,
};
trace!("Registry: {registry:?}");

let docker_creds = docker_credential::get_credential(&registry).ok();
let podman_creds = docker_credential::get_podman_credential(&registry).ok();

let username = match (
username,
env::var(CI_REGISTRY_USER).ok(),
env::var(GITHUB_ACTOR).ok(),
&docker_creds,
&podman_creds,
) {
(Some(username), _, _, _, _) if !username.is_empty() => username,
(_, _, _, Some(DockerCredential::UsernamePassword(username, _)), _)
| (_, _, _, _, Some(DockerCredential::UsernamePassword(username, _)))
if !username.is_empty() =>
{
username.clone()
}
(None, Some(ci_registry_user), None, _, _) if !ci_registry_user.is_empty() => {
ci_registry_user
}
(None, None, Some(github_actor), _, _) if !github_actor.is_empty() => github_actor,
_ => return None,
};
trace!("Username: {username:?}");

let password = match (
password,
env::var(CI_REGISTRY_PASSWORD).ok(),
env::var(GITHUB_TOKEN).ok(),
&docker_creds,
&podman_creds,
let (username, password) = match (
(username, password),
docker_credential::get_credential(&registry).ok(),
docker_credential::get_podman_credential(&registry).ok(),
(
env::var(CI_REGISTRY_USER).ok(),
env::var(CI_REGISTRY_PASSWORD).ok(),
),
(env::var(GITHUB_ACTOR).ok(), env::var(GITHUB_TOKEN).ok()),
) {
(Some(password), _, _, _, _) if !password.is_empty() => password,
(_, _, _, Some(DockerCredential::UsernamePassword(_, password)), _)
| (_, _, _, _, Some(DockerCredential::UsernamePassword(_, password)))
if !password.is_empty() =>
((Some(username), Some(password)), _, _, _, _)
| (_, Some(DockerCredential::UsernamePassword(username, password)), _, _, _)
| (_, _, Some(DockerCredential::UsernamePassword(username, password)), _, _)
| (_, _, _, (Some(username), Some(password)), _)
| (_, _, _, _, (Some(username), Some(password)))
if !username.is_empty() && !password.is_empty() =>
{
password.clone()
}
(None, Some(ci_registry_password), None, _, _) if !ci_registry_password.is_empty() => {
ci_registry_password
(username, password)
}
(None, None, Some(registry_token), _, _) if !registry_token.is_empty() => registry_token,
_ => return None,
};
trace!("Username: {username}");

Some(
Credentials::builder()
Expand Down

0 comments on commit 26c2460

Please sign in to comment.