feat: add new ansible build matrix #49
name: Build docker images | |
on: | |
push: | |
# TODO Enable schedule | |
#schedule: | |
# At 00:00 every Sunday | |
#- cron: 0 0 * * 0 | |
concurrency: | |
group: docker-${{ github.ref }} | |
cancel-in-progress: true | |
jobs: | |
matrix: | |
name: Compute build matrix from pypi API | |
runs-on: ubuntu-latest | |
outputs: | |
matrix: ${{ steps.matrix.outputs.matrix }} | |
steps: | |
- name: Check out the repo | |
uses: actions/checkout@v4 | |
- uses: actions/setup-go@v5 | |
with: | |
go-version-file: './build-matrix/go.mod' | |
cache-dependency-path: './build-matrix/go.mod' | |
- name: Run matrix generator tests | |
working-directory: build-matrix | |
run: go test ./ | |
# TODO Remove the fake matrix | |
- id: matrix | |
working-directory: build-matrix | |
run: | | |
MATRIX=$(go run ./) | |
echo ${MATRIX} | jq | |
echo 'matrix=[{"ansible":"10.2","additional_tags":["10"]},{"ansible":"10.1","additional_tags":[]}]' >> $GITHUB_OUTPUT | |
#echo "matrix=${MATRIX}" >> $GITHUB_OUTPUT | |
build: | |
needs: [ matrix ] | |
runs-on: ubuntu-latest | |
name: Build ansible ${{ matrix.versions.ansible }}-${{ matrix.target }}/${{ matrix.platform }} | |
permissions: | |
packages: write | |
contents: read | |
strategy: | |
fail-fast: false | |
matrix: | |
target: | |
- base | |
- aws | |
- gcp | |
platform: | |
- linux/amd64 | |
- linux/arm64 | |
versions: ${{ fromJson(needs.matrix.outputs.matrix) }} | |
steps: | |
- name: Check out the repo | |
uses: actions/checkout@v4 | |
- name: Prepare | |
run: | | |
platform=${{ matrix.platform }} | |
echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV | |
- name: Set up QEMU | |
if: matrix.platform == 'linux/arm64' | |
uses: docker/setup-qemu-action@v3 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Log in to Github Container registry | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Build Docker images | |
uses: docker/build-push-action@v6 | |
id: build | |
with: | |
pull: true | |
target: ${{ matrix.target }} | |
build-args: | | |
ANSIBLE_VERSION=${{ matrix.versions.ansible }} | |
platforms: ${{ matrix.platform }} | |
outputs: type=docker,dest=/tmp/${{ matrix.versions.ansible }}-${{ matrix.target }}-${{ env.PLATFORM_PAIR }}.tar | |
tags: ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-${{ matrix.target }}-${{ env.PLATFORM_PAIR }}-${{ github.sha }} | |
- name: Upload artifact | |
uses: actions/upload-artifact@v4 | |
with: | |
name: ansible-runner-${{ github.sha }}-${{ matrix.versions.ansible }}-${{ matrix.target }}-${{ env.PLATFORM_PAIR }} | |
path: /tmp/${{ matrix.versions.ansible }}-${{ matrix.target }}-${{ env.PLATFORM_PAIR }}.tar | |
retention-days: 1 | |
if-no-files-found: error | |
test: | |
name: Test image ${{ matrix.versions.ansible }}-${{ matrix.target }}/${{ matrix.platform }} | |
needs: [ matrix, build ] | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
target: | |
- base | |
- aws | |
- gcp | |
platform: | |
- linux/amd64 | |
versions: ${{ fromJson(needs.matrix.outputs.matrix) }} | |
steps: | |
- name: Prepare | |
run: | | |
platform=${{ matrix.platform }} | |
export PLATFORM_PAIR=${platform//\//-} | |
echo "PLATFORM_PAIR=${PLATFORM_PAIR}" >> $GITHUB_ENV | |
echo "IMAGE=ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-${{ matrix.target }}-${PLATFORM_PAIR}-${{ github.sha }}" >> $GITHUB_ENV | |
- name: Download artifact | |
uses: actions/download-artifact@v4 | |
with: | |
name: ansible-runner-${{ github.sha }}-${{ matrix.versions.ansible }}-${{ matrix.target }}-${{ env.PLATFORM_PAIR }} | |
path: /tmp | |
- name: Load image | |
run: | | |
docker load --input /tmp/${{ matrix.versions.ansible }}-${{ matrix.target }}-${{ env.PLATFORM_PAIR }}.tar | |
docker image ls -a | |
- name: Test ansible version | |
run: docker run --rm ${{ env.IMAGE }} ansible-community --version | grep 'Ansible community version ${{ matrix.versions.ansible }}' | |
- name: Test aws flavor | |
if: matrix.target == 'aws' | |
run: | | |
docker run --rm ${{ env.IMAGE }} sh -c "python3 -c \"import boto3; print(boto3.__version__)\"" | |
- name: Test gcp flavor | |
if: matrix.target == 'gcp' | |
run: | | |
docker run --rm ${{ env.IMAGE_NAME }} sh -c "python3 -c \"import google.auth; print(google.auth.__version__)\"" | |
deploy: | |
name: Push image ${{ matrix.versions.ansible }} | |
needs: [ matrix, test ] | |
runs-on: ubuntu-latest | |
env: | |
AWS_REGION: "us-east-1" | |
strategy: | |
fail-fast: false | |
matrix: | |
versions: ${{ fromJson(needs.matrix.outputs.matrix) }} | |
if: ${{ github.ref == 'refs/heads/main' || github.ref == 'refs/heads/feat/ansible_build_matrix' }} # TODO(eliecharra): Remove condition | |
permissions: | |
id-token: write | |
packages: write | |
contents: read | |
steps: | |
- name: Download base/amd64 artifact | |
uses: actions/download-artifact@v4 | |
with: | |
name: ansible-runner-${{ github.sha }}-${{ matrix.versions.ansible }}-base-linux-amd64 | |
path: /tmp | |
- name: Download gcp/amd64 artifact | |
uses: actions/download-artifact@v4 | |
with: | |
name: ansible-runner-${{ github.sha }}-${{ matrix.versions.ansible }}-gcp-linux-amd64 | |
path: /tmp | |
- name: Download aws/amd64 artifact | |
uses: actions/download-artifact@v4 | |
with: | |
name: ansible-runner-${{ github.sha }}-${{ matrix.versions.ansible }}-aws-linux-amd64 | |
path: /tmp | |
- name: Download base/arm64 artifact | |
uses: actions/download-artifact@v4 | |
with: | |
name: ansible-runner-${{ github.sha }}-${{ matrix.versions.ansible }}-base-linux-arm64 | |
path: /tmp | |
- name: Download gcp/arm64 artifact | |
uses: actions/download-artifact@v4 | |
with: | |
name: ansible-runner-${{ github.sha }}-${{ matrix.versions.ansible }}-gcp-linux-arm64 | |
path: /tmp | |
- name: Download aws/arm64 artifact | |
uses: actions/download-artifact@v4 | |
with: | |
name: ansible-runner-${{ github.sha }}-${{ matrix.versions.ansible }}-aws-linux-arm64 | |
path: /tmp | |
- name: Load image | |
run: | | |
docker load --input /tmp/${{ matrix.versions.ansible }}-base-linux-amd64.tar | |
docker load --input /tmp/${{ matrix.versions.ansible }}-gcp-linux-amd64.tar | |
docker load --input /tmp/${{ matrix.versions.ansible }}-aws-linux-amd64.tar | |
docker load --input /tmp/${{ matrix.versions.ansible }}-base-linux-arm64.tar | |
docker load --input /tmp/${{ matrix.versions.ansible }}-gcp-linux-arm64.tar | |
docker load --input /tmp/${{ matrix.versions.ansible }}-aws-linux-arm64.tar | |
- name: Configure AWS credentials | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
aws-region: ${{ env.AWS_REGION }} | |
role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }} | |
role-duration-seconds: 900 | |
- name: Login to Amazon ECR | |
run: aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin ${REPOSITORY_PATH} | |
env: | |
REPOSITORY_PATH: ${{ secrets.PUBLIC_RUNNER_ANSIBLE_ECR_REPOSITORY_URL }} | |
- name: Log in to Github Container registry | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Push images | |
env: | |
ECR_IMAGE: ${{ secrets.PUBLIC_RUNNER_ANSIBLE_ECR_REPOSITORY_URL }}/${{ github.repository }} | |
run: | | |
echo "Pushing ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}-linux-amd64" | |
docker tag ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-base-linux-amd64-${{ github.sha }}\ | |
${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}-linux-amd64 | |
docker push ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}-linux-amd64 | |
echo "Pushing ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}-gcp-linux-amd64" | |
docker tag ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-gcp-linux-amd64-${{ github.sha }}\ | |
${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}-gcp-linux-amd64 | |
docker push ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}-gcp-linux-amd64 | |
echo "Pushing ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}-aws-linux-amd64" | |
docker tag ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-aws-linux-amd64-${{ github.sha }}\ | |
${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}-aws-linux-amd64 | |
docker push ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}-aws-linux-amd64 | |
echo "Pushing ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}-linux-arm64" | |
docker tag ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-base-linux-arm64-${{ github.sha }}\ | |
${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}-linux-arm64 | |
docker push ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}-linux-arm64 | |
echo "Pushing ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}-gcp-linux-arm64" | |
docker tag ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-gcp-linux-arm64-${{ github.sha }}\ | |
${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}-gcp-linux-arm64 | |
docker push ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}-gcp-linux-arm64 | |
echo "Pushing ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}-aws-linux-arm64" | |
docker tag ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-aws-linux-arm64-${{ github.sha }}\ | |
${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}-aws-linux-arm64 | |
docker push ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}-aws-linux-arm64 | |
echo "Pushing ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-linux-amd64" | |
docker tag ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-base-linux-amd64-${{ github.sha }}\ | |
ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-linux-amd64 | |
docker push ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-linux-amd64 | |
echo "Pushing ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-gcp-linux-amd64" | |
docker tag ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-gcp-linux-amd64-${{ github.sha }}\ | |
ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-gcp-linux-amd64 | |
docker push ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-gcp-linux-amd64 | |
echo "Pushing ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-aws-linux-amd64" | |
docker tag ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-aws-linux-amd64-${{ github.sha }}\ | |
ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-aws-linux-amd64 | |
docker push ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-aws-linux-amd64 | |
echo "Pushing ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-linux-arm64" | |
docker tag ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-base-linux-arm64-${{ github.sha }}\ | |
ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-linux-arm64 | |
docker push ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-linux-arm64 | |
echo "Pushing ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-gcp-linux-arm64" | |
docker tag ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-gcp-linux-arm64-${{ github.sha }}\ | |
ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-gcp-linux-arm64 | |
docker push ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-gcp-linux-arm64 | |
echo "Pushing ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-aws-linux-arm64" | |
docker tag ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-aws-linux-arm64-${{ github.sha }}\ | |
ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-aws-linux-arm64 | |
docker push ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-aws-linux-arm64 | |
echo "Create manifest ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}" | |
docker manifest create ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }} \ | |
--amend ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-linux-arm64 \ | |
--amend ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-linux-amd64 | |
docker manifest push ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }} | |
echo "Create manifest ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-gcp" | |
docker manifest create ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-gcp \ | |
--amend ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-gcp-linux-arm64 \ | |
--amend ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-gcp-linux-amd64 | |
docker manifest push ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-gcp | |
echo "Create manifest ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-aws" | |
docker manifest create ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-aws \ | |
--amend ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-aws-linux-arm64 \ | |
--amend ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-aws-linux-amd64 | |
docker manifest push ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-aws | |
echo "Create manifest ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}" | |
docker manifest create ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }} \ | |
--amend ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}-linux-arm64 \ | |
--amend ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}-linux-amd64 | |
docker manifest push ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }} | |
echo "Create manifest ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}-gcp" | |
docker manifest create ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}-gcp \ | |
--amend ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}-gcp-linux-arm64 \ | |
--amend ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}-gcp-linux-amd64 | |
docker manifest push ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}-gcp | |
echo "Create manifest ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}-aws" | |
docker manifest create ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}-aws \ | |
--amend ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}-aws-linux-arm64 \ | |
--amend ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}-aws-linux-amd64 | |
docker manifest push ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}-aws | |
security: | |
name: Security scan | |
needs: [ matrix, deploy ] | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
platform: | |
- linux/amd64 | |
- linux/arm64 | |
versions: ${{ fromJson(needs.matrix.outputs.matrix) }} | |
steps: | |
- name: Prepare | |
run: | | |
platform=${{ matrix.platform }} | |
echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV | |
- name: Run Trivy vulnerability scanner for base image | |
uses: aquasecurity/[email protected] | |
with: | |
image-ref: "ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-${{ env.PLATFORM_PAIR }}" | |
format: "template" | |
template: "@/contrib/sarif.tpl" | |
output: "base.sarif" | |
severity: "CRITICAL,HIGH" | |
- name: Run Trivy vulnerability scanner for gcp image | |
uses: aquasecurity/[email protected] | |
with: | |
image-ref: "ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-gcp-${{ env.PLATFORM_PAIR }}" | |
format: "template" | |
template: "@/contrib/sarif.tpl" | |
output: "gcp.sarif" | |
severity: "CRITICAL,HIGH" | |
- name: Run Trivy vulnerability scanner for aws image | |
uses: aquasecurity/[email protected] | |
with: | |
image-ref: "ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-aws-${{ env.PLATFORM_PAIR }}" | |
format: "template" | |
template: "@/contrib/sarif.tpl" | |
output: "aws.sarif" | |
severity: "CRITICAL,HIGH" | |
- name: Upload base image scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: "base.sarif" | |
- name: Upload gcp image scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: "gcp.sarif" | |
- name: Upload aws image scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: "aws.sarif" |
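Review bot: The "Test gcp flavor" step runs `docker run --rm ${{ env.IMAGE_NAME }} ...`, but the Prepare step of the test job only exports `IMAGE`, so for the gcp target the expression expands to nothing and the step exercises an empty image reference rather than the built one; it should read `docker run --rm ${{ env.IMAGE }} sh -c "python3 -c \"import google.auth; print(google.auth.__version__)\""` like the aws step. A second point, once the fake matrix is replaced by the generator output: `matrix.versions.ansible` originates from the PyPI API and is interpolated directly into `run:` scripts (test, deploy and the Trivy `image-ref`), so the generator should validate each version against a strict pattern (digits and dots only) before it is emitted, or the steps should pass it through an `env:` entry and reference the shell variable instead of the `${{ }}` expression. The security job declares no `permissions:` block while uploading SARIF, which presumably needs `security-events: write` unless the repository default token grants it; worth making that explicit, and scanning before `deploy` rather than after would let findings gate the push instead of merely reporting on images already published.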