feat: add new ansible build matrix #64
name: Build docker images | |
on: | |
push: | |
# TODO Enable schedule | |
#schedule: | |
# At 00:00 every Sunday | |
#- cron: 0 0 * * 0 | |
concurrency: | |
group: docker-${{ github.ref }} | |
cancel-in-progress: true | |
jobs: | |
matrix: | |
name: Compute build matrix from pypi API | |
runs-on: ubuntu-latest | |
outputs: | |
matrix: ${{ steps.matrix.outputs.matrix }} | |
steps: | |
- name: Check out the repo | |
uses: actions/checkout@v4 | |
- uses: actions/setup-go@v5 | |
with: | |
go-version-file: './build-matrix/go.mod' | |
cache-dependency-path: './build-matrix/go.mod' | |
- name: Run matrix generator tests | |
working-directory: build-matrix | |
run: go test ./ | |
# TODO Remove the fake matrix | |
- id: matrix | |
working-directory: build-matrix | |
run: | | |
MATRIX=$(go run ./) | |
echo ${MATRIX} | jq | |
echo 'matrix=[{"ansible":"10.2","additional_tags":["10"]},{"ansible":"10.1","additional_tags":[]}]' >> $GITHUB_OUTPUT | |
#echo "matrix=${MATRIX}" >> $GITHUB_OUTPUT | |
build: | |
needs: [ matrix ] | |
runs-on: ubuntu-latest | |
name: Build ansible ${{ matrix.versions.ansible }}-${{ matrix.target }}/${{ matrix.platform }} | |
permissions: | |
packages: write | |
contents: read | |
strategy: | |
fail-fast: false | |
matrix: | |
target: | |
- base | |
- aws | |
- gcp | |
platform: | |
- linux/amd64 | |
- linux/arm64 | |
versions: ${{ fromJson(needs.matrix.outputs.matrix) }} | |
steps: | |
- name: Check out the repo | |
uses: actions/checkout@v4 | |
- name: Prepare | |
run: | | |
platform=${{ matrix.platform }} | |
echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV | |
- name: Set up QEMU | |
if: matrix.platform == 'linux/arm64' | |
uses: docker/setup-qemu-action@v3 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Build Docker images | |
uses: docker/build-push-action@v6 | |
id: build | |
with: | |
pull: true | |
target: ${{ matrix.target }} | |
build-args: | | |
ANSIBLE_VERSION=${{ matrix.versions.ansible }} | |
platforms: ${{ matrix.platform }} | |
outputs: type=docker,dest=/tmp/${{ matrix.versions.ansible }}-${{ matrix.target }}-${{ env.PLATFORM_PAIR }}.tar | |
tags: ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-${{ matrix.target }}-${{ env.PLATFORM_PAIR }}-${{ github.sha }} | |
- name: Upload artifact | |
uses: actions/upload-artifact@v4 | |
with: | |
name: ansible-runner-${{ github.sha }}-${{ matrix.versions.ansible }}-${{ matrix.target }}-${{ env.PLATFORM_PAIR }} | |
path: /tmp/${{ matrix.versions.ansible }}-${{ matrix.target }}-${{ env.PLATFORM_PAIR }}.tar | |
retention-days: 1 | |
if-no-files-found: error | |
test: | |
name: Test image ${{ matrix.versions.ansible }}-${{ matrix.target }}/${{ matrix.platform }} | |
needs: [ matrix, build ] | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
target: | |
- base | |
- aws | |
- gcp | |
platform: | |
- linux/amd64 | |
versions: ${{ fromJson(needs.matrix.outputs.matrix) }} | |
steps: | |
- name: Prepare | |
run: | | |
platform=${{ matrix.platform }} | |
export PLATFORM_PAIR=${platform//\//-} | |
echo "PLATFORM_PAIR=${PLATFORM_PAIR}" >> $GITHUB_ENV | |
echo "IMAGE=ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-${{ matrix.target }}-${PLATFORM_PAIR}-${{ github.sha }}" >> $GITHUB_ENV | |
- name: Download artifact | |
uses: actions/download-artifact@v4 | |
with: | |
name: ansible-runner-${{ github.sha }}-${{ matrix.versions.ansible }}-${{ matrix.target }}-${{ env.PLATFORM_PAIR }} | |
path: /tmp | |
- name: Load image | |
run: | | |
docker load --input /tmp/${{ matrix.versions.ansible }}-${{ matrix.target }}-${{ env.PLATFORM_PAIR }}.tar | |
docker image ls -a | |
- name: Test ansible version | |
run: docker run --rm ${{ env.IMAGE }} ansible-community --version | grep 'Ansible community version ${{ matrix.versions.ansible }}' | |
- name: Test aws flavor | |
if: matrix.target == 'aws' | |
run: | | |
docker run --rm ${{ env.IMAGE }} sh -c "python3 -c \"import boto3; print(boto3.__version__)\"" | |
- name: Test gcp flavor | |
if: matrix.target == 'gcp' | |
run: | | |
docker run --rm ${{ env.IMAGE }} sh -c "python3 -c \"import google.auth; print(google.auth.__version__)\"" | |
deploy: | |
name: Push image ${{ matrix.versions.ansible }} | |
needs: [ matrix, test ] | |
runs-on: ubuntu-latest | |
env: | |
AWS_REGION: "us-east-1" | |
strategy: | |
fail-fast: false | |
matrix: | |
versions: ${{ fromJson(needs.matrix.outputs.matrix) }} | |
if: ${{ github.ref == 'refs/heads/main' || github.ref == 'refs/heads/feat/ansible_build_matrix' }} # TODO(eliecharra): Remove condition | |
permissions: | |
id-token: write | |
packages: write | |
contents: read | |
steps: | |
- name: Download base/amd64 artifact | |
uses: actions/download-artifact@v4 | |
with: | |
name: ansible-runner-${{ github.sha }}-${{ matrix.versions.ansible }}-base-linux-amd64 | |
path: /tmp | |
- name: Download gcp/amd64 artifact | |
uses: actions/download-artifact@v4 | |
with: | |
name: ansible-runner-${{ github.sha }}-${{ matrix.versions.ansible }}-gcp-linux-amd64 | |
path: /tmp | |
- name: Download aws/amd64 artifact | |
uses: actions/download-artifact@v4 | |
with: | |
name: ansible-runner-${{ github.sha }}-${{ matrix.versions.ansible }}-aws-linux-amd64 | |
path: /tmp | |
- name: Download base/arm64 artifact | |
uses: actions/download-artifact@v4 | |
with: | |
name: ansible-runner-${{ github.sha }}-${{ matrix.versions.ansible }}-base-linux-arm64 | |
path: /tmp | |
- name: Download gcp/arm64 artifact | |
uses: actions/download-artifact@v4 | |
with: | |
name: ansible-runner-${{ github.sha }}-${{ matrix.versions.ansible }}-gcp-linux-arm64 | |
path: /tmp | |
- name: Download aws/arm64 artifact | |
uses: actions/download-artifact@v4 | |
with: | |
name: ansible-runner-${{ github.sha }}-${{ matrix.versions.ansible }}-aws-linux-arm64 | |
path: /tmp | |
- name: Load image | |
run: | | |
docker load --input /tmp/${{ matrix.versions.ansible }}-base-linux-amd64.tar | |
docker load --input /tmp/${{ matrix.versions.ansible }}-gcp-linux-amd64.tar | |
docker load --input /tmp/${{ matrix.versions.ansible }}-aws-linux-amd64.tar | |
docker load --input /tmp/${{ matrix.versions.ansible }}-base-linux-arm64.tar | |
docker load --input /tmp/${{ matrix.versions.ansible }}-gcp-linux-arm64.tar | |
docker load --input /tmp/${{ matrix.versions.ansible }}-aws-linux-arm64.tar | |
- name: Configure AWS credentials | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
aws-region: ${{ env.AWS_REGION }} | |
role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }} | |
role-duration-seconds: 900 | |
- name: Login to Amazon ECR | |
run: aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin ${REPOSITORY_PATH} | |
env: | |
REPOSITORY_PATH: ${{ secrets.PUBLIC_RUNNER_ANSIBLE_ECR_REPOSITORY_URL }} | |
- name: Log in to Github Container registry | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Check out the repo | |
uses: actions/checkout@v4 | |
- name: Push images | |
working-directory: .github/scripts | |
env: | |
ECR_IMAGE: ${{ secrets.PUBLIC_RUNNER_ANSIBLE_ECR_REPOSITORY_URL }} | |
run: | | |
# Push ECR amd64 tags | |
./retag-and-push.sh ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-base-linux-amd64-${{ github.sha }}\ | |
${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}-linux-amd64 | |
./retag-and-push.sh ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-gcp-linux-amd64-${{ github.sha }}\ | |
${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}-gcp-linux-amd64 | |
./retag-and-push.sh ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-aws-linux-amd64-${{ github.sha }}\ | |
${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}-aws-linux-amd64 | |
# Push ECR amd64 additional tags | |
for tag in ${{ join(matrix.versions.additional_tags, ' ') }} | |
do | |
./retag-and-push.sh ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}-linux-amd64\ | |
${{ env.ECR_IMAGE }}:$tag-linux-amd64 | |
./retag-and-push.sh ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}-gcp-linux-amd64\ | |
${{ env.ECR_IMAGE }}:$tag-gcp-linux-amd64 | |
./retag-and-push.sh ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}-aws-linux-amd64\ | |
${{ env.ECR_IMAGE }}:$tag-aws-linux-amd64 | |
done | |
# Push ECR arm64 tags | |
./retag-and-push.sh ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-base-linux-arm64-${{ github.sha }}\ | |
${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}-linux-arm64 | |
./retag-and-push.sh ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-gcp-linux-arm64-${{ github.sha }}\ | |
${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}-gcp-linux-arm64 | |
./retag-and-push.sh ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-aws-linux-arm64-${{ github.sha }}\ | |
${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}-aws-linux-arm64 | |
# Push ECR amd64 additional tags | |
for tag in ${{ join(matrix.versions.additional_tags, ' ') }} | |
do | |
./retag-and-push.sh ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}-linux-arm64\ | |
${{ env.ECR_IMAGE }}:$tag-linux-arm64 | |
./retag-and-push.sh ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}-gcp-linux-arm64\ | |
${{ env.ECR_IMAGE }}:$tag-gcp-linux-arm64 | |
./retag-and-push.sh ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}-aws-linux-arm64\ | |
${{ env.ECR_IMAGE }}:$tag-aws-linux-arm64 | |
done | |
# Push ghcr amd64 tags | |
./retag-and-push.sh ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-base-linux-amd64-${{ github.sha }}\ | |
ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-linux-amd64 | |
./retag-and-push.sh ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-gcp-linux-amd64-${{ github.sha }}\ | |
ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-gcp-linux-amd64 | |
./retag-and-push.sh ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-aws-linux-amd64-${{ github.sha }}\ | |
ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-aws-linux-amd64 | |
# Push ghcr amd64 additional tags | |
for tag in ${{ join(matrix.versions.additional_tags, ' ') }} | |
do | |
./retag-and-push.sh ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-linux-amd64\ | |
ghcr.io/${{ github.repository }}:$tag-linux-amd64 | |
./retag-and-push.sh ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-gcp-linux-amd64\ | |
ghcr.io/${{ github.repository }}:$tag-gcp-linux-amd64 | |
./retag-and-push.sh ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-aws-linux-amd64\ | |
ghcr.io/${{ github.repository }}:$tag-aws-linux-amd64 | |
done | |
# Push ghcr arm64 tags | |
./retag-and-push.sh ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-base-linux-arm64-${{ github.sha }}\ | |
ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-linux-arm64 | |
./retag-and-push.sh ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-gcp-linux-arm64-${{ github.sha }}\ | |
ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-gcp-linux-arm64 | |
./retag-and-push.sh ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-aws-linux-arm64-${{ github.sha }}\ | |
ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-aws-linux-arm64 | |
# Push ghcr arm64 additional tags | |
for tag in ${{ join(matrix.versions.additional_tags, ' ') }} | |
do | |
./retag-and-push.sh ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-linux-arm64\ | |
ghcr.io/${{ github.repository }}:$tag-linux-arm64 | |
./retag-and-push.sh ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-gcp-linux-arm64\ | |
ghcr.io/${{ github.repository }}:$tag-gcp-linux-arm64 | |
./retag-and-push.sh ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-aws-linux-arm64\ | |
ghcr.io/${{ github.repository }}:$tag-aws-linux-arm64 | |
done | |
# Assemble multi arch ECR manifests | |
echo "Create ECR manifest ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}" | |
docker manifest create ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }} \ | |
--amend ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}-linux-arm64 \ | |
--amend ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}-linux-amd64 | |
docker manifest push ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }} | |
echo "Create ECR manifest ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}-gcp" | |
docker manifest create ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}-gcp \ | |
--amend ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}-gcp-linux-arm64 \ | |
--amend ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}-gcp-linux-amd64 | |
docker manifest push ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}-gcp | |
echo "Create ECR manifest ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}-aws" | |
docker manifest create ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}-aws \ | |
--amend ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}-aws-linux-arm64 \ | |
--amend ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}-aws-linux-amd64 | |
docker manifest push ${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}-aws | |
# Assemble multi arch ECR manifests for additional tags | |
for tag in ${{ join(matrix.versions.additional_tags, ' ') }} | |
do | |
echo "Create manifest ${{ env.ECR_IMAGE }}:$tag" | |
docker manifest create ${{ env.ECR_IMAGE }}:$tag \ | |
--amend ${{ env.ECR_IMAGE }}:$tag-linux-arm64 \ | |
--amend ${{ env.ECR_IMAGE }}:$tag-linux-amd64 | |
docker manifest push ${{ env.ECR_IMAGE }}:$tag | |
echo "Create manifest ${{ env.ECR_IMAGE }}:$tag-gcp" | |
docker manifest create ${{ env.ECR_IMAGE }}:$tag-gcp \ | |
--amend ${{ env.ECR_IMAGE }}:$tag-gcp-linux-arm64 \ | |
--amend ${{ env.ECR_IMAGE }}:$tag-gcp-linux-amd64 | |
docker manifest push ${{ env.ECR_IMAGE }}:$tag-gcp | |
echo "Create manifest ${{ env.ECR_IMAGE }}:$tag-aws" | |
docker manifest create ${{ env.ECR_IMAGE }}:$tag-aws \ | |
--amend ${{ env.ECR_IMAGE }}:$tag-aws-linux-arm64 \ | |
--amend ${{ env.ECR_IMAGE }}:$tag-aws-linux-amd64 | |
docker manifest push ${{ env.ECR_IMAGE }}:$tag-aws | |
done | |
# Assemble multi arch ghcr manifests | |
echo "Create manifest ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}" | |
docker manifest create ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }} \ | |
--amend ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-linux-arm64 \ | |
--amend ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-linux-amd64 | |
docker manifest push ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }} | |
echo "Create manifest ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-gcp" | |
docker manifest create ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-gcp \ | |
--amend ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-gcp-linux-arm64 \ | |
--amend ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-gcp-linux-amd64 | |
docker manifest push ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-gcp | |
echo "Create manifest ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-aws" | |
docker manifest create ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-aws \ | |
--amend ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-aws-linux-arm64 \ | |
--amend ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-aws-linux-amd64 | |
docker manifest push ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-aws | |
# Assemble multi arch ghcr manifests for additional tags | |
for tag in ${{ join(matrix.versions.additional_tags, ' ') }} | |
do | |
echo "Create manifest ghcr.io/${{ github.repository }}:$tag" | |
docker manifest create ghcr.io/${{ github.repository }}:$tag \ | |
--amend ghcr.io/${{ github.repository }}:$tag-linux-arm64 \ | |
--amend ghcr.io/${{ github.repository }}:$tag-linux-amd64 | |
docker manifest push ghcr.io/${{ github.repository }}:$tag | |
echo "Create manifest ghcr.io/${{ github.repository }}:$tag-gcp" | |
docker manifest create ghcr.io/${{ github.repository }}:$tag-gcp \ | |
--amend ghcr.io/${{ github.repository }}:$tag-gcp-linux-arm64 \ | |
--amend ghcr.io/${{ github.repository }}:$tag-gcp-linux-amd64 | |
docker manifest push ghcr.io/${{ github.repository }}:$tag-gcp | |
echo "Create manifest ghcr.io/${{ github.repository }}:$tag-aws" | |
docker manifest create ghcr.io/${{ github.repository }}:$tag-aws \ | |
--amend ghcr.io/${{ github.repository }}:$tag-aws-linux-arm64 \ | |
--amend ghcr.io/${{ github.repository }}:$tag-aws-linux-amd64 | |
docker manifest push ghcr.io/${{ github.repository }}:$tag-aws | |
done | |
security: | |
name: Security scan | |
needs: [ matrix, deploy ] | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
platform: | |
- linux/amd64 | |
- linux/arm64 | |
versions: ${{ fromJson(needs.matrix.outputs.matrix) }} | |
steps: | |
- name: Prepare | |
run: | | |
platform=${{ matrix.platform }} | |
echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV | |
- name: Run Trivy vulnerability scanner for base image | |
uses: aquasecurity/[email protected] | |
with: | |
image-ref: "ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-${{ env.PLATFORM_PAIR }}" | |
format: "template" | |
template: "@/contrib/sarif.tpl" | |
output: "base.sarif" | |
severity: "CRITICAL,HIGH" | |
- name: Run Trivy vulnerability scanner for gcp image | |
uses: aquasecurity/[email protected] | |
with: | |
image-ref: "ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-gcp-${{ env.PLATFORM_PAIR }}" | |
format: "template" | |
template: "@/contrib/sarif.tpl" | |
output: "gcp.sarif" | |
severity: "CRITICAL,HIGH" | |
- name: Run Trivy vulnerability scanner for aws image | |
uses: aquasecurity/[email protected] | |
with: | |
image-ref: "ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-aws-${{ env.PLATFORM_PAIR }}" | |
format: "template" | |
template: "@/contrib/sarif.tpl" | |
output: "aws.sarif" | |
severity: "CRITICAL,HIGH" | |
- name: Upload base image scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
category: base | |
sarif_file: "base.sarif" | |
- name: Upload gcp image scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
category: gcp | |
sarif_file: "gcp.sarif" | |
- name: Upload aws image scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
category: aws | |
sarif_file: "aws.sarif" |
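Review bot: The three `upload-sarif` steps in the `security` job use a fixed `category` (`base`, `gcp`, `aws`) while the job runs once per platform and per ansible version, so every matrix leg uploads under the same category for the same commit and later legs replace earlier results in the Security tab; make the category unique per leg, e.g. `category: base-${{ matrix.versions.ansible }}-${{ env.PLATFORM_PAIR }}` (and likewise for gcp and aws). The `security` job also declares no `permissions:` block, unlike `build` and `deploy`, so `github/codeql-action/upload-sarif` will only succeed if the repository's default token already grants `security-events: write`; adding `permissions: { security-events: write, contents: read }` to the job makes that explicit. The ansible version strings come from the `matrix` job (named as computed from the pypi API) and are spliced directly into `run:` scripts via `${{ matrix.versions.ansible }}` (the `Prepare`, `Load image`, `Test ansible version` and `Push images` steps); exposing them through `env:` and referencing `$ANSIBLE_VERSION` in the shell would keep an unexpected character in an upstream version string from being interpreted by the shell. Finally, `security` depends on `deploy`, so a CRITICAL finding is reported only after the image has already been pushed to ECR and ghcr; if the intent is to gate publication on the scan, the job should run against the loaded artifact before `deploy` instead.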