diff --git a/.github/workflows/_build.yml b/.github/workflows/_build.yml new file mode 100644 index 00000000..cd6655bb --- /dev/null +++ b/.github/workflows/_build.yml @@ -0,0 +1,143 @@ +# Internal reusable workflow for building multi-platform Docker images. +# +# This workflow builds Docker images for linux/amd64 and linux/arm64 platforms, +# pushes them by digest to GHCR, signs them with cosign/Sigstore for supply chain +# security, and uploads build artifacts for subsequent manifest creation. +# +# @ see: https://docs.docker.com/build/ci/github-actions/multi-platform/#distribute-build-across-multiple-runners + +name: Build Multi-Platform Images + +on: + workflow_call: + inputs: + git_ref: + description: "Git ref to checkout" + required: true + type: string + docker_tags: + description: "Docker tags configuration (JSON array or raw tags)" + required: true + type: string + use_app_token: + description: "Whether to use GitHub App token for checkout" + required: false + type: boolean + default: false + secrets: + release_app_id: + description: "GitHub App ID (required if use_app_token is true)" + required: false + release_app_private_key: + description: "GitHub App private key (required if use_app_token is true)" + required: false + +env: + REGISTRY_IMAGE: ghcr.io/sourcebot-dev/sourcebot + +jobs: + build: + runs-on: ${{ matrix.runs-on}} + environment: oss + permissions: + contents: read + packages: write + # Required for keyless signing with cosign/Sigstore. + # Allows workflow to obtain OIDC token for ephemeral certificate from Fulcio. + id-token: write + strategy: + matrix: + platform: [linux/amd64, linux/arm64] + include: + - platform: linux/amd64 + runs-on: ubuntu-latest + - platform: linux/arm64 + runs-on: ubuntu-24.04-arm + + steps: + - name: Generate GitHub App token + if: inputs.use_app_token + id: generate_token + uses: actions/create-github-app-token@v1 + with: + app-id: ${{ secrets.release_app_id }} + private-key: ${{ secrets.release_app_private_key }} + + - name: Prepare + run: | + platform=${{ matrix.platform }} + echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV + + - name: Checkout repository + uses: actions/checkout@v4 + with: + ref: ${{ inputs.git_ref }} + submodules: "true" + fetch-depth: 0 + token: ${{ inputs.use_app_token && steps.generate_token.outputs.token || github.token }} + + # Extract metadata (tags, labels) for Docker + # https://github.com/docker/metadata-action + - name: Extract Docker metadata + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.REGISTRY_IMAGE }} + tags: ${{ inputs.docker_tags }} + + # Install the cosign tool except on PR + # https://github.com/sigstore/cosign-installer + - name: Install cosign + uses: sigstore/cosign-installer@v3.5.0 + with: + cosign-release: "v2.2.4" + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Login to GitHub Packages Docker Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Build Docker image + id: build + uses: docker/build-push-action@v6 + with: + context: . + labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha,scope=${{ env.PLATFORM_PAIR }} + cache-to: type=gha,mode=max,scope=${{ env.PLATFORM_PAIR }} + platforms: ${{ matrix.platform }} + outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true,name-canonical=true,push=true,annotation.org.opencontainers.image.description=Blazingly fast code search + + - name: Export digest + run: | + mkdir -p /tmp/digests + digest="${{ steps.build.outputs.digest }}" + touch "/tmp/digests/${digest#sha256:}" + + - name: Upload digest + uses: actions/upload-artifact@v4 + with: + name: digests-${{ env.PLATFORM_PAIR }} + path: /tmp/digests/* + if-no-files-found: error + retention-days: 1 + + # Sign the resulting Docker image digest except on PRs. + # This will only write to the public Rekor transparency log when the Docker + # repository is public to avoid leaking data. If you would like to publish + # transparency data even for private images, pass --force to cosign below. + # https://github.com/sigstore/cosign + - name: Sign the published Docker image + env: + # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable + TAGS: ${{ steps.meta.outputs.tags }} + DIGEST: ${{ steps.build.outputs.digest }} + # This step uses the identity token to provision an ephemeral certificate + # against the sigstore community Fulcio instance. + run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} + diff --git a/.github/workflows/_merge.yml b/.github/workflows/_merge.yml new file mode 100644 index 00000000..b6ed0edb --- /dev/null +++ b/.github/workflows/_merge.yml @@ -0,0 +1,59 @@ +# Internal reusable workflow for merging platform-specific image digests into a +# single multi-platform manifest and pushing to GHCR. +# +# This workflow takes the individual platform image digests created by _build.yml, +# combines them into a multi-platform manifest, and pushes the final tagged images. + +name: Merge Multi-Platform Manifest + +on: + workflow_call: + inputs: + docker_tags: + description: "Docker tags configuration (JSON array or raw tags)" + required: true + type: string + +env: + REGISTRY_IMAGE: ghcr.io/sourcebot-dev/sourcebot + +jobs: + merge: + runs-on: ubuntu-latest + permissions: + packages: write + steps: + - name: Download digests + uses: actions/download-artifact@v4 + with: + path: /tmp/digests + pattern: digests-* + merge-multiple: true + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Extract Docker metadata + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.REGISTRY_IMAGE }} + tags: ${{ inputs.docker_tags }} + + - name: Login to GitHub Packages Docker Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Create manifest list and push + working-directory: /tmp/digests + run: | + docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ + $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *) + + - name: Inspect image + run: | + docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }} + diff --git a/.github/workflows/release-dev.yml b/.github/workflows/release-dev.yml new file mode 100644 index 00000000..cf64b3c6 --- /dev/null +++ b/.github/workflows/release-dev.yml @@ -0,0 +1,23 @@ +name: Release Sourcebot (Development) + +permissions: + contents: read + +on: + push: + branches: ["main"] + +jobs: + build: + uses: ./.github/workflows/_build.yml + with: + git_ref: ${{ github.ref_name }} + docker_tags: type=raw,value=main + use_app_token: false + secrets: inherit + + publish-to-registry: + needs: build + uses: ./.github/workflows/_merge.yml + with: + docker_tags: type=raw,value=main diff --git a/.github/workflows/release-sourcebot.yml b/.github/workflows/release-prod.yml similarity index 61% rename from .github/workflows/release-sourcebot.yml rename to .github/workflows/release-prod.yml index b303d16a..2d4a71c5 100644 --- a/.github/workflows/release-sourcebot.yml +++ b/.github/workflows/release-prod.yml @@ -1,4 +1,7 @@ -name: Release Sourcebot +name: Release Sourcebot (Production) + +permissions: + contents: read on: workflow_dispatch: @@ -143,117 +146,22 @@ jobs: build: needs: prepare-release - runs-on: ${{ matrix.runs-on}} - environment: oss - permissions: - contents: read - packages: write - # This is used to complete the identity challenge - # with sigstore/fulcio when running outside of PRs. - id-token: write - strategy: - matrix: - platform: [linux/amd64, linux/arm64] - include: - - platform: linux/amd64 - runs-on: ubuntu-latest - - platform: linux/arm64 - runs-on: ubuntu-24.04-arm - - steps: - - name: Generate GitHub App token - id: generate_token - uses: actions/create-github-app-token@v1 - with: - app-id: ${{ secrets.RELEASE_APP_ID }} - private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }} - - - name: Prepare - run: | - platform=${{ matrix.platform }} - echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV - - - name: Checkout repository - uses: actions/checkout@v4 - with: - ref: ${{ needs.prepare-release.outputs.temp_branch }} - submodules: "true" - fetch-depth: 0 - token: ${{ steps.generate_token.outputs.token }} - - # Extract metadata (tags, labels) for Docker - # https://github.com/docker/metadata-action - - name: Extract Docker metadata - id: meta - uses: docker/metadata-action@v5 - with: - images: ${{ env.REGISTRY_IMAGE }} - tags: | - type=raw,value=v${{ needs.prepare-release.outputs.version }} - type=raw,value=latest - - # Install the cosign tool except on PR - # https://github.com/sigstore/cosign-installer - - name: Install cosign - uses: sigstore/cosign-installer@v3.5.0 - with: - cosign-release: "v2.2.4" - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Login to GitHub Packages Docker Registry - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Build Docker image - id: build - uses: docker/build-push-action@v6 - with: - context: . - labels: ${{ steps.meta.outputs.labels }} - cache-from: type=gha,scope=${{ env.PLATFORM_PAIR }} - cache-to: type=gha,mode=max,scope=${{ env.PLATFORM_PAIR }} - platforms: ${{ matrix.platform }} - outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true,name-canonical=true,push=true,annotation.org.opencontainers.image.description=Blazingly fast code search - - - name: Export digest - run: | - mkdir -p /tmp/digests - digest="${{ steps.build.outputs.digest }}" - touch "/tmp/digests/${digest#sha256:}" - - - name: Upload digest - uses: actions/upload-artifact@v4 - with: - name: digests-${{ env.PLATFORM_PAIR }} - path: /tmp/digests/* - if-no-files-found: error - retention-days: 1 - - # Sign the resulting Docker image digest except on PRs. - # This will only write to the public Rekor transparency log when the Docker - # repository is public to avoid leaking data. If you would like to publish - # transparency data even for private images, pass --force to cosign below. - # https://github.com/sigstore/cosign - - name: Sign the published Docker image - env: - # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable - TAGS: ${{ steps.meta.outputs.tags }} - DIGEST: ${{ steps.build.outputs.digest }} - # This step uses the identity token to provision an ephemeral certificate - # against the sigstore community Fulcio instance. - run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} + uses: ./.github/workflows/_build.yml + with: + git_ref: ${{ needs.prepare-release.outputs.temp_branch }} + docker_tags: | + type=raw,value=v${{ needs.prepare-release.outputs.version }} + type=raw,value=latest + use_app_token: true + secrets: + release_app_id: ${{ secrets.RELEASE_APP_ID }} + release_app_private_key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }} finalize-release: needs: [prepare-release, build] runs-on: ubuntu-latest permissions: contents: write - packages: write steps: - name: Generate GitHub App token @@ -315,42 +223,6 @@ jobs: git push origin main git push origin --tags echo "Pushed main branch and tags" - - - name: Download digests - uses: actions/download-artifact@v4 - with: - path: /tmp/digests - pattern: digests-* - merge-multiple: true - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Extract Docker metadata - id: meta - uses: docker/metadata-action@v5 - with: - images: ${{ env.REGISTRY_IMAGE }} - tags: | - type=raw,value=v${{ needs.prepare-release.outputs.version }} - type=raw,value=latest - - - name: Login to GitHub Packages Docker Registry - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Create manifest list and push - working-directory: /tmp/digests - run: | - docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ - $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *) - - - name: Inspect image - run: | - docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:v${{ needs.prepare-release.outputs.version }} - name: Create GitHub release env: @@ -362,15 +234,23 @@ jobs: --generate-notes \ --latest + publish-to-registry: + needs: [prepare-release, build, finalize-release] + uses: ./.github/workflows/_merge.yml + with: + docker_tags: | + type=raw,value=v${{ needs.prepare-release.outputs.version }} + type=raw,value=latest + update-helm-chart: - needs: finalize-release + needs: [finalize-release, publish-to-registry] permissions: contents: write pull-requests: write uses: sourcebot-dev/sourcebot-helm-chart/.github/workflows/update-sourcebot-version.yaml@main cleanup: - needs: [prepare-release, build, finalize-release, update-helm-chart] + needs: [prepare-release, build, publish-to-registry, finalize-release, update-helm-chart] if: always() && needs.prepare-release.outputs.temp_branch != '' runs-on: ubuntu-latest permissions: