bake: distributed builds #54
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: .test | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| permissions: | |
| contents: read | |
| on: | |
| workflow_dispatch: | |
| push: | |
| branches: | |
| - 'main' | |
| - 'releases/v*' | |
| tags: | |
| - 'v*' | |
| pull_request: | |
| jobs: | |
| build-aws-single: | |
| uses: ./.github/workflows/build.yml | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| with: | |
| output: ${{ github.event_name != 'pull_request' && 'registry' || 'cacheonly' }} | |
| cache: true | |
| meta-images: | | |
| public.ecr.aws/q3b5f1u4/test-docker-action | |
| meta-tags: | | |
| type=raw,value=build-ghbuilder-single-${{ github.run_id }} | |
| build-file: test/hello.Dockerfile | |
| build-sbom: true | |
| secrets: | |
| registry-auths: | | |
| - registry: public.ecr.aws | |
| username: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| password: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| build-aws: | |
| uses: ./.github/workflows/build.yml | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| with: | |
| output: ${{ github.event_name != 'pull_request' && 'registry' || 'cacheonly' }} | |
| cache: true | |
| cache-scope: build-aws | |
| meta-images: | | |
| public.ecr.aws/q3b5f1u4/test-docker-action | |
| meta-tags: | | |
| type=raw,value=build-ghbuilder-${{ github.run_id }} | |
| build-file: test/hello.Dockerfile | |
| build-sbom: true | |
| build-platforms: linux/amd64,linux/arm64 | |
| secrets: | |
| registry-auths: | | |
| - registry: public.ecr.aws | |
| username: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| password: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| build-aws-verify: | |
| runs-on: ubuntu-latest | |
| if: ${{ github.event_name != 'pull_request' }} | |
| needs: | |
| - build-aws | |
| steps: | |
| - | |
| name: Install Cosign | |
| uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 | |
| with: | |
| cosign-release: ${{ needs.build-aws.outputs.cosign-version }} | |
| - | |
| name: Login to registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: public.ecr.aws | |
| username: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| password: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| - | |
| name: Verify signatures | |
| uses: actions/github-script@v8 | |
| env: | |
| INPUT_COSIGN-VERSION: ${{ needs.build-aws.outputs.cosign-version }} | |
| INPUT_COSIGN-VERIFY-COMMANDS: ${{ needs.build-aws.outputs.cosign-verify-commands }} | |
| with: | |
| script: | | |
| const cosignVersion = core.getInput('cosign-version'); | |
| core.info(`Cosign version used by Docker GitHub Builder: ${cosignVersion}`); | |
| const cosignVerifyCommands = core.getMultilineInput('cosign-verify-commands'); | |
| for (const cmd of cosignVerifyCommands) { | |
| await exec.exec(cmd); | |
| } | |
| build-ghcr: | |
| uses: ./.github/workflows/build.yml | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| with: | |
| output: ${{ github.event_name != 'pull_request' && 'registry' || 'cacheonly' }} | |
| meta-images: ghcr.io/docker/github-builder-test | |
| meta-tags: | | |
| type=raw,value=build-${{ github.run_id }} | |
| build-file: test/hello.Dockerfile | |
| build-sbom: true | |
| build-platforms: linux/amd64,linux/arm64 | |
| secrets: | |
| registry-auths: | | |
| - registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| build-dockerhub-stage: | |
| uses: ./.github/workflows/build.yml | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| with: | |
| output: ${{ github.event_name != 'pull_request' && 'registry' || 'cacheonly' }} | |
| meta-images: registry-1-stage.docker.io/docker/github-builder-test | |
| meta-tags: | | |
| type=raw,value=build-${{ github.run_id }} | |
| build-file: test/hello.Dockerfile | |
| build-sbom: true | |
| build-platforms: linux/amd64,linux/arm64 | |
| secrets: | |
| registry-auths: | | |
| - registry: registry-1-stage.docker.io | |
| username: ${{ vars.DOCKERHUB_STAGE_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_STAGE_TOKEN }} | |
| build-dockerhub-stage-oidc: | |
| uses: ./.github/workflows/build.yml | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| with: | |
| output: ${{ github.event_name != 'pull_request' && 'registry' || 'cacheonly' }} | |
| meta-images: registry-1-stage.docker.io/docker/github-builder-test | |
| meta-tags: | | |
| type=raw,value=${{ github.run_id }},prefix=oidc- | |
| build-file: test/hello.Dockerfile | |
| build-sbom: true | |
| build-platforms: linux/amd64,linux/arm64 | |
| secrets: | |
| registry-auths: | | |
| - registry: registry-1-stage.docker.io | |
| username: docker:cdeb5882-30b7-4076-be92-bfdceb258e9c | |
| build-ghcr-and-aws: | |
| uses: ./.github/workflows/build.yml | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| with: | |
| output: ${{ github.event_name != 'pull_request' && 'registry' || 'cacheonly' }} | |
| meta-images: | | |
| ghcr.io/docker/github-builder-test | |
| public.ecr.aws/q3b5f1u4/test-docker-action | |
| meta-tags: | | |
| type=raw,value=${{ github.run_id }},prefix=build-ghcr-and-aws- | |
| build-file: test/hello.Dockerfile | |
| build-sbom: true | |
| build-platforms: linux/amd64,linux/arm64 | |
| secrets: | |
| registry-auths: | | |
| - registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - registry: public.ecr.aws | |
| username: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| password: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| build-local: | |
| uses: ./.github/workflows/build.yml | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| with: | |
| output: ${{ github.event_name != 'pull_request' && 'local' || 'cacheonly' }} | |
| artifact-name: build-output | |
| build-file: test/hello.Dockerfile | |
| build-sbom: true | |
| build-platforms: linux/amd64,linux/arm64 | |
| build-local-verify: | |
| runs-on: ubuntu-latest | |
| if: ${{ github.event_name != 'pull_request' }} | |
| needs: | |
| - build-local | |
| steps: | |
| - | |
| name: Install Cosign | |
| uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 | |
| with: | |
| cosign-release: ${{ needs.build-local.outputs.cosign-version }} | |
| - | |
| name: Download artifact | |
| uses: actions/download-artifact@v5 | |
| with: | |
| name: ${{ needs.build-local.outputs.artifact-name }} | |
| - | |
| name: Verify signatures | |
| uses: actions/github-script@v8 | |
| env: | |
| INPUT_COSIGN-VERSION: ${{ needs.build-local.outputs.cosign-version }} | |
| INPUT_COSIGN-VERIFY-COMMANDS: ${{ needs.build-local.outputs.cosign-verify-commands }} | |
| with: | |
| script: | | |
| const cosignVersion = core.getInput('cosign-version'); | |
| core.info(`Cosign version used by Docker GitHub Builder: ${cosignVersion}`); | |
| const cosignVerifyCommands = core.getMultilineInput('cosign-verify-commands'); | |
| for (const cmd of cosignVerifyCommands) { | |
| await exec.exec(cmd); | |
| } | |
| build-local-single: | |
| uses: ./.github/workflows/build.yml | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| with: | |
| output: ${{ github.event_name != 'pull_request' && 'local' || 'cacheonly' }} | |
| artifact-name: build-output-single | |
| build-file: test/hello.Dockerfile | |
| build-sbom: true | |
| bake-aws: | |
| uses: ./.github/workflows/bake.yml | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| with: | |
| context: test | |
| target: hello-cross | |
| output: ${{ github.event_name != 'pull_request' && 'registry' || 'cacheonly' }} | |
| cache: true | |
| cache-scope: bake-aws | |
| meta-images: | | |
| public.ecr.aws/q3b5f1u4/test-docker-action | |
| meta-tags: | | |
| type=raw,value=bake-ghbuilder-${{ github.run_id }} | |
| bake-sbom: true | |
| secrets: | |
| registry-auths: | | |
| - registry: public.ecr.aws | |
| username: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| password: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| bake-aws-verify: | |
| runs-on: ubuntu-latest | |
| if: ${{ github.event_name != 'pull_request' }} | |
| needs: | |
| - bake-aws | |
| steps: | |
| - | |
| name: Install Cosign | |
| uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 | |
| with: | |
| cosign-release: ${{ needs.bake-aws.outputs.cosign-version }} | |
| - | |
| name: Login to registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: public.ecr.aws | |
| username: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| password: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| - | |
| name: Verify signatures | |
| uses: actions/github-script@v8 | |
| env: | |
| INPUT_COSIGN-VERSION: ${{ needs.bake-aws.outputs.cosign-version }} | |
| INPUT_COSIGN-VERIFY-COMMANDS: ${{ needs.bake-aws.outputs.cosign-verify-commands }} | |
| with: | |
| script: | | |
| const cosignVersion = core.getInput('cosign-version'); | |
| core.info(`Cosign version used by Docker GitHub Builder: ${cosignVersion}`); | |
| const cosignVerifyCommands = core.getMultilineInput('cosign-verify-commands'); | |
| for (const cmd of cosignVerifyCommands) { | |
| await exec.exec(cmd); | |
| } | |
| bake-ghcr-and-aws: | |
| uses: ./.github/workflows/bake.yml | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| with: | |
| context: test | |
| target: hello-cross | |
| output: ${{ github.event_name != 'pull_request' && 'registry' || 'cacheonly' }} | |
| cache: true | |
| cache-scope: bake-aws | |
| meta-images: | | |
| ghcr.io/docker/github-builder-test | |
| public.ecr.aws/q3b5f1u4/test-docker-action | |
| meta-tags: | | |
| type=raw,value=${{ github.run_id }},prefix=bake-ghcr-and-aws- | |
| bake-sbom: true | |
| secrets: | |
| registry-auths: | | |
| - registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - registry: public.ecr.aws | |
| username: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| password: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| bake-ghcr-and-aws-verify: | |
| runs-on: ubuntu-latest | |
| if: ${{ github.event_name != 'pull_request' }} | |
| needs: | |
| - bake-ghcr-and-aws | |
| steps: | |
| - | |
| name: Install Cosign | |
| uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 | |
| with: | |
| cosign-release: ${{ needs.bake-ghcr-and-aws.outputs.cosign-version }} | |
| - | |
| name: Login to registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: public.ecr.aws | |
| username: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| password: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| - | |
| name: Verify signatures | |
| uses: actions/github-script@v8 | |
| env: | |
| INPUT_COSIGN-VERSION: ${{ needs.bake-ghcr-and-aws.outputs.cosign-version }} | |
| INPUT_COSIGN-VERIFY-COMMANDS: ${{ needs.bake-ghcr-and-aws.outputs.cosign-verify-commands }} | |
| with: | |
| script: | | |
| const cosignVersion = core.getInput('cosign-version'); | |
| core.info(`Cosign version used by Docker GitHub Builder: ${cosignVersion}`); | |
| const cosignVerifyCommands = core.getMultilineInput('cosign-verify-commands'); | |
| for (const cmd of cosignVerifyCommands) { | |
| await exec.exec(cmd); | |
| } | |
| bake-local: | |
| uses: ./.github/workflows/bake.yml | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| with: | |
| context: test | |
| target: hello-cross | |
| output: ${{ github.event_name != 'pull_request' && 'local' || 'cacheonly' }} | |
| cache: true | |
| artifact-name: bake-output | |
| bake-sbom: true | |
| bake-local-verify: | |
| runs-on: ubuntu-latest | |
| if: ${{ github.event_name != 'pull_request' }} | |
| needs: | |
| - bake-local | |
| steps: | |
| - | |
| name: Install Cosign | |
| uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 | |
| with: | |
| cosign-release: ${{ needs.bake-local.outputs.cosign-version }} | |
| - | |
| name: Download artifacts | |
| uses: actions/download-artifact@v5 | |
| with: | |
| pattern: ${{ needs.bake-local.outputs.artifact-name }}* | |
| merge-multiple: true | |
| - | |
| name: Verify signatures | |
| uses: actions/github-script@v8 | |
| env: | |
| INPUT_COSIGN-VERSION: ${{ needs.bake-local.outputs.cosign-version }} | |
| INPUT_COSIGN-VERIFY-COMMANDS: ${{ needs.bake-local.outputs.cosign-verify-commands }} | |
| with: | |
| script: | | |
| const cosignVersion = core.getInput('cosign-version'); | |
| core.info(`Cosign version used by Docker GitHub Builder: ${cosignVersion}`); | |
| const cosignVerifyCommands = core.getMultilineInput('cosign-verify-commands'); | |
| for (const cmd of cosignVerifyCommands) { | |
| await exec.exec(cmd); | |
| } | |
| bake-local-single: | |
| uses: ./.github/workflows/bake.yml | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| with: | |
| context: test | |
| target: hello | |
| output: ${{ github.event_name != 'pull_request' && 'local' || 'cacheonly' }} | |
| cache: true | |
| artifact-name: bake-output-single | |
| bake-sbom: true |