Skip to content

Bump actions/attest-build-provenance from 1.4.3 to 1.4.4 #787

Bump actions/attest-build-provenance from 1.4.3 to 1.4.4

Bump actions/attest-build-provenance from 1.4.3 to 1.4.4 #787

name: Docker Image Builder
on:
workflow_dispatch:
schedule:
# Run once a week on Fridays
- cron: "0 0 * * FRI"
pull_request:
paths:
- '.github/workflows/build-docker-images.yml'
- 'runners/**'
- 'cryptography-linux/**'
push:
branches:
- main
paths:
- '.github/workflows/build-docker-images.yml'
- 'runners/**'
- 'cryptography-linux/**'
jobs:
build:
runs-on: ${{ matrix.IMAGE.RUNNER }}
timeout-minutes: 10
permissions:
contents: read
packages: write
id-token: write
attestations: write
strategy:
fail-fast: false
matrix:
IMAGE:
- {TAG_NAME: "cryptography-runner-rhel8", DOCKERFILE_PATH: "runners/rhel", BUILD_ARGS: "RELEASE=redhat/ubi8", RUNNER: "ubuntu-latest"}
- {TAG_NAME: "cryptography-runner-rhel8-fips", DOCKERFILE_PATH: "runners/rhel", BUILD_ARGS: "FIPS=1\nRELEASE=redhat/ubi8", RUNNER: "ubuntu-latest"}
- {TAG_NAME: "cryptography-runner-centos-stream9", DOCKERFILE_PATH: "runners/rhel", BUILD_ARGS: "RELEASE=quay.io/centos/centos:stream9", RUNNER: "ubuntu-latest"}
- {TAG_NAME: "cryptography-runner-centos-stream9-fips", DOCKERFILE_PATH: "runners/rhel", BUILD_ARGS: "FIPS=1\nRELEASE=quay.io/centos/centos:stream9", RUNNER: "ubuntu-latest"}
- {TAG_NAME: "cryptography-runner-fedora", DOCKERFILE_PATH: "runners/fedora", RUNNER: "ubuntu-latest"}
- {TAG_NAME: "cryptography-runner-alpine", DOCKERFILE_PATH: "runners/alpine", RUNNER: "ubuntu-latest"}
- {TAG_NAME: "cryptography-runner-bullseye", DOCKERFILE_PATH: "runners/debian", BUILD_ARGS: "RELEASE=bullseye", RUNNER: "ubuntu-latest"}
- {TAG_NAME: "cryptography-runner-bookworm", DOCKERFILE_PATH: "runners/debian", BUILD_ARGS: "RELEASE=bookworm", RUNNER: "ubuntu-latest"}
- {TAG_NAME: "cryptography-runner-trixie", DOCKERFILE_PATH: "runners/debian", BUILD_ARGS: "RELEASE=trixie", RUNNER: "ubuntu-latest"}
- {TAG_NAME: "cryptography-runner-sid", DOCKERFILE_PATH: "runners/debian", BUILD_ARGS: "RELEASE=sid", RUNNER: "ubuntu-latest"}
- {TAG_NAME: "cryptography-runner-ubuntu-focal", DOCKERFILE_PATH: "runners/ubuntu", BUILD_ARGS: "RELEASE=focal", RUNNER: "ubuntu-latest"}
- {TAG_NAME: "cryptography-runner-ubuntu-jammy", DOCKERFILE_PATH: "runners/ubuntu", BUILD_ARGS: "RELEASE=jammy", RUNNER: "ubuntu-latest"}
- {TAG_NAME: "cryptography-runner-ubuntu-noble", DOCKERFILE_PATH: "runners/ubuntu", BUILD_ARGS: "RELEASE=noble", RUNNER: "ubuntu-latest"}
- {TAG_NAME: "cryptography-runner-ubuntu-rolling", DOCKERFILE_PATH: "runners/ubuntu", BUILD_ARGS: "RELEASE=rolling", RUNNER: "ubuntu-latest"}
- {TAG_NAME: "cryptography-manylinux2014:x86_64", DOCKERFILE_PATH: "cryptography-linux", BUILD_ARGS: "PYCA_RELEASE=manylinux2014_x86_64", RUNNER: "ubuntu-latest"}
- {TAG_NAME: "cryptography-manylinux_2_28:x86_64", DOCKERFILE_PATH: "cryptography-linux", BUILD_ARGS: "PYCA_RELEASE=manylinux_2_28_x86_64", RUNNER: "ubuntu-latest"}
- {TAG_NAME: "cryptography-musllinux_1_1:x86_64", DOCKERFILE_PATH: "cryptography-linux", BUILD_ARGS: "PYCA_RELEASE=musllinux_1_1_x86_64", RUNNER: "ubuntu-latest"}
- {TAG_NAME: "cryptography-musllinux_1_2:x86_64", DOCKERFILE_PATH: "cryptography-linux", BUILD_ARGS: "PYCA_RELEASE=musllinux_1_2_x86_64", RUNNER: "ubuntu-latest"}
- {TAG_NAME: "cryptography-manylinux2014_aarch64", DOCKERFILE_PATH: "cryptography-linux", BUILD_ARGS: "PYCA_RELEASE=manylinux2014_aarch64", RUNNER: [self-hosted, Linux, ARM64]}
- {TAG_NAME: "cryptography-manylinux_2_28:aarch64", DOCKERFILE_PATH: "cryptography-linux", BUILD_ARGS: "PYCA_RELEASE=manylinux_2_28_aarch64", RUNNER: [self-hosted, Linux, ARM64]}
- {TAG_NAME: "cryptography-musllinux_1_1:aarch64", DOCKERFILE_PATH: "cryptography-linux", BUILD_ARGS: "PYCA_RELEASE=musllinux_1_1_aarch64", RUNNER: [self-hosted, Linux, ARM64]}
- {TAG_NAME: "cryptography-musllinux_1_2:aarch64", DOCKERFILE_PATH: "cryptography-linux", BUILD_ARGS: "PYCA_RELEASE=musllinux_1_2_aarch64", RUNNER: [self-hosted, Linux, ARM64]}
- {TAG_NAME: "cryptography-runner-ubuntu-rolling:aarch64", DOCKERFILE_PATH: "runners/ubuntu", BUILD_ARGS: "RELEASE=rolling", RUNNER: [self-hosted, Linux, ARM64]}
- {TAG_NAME: "cryptography-runner-alpine:aarch64", DOCKERFILE_PATH: "runners/alpine", RUNNER: [self-hosted, Linux, ARM64]}
name: "${{ matrix.IMAGE.TAG_NAME }}"
steps:
- uses: actions/checkout@v4.2.2
with:
persist-credentials: false
- run: |
source ./staticnode/node-version.sh
arch=$(echo "${{ runner.arch }}" | tr '[:upper:]' '[:lower:]')
echo "NODE_ARCH_RELEASE=$arch:$NODE_VERSION" >> $GITHUB_ENV
# Pull the previous image, but if it fails return true anyway.
# Sometimes we add new docker images and if they've never been pushed
# they can't be pulled.
- name: Pull existing image
run: docker pull ghcr.io/pyca/${{ matrix.IMAGE.TAG_NAME }} || true
if: github.event_name != 'schedule' && github.event_name != 'workflow_dispatch'
- name: Get image name
id: image-name
run: |
ATTEST_IMAGE=$(echo "${{ matrix.IMAGE.TAG_NAME }}" | cut -d ':' -f 1)
echo "ATTEST_IMAGE=${ATTEST_IMAGE}" | tee -a "$GITHUB_OUTPUT"
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
- name: Login to ghcr.io
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
if: (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && github.ref == 'refs/heads/main'
- name: Build (and push if main) docker image
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
id: docker-build
with:
context: ${{ matrix.IMAGE.DOCKERFILE_PATH }}
cache-from: ghcr.io/pyca/${{ matrix.IMAGE.TAG_NAME }}
tags: ghcr.io/pyca/${{ matrix.IMAGE.TAG_NAME }}
pull: true
build-args: |
NODE_ARCH_RELEASE=${{ env.NODE_ARCH_RELEASE }}
${{ matrix.IMAGE.BUILD_ARGS }}
push: ${{ (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && github.ref == 'refs/heads/main' }}
- uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4
with:
subject-name: "ghcr.io/pyca/${{ steps.image-name.outputs.ATTEST_IMAGE }}"
subject-digest: ${{ steps.docker-build.outputs.digest }}
push-to-registry: true
if: (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && github.ref == 'refs/heads/main'