falco/.github/workflows/reusable_publish_docker.yaml

# This is a reusable workflow used by master and release CI
on:
  workflow_call:
    inputs:
      tag:
        description: The tag to push
        required: true
        type: string
      is_latest:
        description: Update the latest tag with the new image
        required: false
        type: boolean
        default: false
      sign:
        description: Add signature with cosign
        required: false
        type: boolean
        default: false

permissions:
  id-token: write
  contents: read
  
jobs:
  publish-docker:
    runs-on: ubuntu-latest
    steps:
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
    
      - name: Download images tarballs
        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
          name: falco-images
          path: /tmp/falco-images
      
      - name: Load all images
        run: |
          for img in /tmp/falco-images/falco-*.tar; do docker load --input $img; done
    
      - name: Login to Docker Hub
        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
        with:
          username: ${{ secrets.DOCKERHUB_USER }}
          password: ${{ secrets.DOCKERHUB_SECRET }}
      
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
        with:
          role-to-assume: "arn:aws:iam::292999226676:role/github_actions-falco-ecr"
          aws-region: us-east-1 # The region must be set to us-east-1 in order to access ECR Public.
          
      - name: Login to Amazon ECR
        id: login-ecr-public
        uses: aws-actions/amazon-ecr-login@2f9f10ea3fa2eed41ac443fee8bfbd059af2d0a4 # v1.6.0
        with:
          registry-type: public    
      
      - name: Setup Crane
        uses: imjasonh/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c # v0.3
        with:
          version: v0.15.1

      # We're pushing the arch-specific manifests to Docker Hub so that we'll be able to easily create the index/multiarch later
      - name: Push arch-specific images to Docker Hub
        run: |
          docker push docker.io/falcosecurity/falco-no-driver:aarch64-${{ inputs.tag }}
          docker push docker.io/falcosecurity/falco-no-driver:x86_64-${{ inputs.tag }}
          docker push docker.io/falcosecurity/falco-distroless:aarch64-${{ inputs.tag }}
          docker push docker.io/falcosecurity/falco-distroless:x86_64-${{ inputs.tag }}
          docker push docker.io/falcosecurity/falco:aarch64-${{ inputs.tag }}
          docker push docker.io/falcosecurity/falco:x86_64-${{ inputs.tag }}
          docker push docker.io/falcosecurity/falco-driver-loader:aarch64-${{ inputs.tag }}
          docker push docker.io/falcosecurity/falco-driver-loader:x86_64-${{ inputs.tag }}
          docker push docker.io/falcosecurity/falco-driver-loader-legacy:aarch64-${{ inputs.tag }}
          docker push docker.io/falcosecurity/falco-driver-loader-legacy:x86_64-${{ inputs.tag }}

      - name: Create no-driver manifest on Docker Hub
        uses: Noelware/docker-manifest-action@8e337e3cb9656abfcf20146b99706fd88716e942 # v0.4.0
        with:
          inputs: docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }}
          images: docker.io/falcosecurity/falco-no-driver:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco-no-driver:x86_64-${{ inputs.tag }}
          push: true

      - name: Create distroless manifest on Docker Hub
        uses: Noelware/docker-manifest-action@8e337e3cb9656abfcf20146b99706fd88716e942 # v0.4.0
        with:
          inputs: docker.io/falcosecurity/falco-distroless:${{ inputs.tag }}
          images: docker.io/falcosecurity/falco-distroless:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco-distroless:x86_64-${{ inputs.tag }}
          push: true
          
      - name: Tag slim manifest on Docker Hub
        run: |
          crane copy docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }} docker.io/falcosecurity/falco:${{ inputs.tag }}-slim

      - name: Create falco manifest on Docker Hub
        uses: Noelware/docker-manifest-action@8e337e3cb9656abfcf20146b99706fd88716e942 # v0.4.0
        with:
          inputs: docker.io/falcosecurity/falco:${{ inputs.tag }}
          images: docker.io/falcosecurity/falco:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco:x86_64-${{ inputs.tag }}
          push: true
          
      - name: Create falco-driver-loader manifest on Docker Hub
        uses: Noelware/docker-manifest-action@8e337e3cb9656abfcf20146b99706fd88716e942 # v0.4.0
        with:
          inputs: docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }}
          images: docker.io/falcosecurity/falco-driver-loader:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco-driver-loader:x86_64-${{ inputs.tag }}
          push: true

      - name: Create falco-driver-loader-legacy manifest on Docker Hub
        uses: Noelware/docker-manifest-action@8e337e3cb9656abfcf20146b99706fd88716e942 # v0.4.0
        with:
          inputs: docker.io/falcosecurity/falco-driver-loader-legacy:${{ inputs.tag }}
          images: docker.io/falcosecurity/falco-driver-loader-legacy:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco-driver-loader-legacy:x86_64-${{ inputs.tag }}
          push: true

      - name: Get Digests for images
        id: digests
        # We could probably use the docker-manifest-action output instead of recomputing those with crane
        run: |
          echo "falco-no-driver=$(crane digest docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }})" >> $GITHUB_OUTPUT
          echo "falco-distroless=$(crane digest docker.io/falcosecurity/falco-distroless:${{ inputs.tag }})" >> $GITHUB_OUTPUT
          echo "falco=$(crane digest docker.io/falcosecurity/falco:${{ inputs.tag }})" >> $GITHUB_OUTPUT
          echo "falco-driver-loader=$(crane digest docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }})" >> $GITHUB_OUTPUT
          echo "falco-driver-loader-legacy=$(crane digest docker.io/falcosecurity/falco-driver-loader-legacy:${{ inputs.tag }})" >> $GITHUB_OUTPUT

      - name: Publish images to ECR
        run: |
          crane copy docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco-no-driver:${{ inputs.tag }}
          crane copy docker.io/falcosecurity/falco-distroless:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco-distroless:${{ inputs.tag }}
          crane copy docker.io/falcosecurity/falco:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}
          crane copy docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.tag }}
          crane copy docker.io/falcosecurity/falco-driver-loader-legacy:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco-driver-loader-legacy:${{ inputs.tag }}
          crane copy public.ecr.aws/falcosecurity/falco-no-driver:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}-slim

      - name: Tag latest on Docker Hub and ECR
        if: inputs.is_latest
        run: |
          crane tag docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }} latest
          crane tag docker.io/falcosecurity/falco-distroless:${{ inputs.tag }} latest
          crane tag docker.io/falcosecurity/falco:${{ inputs.tag }} latest
          crane tag docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }} latest
          crane tag docker.io/falcosecurity/falco-driver-loader-legacy:${{ inputs.tag }} latest
          crane tag docker.io/falcosecurity/falco:${{ inputs.tag }}-slim latest-slim

          crane tag public.ecr.aws/falcosecurity/falco-no-driver:${{ inputs.tag }} latest
          crane tag public.ecr.aws/falcosecurity/falco-distroless:${{ inputs.tag }} latest
          crane tag public.ecr.aws/falcosecurity/falco:${{ inputs.tag }} latest
          crane tag public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.tag }} latest
          crane tag public.ecr.aws/falcosecurity/falco-driver-loader-legacy:${{ inputs.tag }} latest
          crane tag public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}-slim latest-slim

      - name: Setup Cosign
        if: inputs.sign
        uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
        with:
          cosign-release: v2.0.2

      - name: Sign images with cosign
        if: inputs.sign
        env:
          COSIGN_EXPERIMENTAL: "true"
          COSIGN_YES: "true"
        run: |
          cosign sign docker.io/falcosecurity/falco-no-driver@${{ steps.digests.outputs.falco-no-driver }}
          cosign sign docker.io/falcosecurity/falco-distroless@${{ steps.digests.outputs.falco-distroless }}
          cosign sign docker.io/falcosecurity/falco@${{ steps.digests.outputs.falco }}
          cosign sign docker.io/falcosecurity/falco-driver-loader@${{ steps.digests.outputs.falco-driver-loader }}
          cosign sign docker.io/falcosecurity/falco-driver-loader-legacy@${{ steps.digests.outputs.falco-driver-loader-legacy }}

          cosign sign public.ecr.aws/falcosecurity/falco-no-driver@${{ steps.digests.outputs.falco-no-driver }}
          cosign sign public.ecr.aws/falcosecurity/falco-distroless@${{ steps.digests.outputs.falco-distroless }}
          cosign sign public.ecr.aws/falcosecurity/falco@${{ steps.digests.outputs.falco }}
          cosign sign public.ecr.aws/falcosecurity/falco-driver-loader@${{ steps.digests.outputs.falco-driver-loader }}
          cosign sign public.ecr.aws/falcosecurity/falco-driver-loader-legacy@${{ steps.digests.outputs.falco-driver-loader-legacy }}