mirror of
https://github.com/falcosecurity/falco.git
synced 2025-10-21 11:29:26 +00:00
b3b4f4a431
Signed-off-by: Luca Guerra <luca@guerra.sh> Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
175 lines
8.9 KiB
YAML
175 lines
8.9 KiB
YAML
# This is a reusable workflow used by master and release CI
|
|
on:
|
|
workflow_call:
|
|
inputs:
|
|
tag:
|
|
description: The tag to push
|
|
required: true
|
|
type: string
|
|
is_latest:
|
|
description: Update the latest tag with the new image
|
|
required: false
|
|
type: boolean
|
|
default: false
|
|
sign:
|
|
description: Add signature with cosign
|
|
required: false
|
|
type: boolean
|
|
default: false
|
|
|
|
permissions:
|
|
id-token: write
|
|
contents: read
|
|
|
|
jobs:
|
|
publish-docker:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v2
|
|
|
|
- name: Download images tarballs
|
|
uses: actions/download-artifact@v3
|
|
with:
|
|
name: falco-images
|
|
path: /tmp/falco-images
|
|
|
|
- name: Load all images
|
|
run: |
|
|
for img in /tmp/falco-images/falco-*.tar; do docker load --input $img; done
|
|
|
|
- name: Login to Docker Hub
|
|
uses: docker/login-action@v2
|
|
with:
|
|
username: ${{ secrets.DOCKERHUB_USER }}
|
|
password: ${{ secrets.DOCKERHUB_SECRET }}
|
|
|
|
- name: Configure AWS credentials
|
|
uses: aws-actions/configure-aws-credentials@v2
|
|
with:
|
|
role-to-assume: "arn:aws:iam::292999226676:role/github_actions-falco-ecr"
|
|
aws-region: us-east-1 # The region must be set to us-east-1 in order to access ECR Public.
|
|
|
|
- name: Login to Amazon ECR
|
|
id: login-ecr-public
|
|
uses: aws-actions/amazon-ecr-login@2f9f10ea3fa2eed41ac443fee8bfbd059af2d0a4 # v1.6.0
|
|
with:
|
|
registry-type: public
|
|
|
|
- name: Setup Crane
|
|
uses: imjasonh/setup-crane@v0.3
|
|
with:
|
|
version: v0.15.1
|
|
|
|
# We're pushing the arch-specific manifests to Docker Hub so that we'll be able to easily create the index/multiarch later
|
|
- name: Push arch-specific images to Docker Hub
|
|
run: |
|
|
docker push docker.io/falcosecurity/falco-no-driver:aarch64-${{ inputs.tag }}
|
|
docker push docker.io/falcosecurity/falco-no-driver:x86_64-${{ inputs.tag }}
|
|
docker push docker.io/falcosecurity/falco-distroless:aarch64-${{ inputs.tag }}
|
|
docker push docker.io/falcosecurity/falco-distroless:x86_64-${{ inputs.tag }}
|
|
docker push docker.io/falcosecurity/falco:aarch64-${{ inputs.tag }}
|
|
docker push docker.io/falcosecurity/falco:x86_64-${{ inputs.tag }}
|
|
docker push docker.io/falcosecurity/falco-driver-loader:aarch64-${{ inputs.tag }}
|
|
docker push docker.io/falcosecurity/falco-driver-loader:x86_64-${{ inputs.tag }}
|
|
docker push docker.io/falcosecurity/falco-driver-loader-legacy:aarch64-${{ inputs.tag }}
|
|
docker push docker.io/falcosecurity/falco-driver-loader-legacy:x86_64-${{ inputs.tag }}
|
|
|
|
- name: Create no-driver manifest on Docker Hub
|
|
uses: Noelware/docker-manifest-action@0.3.1
|
|
with:
|
|
inputs: docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }}
|
|
images: docker.io/falcosecurity/falco-no-driver:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco-no-driver:x86_64-${{ inputs.tag }}
|
|
push: true
|
|
|
|
- name: Create distroless manifest on Docker Hub
|
|
uses: Noelware/docker-manifest-action@0.3.1
|
|
with:
|
|
inputs: docker.io/falcosecurity/falco-distroless:${{ inputs.tag }}
|
|
images: docker.io/falcosecurity/falco-distroless:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco-distroless:x86_64-${{ inputs.tag }}
|
|
push: true
|
|
|
|
- name: Tag slim manifest on Docker Hub
|
|
run: |
|
|
crane copy docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }} docker.io/falcosecurity/falco:${{ inputs.tag }}-slim
|
|
|
|
- name: Create falco manifest on Docker Hub
|
|
uses: Noelware/docker-manifest-action@0.3.1
|
|
with:
|
|
inputs: docker.io/falcosecurity/falco:${{ inputs.tag }}
|
|
images: docker.io/falcosecurity/falco:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco:x86_64-${{ inputs.tag }}
|
|
push: true
|
|
|
|
- name: Create falco-driver-loader manifest on Docker Hub
|
|
uses: Noelware/docker-manifest-action@0.3.1
|
|
with:
|
|
inputs: docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }}
|
|
images: docker.io/falcosecurity/falco-driver-loader:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco-driver-loader:x86_64-${{ inputs.tag }}
|
|
push: true
|
|
|
|
- name: Create falco-driver-loader-legacy manifest on Docker Hub
|
|
uses: Noelware/docker-manifest-action@0.3.1
|
|
with:
|
|
inputs: docker.io/falcosecurity/falco-driver-loader-legacy:${{ inputs.tag }}
|
|
images: docker.io/falcosecurity/falco-driver-loader-legacy:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco-driver-loader-legacy:x86_64-${{ inputs.tag }}
|
|
push: true
|
|
|
|
- name: Get Digests for images
|
|
id: digests
|
|
run: |
|
|
echo "falco-no-driver=$(crane digest docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }})" >> $GITHUB_OUTPUT
|
|
echo "falco-distroless=$(crane digest docker.io/falcosecurity/falco-distroless:${{ inputs.tag }})" >> $GITHUB_OUTPUT
|
|
echo "falco=$(crane digest docker.io/falcosecurity/falco:${{ inputs.tag }})" >> $GITHUB_OUTPUT
|
|
echo "falco-driver-loader=$(crane digest docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }})" >> $GITHUB_OUTPUT
|
|
echo "falco-driver-loader-legacy=$(crane digest docker.io/falcosecurity/falco-driver-loader-legacy:${{ inputs.tag }})" >> $GITHUB_OUTPUT
|
|
|
|
- name: Publish images to ECR
|
|
run: |
|
|
crane copy docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco-no-driver:${{ inputs.tag }}
|
|
crane copy docker.io/falcosecurity/falco-distroless:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco-distroless:${{ inputs.tag }}
|
|
crane copy docker.io/falcosecurity/falco:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}
|
|
crane copy docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.tag }}
|
|
crane copy docker.io/falcosecurity/falco-driver-loader-legacy:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco-driver-loader-legacy:${{ inputs.tag }}
|
|
crane copy public.ecr.aws/falcosecurity/falco-no-driver:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}-slim
|
|
|
|
- name: Tag latest on Docker Hub and ECR
|
|
if: inputs.is_latest
|
|
run: |
|
|
crane tag docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }} latest
|
|
crane tag docker.io/falcosecurity/falco-distroless:${{ inputs.tag }} latest
|
|
crane tag docker.io/falcosecurity/falco:${{ inputs.tag }} latest
|
|
crane tag docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }} latest
|
|
crane tag docker.io/falcosecurity/falco-driver-loader-legacy:${{ inputs.tag }} latest
|
|
crane tag docker.io/falcosecurity/falco:${{ inputs.tag }}-slim latest-slim
|
|
|
|
crane tag public.ecr.aws/falcosecurity/falco-no-driver:${{ inputs.tag }} latest
|
|
crane tag public.ecr.aws/falcosecurity/falco-distroless:${{ inputs.tag }} latest
|
|
crane tag public.ecr.aws/falcosecurity/falco:${{ inputs.tag }} latest
|
|
crane tag public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.tag }} latest
|
|
crane tag public.ecr.aws/falcosecurity/falco-driver-loader-legacy:${{ inputs.tag }} latest
|
|
crane tag public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}-slim latest-slim
|
|
|
|
- name: Setup Cosign
|
|
if: inputs.sign
|
|
uses: sigstore/cosign-installer@main
|
|
with:
|
|
cosign-release: v2.0.2
|
|
|
|
- name: Sign images with cosign
|
|
if: inputs.sign
|
|
env:
|
|
COSIGN_EXPERIMENTAL: "true"
|
|
COSIGN_YES: "true"
|
|
run: |
|
|
cosign sign docker.io/falcosecurity/falco-no-driver@${{ steps.digests.outputs.falco-no-driver }}
|
|
cosign sign docker.io/falcosecurity/falco-distroless@${{ steps.digests.outputs.falco-distroless }}
|
|
cosign sign docker.io/falcosecurity/falco@${{ steps.digests.outputs.falco }}
|
|
cosign sign docker.io/falcosecurity/falco-driver-loader@${{ steps.digests.outputs.falco-driver-loader }}
|
|
cosign sign docker.io/falcosecurity/falco-driver-loader-legacy@${{ steps.digests.outputs.falco-driver-loader-legacy }}
|
|
|
|
cosign sign public.ecr.aws/falcosecurity/falco-no-driver@${{ steps.digests.outputs.falco-no-driver }}
|
|
cosign sign public.ecr.aws/falcosecurity/falco-distroless@${{ steps.digests.outputs.falco-distroless }}
|
|
cosign sign public.ecr.aws/falcosecurity/falco@${{ steps.digests.outputs.falco }}
|
|
cosign sign public.ecr.aws/falcosecurity/falco-driver-loader@${{ steps.digests.outputs.falco-driver-loader }}
|
|
cosign sign public.ecr.aws/falcosecurity/falco-driver-loader-legacy@${{ steps.digests.outputs.falco-driver-loader-legacy }}
|