From 8eb74952d94511cc96dec15ff4029cd81961bd03 Mon Sep 17 00:00:00 2001
From: Javier Rodriguez
Date: Mon, 25 Aug 2025 10:40:59 +0200
Subject: [PATCH 1/3] feat(ci): Build copy of Bitnami images for vendorized charts
Signed-off-by: Javier Rodriguez
---
 .../build_external_container_images.yaml.yml | 130 ++++++++++++++++++
 1 file changed, 130 insertions(+)
 create mode 100644 .github/workflows/build_external_container_images.yaml.yml
diff --git a/.github/workflows/build_external_container_images.yaml.yml b/.github/workflows/build_external_container_images.yaml.yml
new file mode 100644
index 000000000..7d02bea9f
--- /dev/null
+++ b/.github/workflows/build_external_container_images.yaml.yml
@@ -0,0 +1,130 @@
+name: Build Bitnami Container Images
+
+on:
+ workflow_dispatch:
+
+permissions:
+ contents: read
+ packages: write
+
+jobs:
+ build_and_push_images:
+ name: Build and Push ${{ matrix.image.name }} Image
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ image:
+ # On Ref we use the specific commit SHA to ensure reproducible builds
+ # It can be: branch, tag or SHA
+ - name: PostgresSQL
+ image_name: chainloop-dev/chainloop/postgresql
+ path: bitnami/postgresql/16/debian-12
+ sparse_checkout: bitnami/postgresql/16/debian-12
+ ref: 5d351cc8a742d6a6f417f879ba2df9882b617676
+ - name: PostgresSQL Exporter
+ image_name: chainloop-dev/chainloop/postgres-exporter
+ path: bitnami/postgres-exporter/0/debian-12
+ sparse_checkout: bitnami/postgres-exporter/0/debian-12
+ ref: 1d0408ccfbdc43b90bc6449227ce731079e42f6b
+ - name: OS Shell
+ image_name: chainloop-dev/chainloop/os-shell
+ path: bitnami/os-shell/12/debian-12
+ sparse_checkout: bitnami/os-shell/12/debian-12
+ ref: dde1f3b2d7b271de64c6ce948a04716cb96199a1
+ - name: Dex
+ image_name: chainloop-dev/chainloop/dex
+ path: bitnami/dex/2/debian-12
+ sparse_checkout: bitnami/dex/2/debian-12
+ ref: 19c7a5ade4364ff1b52c65004291203ff2096eb0
+ - name: Vault
+ image_name: chainloop-dev/chainloop/vault
+ path: bitnami/vault/1/debian-12
+ sparse_checkout: bitnami/vault/1/debian-12
+ ref: 28d8f22ad6b7c3871c2f429c72e5ccf3344ae5bc
+ - name: Vault CSI Provider
+ image_name: chainloop-dev/chainloop/vault-csi-provider
+ path: bitnami/vault-csi-provider/1/debian-12
+ sparse_checkout: bitnami/vault-csi-provider/1/debian-12
+ ref: 673c94210db93a8df808765b6b213661686aeb33
+ - name: Vault K8s
+ image_name: chainloop-dev/chainloop/vault-k8s
+ path: bitnami/vault-k8s/1/debian-12
+ sparse_checkout: bitnami/vault-k8s/1/debian-12
+ ref: 62cb6e1498e873dd9ab92880073a43896b470c4b
+ env:
+ REGISTRY: ghcr.io
+ IMAGE_NAME: ${{ matrix.image.image_name }}
+ BITNAMI_PATH: bitnami-containers
+
+ steps:
+ - name: Checkout repository
+ uses: 
actions/checkout@v4
+
+ - name: Checkout Bitnami containers repository
+ uses: actions/checkout@v4
+ with:
+ repository: bitnami/containers
+ path: ${{ env.BITNAMI_PATH }}
+ ref: ${{ matrix.image.ref }}
+ sparse-checkout: ${{ matrix.image.sparse_checkout }}
+ sparse-checkout-cone-mode: false
+
+ - name: Extract version from Bitnami Dockerfile
+ id: extract_version
+ run: |
+ VERSION=$(grep -E 'APP_VERSION=' ${{ env.BITNAMI_PATH }}/${{ matrix.image.path }}/Dockerfile | cut -d'"' -f2)
+ if [ -z "$VERSION" ]; then
+ echo "Failed to extract version from Dockerfile"
+ exit 1
+ fi
+ echo "version=$VERSION" >> $GITHUB_OUTPUT
+ echo "Extracted ${{ matrix.image.name }} version: $VERSION"
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Log in to the Container registry
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Extract metadata
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+ tags: |
+ type=raw,value=${{ steps.extract_version.outputs.version }}
+ type=raw,value=latest
+ type=sha,format=long
+
+ - name: Build and push Docker image
+ id: build
+ uses: docker/build-push-action@v5
+ with:
+ context: ${{ env.BITNAMI_PATH }}/${{ matrix.image.path }}
+ platforms: linux/amd64,linux/arm64
+ push: true
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@v3
+ with:
+ cosign-release: "v2.4.1"
+
+ - name: Sign container image
+ env:
+ COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_KEY }}
+ COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+ run: |
+ cosign sign --tlog-upload=false --key env://COSIGN_PRIVATE_KEY ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}
+
+ - name: Output build information
+ run: |
+ echo "Successfully built and pushed ${{ matrix.image.name }} image"
+ echo 
"Image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}" + echo "Version: ${{ steps.extract_version.outputs.version }}" + echo "Digest: ${{ steps.build.outputs.digest }}" \ No newline at end of file From 42adf9f389a20fe2f1bee8b7f038ce974cacffe9 Mon Sep 17 00:00:00 2001 From: Javier Rodriguez Date: Mon, 25 Aug 2025 12:22:27 +0200 Subject: [PATCH 2/3] fix typo Signed-off-by: Javier Rodriguez --- .github/workflows/build_external_container_images.yaml.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build_external_container_images.yaml.yml b/.github/workflows/build_external_container_images.yaml.yml index 7d02bea9f..0d7ab2689 100644 --- a/.github/workflows/build_external_container_images.yaml.yml +++ b/.github/workflows/build_external_container_images.yaml.yml @@ -16,12 +16,12 @@ jobs: image: # On Ref we use the specific commit SHA to ensure reproducible builds # It can be: branch, tag or SHA - - name: PostgresSQL + - name: PostgreSQL image_name: chainloop-dev/chainloop/postgresql path: bitnami/postgresql/16/debian-12 sparse_checkout: bitnami/postgresql/16/debian-12 ref: 5d351cc8a742d6a6f417f879ba2df9882b617676 - - name: PostgresSQL Exporter + - name: PostgreSQL Exporter image_name: chainloop-dev/chainloop/postgres-exporter path: bitnami/postgres-exporter/0/debian-12 sparse_checkout: bitnami/postgres-exporter/0/debian-12 From 71cd40714e3e214a2cce55240ef4b854ffeecc53 Mon Sep 17 00:00:00 2001 From: Javier Rodriguez Date: Mon, 25 Aug 2025 12:40:48 +0200 Subject: [PATCH 3/3] add versions Signed-off-by: Javier Rodriguez --- .github/workflows/build_external_container_images.yaml.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/build_external_container_images.yaml.yml b/.github/workflows/build_external_container_images.yaml.yml index 0d7ab2689..06503608f 100644 --- a/.github/workflows/build_external_container_images.yaml.yml +++ b/.github/workflows/build_external_container_images.yaml.yml 
@@ -16,36 +16,43 @@ jobs:
 image:
 # On Ref we use the specific commit SHA to ensure reproducible builds
 # It can be: branch, tag or SHA
+ # PostgreSQL version: 16.4.0
 - name: PostgreSQL
 image_name: chainloop-dev/chainloop/postgresql
 path: bitnami/postgresql/16/debian-12
 sparse_checkout: bitnami/postgresql/16/debian-12
 ref: 5d351cc8a742d6a6f417f879ba2df9882b617676
+ # PostgreSQL Exporter version: 0.15.0
 - name: PostgreSQL Exporter
 image_name: chainloop-dev/chainloop/postgres-exporter
 path: bitnami/postgres-exporter/0/debian-12
 sparse_checkout: bitnami/postgres-exporter/0/debian-12
 ref: 1d0408ccfbdc43b90bc6449227ce731079e42f6b
+ # OS Shell version: 12
 - name: OS Shell
 image_name: chainloop-dev/chainloop/os-shell
 path: bitnami/os-shell/12/debian-12
 sparse_checkout: bitnami/os-shell/12/debian-12
 ref: dde1f3b2d7b271de64c6ce948a04716cb96199a1
+ # Dex version: 2.40.0
 - name: Dex
 image_name: chainloop-dev/chainloop/dex
 path: bitnami/dex/2/debian-12
 sparse_checkout: bitnami/dex/2/debian-12
 ref: 19c7a5ade4364ff1b52c65004291203ff2096eb0
+ # Vault version: 1.17.3
 - name: Vault
 image_name: chainloop-dev/chainloop/vault
 path: bitnami/vault/1/debian-12
 sparse_checkout: bitnami/vault/1/debian-12
 ref: 28d8f22ad6b7c3871c2f429c72e5ccf3344ae5bc
+ # Vault CSI Provider version: 1.4.3
 - name: Vault CSI Provider
 image_name: chainloop-dev/chainloop/vault-csi-provider
 path: bitnami/vault-csi-provider/1/debian-12
 sparse_checkout: bitnami/vault-csi-provider/1/debian-12
 ref: 673c94210db93a8df808765b6b213661686aeb33
+ # Vault K8s version: 1.4.2
 - name: Vault K8s
 image_name: chainloop-dev/chainloop/vault-k8s
 path: bitnami/vault-k8s/1/debian-12