deps: bump golang.org/x/sys from 0.43.0 to 0.44.0 (#2302) #1209
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release Retina Container Images | |
| on: | |
| push: | |
| branches: [main] | |
| tags: ["v*"] | |
| permissions: | |
| contents: read | |
| packages: write | |
| # This is used to complete the identity challenge | |
| # with sigstore/fulcio when running outside of PRs. | |
| id-token: write | |
| jobs: | |
| retina-images: | |
| name: Build Agent Images | |
| runs-on: ${{ matrix.runner }} | |
| timeout-minutes: 60 | |
| strategy: | |
| matrix: | |
| platform: ["linux"] | |
| arch: ["amd64", "arm64"] | |
| include: | |
| - arch: amd64 | |
| runner: ubuntu-latest | |
| - arch: arm64 | |
| runner: ubuntu-24.04-arm | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 | |
| with: | |
| go-version-file: go.mod | |
| - run: go version | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1 | |
| - name: Log in to registry | |
| run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u $ --password-stdin | |
| - name: Build/Push Images | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| echo "TAG=$(make version)" >> $GITHUB_ENV | |
| make retina-image \ | |
| IMAGE_NAMESPACE=${{ github.repository }} \ | |
| PLATFORM=${{ matrix.platform }}/${{ matrix.arch }} \ | |
| BUILDX_ACTION=--push | |
| - name: Sign container image | |
| run: | | |
| for image in retina-agent retina-init; do | |
| IMAGE_PATH="ghcr.io/${{ github.repository }}/$image:$TAG-${{ matrix.platform }}-${{ matrix.arch }}" | |
| DIGEST=$(jq -r '.["containerimage.digest"]' image-metadata-$image-$TAG-${{ matrix.platform }}-${{ matrix.arch }}.json) | |
| cosign sign --yes ${IMAGE_PATH}@${DIGEST} | |
| done | |
| build-windows-binaries: | |
| name: Build Windows Binaries | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 30 | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 | |
| with: | |
| go-version-file: go.mod | |
| - run: go version | |
| - name: Build Windows Binaries | |
| shell: bash | |
| run: | | |
| TAG=$(make version) | |
| echo "TAG=$TAG" >> $GITHUB_ENV | |
| make build-windows-binaries \ | |
| GOOS=windows \ | |
| GOARCH=amd64 \ | |
| TAG=$TAG | |
| - name: Upload Windows Binaries | |
| uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 | |
| with: | |
| name: windows-binaries | |
| path: output/windows_amd64/ | |
| retention-days: 1 | |
| retina-win-images: | |
| name: Build Agent Image - Windows ${{ matrix.year }} | |
| needs: build-windows-binaries | |
| runs-on: windows-${{ matrix.year }} | |
| timeout-minutes: 60 | |
| strategy: | |
| matrix: | |
| year: ["2022"] | |
| platform: ["windows"] | |
| arch: ["amd64"] | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Download Windows Binaries | |
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 | |
| with: | |
| name: windows-binaries | |
| path: output/windows_amd64/ | |
| - name: Ensure Docker daemon is running | |
| shell: pwsh | |
| run: | | |
| $timeout = 120 | |
| $timer = [Diagnostics.Stopwatch]::StartNew() | |
| while ($timer.Elapsed.TotalSeconds -lt $timeout) { | |
| $svc = Get-Service docker -ErrorAction SilentlyContinue | |
| if ($svc -and $svc.Status -ne 'Running') { | |
| Start-Service docker -ErrorAction SilentlyContinue | |
| } | |
| $result = docker info 2>&1 | |
| if ($LASTEXITCODE -eq 0) { | |
| Write-Host "Docker daemon is ready" | |
| return | |
| } | |
| Write-Host "Waiting for Docker daemon to start..." | |
| Start-Sleep -Seconds 5 | |
| } | |
| throw "Docker daemon failed to start within $timeout seconds" | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1 | |
| - name: Log in to registry | |
| run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u $ --password-stdin | |
| - name: Build/Push Images | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| TAG=$(make version) | |
| echo "TAG=$TAG" >> "$GITHUB_ENV" | |
| make retina-image-win \ | |
| IMAGE_NAMESPACE=${{ github.repository }} \ | |
| PLATFORM=${{ matrix.platform }}/${{ matrix.arch }} \ | |
| WINDOWS_YEARS=${{ matrix.year }} \ | |
| BINARIES_PATH=output/windows_${{ matrix.arch }} \ | |
| REPO_PATH=. | |
| docker push ghcr.io/${{ github.repository }}/retina-agent:${TAG}-windows-ltsc${{ matrix.year }}-${{ matrix.arch }} | |
| - name: Sign container image | |
| shell: bash | |
| run: | | |
| for image in retina-agent ; do | |
| IMAGE_PATH="ghcr.io/${{ github.repository }}/$image:$TAG-windows-ltsc${{ matrix.year }}-${{ matrix.arch }}" | |
| DIGEST=$(docker manifest inspect $IMAGE_PATH -v | jq -r '.Descriptor.digest') | |
| cosign sign --yes ${IMAGE_PATH}@${DIGEST} | |
| done | |
| operator-images: | |
| name: Build Operator Images | |
| runs-on: ${{ matrix.runner }} | |
| timeout-minutes: 60 | |
| strategy: | |
| matrix: | |
| platform: ["linux"] | |
| arch: ["amd64", "arm64"] | |
| include: | |
| - arch: amd64 | |
| runner: ubuntu-latest | |
| - arch: arm64 | |
| runner: ubuntu-24.04-arm | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 | |
| with: | |
| go-version-file: go.mod | |
| - run: go version | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1 | |
| - name: Log in to registry | |
| run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u $ --password-stdin | |
| - name: Build/Push Images | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| echo "TAG=$(make version)" >> $GITHUB_ENV | |
| make retina-operator-image \ | |
| IMAGE_NAMESPACE=${{ github.repository }} \ | |
| PLATFORM=${{ matrix.platform }}/${{ matrix.arch }} \ | |
| BUILDX_ACTION=--push | |
| - name: Sign container image | |
| run: | | |
| for image in retina-operator ; do | |
| IMAGE_PATH="ghcr.io/${{ github.repository }}/$image:$TAG-${{ matrix.platform }}-${{ matrix.arch }}" | |
| DIGEST=$(jq -r '.["containerimage.digest"]' image-metadata-$image-$TAG-${{ matrix.platform }}-${{ matrix.arch }}.json) | |
| cosign sign --yes ${IMAGE_PATH}@${DIGEST} | |
| done | |
| retina-shell-images: | |
| name: Build Retina Shell Images (${{ matrix.platform }}, ${{ matrix.arch }}) | |
| runs-on: ${{ matrix.runner }} | |
| timeout-minutes: 60 | |
| strategy: | |
| matrix: | |
| include: | |
| - platform: linux | |
| arch: amd64 | |
| runner: ubuntu-latest | |
| - platform: linux | |
| arch: arm64 | |
| runner: ubuntu-24.04-arm | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 | |
| with: | |
| go-version-file: go.mod | |
| - run: go version | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1 | |
| - name: Log in to registry | |
| run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u $ --password-stdin | |
| - name: Build/Push Images | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| echo "TAG=$(make version)" >> $GITHUB_ENV | |
| make retina-shell-image \ | |
| IMAGE_NAMESPACE=${{ github.repository }} \ | |
| PLATFORM=${{ matrix.platform }}/${{ matrix.arch }} \ | |
| BUILDX_ACTION=--push | |
| - name: Sign container image | |
| run: | | |
| IMAGE_PATH="ghcr.io/${{ github.repository }}/retina-shell:$TAG-${{ matrix.platform }}-${{ matrix.arch }}" | |
| DIGEST=$(jq -r '.["containerimage.digest"]' image-metadata-retina-shell-$TAG-${{ matrix.platform }}-${{ matrix.arch }}.json) | |
| cosign sign --yes ${IMAGE_PATH}@${DIGEST} | |
| kubectl-retina-images: | |
| name: Build Kubectl Retina Images | |
| runs-on: ${{ matrix.runner }} | |
| timeout-minutes: 60 | |
| strategy: | |
| matrix: | |
| platform: ["linux"] | |
| arch: ["amd64", "arm64"] | |
| include: | |
| - arch: amd64 | |
| runner: ubuntu-latest | |
| - arch: arm64 | |
| runner: ubuntu-24.04-arm | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 | |
| with: | |
| go-version-file: go.mod | |
| - run: go version | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1 | |
| - name: Log in to registry | |
| run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u $ --password-stdin | |
| - name: Build/Push Images | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| echo "TAG=$(make version)" >> $GITHUB_ENV | |
| make kubectl-retina-image \ | |
| IMAGE_NAMESPACE=${{ github.repository }} \ | |
| PLATFORM=${{ matrix.platform }}/${{ matrix.arch }} \ | |
| BUILDX_ACTION=--push | |
| - name: Sign container image | |
| run: | | |
| IMAGE_PATH="ghcr.io/${{ github.repository }}/kubectl-retina:$TAG-${{ matrix.platform }}-${{ matrix.arch }}" | |
| DIGEST=$(jq -r '.["containerimage.digest"]' image-metadata-kubectl-retina-$TAG-${{ matrix.platform }}-${{ matrix.arch }}.json) | |
| cosign sign --yes ${IMAGE_PATH}@${DIGEST} | |
| manifests: | |
| name: Generate Manifests | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 30 | |
| needs: | |
| [ | |
| retina-images, | |
| retina-win-images, | |
| operator-images, | |
| retina-shell-images, | |
| kubectl-retina-images, | |
| ] | |
| strategy: | |
| matrix: | |
| component: ["retina", "operator", "shell", "kubectl-retina"] | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0 | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1 | |
| - name: Log in to registry | |
| run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u $ --password-stdin | |
| - name: Generate Manifests | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| make manifest \ | |
| IMAGE_NAMESPACE=${{ github.repository }} \ | |
| COMPONENT=${{ matrix.component }} | |
| - name: Sign manifest | |
| run: | | |
| export TAG="$(make version)" | |
| images=("retina-agent" "retina-init") | |
| if [[ ${{ matrix.component }} == "operator" ]]; then | |
| images=("retina-operator") | |
| elif [[ ${{ matrix.component }} == "shell" ]]; then | |
| images=("retina-shell") | |
| elif [[ ${{ matrix.component }} == "kubectl-retina" ]]; then | |
| images=("kubectl-retina") | |
| fi | |
| for image in "${images[@]}"; do | |
| IMAGE_PATH="ghcr.io/${{ github.repository }}/$image:$TAG" | |
| DIGEST=$(docker buildx imagetools inspect $IMAGE_PATH --format "{{json .Manifest}}" | jq -r .digest) | |
| cosign sign --yes ${IMAGE_PATH}@${DIGEST} | |
| done |