Operator/CES: Simplify rate limit configuration #54778

Workflow file for this run

.github/workflows/build-images-ci.yaml at 0083b52

	name: Image CI Build

	# Any change in triggers needs to be reflected in the concurrency group.
	on:
	pull_request_target:
	types:
	- opened
	- synchronize
	- reopened
	push:
	branches:
	- main
	- ft/main/**

	# If the cache was cleaned we should re-build the cache with the latest commit
	workflow_run:
	workflows:
	- "Image CI Cache Cleaner"
	branches:
	- main
	- ft/main/**
	types:
	- completed

	permissions:
	# To be able to access the repository with `actions/checkout`
	contents: read
	# Required to generate OIDC tokens for `sigstore/cosign-installer` authentication
	id-token: write

	concurrency:
	group: ${{ github.workflow }}-${{ github.event.pull_request.number \|\| github.event.after }}
	cancel-in-progress: true

	jobs:
	build-and-push-prs:
	timeout-minutes: 45
	name: Build and Push Images
	runs-on: ${{ vars.GH_RUNNER_EXTRA_POWER }}
	strategy:
	matrix:
	include:
	- name: cilium
	dockerfile: ./images/cilium/Dockerfile

	- name: operator-aws
	dockerfile: ./images/operator/Dockerfile

	- name: operator-azure
	dockerfile: ./images/operator/Dockerfile

	- name: operator-alibabacloud
	dockerfile: ./images/operator/Dockerfile

	- name: operator-generic
	dockerfile: ./images/operator/Dockerfile

	- name: hubble-relay
	dockerfile: ./images/hubble-relay/Dockerfile

	- name: clustermesh-apiserver
	dockerfile: ./images/clustermesh-apiserver/Dockerfile

	- name: docker-plugin
	dockerfile: ./images/cilium-docker-plugin/Dockerfile

	steps:
	- name: Checkout default branch (trusted)
	uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
	with:
	ref: ${{ github.event.repository.default_branch }}
	persist-credentials: false

	- name: Set Environment Variables
	uses: ./.github/actions/set-env-variables

	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0

	- name: Login to quay.io for CI
	uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
	with:
	registry: quay.io
	username: ${{ secrets.QUAY_USERNAME_CI }}
	password: ${{ secrets.QUAY_PASSWORD_CI }}

	- name: Getting image tag
	id: tag
	run: \|
	if [ "${{ github.event.pull_request.head.sha }}" != "" ]; then
	echo tag=${{ github.event.pull_request.head.sha }} >> $GITHUB_OUTPUT
	else
	echo tag=${{ github.sha }} >> $GITHUB_OUTPUT
	fi
	if [ "${{ github.ref_name }}" == "${{ github.event.repository.default_branch }}" ]; then
	echo floating_tag=latest >> $GITHUB_OUTPUT
	else
	echo floating_tag=${{ github.ref_name }} >> $GITHUB_OUTPUT
	fi

	# Warning: since this is a privileged workflow, subsequent workflow job
	# steps must take care not to execute untrusted code.
	- name: Checkout pull request branch (NOT TRUSTED)
	uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
	with:
	persist-credentials: false
	ref: ${{ steps.tag.outputs.tag }}

	# Load Golang cache build from GitHub
	- name: Load ${{ matrix.name }} Golang cache build from GitHub
	uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
	id: cache
	with:
	path: /tmp/.cache/${{ matrix.name }}
	key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}-${{ matrix.name }}-${{ github.sha }}
	restore-keys: \|
	${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}-${{ matrix.name }}-
	${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}-
	${{ runner.os }}-go-

	- name: Create ${{ matrix.name }} cache directory
	if: ${{ steps.cache.outputs.cache-hit != 'true' }}
	shell: bash
	run: \|
	mkdir -p /tmp/.cache/${{ matrix.name }}

	# Import GitHub's cache build to docker cache
	- name: Copy ${{ matrix.name }} Golang cache to docker cache
	uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
	with:
	provenance: false
	context: /tmp/.cache/${{ matrix.name }}
	file: ./images/cache/Dockerfile
	push: false
	platforms: linux/amd64
	target: import-cache

	- name: Install Cosign
	uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0

	- name: Install Bom
	shell: bash
	env:
	# renovate: datasource=github-releases depName=kubernetes-sigs/bom
	BOM_VERSION: v0.6.0
	run: \|
	curl -L https://github.com/kubernetes-sigs/bom/releases/download/${{ env.BOM_VERSION }}/bom-amd64-linux -o bom
	sudo mv ./bom /usr/local/bin/bom
	sudo chmod +x /usr/local/bin/bom

	# main branch pushes
	- name: CI Build ${{ matrix.name }}
	if: ${{ github.event_name != 'pull_request_target' && !startsWith(github.ref_name, 'ft/') }}
	uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
	id: docker_build_ci
	with:
	provenance: false
	context: .
	file: ${{ matrix.dockerfile }}
	# Only push when the event name was a GitHub push, this is to avoid
	# re-pushing the image tags when we only want to re-create the Golang
	# docker cache after the workflow "Image CI Cache Cleaner" was terminated.
	push: ${{ github.event_name == 'push' }}
	platforms: linux/amd64,linux/arm64
	tags: \|
	quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.floating_tag }}
	quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}
	target: release
	build-args: \|
	OPERATOR_VARIANT=${{ matrix.name }}

	- name: CI race detection Build ${{ matrix.name }}
	if: ${{ github.event_name != 'pull_request_target' && !startsWith(github.ref_name, 'ft/') }}
	uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
	id: docker_build_ci_detect_race_condition
	with:
	provenance: false
	context: .
	file: ${{ matrix.dockerfile }}
	# Only push when the event name was a GitHub push, this is to avoid
	# re-pushing the image tags when we only want to re-create the Golang
	# docker cache after the workflow "Image CI Cache Cleaner" was terminated.
	push: ${{ github.event_name == 'push' }}
	platforms: linux/amd64
	tags: \|
	quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.floating_tag }}-race
	quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-race
	target: release
	build-args: \|
	BASE_IMAGE=quay.io/cilium/cilium-runtime:874a7957a8384b46fb750a151c393eb2503f4b98@sha256:36b0039e76287af586482b0657116266996d502ff7ba5b0ac4a359ba478833b4
	LOCKDEBUG=1
	RACE=1
	OPERATOR_VARIANT=${{ matrix.name }}

	- name: CI Unstripped Binaries Build ${{ matrix.name }}
	if: ${{ github.event_name != 'pull_request_target' && !startsWith(github.ref_name, 'ft/') }}
	uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
	id: docker_build_ci_unstripped
	with:
	provenance: false
	context: .
	file: ${{ matrix.dockerfile }}
	# Only push when the event name was a GitHub push, this is to avoid
	# re-pushing the image tags when we only want to re-create the Golang
	# docker cache after the workflow "Image CI Cache Cleaner" was terminated.
	push: ${{ github.event_name == 'push' }}
	platforms: linux/amd64
	tags: \|
	quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.floating_tag }}-unstripped
	quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-unstripped
	target: release
	build-args: \|
	NOSTRIP=1
	OPERATOR_VARIANT=${{ matrix.name }}

	- name: Sign Container Images
	# Only sign when the event name was a GitHub push and not workflow_run (re-building cache).
	# In this case the image wasn't pushed, therefore it's not necessary to execute this step too.
	# It would even fail because `steps.docker_build_ci*.outputs.digest` isn't set in case
	# neither push nor load are set in the docker/build-push-action action.
	if: ${{ github.event_name == 'push' && !startsWith(github.ref_name, 'ft/') }}
	run: \|
	cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci.outputs.digest }}
	cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_detect_race_condition.outputs.digest }}
	cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_unstripped.outputs.digest }}

	- name: Generate SBOM
	# Only sign when the event name was a GitHub push and not workflow_run (re-building cache).
	# In this case the image wasn't pushed, therefore it's not necessary to execute this step too.
	# It would even fail because `steps.docker_build_ci*.outputs.digest` isn't set in case
	# neither push nor load are set in the docker/build-push-action action.
	if: ${{ github.event_name == 'push' && !startsWith(github.ref_name, 'ft/') }}
	shell: bash
	# To-Do: generate SBOM from source after https://github.com/kubernetes-sigs/bom/issues/202 is fixed
	# To-Do: format SBOM output to json after cosign v2.0 is released with https://github.com/sigstore/cosign/pull/2479
	run: \|
	bom generate -o sbom_ci_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx \
	--image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}
	bom generate -o sbom_ci_race_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx \
	--image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-race
	bom generate -o sbom_ci_unstripped_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx \
	--image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-unstripped

	- name: Attach SBOM to Container Images
	# Only sign when the event name was a GitHub push and not workflow_run (re-building cache).
	# In this case the image wasn't pushed, therefore it's not necessary to execute this step too.
	# It would even fail because `steps.docker_build_ci*.outputs.digest` isn't set in case
	# neither push nor load are set in the docker/build-push-action action.
	if: ${{ github.event_name == 'push' && !startsWith(github.ref_name, 'ft/') }}
	run: \|
	cosign attach sbom --sbom sbom_ci_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci.outputs.digest }}
	cosign attach sbom --sbom sbom_ci_race_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_detect_race_condition.outputs.digest }}
	cosign attach sbom --sbom sbom_ci_unstripped_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_unstripped.outputs.digest }}

	- name: Sign SBOM Images
	# Only sign when the event name was a GitHub push and not workflow_run (re-building cache).
	# In this case the image wasn't pushed, therefore it's not necessary to execute this step too.
	# It would even fail because `steps.docker_build_ci*.outputs.digest` isn't set in case
	# neither push nor load are set in the docker/build-push-action action.
	if: ${{ github.event_name == 'push' && !startsWith(github.ref_name, 'ft/') }}
	run: \|
	docker_build_ci_digest="${{ steps.docker_build_ci.outputs.digest }}"
	image_name="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${docker_build_ci_digest/:/-}.sbom"
	docker_build_ci_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} \| sha256sum \| head -c 64)"
	cosign sign -y "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${docker_build_ci_sbom_digest}"

	docker_build_ci_detect_race_condition_digest="${{ steps.docker_build_ci_detect_race_condition.outputs.digest }}"
	image_name="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${docker_build_ci_detect_race_condition_digest/:/-}.sbom"
	docker_build_ci_detect_race_condition_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} \| sha256sum \| head -c 64)"
	cosign sign -y "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${docker_build_ci_detect_race_condition_sbom_digest}"

	docker_build_ci_unstripped_digest="${{ steps.docker_build_ci_unstripped.outputs.digest }}"
	image_name="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${docker_build_ci_unstripped_digest/:/-}.sbom"
	docker_build_ci_unstripped_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} \| sha256sum \| head -c 64)"
	cosign sign -y "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${docker_build_ci_unstripped_sbom_digest}"

	- name: CI Image Releases digests
	# Only sign when the event name was a GitHub push and not workflow_run (re-building cache).
	# In this case the image wasn't pushed, therefore it's not necessary to execute this step too.
	# It would even fail because `steps.docker_build_ci*.outputs.digest` isn't set in case
	# neither push nor load are set in the docker/build-push-action action.
	if: ${{ github.event_name == 'push' && !startsWith(github.ref_name, 'ft/') }}
	shell: bash
	run: \|
	mkdir -p image-digest/
	echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.floating_tag }}@${{ steps.docker_build_ci.outputs.digest }}" > image-digest/${{ matrix.name }}.txt
	echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.floating_tag }}-race@${{ steps.docker_build_ci_detect_race_condition.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt
	echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.floating_tag }}-unstripped@${{ steps.docker_build_ci_unstripped.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt
	echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}@${{ steps.docker_build_ci.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt
	echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-race@${{ steps.docker_build_ci_detect_race_condition.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt
	echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-unstripped@${{ steps.docker_build_ci_unstripped.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt

	# PR or feature branch updates
	- name: CI Build ${{ matrix.name }}
	if: ${{ github.event_name == 'pull_request_target' \|\| (github.event_name == 'push' && startsWith(github.ref_name, 'ft/')) }}
	uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
	id: docker_build_ci_pr
	with:
	provenance: false
	context: .
	file: ${{ matrix.dockerfile }}
	push: true
	platforms: linux/amd64,linux/arm64
	tags: \|
	quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}
	target: release
	build-args: \|
	OPERATOR_VARIANT=${{ matrix.name }}

	- name: CI race detection Build ${{ matrix.name }}
	if: ${{ github.event_name == 'pull_request_target' \|\| (github.event_name == 'push' && startsWith(github.ref_name, 'ft/')) }}
	uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
	id: docker_build_ci_pr_detect_race_condition
	with:
	provenance: false
	context: .
	file: ${{ matrix.dockerfile }}
	push: true
	platforms: linux/amd64
	tags: \|
	quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-race
	target: release
	build-args: \|
	BASE_IMAGE=quay.io/cilium/cilium-runtime:874a7957a8384b46fb750a151c393eb2503f4b98@sha256:36b0039e76287af586482b0657116266996d502ff7ba5b0ac4a359ba478833b4
	LOCKDEBUG=1
	RACE=1
	OPERATOR_VARIANT=${{ matrix.name }}

	- name: CI Unstripped Binaries Build ${{ matrix.name }}
	if: ${{ github.event_name == 'pull_request_target' \|\| (github.event_name == 'push' && startsWith(github.ref_name, 'ft/')) }}
	uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
	id: docker_build_ci_pr_unstripped
	with:
	provenance: false
	context: .
	file: ${{ matrix.dockerfile }}
	push: true
	platforms: linux/amd64
	tags: \|
	quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-unstripped
	target: release
	build-args: \|
	NOSTRIP=1
	OPERATOR_VARIANT=${{ matrix.name }}

	- name: Sign Container Images
	if: ${{ github.event_name == 'pull_request_target' \|\| (github.event_name == 'push' && startsWith(github.ref_name, 'ft/')) }}
	run: \|
	cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_pr.outputs.digest }}
	cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_pr_detect_race_condition.outputs.digest }}
	cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_pr_unstripped.outputs.digest }}

	- name: Generate SBOM
	if: ${{ github.event_name == 'pull_request_target' \|\| (github.event_name == 'push' && startsWith(github.ref_name, 'ft/')) }}
	shell: bash
	# To-Do: generate SBOM from source after https://github.com/kubernetes-sigs/bom/issues/202 is fixed
	# To-Do: format SBOM output to json after cosign v2.0 is released with https://github.com/sigstore/cosign/pull/2479
	run: \|
	bom generate -o sbom_ci_pr_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx \
	--image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}
	bom generate -o sbom_ci_pr_race_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx \
	--image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-race
	bom generate -o sbom_ci_pr_unstripped_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx \
	--image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-unstripped

	- name: Attach SBOM to Container Images
	if: ${{ github.event_name == 'pull_request_target' \|\| (github.event_name == 'push' && startsWith(github.ref_name, 'ft/')) }}
	run: \|
	cosign attach sbom --sbom sbom_ci_pr_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_pr.outputs.digest }}
	cosign attach sbom --sbom sbom_ci_pr_race_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_pr_detect_race_condition.outputs.digest }}
	cosign attach sbom --sbom sbom_ci_pr_unstripped_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_pr_unstripped.outputs.digest }}

	- name: Sign SBOM Images
	if: ${{ github.event_name == 'pull_request_target' \|\| (github.event_name == 'push' && startsWith(github.ref_name, 'ft/')) }}
	run: \|
	docker_build_ci_pr_digest="${{ steps.docker_build_ci_pr.outputs.digest }}"
	image_name="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${docker_build_ci_pr_digest/:/-}.sbom"
	docker_build_ci_pr_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} \| sha256sum \| head -c 64)"
	cosign sign -y "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${docker_build_ci_pr_sbom_digest}"

	docker_build_ci_pr_detect_race_condition_digest="${{ steps.docker_build_ci_pr_detect_race_condition.outputs.digest }}"
	image_name="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${docker_build_ci_pr_detect_race_condition_digest/:/-}.sbom"
	docker_build_ci_pr_detect_race_condition_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} \| sha256sum \| head -c 64)"
	cosign sign -y "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${docker_build_ci_pr_detect_race_condition_sbom_digest}"

	docker_build_ci_pr_unstripped_digest="${{ steps.docker_build_ci_pr_unstripped.outputs.digest }}"
	image_name="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${docker_build_ci_pr_unstripped_digest/:/-}.sbom"
	docker_build_ci_pr_unstripped_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} \| sha256sum \| head -c 64)"
	cosign sign -y "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${docker_build_ci_pr_unstripped_sbom_digest}"

	- name: CI Image Releases digests
	if: ${{ github.event_name == 'pull_request_target' \|\| (github.event_name == 'push' && startsWith(github.ref_name, 'ft/')) }}
	shell: bash
	run: \|
	mkdir -p image-digest/
	echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}@${{ steps.docker_build_ci_pr.outputs.digest }}" > image-digest/${{ matrix.name }}.txt
	echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-race@${{ steps.docker_build_ci_pr_detect_race_condition.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt
	echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-unstripped@${{ steps.docker_build_ci_pr_unstripped.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt

	# Upload artifact digests
	- name: Upload artifact digests
	uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
	with:
	name: image-digest ${{ matrix.name }}
	path: image-digest
	retention-days: 1

	# Store docker's golang's cache build locally only on the main branch
	- name: Store ${{ matrix.name }} Golang cache build locally
	if: ${{ github.event_name != 'pull_request_target' && steps.cache.outputs.cache-hit != 'true' && github.ref_name == github.event.repository.default_branch }}
	uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
	with:
	provenance: false
	context: .
	file: ./images/cache/Dockerfile
	push: false
	outputs: type=local,dest=/tmp/docker-cache-${{ matrix.name }}
	platforms: linux/amd64
	target: export-cache

	# Store docker's golang's cache build locally only on the main branch
	- name: Store ${{ matrix.name }} Golang cache in GitHub cache path
	if: ${{ github.event_name != 'pull_request_target' && steps.cache.outputs.cache-hit != 'true' && github.ref_name == github.event.repository.default_branch }}
	shell: bash
	run: \|
	mkdir -p /tmp/.cache/${{ matrix.name }}/
	if [ -f /tmp/docker-cache-${{ matrix.name }}/tmp/go-build-cache.tar.gz ]; then
	cp /tmp/docker-cache-${{ matrix.name }}/tmp/go-build-cache.tar.gz /tmp/.cache/${{ matrix.name }}/
	fi
	if [ -f /tmp/docker-cache-${{ matrix.name }}/tmp/go-pkg-cache.tar.gz ]; then
	cp /tmp/docker-cache-${{ matrix.name }}/tmp/go-pkg-cache.tar.gz /tmp/.cache/${{ matrix.name }}/
	fi

	image-digests:
	if: ${{ always() }}
	name: Display Digests
	runs-on: ubuntu-22.04
	needs: build-and-push-prs
	steps:
	- name: Downloading Image Digests
	shell: bash
	run: \|
	mkdir -p image-digest/

	- name: Download digests of all images built
	uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
	with:
	path: image-digest/

	- name: Image Digests Output
	shell: bash
	run: \|
	cd image-digest/
	find -type f \| sort \| xargs -d '\n' cat

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Operator/CES: Simplify rate limit configuration #54778

Workflow file

Operator/CES: Simplify rate limit configuration #54778

Jobs

Run details

Workflow file for this run