Merge pull request #1372 from zabbix/50_lic #1014

Workflow file for this run

.github/workflows/images_build.yml at 0e45e3e

	name: Build images (DockerHub)

	on:
	release:
	types:
	- published
	push:
	branches:
	- '[0-9]+.[0-9]+'
	- 'trunk'
	paths:
	- 'Dockerfiles/**'
	- 'build.json'
	- '!**/README.md'
	- '!Dockerfiles//rhel/'
	- '!Dockerfiles//windows/'
	- '.github/workflows/images_build.yml'
	schedule:
	- cron: '50 02 * * *'
	workflow_dispatch:

	defaults:
	run:
	shell: bash

	permissions:
	contents: read

	env:
	TRUNK_ONLY_EVENT: ${{ contains(fromJSON('["schedule"]'), github.event_name) }}
	AUTO_PUSH_IMAGES: ${{ ! contains(fromJSON('["workflow_dispatch"]'), github.event_name) && vars.AUTO_PUSH_IMAGES }}

	DOCKER_REPOSITORY: ${{ vars.DOCKER_REPOSITORY }}
	LATEST_BRANCH: ${{ github.event.repository.default_branch }}
	TRUNK_GIT_BRANCH: "refs/heads/trunk"
	IMAGES_PREFIX: "zabbix-"

	BASE_BUILD_NAME: "build-base"
	BASE_CACHE_FILE_NAME: "base_image_metadata.json"
	BUILD_CACHE_FILE_NAME: "base_build_image_metadata.json"

	MATRIX_FILE: "build.json"
	DOCKERFILES_DIRECTORY: "./Dockerfiles"

	OIDC_ISSUER: "https://token.actions.githubusercontent.com"
	IDENTITY_REGEX: "https://github.com/zabbix/zabbix-docker/.github/"

	DOCKER_REGISTRY_TEST: "ghcr.io"
	DOCKER_REPOSITORY_TEST: "zabbix"

	jobs:
	init_build:
	name: Initialize build
	runs-on: ubuntu-latest
	permissions:
	contents: read
	outputs:
	os: ${{ steps.os.outputs.list }}
	database: ${{ steps.database.outputs.list }}
	components: ${{ steps.components.outputs.list }}
	is_default_branch: ${{ steps.branch_info.outputs.is_default_branch }}
	current_branch: ${{ steps.branch_info.outputs.current_branch }}
	sha_short: ${{ steps.branch_info.outputs.sha_short }}
	steps:
	- name: Block egress traffic
	uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
	with:
	disable-sudo: true
	egress-policy: block
	allowed-endpoints: >
	api.github.com:443
	github.com:443
	objects.githubusercontent.com:443

	- name: Checkout repository
	uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
	with:
	ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH \|\| '' }}
	fetch-depth: 1
	sparse-checkout: ${{ env.MATRIX_FILE }}

	- name: Check ${{ env.MATRIX_FILE }} file
	id: build_exists
	env:
	MATRIX_FILE: ${{ env.MATRIX_FILE }}
	run: \|
	if [[ ! -f "$MATRIX_FILE" ]]; then
	echo "::error::File $MATRIX_FILE is missing"
	exit 1
	fi

	- name: Prepare Operating System list
	id: os
	env:
	MATRIX_FILE: ${{ env.MATRIX_FILE }}
	run: \|
	os_list=$(jq -r '.["os-linux"] \| keys \| map(select(. != "rhel")) \| [ .[] \| tostring ] \| @json' "$MATRIX_FILE")

	echo "::group::Operating System List"
	echo "$os_list"
	echo "::endgroup::"

	echo "list=$os_list" >> $GITHUB_OUTPUT

	- name: Prepare Database engine list
	id: database
	env:
	MATRIX_FILE: ${{ env.MATRIX_FILE }}
	run: \|
	database_list=$(jq -r '[.components \| values[].base ] \| sort \| unique \| del(.. \| select ( . == "" ) ) \| @json' "$MATRIX_FILE")

	echo "::group::Database List"
	echo "$database_list"
	echo "::endgroup::"

	echo "list=$database_list" >> $GITHUB_OUTPUT

	- name: Prepare Zabbix component list
	id: components
	env:
	MATRIX_FILE: ${{ env.MATRIX_FILE }}
	run: \|
	component_list=$(jq -r '.components \| keys \| @json' "$MATRIX_FILE")

	echo "::group::Zabbix Component List"
	echo "$component_list"
	echo "::endgroup::"

	echo "list=$component_list" >> $GITHUB_OUTPUT

	- name: Get branch info
	id: branch_info
	env:
	LATEST_BRANCH: ${{ env.LATEST_BRANCH }}
	github_ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH \|\| github.ref }}
	run: \|
	result=false
	sha_short=$(git rev-parse --short HEAD)

	if [[ "$github_ref" == "refs/tags/"* ]]; then
	github_ref=${github_ref%.*}
	fi

	github_ref=${github_ref##*/}

	if [[ "$github_ref" == "$LATEST_BRANCH" ]]; then
	result=true
	fi

	echo "::group::Branch data"
	echo "is_default_branch - $result"
	echo "current_branch - $github_ref"
	echo "sha_short - $sha_short"
	echo "::endgroup::"

	echo "is_default_branch=$result" >> $GITHUB_OUTPUT
	echo "current_branch=$github_ref" >> $GITHUB_OUTPUT
	echo "sha_short=$sha_short" >> $GITHUB_OUTPUT

	build_base:
	timeout-minutes: 30
	name: Build base on ${{ matrix.os }}
	needs: init_build
	strategy:
	fail-fast: false
	matrix:
	os: ${{ fromJson(needs.init_build.outputs.os) }}

	runs-on: ubuntu-latest
	permissions:
	contents: read
	id-token: write
	packages: write
	steps:
	- name: Block egress traffic
	uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
	with:
	disable-sudo: true
	egress-policy: block
	allowed-endpoints: >
	abqix.mm.fcix.net:80
	api.github.com:443
	archive.ubuntu.com:443
	archive.ubuntu.com:80
	atl.mirrors.knownhost.com:443
	atl.mirrors.knownhost.com:80
	auth.docker.io:443
	bungi.mm.fcix.net:443
	bungi.mm.fcix.net:80
	cdn03.quay.io:443
	centos-distro.1gservers.com:80
	centos-distro.cavecreek.net:80
	centos-stream-distro.1gservers.com:443
	centos-stream-distro.1gservers.com:80
	centos.hivelocity.net:80
	centos.mirror.constant.com:80
	centos.mirror.shastacoe.net:80
	coresite.mm.fcix.net:80
	d2lzkl7pfhq30w.cloudfront.net:443
	dfw.mirror.rackspace.com:443
	dfw.mirror.rackspace.com:80
	distro.ibiblio.org:80
	dl-cdn.alpinelinux.org:443
	download.cf.centos.org:443
	download.cf.centos.org:80
	epel.gb.ssimn.org:443
	epel.mirror.constant.com:443
	epel.mirror.constant.com:80
	epel.stl.us.ssimn.org:443
	epel.stl.us.ssimn.org:80
	fedora.nyherji.is:443
	fedora.nyherji.is:80
	forksystems.mm.fcix.net:443
	forksystems.mm.fcix.net:80
	ftp-nyc.osuosl.org:443
	ftp-nyc.osuosl.org:80
	ftp-osl.osuosl.org:443
	ftp-osl.osuosl.org:80
	ftp.agdsn.de:443
	ftp.agdsn.de:80
	ftp.fau.de:443
	ftp.fau.de:80
	ftp.halifax.rwth-aachen.de:443
	ftp.halifax.rwth-aachen.de:80
	ftp.osuosl.org:80
	ftp.plusline.net:443
	ftp.plusline.net:80
	ftp.uni-stuttgart.de:80
	ftpmirror.your.org:80
	fulcio.sigstore.dev:443
	ghcr.io:443
	github.com:443
	iad.mirror.rackspace.com:443
	iad.mirror.rackspace.com:80
	ima.mm.fcix.net:80
	index.docker.io:443
	ix-denver.mm.fcix.net:443
	ix-denver.mm.fcix.net:80
	la.mirrors.clouvider.net:80
	lesnet.mm.fcix.net:443
	lesnet.mm.fcix.net:80
	level66.mm.fcix.net:80
	linux-mirrors.fnal.gov:80
	linux.cc.lehigh.edu:80
	linux.mirrors.es.net:80
	mirror-mci.yuki.net.uk:443
	mirror-mci.yuki.net.uk:80
	mirror.23m.com:443
	mirror.23m.com:80
	mirror.arizona.edu:443
	mirror.arizona.edu:80
	mirror.ash.fastserv.com:80
	mirror.centos.iad1.serverforge.org:80
	mirror.chpc.utah.edu:80
	mirror.clarkson.edu:80
	mirror.cogentco.com:80
	mirror.dal.nexril.net:443
	mirror.dal.nexril.net:80
	mirror.datto.com:80
	mirror.de.leaseweb.net:443
	mirror.de.leaseweb.net:80
	mirror.dogado.de:443
	mirror.dogado.de:80
	mirror.ette.biz:80
	mirror.facebook.net:443
	mirror.facebook.net:80
	mirror.fcix.net:443
	mirror.fcix.net:80
	mirror.genesishosting.com:80
	mirror.grid.uchicago.edu:80
	mirror.hoobly.com:443
	mirror.hoobly.com:80
	mirror.imt-systems.com:443
	mirror.imt-systems.com:80
	mirror.keystealth.org:80
	mirror.lstn.net:443
	mirror.lstn.net:80
	mirror.math.princeton.edu:443
	mirror.math.princeton.edu:80
	mirror.metrocast.net:443
	mirror.metrocast.net:80
	mirror.netcologne.de:443
	mirror.netcologne.de:80
	mirror.netzwerge.de:443
	mirror.netzwerge.de:80
	mirror.nodesdirect.com:80
	mirror.pilotfiber.com:443
	mirror.pilotfiber.com:80
	mirror.rackspace.com:443
	mirror.rackspace.com:80
	mirror.scaleuptech.com:443
	mirror.scaleuptech.com:80
	mirror.servaxnet.com:443
	mirror.servaxnet.com:80
	mirror.sfo12.us.leaseweb.net:443
	mirror.sfo12.us.leaseweb.net:80
	mirror.siena.edu:80
	mirror.steadfastnet.com:80
	mirror.stream.centos.org:443
	mirror.stream.centos.org:80
	mirror.team-cymru.com:443
	mirror.team-cymru.com:80
	mirror.umd.edu:443
	mirror.umd.edu:80
	mirror.us-midwest-1.nexcess.net:80
	mirror.us.oneandone.net:80
	mirror.vacares.com:80
	mirror.vtti.vt.edu:80
	mirror.wdc2.us.leaseweb.net:80
	mirror.web-ster.com:80
	mirror1.hs-esslingen.de:443
	mirror1.hs-esslingen.de:80
	mirrorlist.centos.org:80
	mirrors.advancedhosters.com:80
	mirrors.centos.org:443
	mirrors.cmich.edu:80
	mirrors.fedoraproject.org:443
	mirrors.fedoraproject.org:80
	mirrors.iu13.net:443
	mirrors.iu13.net:80
	mirrors.liquidweb.com:80
	mirrors.lug.mtu.edu:443
	mirrors.lug.mtu.edu:80
	mirrors.maine.edu:80
	mirrors.mit.edu:443
	mirrors.mit.edu:80
	mirrors.ocf.berkeley.edu:443
	mirrors.ocf.berkeley.edu:80
	mirrors.oit.uci.edu:80
	mirrors.raystedman.org:80
	mirrors.rcs.alaska.edu:80
	mirrors.sonic.net:443
	mirrors.sonic.net:80
	mirrors.syringanetworks.net:80
	mirrors.tscak.com:80
	mirrors.unifiedlayer.com:80
	mirrors.vcea.wsu.edu:80
	mirrors.wcupa.edu:443
	mirrors.wcupa.edu:80
	mirrors.xmission.com:80
	mirrors.xtom.com:80
	mirrors.xtom.de:443
	mirrors.xtom.de:80
	mnvoip.mm.fcix.net:80
	na.edge.kernel.org:443
	nc-centos-mirror.iwebfusion.net:80
	nnenix.mm.fcix.net:443
	nnenix.mm.fcix.net:80
	nocix.mm.fcix.net:443
	nocix.mm.fcix.net:80
	nyc.mirrors.clouvider.net:80
	oauth2.sigstore.dev:443
	objects.githubusercontent.com:443
	ohioix.mm.fcix.net:443
	ohioix.mm.fcix.net:80
	opencolo.mm.fcix.net:443
	opencolo.mm.fcix.net:80
	or-mirror.iwebfusion.net:80
	packages.oit.ncsu.edu:80
	paducahix.mm.fcix.net:80
	pkg-containers.githubusercontent.com:443
	ports.ubuntu.com:443
	ports.ubuntu.com:80
	production.cloudflare.docker.com:443
	pubmirror1.math.uh.edu:443
	pubmirror1.math.uh.edu:80
	pubmirror2.math.uh.edu:80
	pubmirror3.math.uh.edu:443
	pubmirror3.math.uh.edu:80
	quay.io:443
	registry-1.docker.io:443
	rekor.sigstore.dev:443
	repo.ialab.dsu.edu:443
	repo.ialab.dsu.edu:80
	repo1.sea.innoscale.net:80
	repos.eggycrew.com:443
	repos.eggycrew.com:80
	ridgewireless.mm.fcix.net:443
	ridgewireless.mm.fcix.net:80
	scientificlinux.physik.uni-muenchen.de:443
	scientificlinux.physik.uni-muenchen.de:80
	security.ubuntu.com:443
	security.ubuntu.com:80
	southfront.mm.fcix.net:443
	southfront.mm.fcix.net:80
	tuf-repo-cdn.sigstore.dev:443
	tx-mirror.tier.net:80
	us.mirrors.virtono.com:80
	uvermont.mm.fcix.net:443
	uvermont.mm.fcix.net:80
	volico.mm.fcix.net:443
	volico.mm.fcix.net:80
	www.gtlib.gatech.edu:80
	yum.oracle.com:443
	ziply.mm.fcix.net:443
	ziply.mm.fcix.net:80
	dl.google.com:443
	keyserver.ubuntu.com:11371

	- name: Checkout repository
	uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
	with:
	ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH \|\| '' }}
	fetch-depth: 1

	- name: Install cosign
	if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
	uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
	with:
	cosign-release: 'v2.2.3'

	- name: Check cosign version
	if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
	run: cosign version

	- name: Set up QEMU
	uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
	with:
	image: tonistiigi/binfmt:latest
	platforms: all

	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
	with:
	driver-opts: image=moby/buildkit:master

	- name: Prepare Platform list
	id: platform
	env:
	MATRIX_OS: ${{ matrix.os }}
	MATRIX_FILE: ${{ env.MATRIX_FILE }}
	run: \|
	platform_list=$(jq -r ".[\"os-linux\"].$MATRIX_OS \| join(\",\")" "$MATRIX_FILE")
	platform_list="${platform_list%,}"

	echo "::group::Platform List"
	echo "$platform_list"
	echo "::endgroup::"

	echo "list=$platform_list" >> $GITHUB_OUTPUT

	- name: Generate tags
	id: meta
	uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
	with:
	images: \|
	${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }}
	${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }}
	context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' \|\| '' }}
	tags: \|
	type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}-
	type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ matrix.os }}
	type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' && !contains(fromJSON('["workflow_dispatch"]'), github.event_name) }},event=branch,prefix=${{ matrix.os }}-,suffix=-latest
	type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' && !contains(fromJSON('["workflow_dispatch"]'), github.event_name) }},event=branch,suffix=-${{ matrix.os }}-latest
	type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{matrix.os}}-latest
	type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.os }}-
	type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' \|\| contains(fromJSON('["workflow_dispatch"]'), github.event_name) }},event=branch,suffix=-${{ matrix.os }}
	flavor: \|
	latest=${{ (matrix.os == 'alpine') && (!contains(fromJSON('["workflow_dispatch"]'), github.event_name)) && ( needs.init_build.outputs.is_default_branch == 'true' ) }}

	- name: Prepare cache data
	id: cache_data
	env:
	IMAGE_TAG: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
	PUBLISH_IMAGES: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
	run: \|
	cache_from=()
	cache_to=()

	cache_from+=("type=gha,scope=${IMAGE_TAG}")
	#cache_from+=("type=registry,ref=${IMAGE_TAG}")

	cache_to+=("type=gha,mode=max,scope=${IMAGE_TAG}")

	echo "::group::Cache from data"
	echo "${cache_from[*]}"
	echo "::endgroup::"

	echo "::group::Cache to data"
	echo "${cache_to[*]}"
	echo "::endgroup::"

	cache_from=$(printf '%s\n' "${cache_from[@]}")
	cache_to=$(printf '%s\n' "${cache_to[@]}")

	echo 'cache_from<<EOF' >> "$GITHUB_OUTPUT"
	echo "$cache_from" >> "$GITHUB_OUTPUT"
	echo 'EOF' >> "$GITHUB_OUTPUT"
	echo 'cache_to<<EOF' >> "$GITHUB_OUTPUT"
	echo "$cache_to" >> "$GITHUB_OUTPUT"
	echo 'EOF' >> "$GITHUB_OUTPUT"

	- name: Login to DockerHub
	if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
	uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
	with:
	username: ${{ secrets.DOCKER_USERNAME }}
	password: ${{ secrets.DOCKER_PASSWORD }}

	- name: Login to ${{ env.DOCKER_REGISTRY_TEST }}
	if: ${{ env.AUTO_PUSH_IMAGES != 'true' }}
	uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
	with:
	registry: ${{ env.DOCKER_REGISTRY_TEST }}
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Build and publish image
	id: docker_build
	uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
	with:
	context: ${{ format('{0}/{1}/{2}', env.DOCKERFILES_DIRECTORY, env.BASE_BUILD_NAME, matrix.os) }}
	file: ${{ format('{0}/{1}/{2}/Dockerfile', env.DOCKERFILES_DIRECTORY, env.BASE_BUILD_NAME, matrix.os) }}
	platforms: ${{ steps.platform.outputs.list }}
	push: true
	tags: ${{ steps.meta.outputs.tags }}
	labels: \|
	org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
	org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
	cache-from: ${{ steps.cache_data.outputs.cache_from }}
	cache-to: ${{ steps.cache_data.outputs.cache_to }}

	- name: Sign the images with GitHub OIDC Token
	if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
	env:
	DIGEST: ${{ steps.docker_build.outputs.digest }}
	TAGS: ${{ steps.meta.outputs.tags }}
	run: \|
	images=""
	for tag in ${TAGS}; do
	images+="${tag}@${DIGEST} "
	done

	echo "::group::Images to sign"
	echo "$images"
	echo "::endgroup::"

	echo "::group::Signing"
	echo "cosign sign --yes $images"
	cosign sign --yes ${images}
	echo "::endgroup::"

	- name: Image metadata
	env:
	CACHE_FILE_NAME: ${{ env.BASE_CACHE_FILE_NAME }}
	METADATA: ${{ steps.docker_build.outputs.metadata }}
	run: \|
	echo "::group::Image metadata"
	echo "${METADATA}"
	echo "::endgroup::"
	echo "::group::Cache file name"
	echo "${CACHE_FILE_NAME}"
	echo "::endgroup::"

	echo "${METADATA}" > "$CACHE_FILE_NAME"

	- name: Cache image metadata
	uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0
	with:
	path: ${{ env.BASE_CACHE_FILE_NAME }}
	key: ${{ env.BASE_BUILD_NAME }}-${{ matrix.os }}-${{ github.run_id }}

	build_base_database:
	timeout-minutes: 180
	needs: [ "build_base", "init_build"]
	name: Build ${{ matrix.build }} base on ${{ matrix.os }}
	strategy:
	fail-fast: false
	matrix:
	build: ${{ fromJson(needs.init_build.outputs.database) }}
	os: ${{ fromJson(needs.init_build.outputs.os) }}
	runs-on: ubuntu-latest
	permissions:
	contents: read
	id-token: write
	packages: write
	steps:
	- name: Block egress traffic
	uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
	with:
	disable-sudo: true
	egress-policy: block
	allowed-endpoints: >
	api.github.com:443
	auth.docker.io:443
	git.zabbix.com:443
	github.com:443
	go.googlesource.com:443
	go.mongodb.org:443
	golang.org:443
	google.golang.org:443
	gopkg.in:443
	ghcr.io:443
	index.docker.io:443
	noto-website.storage.googleapis.com:443
	production.cloudflare.docker.com:443
	proxy.golang.org:443
	registry-1.docker.io:443
	storage.googleapis.com:443
	fulcio.sigstore.dev:443
	oauth2.sigstore.dev:443
	objects.githubusercontent.com:443
	tuf-repo-cdn.sigstore.dev:443
	rekor.sigstore.dev:443
	pkg-containers.githubusercontent.com:443

	- name: Checkout repository
	uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
	with:
	ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH \|\| '' }}
	fetch-depth: 1

	- name: Install cosign
	if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
	uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
	with:
	cosign-release: 'v2.2.3'

	- name: Check cosign version
	if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
	run: cosign version

	- name: Set up QEMU
	uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
	with:
	image: tonistiigi/binfmt:latest
	platforms: all

	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
	with:
	driver-opts: image=moby/buildkit:master

	- name: Prepare Platform list
	id: platform
	env:
	MATRIX_OS: ${{ matrix.os }}
	MATRIX_FILE: ${{ env.MATRIX_FILE }}
	run: \|
	platform_list=$(jq -r ".[\"os-linux\"].$MATRIX_OS \| join(\",\")" "$MATRIX_FILE")
	platform_list="${platform_list%,}"

	echo "::group::Platform List"
	echo "$platform_list"
	echo "::endgroup::"

	echo "list=$platform_list" >> $GITHUB_OUTPUT

	- name: Generate tags
	id: meta
	uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
	with:
	images: \|
	${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }}
	${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }}
	context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' \|\| '' }}
	tags: \|
	type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}-
	type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ matrix.os }}
	type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' && (!contains(fromJSON('["workflow_dispatch"]'), github.event_name)) }},event=branch,prefix=${{ matrix.os }}-,suffix=-latest
	type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' && (!contains(fromJSON('["workflow_dispatch"]'), github.event_name)) }},event=branch,suffix=-${{ matrix.os }}-latest
	type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{matrix.os}}-latest
	type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.os }}-
	type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' \|\| contains(fromJSON('["workflow_dispatch"]'), github.event_name) }},event=branch,suffix=-${{ matrix.os }}
	flavor: \|
	latest=${{ (matrix.os == 'alpine') && (!contains(fromJSON('["workflow_dispatch"]'), github.event_name)) && ( needs.init_build.outputs.is_default_branch == 'true' ) }}

	- name: Download metadata of ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }}
	uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0
	with:
	path: ${{ env.BASE_CACHE_FILE_NAME }}
	key: ${{ env.BASE_BUILD_NAME }}-${{ matrix.os }}-${{ github.run_id }}

	- name: Process ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }} image metadata
	id: base_build
	env:
	CACHE_FILE_NAME: ${{ env.BASE_CACHE_FILE_NAME }}
	run: \|
	echo "::group::Base image metadata"
	cat "${CACHE_FILE_NAME}"
	echo "::endgroup::"

	IMAGE_DIGEST=$(jq -r '."containerimage.digest"' "${CACHE_FILE_NAME}")
	IMAGE_NAME=$(jq -r '."image.name"' "${CACHE_FILE_NAME}" \| cut -d: -f1)

	echo "base_build_image=${IMAGE_NAME}@${IMAGE_DIGEST}" >> $GITHUB_OUTPUT

	- name: Verify ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }} cosign
	if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
	env:
	BASE_IMAGE: ${{ steps.base_build.outputs.base_build_image }}
	OIDC_ISSUER: ${{ env.OIDC_ISSUER }}
	IDENTITY_REGEX: ${{ env.IDENTITY_REGEX }}
	run: \|
	echo "::group::Image sign data"
	echo "OIDC issuer=$OIDC_ISSUER"
	echo "Identity=$IDENTITY_REGEX"
	echo "Image to verify=$BASE_IMAGE"
	echo "::endgroup::"

	echo "::group::Verify signature"
	cosign verify \
	--certificate-oidc-issuer-regexp "$OIDC_ISSUER" \
	--certificate-identity-regexp "$IDENTITY_REGEX" \
	"$BASE_IMAGE"
	echo "::endgroup::"

	- name: Prepare cache data
	id: cache_data
	env:
	BASE_IMAGE_TAG: ${{ steps.base_build.outputs.base_build_image }}
	IMAGE_TAG: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
	PUBLISH_IMAGES: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
	run: \|
	cache_from=()
	cache_to=()

	cache_from+=("type=gha,scope=${BASE_IMAGE_TAG}")
	cache_from+=("type=registry,ref=${BASE_IMAGE_TAG}")
	cache_from+=("type=gha,scope=${IMAGE_TAG}")
	cache_from+=("type=registry,ref=${IMAGE_TAG}")

	cache_to+=("type=gha,mode=max,scope=${IMAGE_TAG}")

	echo "::group::Cache from data"
	echo "${cache_from[*]}"
	echo "::endgroup::"

	echo "::group::Cache to data"
	echo "${cache_to[*]}"
	echo "::endgroup::"

	cache_from=$(printf '%s\n' "${cache_from[@]}")
	cache_to=$(printf '%s\n' "${cache_to[@]}")

	echo 'cache_from<<EOF' >> "$GITHUB_OUTPUT"
	echo "$cache_from" >> "$GITHUB_OUTPUT"
	echo 'EOF' >> "$GITHUB_OUTPUT"
	echo 'cache_to<<EOF' >> "$GITHUB_OUTPUT"
	echo "$cache_to" >> "$GITHUB_OUTPUT"
	echo 'EOF' >> "$GITHUB_OUTPUT"

	- name: Login to DockerHub
	if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
	uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
	with:
	username: ${{ secrets.DOCKER_USERNAME }}
	password: ${{ secrets.DOCKER_PASSWORD }}

	- name: Login to ${{ env.DOCKER_REGISTRY_TEST }}
	if: ${{ env.AUTO_PUSH_IMAGES != 'true' }}
	uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
	with:
	registry: ${{ env.DOCKER_REGISTRY_TEST }}
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Build ${{ matrix.build }}/${{ matrix.os }} and push
	id: docker_build
	uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
	with:
	context: ${{ format('{0}/{1}/{2}/', env.DOCKERFILES_DIRECTORY, matrix.build, matrix.os) }}
	file: ${{ format('{0}/{1}/{2}/Dockerfile', env.DOCKERFILES_DIRECTORY, matrix.build, matrix.os) }}
	platforms: ${{ steps.platform.outputs.list }}
	push: true
	tags: ${{ steps.meta.outputs.tags }}
	build-args: BUILD_BASE_IMAGE=${{ steps.base_build.outputs.base_build_image }}
	labels: \|
	org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
	org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}

	- name: Sign the images with GitHub OIDC Token
	if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
	env:
	DIGEST: ${{ steps.docker_build.outputs.digest }}
	TAGS: ${{ steps.meta.outputs.tags }}
	run: \|
	images=""
	for tag in ${TAGS}; do
	images+="${tag}@${DIGEST} "
	done

	echo "::group::Images to sign"
	echo "$images"
	echo "::endgroup::"

	echo "::group::Signing"
	echo "cosign sign --yes $images"
	cosign sign --yes ${images}
	echo "::endgroup::"

	- name: Image metadata
	env:
	CACHE_FILE_NAME: ${{ env.BUILD_CACHE_FILE_NAME }}
	METADATA: ${{ steps.docker_build.outputs.metadata }}
	run: \|
	echo "::group::Image metadata"
	echo "${METADATA}"
	echo "::endgroup::"
	echo "::group::Cache file name"
	echo "${CACHE_FILE_NAME}"
	echo "::endgroup::"

	echo "${METADATA}" > "$CACHE_FILE_NAME"

	- name: Cache image metadata
	uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0
	with:
	path: ${{ env.BUILD_CACHE_FILE_NAME }}
	key: ${{ matrix.build }}-${{ matrix.os }}-${{ github.run_id }}

	build_images:
	timeout-minutes: 90
	needs: [ "build_base_database", "init_build"]
	name: Build ${{ matrix.build }} on ${{ matrix.os }}
	strategy:
	fail-fast: false
	matrix:
	build: ${{ fromJson(needs.init_build.outputs.components) }}
	os: ${{ fromJson(needs.init_build.outputs.os) }}

	runs-on: ubuntu-latest
	permissions:
	contents: read
	id-token: write
	packages: write
	steps:
	- name: Block egress traffic
	uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
	with:
	disable-sudo: true
	egress-policy: block
	allowed-endpoints: >
	abqix.mm.fcix.net:80
	api.github.com:443
	archive.ubuntu.com:443
	archive.ubuntu.com:80
	atl.mirrors.knownhost.com:443
	atl.mirrors.knownhost.com:80
	auth.docker.io:443
	bungi.mm.fcix.net:443
	bungi.mm.fcix.net:80
	cdn03.quay.io:443
	centos-distro.1gservers.com:80
	centos-distro.cavecreek.net:80
	centos-stream-distro.1gservers.com:443
	centos-stream-distro.1gservers.com:80
	centos.hivelocity.net:80
	centos.mirror.constant.com:80
	centos.mirror.shastacoe.net:80
	coresite.mm.fcix.net:80
	d2lzkl7pfhq30w.cloudfront.net:443
	deb.debian.org:80
	dfw.mirror.rackspace.com:443
	dfw.mirror.rackspace.com:80
	distro.ibiblio.org:80
	dl-cdn.alpinelinux.org:443
	download.cf.centos.org:443
	download.cf.centos.org:80
	epel.gb.ssimn.org:443
	epel.mirror.constant.com:443
	epel.mirror.constant.com:80
	epel.stl.us.ssimn.org:443
	epel.stl.us.ssimn.org:80
	fedora.nyherji.is:443
	fedora.nyherji.is:80
	forksystems.mm.fcix.net:443
	forksystems.mm.fcix.net:80
	ftp-nyc.osuosl.org:443
	ftp-nyc.osuosl.org:80
	ftp-osl.osuosl.org:443
	ftp-osl.osuosl.org:80
	ftp.agdsn.de:443
	ftp.agdsn.de:80
	ftp.fau.de:443
	ftp.fau.de:80
	ftp.halifax.rwth-aachen.de:443
	ftp.halifax.rwth-aachen.de:80
	ftp.osuosl.org:80
	ftp.plusline.net:443
	ftp.plusline.net:80
	ftp.uni-stuttgart.de:80
	ftpmirror.your.org:80
	fulcio.sigstore.dev:443
	ghcr.io:443
	github.com:443
	iad.mirror.rackspace.com:443
	iad.mirror.rackspace.com:80
	ima.mm.fcix.net:80
	index.docker.io:443
	ix-denver.mm.fcix.net:443
	ix-denver.mm.fcix.net:80
	keyserver.ubuntu.com:11371
	la.mirrors.clouvider.net:80
	lesnet.mm.fcix.net:443
	lesnet.mm.fcix.net:80
	level66.mm.fcix.net:80
	linux-mirrors.fnal.gov:80
	linux.cc.lehigh.edu:80
	linux.mirrors.es.net:80
	mirror-mci.yuki.net.uk:443
	mirror-mci.yuki.net.uk:80
	mirror.23m.com:443
	mirror.23m.com:80
	mirror.arizona.edu:443
	mirror.arizona.edu:80
	mirror.ash.fastserv.com:80
	mirror.centos.iad1.serverforge.org:80
	mirror.chpc.utah.edu:80
	mirror.clarkson.edu:80
	mirror.cogentco.com:80
	mirror.dal.nexril.net:443
	mirror.dal.nexril.net:80
	mirror.datto.com:80
	mirror.de.leaseweb.net:443
	mirror.de.leaseweb.net:80
	mirror.dogado.de:443
	mirror.dogado.de:80
	mirror.ette.biz:80
	mirror.facebook.net:443
	mirror.facebook.net:80
	mirror.fcix.net:443
	mirror.fcix.net:80
	mirror.genesishosting.com:80
	mirror.grid.uchicago.edu:80
	mirror.hoobly.com:443
	mirror.hoobly.com:80
	mirror.imt-systems.com:443
	mirror.imt-systems.com:80
	mirror.keystealth.org:80
	mirror.lstn.net:443
	mirror.lstn.net:80
	mirror.math.princeton.edu:443
	mirror.math.princeton.edu:80
	mirror.metrocast.net:443
	mirror.metrocast.net:80
	mirror.netcologne.de:443
	mirror.netcologne.de:80
	mirror.netzwerge.de:443
	mirror.netzwerge.de:80
	mirror.nodesdirect.com:80
	mirror.pilotfiber.com:443
	mirror.pilotfiber.com:80
	mirror.rackspace.com:443
	mirror.rackspace.com:80
	mirror.scaleuptech.com:443
	mirror.scaleuptech.com:80
	mirror.servaxnet.com:443
	mirror.servaxnet.com:80
	mirror.sfo12.us.leaseweb.net:443
	mirror.sfo12.us.leaseweb.net:80
	mirror.siena.edu:80
	mirror.steadfastnet.com:80
	mirror.stream.centos.org:443
	mirror.stream.centos.org:80
	mirror.team-cymru.com:443
	mirror.team-cymru.com:80
	mirror.umd.edu:443
	mirror.umd.edu:80
	mirror.us-midwest-1.nexcess.net:80
	mirror.us.oneandone.net:80
	mirror.vacares.com:80
	mirror.vtti.vt.edu:80
	mirror.wdc2.us.leaseweb.net:80
	mirror.web-ster.com:80
	mirror1.hs-esslingen.de:443
	mirror1.hs-esslingen.de:80
	mirrorlist.centos.org:80
	mirrors.advancedhosters.com:80
	mirrors.centos.org:443
	mirrors.cmich.edu:80
	mirrors.fedoraproject.org:443
	mirrors.fedoraproject.org:80
	mirrors.iu13.net:443
	mirrors.iu13.net:80
	mirrors.liquidweb.com:80
	mirrors.lug.mtu.edu:443
	mirrors.lug.mtu.edu:80
	mirrors.maine.edu:80
	mirrors.mit.edu:443
	mirrors.mit.edu:80
	mirrors.ocf.berkeley.edu:443
	mirrors.ocf.berkeley.edu:80
	mirrors.oit.uci.edu:80
	mirrors.raystedman.org:80
	mirrors.rcs.alaska.edu:80
	mirrors.sonic.net:443
	mirrors.sonic.net:80
	mirrors.syringanetworks.net:80
	mirrors.tscak.com:80
	mirrors.unifiedlayer.com:80
	mirrors.vcea.wsu.edu:80
	mirrors.wcupa.edu:443
	mirrors.wcupa.edu:80
	mirrors.xmission.com:80
	mirrors.xtom.com:80
	mirrors.xtom.de:443
	mirrors.xtom.de:80
	mnvoip.mm.fcix.net:80
	na.edge.kernel.org:443
	nc-centos-mirror.iwebfusion.net:80
	nginx.org:443
	nginx.org:80
	nnenix.mm.fcix.net:443
	nnenix.mm.fcix.net:80
	nocix.mm.fcix.net:443
	nocix.mm.fcix.net:80
	nyc.mirrors.clouvider.net:80
	oauth2.sigstore.dev:443
	objects.githubusercontent.com:443
	ohioix.mm.fcix.net:443
	ohioix.mm.fcix.net:80
	opencolo.mm.fcix.net:443
	opencolo.mm.fcix.net:80
	or-mirror.iwebfusion.net:80
	packages.oit.ncsu.edu:80
	paducahix.mm.fcix.net:80
	pkg-containers.githubusercontent.com:443
	ports.ubuntu.com:443
	ports.ubuntu.com:80
	production.cloudflare.docker.com:443
	pubmirror1.math.uh.edu:443
	pubmirror1.math.uh.edu:80
	pubmirror2.math.uh.edu:80
	pubmirror3.math.uh.edu:443
	pubmirror3.math.uh.edu:80
	quay.io:443
	registry-1.docker.io:443
	rekor.sigstore.dev:443
	repo.ialab.dsu.edu:443
	repo.ialab.dsu.edu:80
	repo1.sea.innoscale.net:80
	repos.eggycrew.com:443
	repos.eggycrew.com:80
	ridgewireless.mm.fcix.net:443
	ridgewireless.mm.fcix.net:80
	scientificlinux.physik.uni-muenchen.de:443
	scientificlinux.physik.uni-muenchen.de:80
	security.ubuntu.com:443
	security.ubuntu.com:80
	southfront.mm.fcix.net:443
	southfront.mm.fcix.net:80
	tuf-repo-cdn.sigstore.dev:443
	tx-mirror.tier.net:80
	us.mirrors.virtono.com:80
	uvermont.mm.fcix.net:443
	uvermont.mm.fcix.net:80
	volico.mm.fcix.net:443
	volico.mm.fcix.net:80
	www.gtlib.gatech.edu:80
	yum.oracle.com:443
	ziply.mm.fcix.net:443
	ziply.mm.fcix.net:80
	ha.pool.sks-keyservers.net:11371
	keyserver.ubuntu.com:80
	p80.pool.sks-keyservers.net:80
	pgp.mit.edu:11371

	- name: Checkout repository
	uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
	with:
	ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH \|\| '' }}
	fetch-depth: 1

	- name: Install cosign
	if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
	uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
	with:
	cosign-release: 'v2.2.3'

	- name: Check cosign version
	if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
	run: cosign version

	- name: Set up QEMU
	uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
	with:
	image: tonistiigi/binfmt:latest
	platforms: all

	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
	with:
	driver-opts: image=moby/buildkit:master

	- name: Prepare Platform list
	id: platform
	env:
	MATRIX_OS: ${{ matrix.os }}
	MATRIX_BUILD: ${{ matrix.build }}
	MATRIX_FILE: ${{ env.MATRIX_FILE }}
	run: \|
	# Chromium on Alpine is available only on linux/amd64, linux/arm64 platforms
	if ([ "$MATRIX_OS" == "alpine" ] \|\| [ "$MATRIX_OS" == "centos" ]) && [ "$MATRIX_BUILD" == "web-service" ]; then
	platform_list="linux/amd64,linux/arm64"
	# Chromium on Ubuntu is not available on s390x platform
	elif [ "$MATRIX_OS" == "ubuntu" ] && [ "$MATRIX_BUILD" == "web-service" ]; then
	platform_list="linux/amd64,linux/arm/v7,linux/arm64"
	else
	platform_list=$(jq -r ".[\"os-linux\"].\"$MATRIX_OS\" \| join(\",\")" "$MATRIX_FILE")
	fi

	# Build only Agent and Agent2 on 386
	if [ "$MATRIX_BUILD" != "agent"* ]; then
	platform_list="${platform_list#linux/386,}"
	fi

	platform_list="${platform_list%,}"

	echo "::group::Platform List"
	echo "$platform_list"
	echo "::endgroup::"

	echo "list=$platform_list" >> $GITHUB_OUTPUT

	- name: Detect Build Base Image
	id: build_base_image
	env:
	MATRIX_BUILD: ${{ matrix.build }}
	MATRIX_FILE: ${{ env.MATRIX_FILE }}
	run: \|
	BUILD_BASE=$(jq -r ".components.\"$MATRIX_BUILD\".base" "$MATRIX_FILE")

	echo "::group::Base Build Image"
	echo "$BUILD_BASE"
	echo "::endgroup::"

	echo "build_base=${BUILD_BASE}" >> $GITHUB_OUTPUT

	- name: Generate tags
	id: meta
	uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
	with:
	images: \|
	${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }}
	${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }}
	context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' \|\| '' }}
	tags: \|
	type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}-
	type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ matrix.os }}
	type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' && !contains(fromJSON('["workflow_dispatch"]'), github.event_name) }},event=branch,prefix=${{ matrix.os }}-,suffix=-latest
	type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' && !contains(fromJSON('["workflow_dispatch"]'), github.event_name) }},event=branch,suffix=-${{ matrix.os }}-latest
	type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{matrix.os}}-latest
	type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.os }}-
	type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' \|\| contains(fromJSON('["workflow_dispatch"]'), github.event_name) }},event=branch,suffix=-${{ matrix.os }}
	flavor: \|
	latest=${{ (matrix.os == 'alpine') && (!contains(fromJSON('["workflow_dispatch"]'), github.event_name)) && ( needs.init_build.outputs.is_default_branch == 'true' ) }}

	- name: Download metadata of ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.os }}
	uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0
	if: ${{ matrix.build != 'snmptraps' }}
	with:
	path: ${{ env.BUILD_CACHE_FILE_NAME }}
	key: ${{ steps.build_base_image.outputs.build_base }}-${{ matrix.os }}-${{ github.run_id }}

	- name: Process ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.os }} image metadata
	id: base_build
	if: ${{ matrix.build != 'snmptraps' }}
	env:
	CACHE_FILE_NAME: ${{ env.BUILD_CACHE_FILE_NAME }}
	run: \|
	echo "::group::Base build image metadata"
	cat "${CACHE_FILE_NAME}"
	echo "::endgroup::"

	IMAGE_DIGEST=$(jq -r '."containerimage.digest"' "${CACHE_FILE_NAME}")
	IMAGE_NAME=$(jq -r '."image.name"' "${CACHE_FILE_NAME}" \| cut -d: -f1)

	echo "base_build_image=${IMAGE_NAME}@${IMAGE_DIGEST}" >> $GITHUB_OUTPUT

	- name: Verify ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.os }} cosign
	if: ${{ matrix.build != 'snmptraps' && env.AUTO_PUSH_IMAGES == 'true' }}
	env:
	BASE_IMAGE: ${{ steps.base_build.outputs.base_build_image }}
	OIDC_ISSUER: ${{ env.OIDC_ISSUER }}
	IDENTITY_REGEX: ${{ env.IDENTITY_REGEX }}
	run: \|
	echo "::group::Image sign data"
	echo "OIDC issuer=${OIDC_ISSUER}"
	echo "Identity=${IDENTITY_REGEX}"
	echo "Image to verify=${BASE_IMAGE}"
	echo "::endgroup::"

	echo "::group::Verify signature"
	cosign verify \
	--certificate-oidc-issuer-regexp "${OIDC_ISSUER}" \
	--certificate-identity-regexp "${IDENTITY_REGEX}" \
	"${BASE_IMAGE}"
	echo "::endgroup::"

	- name: Prepare cache data
	if: ${{ matrix.build != 'snmptraps' }}
	id: cache_data
	env:
	BASE_IMAGE_TAG: ${{ steps.base_build.outputs.base_build_image }}
	run: \|
	cache_from=()
	cache_to=()

	cache_from+=("type=registry,ref=${BASE_IMAGE_TAG}")

	echo "::group::Cache from data"
	echo "${cache_from[*]}"
	echo "::endgroup::"

	cache_from=$(printf '%s\n' "${cache_from[@]}")

	echo 'cache_from<<EOF' >> "$GITHUB_OUTPUT"
	echo "$cache_from" >> "$GITHUB_OUTPUT"
	echo 'EOF' >> "$GITHUB_OUTPUT"

	- name: Login to DockerHub
	if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
	uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
	with:
	username: ${{ secrets.DOCKER_USERNAME }}
	password: ${{ secrets.DOCKER_PASSWORD }}

	- name: Build and push image
	id: docker_build
	uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
	with:
	context: ${{ format('{0}/{1}/{2}', env.DOCKERFILES_DIRECTORY, matrix.build, matrix.os) }}
	file: ${{ format('{0}/{1}/{2}/Dockerfile', env.DOCKERFILES_DIRECTORY, matrix.build, matrix.os) }}
	platforms: ${{ steps.platform.outputs.list }}
	push: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
	tags: ${{ steps.meta.outputs.tags }}
	build-args: BUILD_BASE_IMAGE=${{ steps.base_build.outputs.base_build_image }}
	labels: \|
	org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
	org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}

	- name: Sign the images with GitHub OIDC Token
	if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
	env:
	DIGEST: ${{ steps.docker_build.outputs.digest }}
	TAGS: ${{ steps.meta.outputs.tags }}
	run: \|
	images=""
	for tag in ${TAGS}; do
	images+="${tag}@${DIGEST} "
	done

	echo "::group::Images to sign"
	echo "$images"
	echo "::endgroup::"

	echo "::group::Signing"
	echo "cosign sign --yes $images"
	cosign sign --yes ${images}
	echo "::endgroup::"

	- name: Image metadata
	if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
	env:
	METADATA: ${{ steps.docker_build.outputs.metadata }}
	run: \|
	echo "::group::Image metadata"
	echo "${METADATA}"
	echo "::endgroup::"

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Merge pull request #1372 from zabbix/50_lic #1014

Workflow file

Merge pull request #1372 from zabbix/50_lic #1014

Jobs

Run details

Workflow file for this run