feat: immutable digest for the most specific tags (#113)

Detect updates of the Dockerfile template and Barman python dependencies, and increase the imageReleaseVersion accordingly. Avoid pushing an image if its most specific tag (fullTag) already exists, thus preventing the override of the existing digest. Signed-off-by: Niccolò Fei <niccolo.fei@enterprisedb.com>
2024-09-05 16:48:18 +02:00
parent d0c032f6c1
commit 57be4d409f
2 changed files with 53 additions and 9 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -72,8 +72,29 @@ jobs:
        username: ${{ github.actor }}
        password: ${{ secrets.GITHUB_TOKEN }}

+    # When publishing new images from main, we should not overwrite an existing
+    # tag in order to guarantee the tag's SHA digest consistency.
+    - name: Verify primary tag is not overwritten
+      run: |
+        echo "MISSING_TAG=false" >> $GITHUB_ENV
+        # if we are not on the main branch, always push
+        if [ "${GITHUB_REF#refs/heads/}" != main ]; then
+            echo "MISSING_TAG=true" >> $GITHUB_ENV
+            exit 0
+        fi
+        IMAGE="${IMAGE_RELEASE}:${{ matrix.fullTag }}"
+        # If the primary tag already exists, skip the building phase
+        if skopeo inspect docker://${IMAGE} >/dev/null 2>/dev/null; then
+          echo "Image ${IMAGE} already exists"
+          # We still need to grab the digest to build the imageCatalog
+          echo "OLD_DIGEST=$(skopeo inspect docker://${IMAGE} --format '{{ .Digest }}')" >> $GITHUB_ENV
+        else
+          echo "MISSING_TAG=true" >> $GITHUB_ENV
+        fi
+
    - name: Build and load
      uses: docker/build-push-action@v6
+      if: ${{ env.MISSING_TAG == 'true' }}
      with:
        context: ${{ matrix.dir }}
        file: ${{ matrix.file }}
@@ -83,6 +104,7 @@ jobs:

    - name: Dockle scan
      uses: erzz/dockle-action@v1
+      if: ${{ env.MISSING_TAG == 'true' }}
      with:
        image: "${{ env.IMAGE_STAGING }}:${{ matrix.tags[0] }}"
        exit-code: '1'
@@ -92,6 +114,7 @@ jobs:

    - name: Run Snyk to check Docker image for vulnerabilities
      uses: snyk/actions/docker@master
+      if: ${{ env.MISSING_TAG == 'true' }}
      continue-on-error: true
      env:
        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
@@ -101,6 +124,7 @@ jobs:

    - name: Upload result to GitHub Code Scanning
      uses: github/codeql-action/upload-sarif@v3
+      if: ${{ env.MISSING_TAG == 'true' }}
      continue-on-error: true
      with:
        sarif_file: snyk.sarif
@@ -108,6 +132,7 @@ jobs:
    - name: Build and push
      id: build
      uses: docker/build-push-action@v6
+      if: ${{ env.MISSING_TAG == 'true' }}
      with:
        context: ${{ matrix.dir }}
        file: ${{ matrix.file }}
@@ -123,7 +148,12 @@ jobs:
            BASE_IMAGE=${IMAGE_RELEASE}
        fi

-        IMAGE=${BASE_IMAGE}:${{ matrix.fullTag }}@${{ steps.build.outputs.digest }} \
+        DIGEST="${{ steps.build.outputs.digest }}"
+        if [[ "${{ env.MISSING_TAG }}" == "false" ]]; then
+            DIGEST="${{ env.OLD_DIGEST }}"
+        fi
+
+        IMAGE=${BASE_IMAGE}:${{ matrix.fullTag }}@${DIGEST} \
        MAJOR=${{ matrix.version }} \
        yq --null-input '{
          "apiVersion": "postgresql.cnpg.io/v1",