forked from repo-mirrors/cnpg-postgres-containers
121 lines
3.8 KiB
Markdown
121 lines
3.8 KiB
Markdown
# Copy Images Action
|
||
|
||
This composite GitHub Action copies a set of container images from a
|
||
`testing registry` to a `production registry`, and signs them using `Cosign`.
|
||
It requires as input Bake's build result metadata, which is the output provided
|
||
by the [bake-action](https://github.com/docker/bake-action?tab=readme-ov-file#outputs).
|
||
|
||
---
|
||
|
||
## How it works
|
||
|
||
The action assumes a consistent naming convention between your testing and production registries.
|
||
|
||
* A production image is named like `ghcr.io/org/image`
|
||
* The corresponding testing image must include a suffix, e.g. `ghcr.io/org/image-testing`
|
||
|
||
You can customize this suffix with the `inputs.test_registry_suffix` input.
|
||
|
||
The action proceeds as follows:
|
||
|
||
1. It retrieves all image references from `inputs.bake_build_metadata`
|
||
2. It generates a list of destination images by stripping out the `test_registry_suffix` from each image
|
||
3. Each image is copied to the destination registry using `Skopeo copy`. The digest of the image is preserved.
|
||
4. Each production image is signed using `Cosign`
|
||
|
||
---
|
||
|
||
## Requirements
|
||
|
||
This composite action requires the calling workflow’s `GITHUB_TOKEN`
|
||
to have the following permissions:
|
||
|
||
```
|
||
permissions:
|
||
contents: read
|
||
packages: write
|
||
id-token: write # needed by Cosign for signing the images with GitHub OIDC Token
|
||
```
|
||
|
||
---
|
||
|
||
## Inputs
|
||
|
||
| Name | Description | Required | Default |
|
||
| ---------------------- | -------------------------------------------------- | --------- | -------------- |
|
||
| `bake_build_metadata` | The JSON build result metadata generated by Bake | ✅ Yes | — |
|
||
| `registry_user` | The user used to authenticate to the registry | ✅ Yes | — |
|
||
| `registry_token` | The token used to authenticate to the registry | ✅ Yes | — |
|
||
| `test_registry_suffix` | The suffix of the testing images | ❌ No | `-testing` |
|
||
|
||
Note:
|
||
The JSON build result metadata is provided by [bake-action](https://github.com/docker/bake-action) as an output, see
|
||
[bake-action outputs](https://github.com/docker/bake-action?tab=readme-ov-file#outputs).
|
||
Alternatively, if you are using `docker buildx bake` via commandline, you can write your build metadata to a file
|
||
by using `--metadata-file`, and then provide the content of that file as `input.bake_build_metadata`.
|
||
|
||
---
|
||
|
||
## Usage
|
||
|
||
Example usage:
|
||
|
||
```
|
||
jobs:
|
||
copytoproduction:
|
||
runs-on: ubuntu-latest
|
||
needs:
|
||
- testbuild
|
||
permissions:
|
||
contents: read
|
||
packages: write
|
||
id-token: write
|
||
steps:
|
||
- name: Copy to production
|
||
uses: cloudnative-pg/postgres-containers/.github/actions/copy-images@main
|
||
with:
|
||
bake_build_metadata: "${{ needs.testbuild.outputs.metadata }}"
|
||
registry_user: ${{ github.actor }}
|
||
registry_token: ${{ secrets.GITHUB_TOKEN }}
|
||
```
|
||
|
||
Example workflow:
|
||
|
||
```
|
||
jobs:
|
||
# Building and pushing to a testing registry
|
||
testbuild:
|
||
runs-on: ubuntu-latest
|
||
outputs:
|
||
metadata: ${{ steps.build.outputs.metadata }}
|
||
steps:
|
||
...
|
||
- uses: docker/bake-action@v6
|
||
id: build
|
||
with:
|
||
push: true
|
||
|
||
# Here's when you'd want to have one or
|
||
# multiple jobs to scan and test your images
|
||
scan-images:
|
||
...
|
||
|
||
# If the tests passed, we promote the images to the production repo
|
||
copytoproduction:
|
||
runs-on: ubuntu-latest
|
||
needs:
|
||
- testbuild
|
||
- scan-images
|
||
permissions:
|
||
contents: read
|
||
packages: write
|
||
id-token: write
|
||
steps:
|
||
- name: Copy to production
|
||
uses: cloudnative-pg/postgres-containers/.github/actions/copy-images@main
|
||
with:
|
||
bake_build_metadata: "${{ needs.testbuild.outputs.metadata }}"
|
||
registry_user: ${{ github.actor }}
|
||
registry_token: ${{ secrets.GITHUB_TOKEN }}
|
||
```
|