cnpg-postgres-containers/.github/actions/copy-images/README.md
2025-10-13 19:32:44 +02:00
# Copy Images Action
This composite GitHub Action copies a set of container images from a
`testing registry` to a `production registry`, and signs them using `Cosign`.
It requires as input Bake's build result metadata, which is the output provided
by the [bake-action](https://github.com/docker/bake-action?tab=readme-ov-file#outputs).
---
## How it works
The action assumes a consistent naming convention between your testing and production registries.
* A production image is named like `ghcr.io/org/image`
* The corresponding testing image must include a suffix, e.g. `ghcr.io/org/image-testing`
You can customize this suffix with the `inputs.test_registry_suffix` input.
The action proceeds as follows:
1. It retrieves all image references from `inputs.bake_build_metadata`
2. It generates a list of destination images by stripping out the `test_registry_suffix` from each image
3. Each image is copied to the destination registry using `Skopeo copy`. The digest of the image is preserved.
4. Each production image is signed using `Cosign`
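As an added illustration (not code from the action itself), the following Python derives the copy plan of steps 1 and 2 from a constructed Bake metadata document: the `image.name` and `containerimage.digest` keys it reads are assumed from the Bake metadata-file format, and rejecting sources whose repository lacks the suffix is an extra guard this README does not describe. Steps 3 and 4 (`skopeo copy` and `cosign sign`) would then run once per resulting source/destination pair.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample of Bake build-result metadata. Shape assumed: one object per
# target with a comma-separated "image.name" and a "containerimage.digest".
SAMPLE_METADATA = json.dumps({
    "postgresql-17-minimal": {
        "image.name": "ghcr.io/org/postgresql-testing:17.2-minimal,"
                      "ghcr.io/org/postgresql-testing:17-minimal",
        "containerimage.digest": "sha256:" + "a" * 64,
    },
    "postgresql-16-standard": {
        "image.name": "ghcr.io/org/postgresql-testing:16.6-standard",
        "containerimage.digest": "sha256:" + "b" * 64,
    },
})


def split_reference(ref: str) -> Tuple[str, str]:
    """Split 'registry/repo:tag' into (repository, tag); tag is '' if absent.
    Only a ':' after the last '/' is a tag separator, so a registry port such
    as 'localhost:5000/repo' is not mistaken for one."""
    colon = ref.rfind(":")
    if colon > ref.rfind("/"):
        return ref[:colon], ref[colon + 1:]
    return ref, ""


def promotion_plan(metadata_json: str, suffix: str = "-testing") -> List[Dict[str, str]]:
    """Derive source/destination/digest triples from Bake metadata.
    The destination repository is the source repository with `suffix` removed
    from its end (the suffix is never stripped from the tag). A source whose
    repository lacks the suffix is rejected instead of copied (a guard added
    here; the README does not describe one)."""
    plan = []
    for target, data in json.loads(metadata_json).items():
        digest = data["containerimage.digest"]
        for source in data["image.name"].split(","):
            repo, tag = split_reference(source)
            if not repo.endswith(suffix):
                raise ValueError(f"{target}: {source!r} is not a testing image")
            dest_repo = repo[:-len(suffix)]
            # Reference the source by digest so exactly what was tested is
            # promoted; the destination keeps the human-readable tag.
            plan.append({"source": f"{repo}@{digest}", "digest": digest,
                         "destination": f"{dest_repo}:{tag}" if tag else dest_repo})
    return plan
```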
---
## Requirements
This composite action requires the calling workflow's `GITHUB_TOKEN`
to have the following permissions:
```
permissions:
  contents: read
  packages: write
  id-token: write # needed by Cosign for signing the images with GitHub OIDC Token
```
---
## Inputs
| Name | Description | Required | Default |
| ---------------------- | -------------------------------------------------- | --------- | -------------- |
| `bake_build_metadata` | The JSON build result metadata generated by Bake | ✅ Yes | — |
| `registry_user` | The username used to authenticate to the registry | ✅ Yes | — |
| `registry_token` | The token used to authenticate to the registry | ✅ Yes | — |
| `test_registry_suffix` | The suffix of the testing images | ❌ No | `-testing` |
Note:
The JSON build result metadata is provided by [bake-action](https://github.com/docker/bake-action) as an output, see
[bake-action outputs](https://github.com/docker/bake-action?tab=readme-ov-file#outputs).
Alternatively, if you are using `docker buildx bake` from the command line, you can write your build metadata to a file
by using `--metadata-file`, and then provide the content of that file as `inputs.bake_build_metadata`.
---
## Usage
Example usage:
```
jobs:
  copytoproduction:
    runs-on: ubuntu-latest
    needs:
      - testbuild
    permissions:
      contents: read
      packages: write
      id-token: write
    steps:
      - name: Copy to production
        uses: cloudnative-pg/postgres-containers/.github/actions/copy-images@main
        with:
          bake_build_metadata: "${{ needs.testbuild.outputs.metadata }}"
          registry_user: ${{ github.actor }}
          registry_token: ${{ secrets.GITHUB_TOKEN }}
```
Example workflow:
```
jobs:
  # Building and pushing to a testing registry
  testbuild:
    runs-on: ubuntu-latest
    outputs:
      metadata: ${{ steps.build.outputs.metadata }}
    steps:
      ...
      - uses: docker/bake-action@v6
        id: build
        with:
          push: true

  # Here's when you'd want to have one or
  # multiple jobs to scan and test your images
  scan-images:
    ...

  # If the tests passed, we promote the images to the production repo
  copytoproduction:
    runs-on: ubuntu-latest
    needs:
      - testbuild
      - scan-images
    permissions:
      contents: read
      packages: write
      id-token: write
    steps:
      - name: Copy to production
        uses: cloudnative-pg/postgres-containers/.github/actions/copy-images@main
        with:
          bake_build_metadata: "${{ needs.testbuild.outputs.metadata }}"
          registry_user: ${{ github.actor }}
          registry_token: ${{ secrets.GITHUB_TOKEN }}
```