replace skopeo action with skopeo image (#5760)

nginx · Jun 14, 2024 · 8752533 · 8752533
1 parent d7e499c
commit 8752533
Show file tree

Hide file tree

Showing 9 changed files with 81 additions and 91 deletions.
diff --git a/.github/actions/install-skopeo/action.yml b/.github/actions/install-skopeo/action.yml
diff --git a/.github/scripts/copy-images.sh b/.github/scripts/copy-images.sh
@@ -2,6 +2,14 @@
 
 set -eo pipefail
 
+# shellcheck disable=SC2155
+export ROOTDIR=$(git rev-parse --show-toplevel || echo ".")
+
+SKOPEO_BIN=skopeo
+if [ -n "$CI" ]; then
+    SKOPEO_BIN="docker run --rm -v $HOME/.docker/config.json:/tmp/auth.json $(grep skopeo "${ROOTDIR}/tests/Dockerfile" | grep FROM | cut -d ' ' -f 2)"
+fi
+
 ## Setup inputs
 
 SOURCE_TAG=${SOURCE_TAG:-stable}
@@ -31,22 +39,19 @@ SOURCE_NAP_WAF_IMAGE_PREFIX=${SOURCE_NAP_WAF_IMAGE_PREFIX:-"nginx-ic-nap/nginx-p
 SOURCE_NAP_WAFV5_IMAGE_PREFIX=${SOURCE_NAP_WAFV5_IMAGE_PREFIX:-"nginx-ic-nap-v5/nginx-plus-ingress"}
 SOURCE_NAP_DOS_IMAGE_PREFIX=${SOURCE_NAP_DOS_IMAGE_PREFIX:-"nginx-ic-dos/nginx-plus-ingress"}
 SOURCE_NAP_WAF_DOS_IMAGE_PREFIX=${SOURCE_NAP_WAF_DOS_IMAGE_PREFIX:-"nginx-ic-dos-nap/nginx-plus-ingress"}
-SOURCE_NAP_WAFV5_DOS_IMAGE_PREFIX=${SOURCE_NAP_WAFV5_DOS_IMAGE_PREFIX:-"nginx-ic-dos-nap-v5/nginx-plus-ingress"}
 
 TARGET_PLUS_IMAGE_PREFIX=${TARGET_PLUS_IMAGE_PREFIX:-"nginx-ic/nginx-plus-ingress"}
 TARGET_NAP_WAF_IMAGE_PREFIX=${TARGET_NAP_WAF_IMAGE_PREFIX:-"nginx-ic-nap/nginx-plus-ingress"}
 TARGET_NAP_WAFV5_IMAGE_PREFIX=${TARGET_NAP_WAFV5_IMAGE_PREFIX:-"nginx-ic-nap/nginx-plus-ingress"}
 TARGET_NAP_DOS_IMAGE_PREFIX=${TARGET_NAP_DOS_IMAGE_PREFIX:-"nginx-ic-dos/nginx-plus-ingress"}
 TARGET_NAP_WAF_DOS_IMAGE_PREFIX=${TARGET_NAP_WAF_DOS_IMAGE_PREFIX:-"nginx-ic-dos-nap/nginx-plus-ingress"}
-TARGET_NAP_WAFV5_DOS_IMAGE_PREFIX=${TARGET_NAP_WAFV5_DOS_IMAGE_PREFIX:-"nginx-ic-dos-nap-v5/nginx-plus-ingress"}
 
 declare -a OSS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine")
 declare -a PLUS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine" "-alpine-fips")
 declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-alpine-fips")
-declare -a NAP_WAFV5_TAG_POSTFIX_LIST=()
+declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-ubi" "-alpine-fips")
 declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-ubi")
 declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-ubi")
-declare -a NAP_WAFV5_DOS_TAG_POSTFIX_LIST=()
 declare -a ADDITIONAL_TAGS=("latest" "${ADDITIONAL_TAG}")
 
 CONFIG_PATH=${CONFIG_PATH:-~/.nic-release/config}
@@ -89,7 +94,7 @@ if $PUBLISH_OSS; then
         new_tag=${TARGET_REGISTRY}/${TARGET_OSS_IMAGE_PREFIX}:${TARGET_TAG}${postfix}
         echo "  Pushing image OSS ${new_tag}..."
         if ! $DRY_RUN; then
-            skopeo copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${new_tag}
+            ${SKOPEO_BIN} copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${new_tag}
         fi
         for tag in "${ADDITIONAL_TAGS[@]}"; do
             if [ -z "${tag}" ]; then
@@ -98,7 +103,7 @@ if $PUBLISH_OSS; then
             additional_tag=${TARGET_REGISTRY}/${TARGET_OSS_IMAGE_PREFIX}:${tag}${postfix}
             echo "  Pushing image OSS ${additional_tag}..."
             if ! $DRY_RUN; then
-                skopeo copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${additional_tag}
+                ${SKOPEO_BIN} copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${additional_tag}
             fi
         done
     done
@@ -111,12 +116,12 @@ if $PUBLISH_PLUS; then
         image=${SOURCE_REGISTRY}/${SOURCE_PLUS_IMAGE_PREFIX}:${SOURCE_TAG}${postfix}
         echo "Processing image ${image}"
         new_tag=${TARGET_REGISTRY}/${TARGET_PLUS_IMAGE_PREFIX}:${TARGET_TAG}${postfix}
-        if $IS_IMMUTABLE && skopeo --override-os linux --override-arch amd64 inspect docker://${new_tag} > /dev/null 2>&1; then
+        if $IS_IMMUTABLE && ${SKOPEO_BIN} --override-os linux --override-arch amd64 inspect docker://${new_tag} > /dev/null 2>&1; then
             echo "  ECR is immutable & tag ${new_tag} already exists, skipping."
         else
             echo "  Pushing image Plus ${new_tag}..."
             if ! $DRY_RUN; then
-                skopeo copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${new_tag}
+                ${SKOPEO_BIN} copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${new_tag}
             fi
             for tag in "${ADDITIONAL_TAGS[@]}"; do
                 if [ -z "${tag}" ]; then
@@ -125,7 +130,7 @@ if $PUBLISH_PLUS; then
                 additional_tag=${TARGET_REGISTRY}/${TARGET_PLUS_IMAGE_PREFIX}:${tag}${postfix}
                 echo "  Pushing image Plus ${additional_tag}..."
                 if ! $DRY_RUN; then
-                    skopeo copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${additional_tag}
+                    ${SKOPEO_BIN} copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${additional_tag}
                 fi
             done
         fi
@@ -139,12 +144,12 @@ if $PUBLISH_WAF; then
         image=${SOURCE_REGISTRY}/${SOURCE_NAP_WAF_IMAGE_PREFIX}:${SOURCE_TAG}${postfix}
         echo "Processing image ${image}"
         new_tag=${TARGET_REGISTRY}/${TARGET_NAP_WAF_IMAGE_PREFIX}:${TARGET_TAG}${postfix}
-        if $IS_IMMUTABLE && skopeo --override-os linux --override-arch amd64 inspect docker://${new_tag} > /dev/null 2>&1; then
+        if $IS_IMMUTABLE && ${SKOPEO_BIN} --override-os linux --override-arch amd64 inspect docker://${new_tag} > /dev/null 2>&1; then
             echo "  ECR is immutable & tag ${new_tag} already exists, skipping."
         else
             echo "  Pushing image NAP WAF ${new_tag}..."
             if ! $DRY_RUN; then
-                skopeo copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${new_tag}
+                ${SKOPEO_BIN} copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${new_tag}
             fi
             for tag in "${ADDITIONAL_TAGS[@]}"; do
                 if [ -z "${tag}" ]; then
@@ -153,7 +158,7 @@ if $PUBLISH_WAF; then
                 additional_tag=${TARGET_REGISTRY}/${TARGET_NAP_WAF_IMAGE_PREFIX}:${tag}${postfix}
                 echo "  Pushing image NAP WAF ${additional_tag}..."
                 if ! $DRY_RUN; then
-                    skopeo copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${additional_tag}
+                    ${SKOPEO_BIN} copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${additional_tag}
                 fi
             done
         fi
@@ -162,12 +167,12 @@ if $PUBLISH_WAF; then
         image=${SOURCE_REGISTRY}/${SOURCE_NAP_WAFV5_IMAGE_PREFIX}:${SOURCE_TAG}${postfix}
         echo "Processing image ${image}"
         new_tag=${TARGET_REGISTRY}/${TARGET_NAP_WAFV5_IMAGE_PREFIX}:${TARGET_TAG}${postfix}
-        if $IS_IMMUTABLE && skopeo --override-os linux --override-arch amd64 inspect docker://${new_tag} > /dev/null 2>&1; then
+        if $IS_IMMUTABLE && ${SKOPEO_BIN} --override-os linux --override-arch amd64 inspect docker://${new_tag} > /dev/null 2>&1; then
             echo "  ECR is immutable & tag ${new_tag} already exists, skipping."
         else
             echo "  Pushing image NAP WAFV5 ${new_tag}..."
             if ! $DRY_RUN; then
-                skopeo copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${new_tag}
+                ${SKOPEO_BIN} copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${new_tag}
             fi
             for tag in "${ADDITIONAL_TAGS[@]}"; do
                 if [ -z "${tag}" ]; then
@@ -176,7 +181,7 @@ if $PUBLISH_WAF; then
                 additional_tag=${TARGET_REGISTRY}/${TARGET_NAP_WAFV5_IMAGE_PREFIX}:${tag}${postfix}
                 echo "  Pushing image NAP WAFV5 ${additional_tag}..."
                 if ! $DRY_RUN; then
-                    skopeo copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${additional_tag}
+                    ${SKOPEO_BIN} copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${additional_tag}
                 fi
             done
         fi
@@ -190,12 +195,12 @@ if $PUBLISH_DOS; then
         image=${SOURCE_REGISTRY}/${SOURCE_NAP_DOS_IMAGE_PREFIX}:${SOURCE_TAG}${postfix}
         echo "Processing image ${image}"
         new_tag=${TARGET_REGISTRY}/${TARGET_NAP_DOS_IMAGE_PREFIX}:${TARGET_TAG}${postfix}
-        if $IS_IMMUTABLE && skopeo --override-os linux --override-arch amd64 inspect docker://${new_tag} > /dev/null 2>&1; then
+        if $IS_IMMUTABLE && ${SKOPEO_BIN} --override-os linux --override-arch amd64 inspect docker://${new_tag} > /dev/null 2>&1; then
             echo "  ECR is immutable & tag ${new_tag} already exists, skipping."
         else
             echo "  Pushing image NAP DOS ${new_tag}..."
             if ! $DRY_RUN; then
-                skopeo copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${new_tag}
+                ${SKOPEO_BIN} copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${new_tag}
             fi
             for tag in "${ADDITIONAL_TAGS[@]}"; do
                 if [ -z "${tag}" ]; then
@@ -204,7 +209,7 @@ if $PUBLISH_DOS; then
                 additional_tag=${TARGET_REGISTRY}/${TARGET_NAP_DOS_IMAGE_PREFIX}:${tag}${postfix}
                 echo "  Pushing image NAP DOS ${additional_tag}..."
                 if ! $DRY_RUN; then
-                    skopeo copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${additional_tag}
+                    ${SKOPEO_BIN} copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${additional_tag}
                 fi
             done
         fi
@@ -218,12 +223,12 @@ if $PUBLISH_WAF_DOS; then
         image=${SOURCE_REGISTRY}/${SOURCE_NAP_WAF_DOS_IMAGE_PREFIX}:${SOURCE_TAG}${postfix}
         echo "Processing image ${image}"
         new_tag=${TARGET_REGISTRY}/${TARGET_NAP_WAF_DOS_IMAGE_PREFIX}:${TARGET_TAG}${postfix}
-        if $IS_IMMUTABLE && skopeo --override-os linux --override-arch amd64 inspect docker://${new_tag} > /dev/null 2>&1; then
+        if $IS_IMMUTABLE && ${SKOPEO_BIN} --override-os linux --override-arch amd64 inspect docker://${new_tag} > /dev/null 2>&1; then
             echo "  ECR is immutable & tag ${new_tag} already exists, skipping."
         else
             echo "  Pushing image NAP WAF/DOS ${new_tag}..."
             if ! $DRY_RUN; then
-                skopeo copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${new_tag}
+                ${SKOPEO_BIN} copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${new_tag}
             fi
             for tag in "${ADDITIONAL_TAGS[@]}"; do
                 if [ -z "${tag}" ]; then
@@ -232,7 +237,7 @@ if $PUBLISH_WAF_DOS; then
                 additional_tag=${TARGET_REGISTRY}/${TARGET_NAP_WAF_DOS_IMAGE_PREFIX}:${tag}${postfix}
                 echo "  Pushing image NAP WAF/DOS ${additional_tag}..."
                 if ! $DRY_RUN; then
-                    skopeo copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${additional_tag}
+                    ${SKOPEO_BIN} copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${additional_tag}
                 fi
             done
         fi

diff --git a/.github/scripts/create-release-tarballs.sh b/.github/scripts/create-release-tarballs.sh
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+set -e
+
+directory=$1
+version=$2
+tarball_dir=${TARBALL_DIR:-tarballs}
+releases=$(find "${directory}" -mindepth 1 -type d)
+syft_binary=${SYFT_BIN:-"syft"}
+cosign_binary=${COSIGN_BIN:-"cosign"}
+
+if [ ! -d "${tarball_dir}" ]; then
+    mkdir "${tarball_dir}"
+fi
+
+for i in ${releases}; do
+    # fix for v1 in kubernetes-ingress_linux_amd64_v1
+    if [[ ${i} =~ v1 ]]; then
+        mv "${i}" "${i%*_v1}"
+        i=${i%*_v1}
+    fi
+
+    if [[ ${i} =~ aws ]]; then
+        continue
+    fi
+    product_name=$(basename "${i}" | cut -d '_' -f 1)
+    product_arch=$(echo "${i}" | cut -d '_' -f 2-)
+    product_release="${product_name}_${version}_${product_arch}"
+    # shellcheck disable=SC2086
+    tarball_name="${tarball_dir}/${product_release}.tar.gz"
+    cp -r "${i}" "${directory}/${product_release}"
+    cp README.md LICENSE CHANGELOG.md "${directory}/${product_release}"
+
+    tar -czf "${tarball_name}" "${directory}/${product_release}"
+    ${syft_binary} scan file:"${directory}/${product_release}/nginx-ingress" -o spdx-json > "${tarball_name}.spdx.json"
+    pushd "${tarball_dir}"
+    sha256sum "${product_release}.tar.gz" >> "${product_name}_${version}_checksums.txt"
+    sha256sum "${product_release}.tar.gz.spdx.json" >> "${product_name}_${version}_checksums.txt"
+    popd
+done
+
+checksum_file=$(ls "${tarball_dir}"/*_checksums.txt )
+${cosign_binary} sign-blob "${checksum_file}" --output-signature="${checksum_file}.sig" --output-certificate="${checksum_file}.pem" -y
diff --git a/.github/workflows/oss-release.yml b/.github/workflows/oss-release.yml
@@ -94,9 +94,6 @@ jobs:
           username: oauth2accesstoken
           password: ${{ steps.gcr-auth.outputs.access_token }}
 
-      - name: Install latest skopeo
-        uses: ./.github/actions/install-skopeo
-
       - name: Publish OSS images
         run: |
           export CONFIG_PATH=.github/config/config-oss-gcr-release
@@ -147,9 +144,6 @@ jobs:
         with:
           registry: public.ecr.aws
 
-      - name: Install latest skopeo
-        uses: ./.github/actions/install-skopeo
-
       - name: Publish images
         run: |
           export CONFIG_PATH=.github/config/config-oss-ecr
@@ -195,9 +189,6 @@ jobs:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
 
-      - name: Install latest skopeo
-        uses: ./.github/actions/install-skopeo
-
       - name: Publish images
         run: |
           export CONFIG_PATH=.github/config/config-oss-dockerhub
@@ -244,9 +235,6 @@ jobs:
           username: ${{ secrets.QUAY_USERNAME }}
           password: ${{ secrets.QUAY_ROBOT_TOKEN }}
 
-      - name: Install latest skopeo
-        uses: ./.github/actions/install-skopeo
-
       - name: Publish images
         run: |
           export CONFIG_PATH=.github/config/config-oss-quay
@@ -294,9 +282,6 @@ jobs:
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Install latest skopeo
-        uses: ./.github/actions/install-skopeo
-
       - name: Publish images
         run: |
           export CONFIG_PATH=.github/config/config-oss-github

diff --git a/.github/workflows/plus-release.yml b/.github/workflows/plus-release.yml
@@ -94,9 +94,6 @@ jobs:
           username: oauth2accesstoken
           password: ${{ steps.gcr-auth.outputs.access_token }}
 
-      - name: Install latest skopeo
-        uses: ./.github/actions/install-skopeo
-
       - name: Publish Plus images
         run: |
           export CONFIG_PATH=.github/config/config-plus-gcr-release
@@ -151,9 +148,6 @@ jobs:
           username: ${{ steps.idtoken.outputs.id_token }}
           password: ${{ github.actor }}
 
-      - name: Install latest skopeo
-        uses: ./.github/actions/install-skopeo
-
       - name: Publish images
         run: |
           export CONFIG_PATH=.github/config/config-plus-nginx
@@ -194,9 +188,6 @@ jobs:
           workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY_MKTPL }}
           service_account: ${{ secrets.GCR_SERVICE_ACCOUNT_MKTPL }}
 
-      - name: Install latest skopeo
-        uses: ./.github/actions/install-skopeo
-
       - name: Publish Plus images
         run: |
           export CONFIG_PATH=.github/config/config-plus-gcr-public
@@ -249,9 +240,6 @@ jobs:
         with:
           registry: 709825985650.dkr.ecr.us-east-1.amazonaws.com
 
-      - name: Install latest skopeo
-        uses: ./.github/actions/install-skopeo
-
       - name: Publish images
         run: |
           export CONFIG_PATH=.github/config/config-plus-ecr
@@ -295,9 +283,6 @@ jobs:
           username: ${{ secrets.AZ_MKTPL_ID }}
           password: ${{ secrets.AZ_MKTPL_SECRET }}
 
-      - name: Install latest skopeo
-        uses: ./.github/actions/install-skopeo
-
       - name: Publish images
         run: |
           export CONFIG_PATH=.github/config/config-plus-azure