Build with buildah+vfs+chroot to bypass runner sandbox
This commit is contained in:
parent
dfbe598bc3
commit
5df0d94d92
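--- a/<WORKFLOW-PATH-NOT-SHOWN>
+++ b/<WORKFLOW-PATH-NOT-SHOWN>
@@ -106,6 +106,11 @@ jobs:
 cosign version
 jq --version
 
+# Build with buildah + vfs + chroot isolation. This combo avoids:
+# - user namespaces (which need newuidmap and aren't always allowed)
+# - overlay mounts (which need mount propagation)
+# - clone() with CLONE_NEW* flags (which seccomp may block)
+# Run with sudo so we already have full caps and don't need to unshare.
 - name: Build image
 id: build
 shell: bash
@@ -113,11 +118,16 @@ jobs:
 IMAGE_REF: ${{ steps.tags.outputs.image_ref }}
 DATE_TAG: ${{ steps.tags.outputs.date_tag }}
 SHA_TAG: ${{ steps.tags.outputs.sha_tag }}
+BUILDAH_ISOLATION: chroot
+STORAGE_DRIVER: vfs
 run: |
 set -euxo pipefail
-podman build \
+sudo BUILDAH_ISOLATION=chroot STORAGE_DRIVER=vfs buildah \
+--storage-driver=vfs \
+bud \
+--isolation=chroot \
 --platform=${{ matrix.platform }} \
---pull=newer \
+--pull-always \
 --tag "${IMAGE_REF}:${DATE_TAG}" \
 --tag "${IMAGE_REF}:${SHA_TAG}" \
 $(for t in $IMAGE_TAGS; do echo --tag "${IMAGE_REF}:${t}"; done) \
@@ -127,7 +137,7 @@ jobs:
 if: github.event_name != 'pull_request'
 shell: bash
 run: |
-echo "${REGISTRY_TOKEN}" | podman login \
+echo "${REGISTRY_TOKEN}" | sudo buildah --storage-driver=vfs login \
 --username "${REGISTRY_USER}" \
 --password-stdin \
 "${REGISTRY}"
@@ -142,7 +152,7 @@ jobs:
 run: |
 set -euxo pipefail
 for tag in $DATE_TAG $SHA_TAG $IMAGE_TAGS; do
-podman push "${IMAGE_REF}:${tag}"
+sudo buildah --storage-driver=vfs push "${IMAGE_REF}:${tag}"
 done
 
 - name: Sign image with cosign
@@ -155,7 +165,11 @@ jobs:
 run: |
 set -euxo pipefail
 for tag in $IMAGE_TAGS; do
-DIGEST=$(skopeo inspect --format '{{.Digest}}' "docker://${IMAGE_REF}:${tag}")
+# skopeo inspect against private registry needs creds
+DIGEST=$(skopeo inspect \
+--creds "${REGISTRY_USER}:${REGISTRY_TOKEN}" \
+--format '{{.Digest}}' \
+"docker://${IMAGE_REF}:${tag}")
 cosign sign --yes --key env://COSIGN_PRIVATE_KEY "${IMAGE_REF}@${DIGEST}"
 done
 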
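Review bot: In the last hunk (`@@ -155,7 +165,11 @@`), `--creds "${REGISTRY_USER}:${REGISTRY_TOKEN}"` puts the registry token on the skopeo command line inside a step that runs `set -euxo pipefail`, so the `-x` trace writes the full credential into the job log (and it is visible to `ps` on the runner for the duration of the call); unless the runner reliably masks that secret, this is a credential leak. The likely reason for `--creds` is that the `buildah login` in the third hunk ran under `sudo` and wrote root's auth file, which the unprivileged `skopeo` here cannot see — so log in once with skopeo in this step, feeding the token on stdin with tracing suspended, and keep `skopeo inspect` without `--creds` as it was before. In the second hunk the two new `env:` entries `BUILDAH_ISOLATION`/`STORAGE_DRIVER` are dead: `sudo` does not pass them through by default, and the same values are already set both as `sudo VAR=… buildah` prefixes and as `--storage-driver=vfs`/`--isolation=chroot` flags, so drop the `env:` lines (or the prefixes) to leave one source of truth. The first hunk's comment should also state the trade-off it makes: `# NOTE: chroot isolation under sudo means RUN steps execute as real root on the runner — only build trusted Containerfiles this way.`
```yaml
set +x   # keep the token out of the -x trace
printf '%s' "${REGISTRY_TOKEN}" | skopeo login --username "${REGISTRY_USER}" --password-stdin "${REGISTRY}"
set -x
for tag in $IMAGE_TAGS; do
  DIGEST=$(skopeo inspect --format '{{.Digest}}' "docker://${IMAGE_REF}:${tag}")
  # … unchanged: cosign sign …
done
```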