Add GHA to publish head images (#1141)

crobby · web-flow · commit 8be8bcfe1cd8 · 2025-10-16T10:05:55.000-04:00
* Add GHA to publish head images

* Use full SHA instead of short version
diff --git a/.github/workflows/publish-head.yaml b/.github/workflows/publish-head.yaml
@@ -0,0 +1,141 @@
+name: Publish Head
+on:
+  push:
+    branches:
+      - main
+      - release/v*
+permissions:
+  contents: write
+env:
+  REGISTRY: docker.io
+  REPO: rancher
+jobs:
+  build:
+    name: build and package
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        arch:
+        - amd64
+        - arm64
+    steps:
+    - name : Checkout repository
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+    - name: Setup Go
+      uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+      with:
+        go-version-file: 'go.mod'
+    - name: Build and package
+      run: |
+          ./scripts/build
+          mkdir -p dist/artifacts
+          cp bin/webhook dist/artifacts/webhook-linux-${{ matrix.arch }}
+      env:
+        ARCH: "${{ matrix.arch}}"
+        GOARCH: "${{ matrix.arch}}"
+    - name: Upload artifacts
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      with:
+        name: webhook-artifacts-${{ matrix.arch }}
+        path: |
+          dist/artifacts/webhook-linux-${{ matrix.arch }}
+  image:
+    permissions:
+      contents: read
+      id-token: write
+    strategy:
+      matrix:
+        arch:
+        - amd64
+        - arm64
+    name: Build and push Webhook images
+    runs-on: ubuntu-latest
+    needs: build
+    steps:
+      - name : Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - name: Download the artifacts
+        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+        with:
+          name: webhook-artifacts-${{ matrix.arch }}
+          path: dist/artifacts
+      - name: Move binary to bin/
+        run: |
+          mkdir -p bin/
+          cp -v dist/artifacts/webhook-linux-${{ matrix.arch }} bin/webhook
+          chmod +x bin/webhook
+      - name: "Read vault secrets"
+        uses: rancher-eio/read-vault-secrets@main
+        with:
+          secrets: |
+            secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | DOCKER_USERNAME ;
+            secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | DOCKER_PASSWORD
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+      - name: Log in to the Container registry
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ env.DOCKER_USERNAME }}
+          password: ${{ env.DOCKER_PASSWORD }}
+      - name: Build and push the webhook image
+        id: build
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          context: .
+          file: ./package/Dockerfile
+          platforms: "linux/${{ matrix.arch }}"
+          outputs: type=image,name=${{ env.REPO }}/rancher-webhook,push-by-digest=true,name-canonical=true,push=true
+      - name: Export digest
+        run: |
+          mkdir -p /tmp/digests
+          digest="${{ steps.build.outputs.digest }}"
+          touch "/tmp/digests/${digest#sha256:}"
+      - name: Upload digest
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: digests-${{ matrix.arch }}
+          path: /tmp/digests/*
+          if-no-files-found: error
+          retention-days: 1
+  merge:
+    permissions:
+      id-token: write
+    runs-on: ubuntu-latest
+    needs: image
+    steps:
+      - name: Download digests
+        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+        with:
+          path: /tmp/digests
+          pattern: digests-*
+          merge-multiple: true
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+      - name: "Read vault secrets"
+        uses: rancher-eio/read-vault-secrets@main
+        with:
+          secrets: |
+            secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | DOCKER_USERNAME ;
+            secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | DOCKER_PASSWORD
+      - name: Log in to the Container registry
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ env.DOCKER_USERNAME }}
+          password: ${{ env.DOCKER_PASSWORD }}
+      - name: Generate tag
+        run: |
+          if [[ "${{ github.ref }}" == "refs/heads/main" ]]; then
+            echo "TAG=head" >> $GITHUB_ENV
+          else
+            VERSION=$(echo "${{ github.ref }}" | sed -E -n 's|refs/heads/release/v(.*)|\1|p')
+            echo "TAG=v${VERSION}-${{ github.sha }}-head" >> $GITHUB_ENV
+          fi
+      - name: Create manifest list and push
+        working-directory: /tmp/digests
+        run: |
+          docker buildx imagetools create -t ${{ env.REGISTRY }}/${{ env.REPO }}/rancher-webhook:${{ env.TAG }} \
+            $(printf '${{ env.REPO }}/rancher-webhook@sha256:%s ' *)
