mirror of
https://github.com/meilisearch/meilisearch.git
synced 2025-07-28 09:11:00 +00:00
191ea340ed
Cosign keyless mode makes possible to sign the container image using the OIDC Identity Tokens provided by GitHub Actions [0][1]. The signature is published to the registry storing the image and to the public Rekor transparency log instance [2]. Cosign keyless mode has already been adopted by some major projects like Kubernetes [3]. The image signature can be manually verified using: ``` $ cosign verify \ --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \ --certificate-identity-regexp='^https://github.com/meilisearch/meilisearch/.github/workflows/publish-docker-images.yaml' \ <image_name> ``` See #2179. Note that a similar approach can be used to sign the release binaries. [0] https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect [1] https://docs.sigstore.dev/cosign/signing/signing_with_containers/ [2] https://docs.sigstore.dev/rekor/overview [3] https://kubernetes.io/docs/tasks/administer-cluster/verify-signed-artifacts/#verifying-image-signatures
143 lines
6.0 KiB
YAML
143 lines
6.0 KiB
YAML
name: Publish images to Docker Hub
|
|
|
|
on:
|
|
push:
|
|
# Will run for every tag pushed except `latest`
|
|
# When the `latest` git tag is created with this [CI](../latest-git-tag.yml)
|
|
# we don't need to create a Docker `latest` image again.
|
|
# The `latest` Docker image push is already done in this CI when releasing a stable version of Meilisearch.
|
|
tags-ignore:
|
|
- latest
|
|
# Both `schedule` and `workflow_dispatch` build the nightly tag
|
|
schedule:
|
|
- cron: '0 23 * * *' # Every day at 11:00pm
|
|
workflow_dispatch:
|
|
|
|
jobs:
|
|
docker:
|
|
runs-on: docker
|
|
permissions:
|
|
id-token: write # This is needed to use Cosign in keyless mode
|
|
steps:
|
|
- uses: actions/checkout@v3
|
|
|
|
# If we are running a cron or manual job ('schedule' or 'workflow_dispatch' event), it means we are publishing the `nightly` tag, so not considered stable.
|
|
# If we have pushed a tag, and the tag has the v<nmumber>.<number>.<number> format, it means we are publishing an official release, so considered stable.
|
|
# In this situation, we need to set `output.stable` to create/update the following tags (additionally to the `vX.Y.Z` Docker tag):
|
|
# - a `vX.Y` (without patch version) Docker tag
|
|
# - a `latest` Docker tag
|
|
# For any other tag pushed, this is not considered stable.
|
|
- name: Define if stable and latest release
|
|
id: check-tag-format
|
|
env:
|
|
# To avoid request limit with the .github/scripts/is-latest-release.sh script
|
|
GITHUB_PATH: ${{ secrets.MEILI_BOT_GH_PAT }}
|
|
run: |
|
|
escaped_tag=$(printf "%q" ${{ github.ref_name }})
|
|
echo "latest=false" >> $GITHUB_OUTPUT
|
|
|
|
if [[ ${{ github.event_name }} != 'push' ]]; then
|
|
echo "stable=false" >> $GITHUB_OUTPUT
|
|
elif [[ $escaped_tag =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
|
|
echo "stable=true" >> $GITHUB_OUTPUT
|
|
echo "latest=$(sh .github/scripts/is-latest-release.sh)" >> $GITHUB_OUTPUT
|
|
else
|
|
echo "stable=false" >> $GITHUB_OUTPUT
|
|
fi
|
|
|
|
# Check only the validity of the tag for stable releases (not for pre-releases or other tags)
|
|
- name: Check release validity
|
|
if: steps.check-tag-format.outputs.stable == 'true'
|
|
run: bash .github/scripts/check-release.sh
|
|
|
|
- name: Set build-args for Docker buildx
|
|
id: build-metadata
|
|
run: |
|
|
# Extract commit date
|
|
commit_date=$(git show -s --format=%cd --date=iso-strict ${{ github.sha }})
|
|
|
|
echo "date=$commit_date" >> $GITHUB_OUTPUT
|
|
|
|
- name: Set up QEMU
|
|
uses: docker/setup-qemu-action@v3
|
|
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v3
|
|
|
|
- name: Install cosign
|
|
uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # tag=v3.8.2
|
|
|
|
- name: Login to Docker Hub
|
|
uses: docker/login-action@v3
|
|
with:
|
|
username: ${{ secrets.DOCKERHUB_USERNAME }}
|
|
password: ${{ secrets.DOCKERHUB_TOKEN }}
|
|
|
|
- name: Docker meta
|
|
id: meta
|
|
uses: docker/metadata-action@v5
|
|
with:
|
|
images: getmeili/meilisearch
|
|
# Prevent `latest` to be updated for each new tag pushed.
|
|
# We need latest and `vX.Y` tags to only be pushed for the stable Meilisearch releases.
|
|
flavor: latest=false
|
|
tags: |
|
|
type=ref,event=tag
|
|
type=raw,value=nightly,enable=${{ github.event_name != 'push' }}
|
|
type=semver,pattern=v{{major}}.{{minor}},enable=${{ steps.check-tag-format.outputs.stable == 'true' }}
|
|
type=semver,pattern=v{{major}},enable=${{ steps.check-tag-format.outputs.stable == 'true' }}
|
|
type=raw,value=latest,enable=${{ steps.check-tag-format.outputs.stable == 'true' && steps.check-tag-format.outputs.latest == 'true' }}
|
|
|
|
- name: Build and push
|
|
uses: docker/build-push-action@v6
|
|
id: build-and-push
|
|
with:
|
|
push: true
|
|
platforms: linux/amd64,linux/arm64
|
|
tags: ${{ steps.meta.outputs.tags }}
|
|
build-args: |
|
|
COMMIT_SHA=${{ github.sha }}
|
|
COMMIT_DATE=${{ steps.build-metadata.outputs.date }}
|
|
GIT_TAG=${{ github.ref_name }}
|
|
|
|
- name: Sign the images with GitHub OIDC Token
|
|
env:
|
|
DIGEST: ${{ steps.build-and-push.outputs.digest }}
|
|
TAGS: ${{ steps.meta.outputs.tags }}
|
|
run: |
|
|
images=""
|
|
for tag in ${TAGS}; do
|
|
images+="${tag}@${DIGEST} "
|
|
done
|
|
cosign sign --yes ${images}
|
|
|
|
# /!\ Don't touch this without checking with Cloud team
|
|
- name: Send CI information to Cloud team
|
|
# Do not send if nightly build (i.e. 'schedule' or 'workflow_dispatch' event)
|
|
if: github.event_name == 'push'
|
|
uses: peter-evans/repository-dispatch@v3
|
|
with:
|
|
token: ${{ secrets.MEILI_BOT_GH_PAT }}
|
|
repository: meilisearch/meilisearch-cloud
|
|
event-type: cloud-docker-build
|
|
client-payload: '{ "meilisearch_version": "${{ github.ref_name }}", "stable": "${{ steps.check-tag-format.outputs.stable }}" }'
|
|
|
|
# Send notification to Swarmia to notify of a deployment: https://app.swarmia.com
|
|
# - name: 'Setup jq'
|
|
# uses: dcarbone/install-jq-action
|
|
# - name: Send deployment to Swarmia
|
|
# if: github.event_name == 'push' && success()
|
|
# run: |
|
|
# JSON_STRING=$( jq --null-input --compact-output \
|
|
# --arg version "${{ github.ref_name }}" \
|
|
# --arg appName "meilisearch" \
|
|
# --arg environment "production" \
|
|
# --arg commitSha "${{ github.sha }}" \
|
|
# --arg repositoryFullName "${{ github.repository }}" \
|
|
# '{"version": $version, "appName": $appName, "environment": $environment, "commitSha": $commitSha, "repositoryFullName": $repositoryFullName}' )
|
|
|
|
# curl -H "Authorization: ${{ secrets.SWARMIA_DEPLOYMENTS_AUTHORIZATION }}" \
|
|
# -H "Content-Type: application/json" \
|
|
# -d "$JSON_STRING" \
|
|
# https://hook.swarmia.com/deployments
|