policy: Use timing-safe string comparison #1485

Workflow file for this run

.github/workflows/build-envoy-image-ci.yaml at 2d9f6cb

	name: CI Build & Push
	on:
	pull_request_target:
	types: [opened, synchronize, reopened]

	permissions:
	# To be able to access the repository with `actions/checkout`
	contents: read
	# Required to generate OIDC tokens for `sigstore/cosign-installer` authentication
	id-token: write

	jobs:
	build-and-push-prs:
	timeout-minutes: 360
	name: Build and push multi-arch images
	runs-on: equinix-32cpu-256gb
	steps:
	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1

	- name: Cache Docker layers
	uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
	with:
	path: /tmp/buildx-cache
	key: docker-cache-${{ github.head_ref }}
	restore-keys: docker-cache-main

	- name: Login to quay.io
	uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
	with:
	registry: quay.io
	username: ${{ secrets.QUAY_ENVOY_USERNAME_DEV }}
	password: ${{ secrets.QUAY_ENVOY_PASSWORD_DEV }}

	- name: Checkout PR
	uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
	with:
	ref: ${{ github.event.pull_request.head.sha }}
	persist-credentials: false

	- name: Prep for build
	run: \|
	echo "${{ github.event.pull_request.head.sha }}" >SOURCE_VERSION
	echo "ENVOY_MINOR_RELEASE=$(cat ENVOY_VERSION \| sed 's/envoy-$[0-9]\+\.[0-9]\+$\..*/v\1/')" >> $GITHUB_ENV
	echo "ENVOY_PATCH_RELEASE=$(cat ENVOY_VERSION \| sed 's/^envoy-$[0-9]\+\.[0-9]\+\.[0-9]\+$$/v\1/')" >> $GITHUB_ENV
	echo "BUILDER_DOCKER_HASH=$(git ls-tree --full-tree HEAD -- ./Dockerfile.builder \| awk '{ print $3 }')" >> $GITHUB_ENV

	- name: Checking if cilium-envoy-builder image exists
	id: cilium-builder-tag-in-repositories
	shell: bash
	run: \|
	if docker buildx imagetools inspect quay.io/${{ github.repository_owner }}/cilium-envoy-builder-dev:${{ env.BUILDER_DOCKER_HASH }} &>/dev/null; then
	echo exists="true" >> $GITHUB_OUTPUT
	else
	echo exists="false" >> $GITHUB_OUTPUT
	fi

	- name: PR Multi-arch build & push of Builder image (dev)
	uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
	if: steps.cilium-builder-tag-in-repositories.outputs.exists == 'false'
	id: docker_build_builder_ci
	with:
	provenance: false
	context: .
	file: ./Dockerfile.builder
	platforms: linux/amd64,linux/arm64
	push: true
	tags: quay.io/${{ github.repository_owner }}/cilium-envoy-builder-dev:${{ env.BUILDER_DOCKER_HASH }}

	- name: CI Builder Image Digest
	if: steps.cilium-builder-tag-in-repositories.outputs.exists == 'false'
	shell: bash
	run: \|
	echo "Digests:"
	echo "quay.io/${{ github.repository_owner }}/cilium-envoy-builder-dev:${{ env.BUILDER_DOCKER_HASH }}@${{ steps.docker_build_builder_ci.outputs.digest }}"

	- name: PR Multi-arch build & push of cilium-envoy
	uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
	id: docker_build_ci
	with:
	provenance: false
	context: .
	file: ./Dockerfile
	platforms: linux/amd64,linux/arm64
	build-args: \|
	BUILDER_BASE=quay.io/cilium/cilium-envoy-builder-dev:${{ env.BUILDER_DOCKER_HASH }}
	ARCHIVE_IMAGE=quay.io/${{ github.repository_owner }}/cilium-envoy-builder:main-archive-latest
	BAZEL_BUILD_OPTS=--remote_upload_local_results=false
	cache-from: type=local,src=/tmp/buildx-cache
	cache-to: type=local,dest=/tmp/buildx-cache,mode=max
	push: true
	tags: quay.io/${{ github.repository_owner }}/cilium-envoy-dev:${{ github.event.pull_request.head.sha }}

	- name: Install Cosign
	uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0

	- name: Sign Container Image
	run: \|
	cosign sign -y quay.io/${{ github.repository_owner }}/cilium-envoy-dev@${{ steps.docker_build_ci.outputs.digest }}

	- name: Install Bom
	shell: bash
	env:
	# renovate: datasource=github-releases depName=kubernetes-sigs/bom
	BOM_VERSION: v0.6.0
	run: \|
	curl -L https://github.com/kubernetes-sigs/bom/releases/download/${{ env.BOM_VERSION }}/bom-amd64-linux -o bom
	sudo mv ./bom /usr/local/bin/bom
	sudo chmod +x /usr/local/bin/bom

	- name: Generate SBOM
	shell: bash
	# To-Do: generate SBOM from source after https://github.com/kubernetes-sigs/bom/issues/202 is fixed
	run: \|
	bom generate -o sbom_cilium-envoy_${{ github.event.pull_request.head.sha }}.spdx --format=json --image=quay.io/${{ github.repository_owner }}/cilium-envoy-dev:${{ github.event.pull_request.head.sha }}

	- name: Attach SBOM to container images
	run: \|
	cosign attach sbom --sbom sbom_cilium-envoy_${{ github.event.pull_request.head.sha }}.spdx quay.io/${{ github.repository_owner }}/cilium-envoy-dev@${{ steps.docker_build_ci.outputs.digest }}

	- name: Sign SBOM Image
	run: \|
	docker_build_ci_digest="${{ steps.docker_build_ci.outputs.digest }}"
	image_name="quay.io/${{ github.repository_owner }}/cilium-envoy-dev:${docker_build_ci_digest/:/-}.sbom"
	docker_build_ci_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} \| sha256sum \| head -c 64)"
	cosign sign -y "quay.io/${{ github.repository_owner }}/cilium-envoy-dev@${docker_build_ci_sbom_digest}"

	- name: Envoy binary version check
	shell: bash
	run: \|
	envoy_version=$(docker run --rm quay.io/${{ github.repository_owner }}/cilium-envoy-dev:${{ github.event.pull_request.head.sha }} cilium-envoy --version)
	expected_version=$(echo ${{ env.ENVOY_PATCH_RELEASE }} \| sed 's/^v//')
	echo ${envoy_version}
	[[ "${envoy_version}" == "${{ github.event.pull_request.head.sha }}/$expected_version" ]]

	- name: CI Image Digest
	shell: bash
	run: \|
	echo "Digests:"
	echo "quay.io/${{ github.repository_owner }}/cilium-envoy-dev:${{ github.event.pull_request.head.sha }}@${{ steps.docker_build_ci.outputs.digest }}"

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

policy: Use timing-safe string comparison #1485

Workflow file

policy: Use timing-safe string comparison #1485

Jobs

Run details

Workflow file for this run