Add support for multilevel subdomain prefix wildcard in DNS match pattern #97075
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Image CI Build | |
| # Any change in triggers needs to be reflected in the concurrency group. | |
| on: | |
| pull_request_target: | |
| types: | |
| - opened | |
| - synchronize | |
| - reopened | |
| branches-ignore: | |
| - v1.18 | |
| - v1.17 | |
| - v1.16 | |
| push: | |
| branches: | |
| - main | |
| - ft/main/** | |
| merge_group: | |
| types: [checks_requested] | |
| permissions: | |
| # To be able to access the repository with `actions/checkout` | |
| contents: read | |
| # Required to generate OIDC tokens for `sigstore/cosign-installer` authentication | |
| id-token: write | |
| # To be able to check if base images were built | |
| actions: read | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after || (github.event_name == 'merge_group' && github.run_id) }} | |
| cancel-in-progress: true | |
| jobs: | |
| wait-for-base-images: | |
| name: Wait for lint checks | |
| uses: ./.github/workflows/wait-for-status-check.yaml | |
| with: | |
| # Only run this job if the event is pull_request_target and if the PR | |
| # is not opened from a fork. | |
| # This is to avoid waiting for base images on push to main or merge_group | |
| # events as the lint-images-base does not run on those events. | |
| if: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name }} | |
| sha: ${{ github.event.pull_request.head.sha || github.sha }} | |
| lint-workflows: "lint-images-base.yaml" | |
| timeout-minutes: 2 | |
| poll-interval: 15 | |
| build-and-push-prs: | |
| timeout-minutes: 45 | |
| name: Build and Push Images | |
| runs-on: ${{ vars.GH_RUNNER_EXTRA_POWER_UBUNTU_LATEST || 'ubuntu-24.04' }} | |
| needs: wait-for-base-images | |
| outputs: | |
| sha: ${{ steps.tag.outputs.sha }} | |
| strategy: | |
| matrix: | |
| include: | |
| - name: cilium | |
| dockerfile: ./images/cilium/Dockerfile | |
| platforms: linux/amd64,linux/arm64 | |
| - name: cilium-cli | |
| dockerfile: ./cilium-cli/Dockerfile | |
| platforms: linux/amd64 | |
| require-dir: cilium-cli | |
| - name: operator-aws | |
| dockerfile: ./images/operator/Dockerfile | |
| platforms: linux/amd64,linux/arm64 | |
| - name: operator-azure | |
| dockerfile: ./images/operator/Dockerfile | |
| platforms: linux/amd64,linux/arm64 | |
| - name: operator-alibabacloud | |
| dockerfile: ./images/operator/Dockerfile | |
| platforms: linux/amd64,linux/arm64 | |
| - name: operator-generic | |
| dockerfile: ./images/operator/Dockerfile | |
| platforms: linux/amd64,linux/arm64 | |
| - name: hubble-relay | |
| dockerfile: ./images/hubble-relay/Dockerfile | |
| platforms: linux/amd64,linux/arm64 | |
| - name: clustermesh-apiserver | |
| dockerfile: ./images/clustermesh-apiserver/Dockerfile | |
| platforms: linux/amd64,linux/arm64 | |
| - name: docker-plugin | |
| dockerfile: ./images/cilium-docker-plugin/Dockerfile | |
| platforms: linux/amd64,linux/arm64 | |
| steps: | |
| - name: Checkout base or default branch (trusted) | |
| uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 | |
| with: | |
| # We first check if base_ref exist, meaning we're in pull_request_target context, and if not we just use default_branch | |
| ref: ${{ github.base_ref || github.event.repository.default_branch }} | |
| persist-credentials: false | |
| - name: Set Environment Variables | |
| uses: ./.github/actions/set-env-variables | |
| - name: Copy scripts to trusted directory | |
| run: | | |
| mkdir -p ../cilium-base-branch | |
| cp -r .github/actions/set-runtime-image ../cilium-base-branch | |
| cp -r .github/actions/cosign ../cilium-base-branch | |
| - name: Check for disk usage and cleanup /mnt | |
| shell: bash | |
| run: | | |
| echo "# Disk usage" | |
| df -h | |
| echo "# Usage for /mnt" | |
| sudo du --human-readable \ | |
| -- /mnt | |
| if compgen -G "/mnt/.*" > /dev/null; then | |
| echo "# Hidden files in /mnt:" | |
| sudo du --human-readable -- /mnt/.* 2>/dev/null | |
| fi | |
| echo "# Removing all contents of /mnt except /mnt/swapfile" | |
| sudo find /mnt -mindepth 1 ! -path /mnt/swapfile -exec rm -rf {} + || true | |
| - name: Setup docker volumes into /mnt | |
| # This allows us to make use of all available disk. | |
| shell: bash | |
| run: | | |
| sudo systemctl stop docker | |
| sudo mv /var/lib/docker/volumes /mnt/docker-volumes | |
| sudo ln -s /mnt/docker-volumes /var/lib/docker/volumes | |
| sudo systemctl start docker | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 | |
| # Disable GC entirely to avoid buildkit from GC caches. | |
| with: | |
| buildkitd-config-inline: | | |
| [worker.oci] | |
| gc=false | |
| - name: Login to quay.io for CI | |
| uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 | |
| with: | |
| registry: quay.io | |
| username: ${{ secrets.QUAY_USERNAME_CI }} | |
| password: ${{ secrets.QUAY_PASSWORD_CI }} | |
| - name: Getting image tag | |
| id: tag | |
| run: | | |
| if [ "${{ github.event.pull_request.head.sha }}" != "" ]; then | |
| sha=${{ github.event.pull_request.head.sha }} | |
| else | |
| sha=${{ github.sha }} | |
| fi | |
| echo sha=${sha} >> $GITHUB_OUTPUT | |
| tag=${sha} | |
| echo tag=${tag} >> $GITHUB_OUTPUT | |
| if [[ "${{ github.event_name == 'push' }}" == "true" ]]; then | |
| if [[ "${{ github.ref_name }}" == "${{ github.event.repository.default_branch }}" ]]; then | |
| floating_tag=latest | |
| else | |
| floating_tag="${{ github.ref_name }}" | |
| # Remove slashes from branch names | |
| floating_tag=${floating_tag##*/} | |
| fi | |
| echo floating_tag=${floating_tag} >> $GITHUB_OUTPUT | |
| fi | |
| normal_tag="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${tag}" | |
| race_tag="${normal_tag}-race" | |
| unstripped_tag="${normal_tag}-unstripped" | |
| if [ -n "${floating_tag}" ]; then | |
| floating_normal_tag="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${floating_tag}" | |
| normal_tag="${normal_tag},${floating_normal_tag}" | |
| fi | |
| if [[ "${{ github.event_name }}" == 'merge_group' || "${{ github.event_name }}" == 'push' ]]; then | |
| # Don't build race and unstripped images for merge_group or push events. | |
| race_tag="" | |
| unstripped_tag="" | |
| fi | |
| echo normal_tag=${normal_tag} >> $GITHUB_OUTPUT | |
| echo race_tag=${race_tag} >> $GITHUB_OUTPUT | |
| echo unstripped_tag=${unstripped_tag} >> $GITHUB_OUTPUT | |
| # Warning: since this is a privileged workflow, subsequent workflow job | |
| # steps must take care not to execute untrusted code. | |
| - name: Checkout pull request branch (NOT TRUSTED) | |
| uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 | |
| with: | |
| persist-credentials: false | |
| ref: ${{ steps.tag.outputs.sha }} | |
| - name: Check for disk usage | |
| shell: bash | |
| run: | | |
| df -h | |
| - name: Copy runtime image tag from untrusted branch | |
| run: | | |
| cp -r .github/actions/set-runtime-image/runtime-image*.txt ../cilium-base-branch/set-runtime-image/ | |
| - name: Set runtime image environment variable | |
| uses: ./../cilium-base-branch/set-runtime-image | |
| with: | |
| repository: ${{ env.CILIUM_RUNTIME_IMAGE_PREFIX }} | |
| # Load Golang cache build from GitHub | |
| - name: Restore Golang cache build from GitHub | |
| uses: actions/cache/restore@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 | |
| id: go-cache | |
| with: | |
| path: /tmp/.cache/go | |
| key: ${{ runner.os }}-go-${{ matrix.name }}-cache-${{ hashFiles('**/go.sum') }} | |
| restore-keys: | | |
| ${{ runner.os }}-go-${{ matrix.name }}-cache- | |
| - name: Check for disk usage | |
| shell: bash | |
| run: | | |
| df -h | |
| docker buildx du | |
| - name: Create cache directories if they don't exist | |
| if: ${{ steps.go-cache.outputs.cache-hit != 'true' }} | |
| shell: bash | |
| run: | | |
| mkdir -p /tmp/.cache/go | |
| # Import GitHub's cache build to docker cache | |
| - name: Copy ${{ matrix.name }} Golang cache to docker cache | |
| uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 | |
| with: | |
| provenance: false | |
| context: /tmp/.cache/go | |
| file: ./images/cache/Dockerfile | |
| push: false | |
| platforms: linux/amd64 | |
| target: import-cache | |
| - name: Check for disk usage | |
| shell: bash | |
| run: | | |
| df -h | |
| docker buildx du | |
| - name: Check build constraints | |
| id: check | |
| run: | | |
| if [[ -z "${{ matrix.require-dir }}" ]] || | |
| [[ -d "${{ matrix.require-dir }}" ]]; then | |
| echo build="true" >> $GITHUB_OUTPUT | |
| fi | |
| - name: CI Build ${{ matrix.name }} | |
| uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 | |
| id: docker_build_ci | |
| if: ${{ steps.check.outputs.build != '' }} | |
| with: | |
| provenance: false | |
| context: . | |
| file: ${{ matrix.dockerfile }} | |
| push: true | |
| platforms: ${{ matrix.platforms }} | |
| tags: ${{ steps.tag.outputs.normal_tag }} | |
| target: release | |
| build-args: | | |
| CILIUM_RUNTIME_IMAGE=${{ env.CILIUM_RUNTIME_IMAGE }} | |
| OPERATOR_VARIANT=${{ matrix.name }} | |
| - name: CI race detection Build ${{ matrix.name }} | |
| uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 | |
| id: docker_build_ci_detect_race_condition | |
| if: ${{ steps.check.outputs.build != '' && steps.tag.outputs.race_tag != ''}} | |
| with: | |
| provenance: false | |
| context: . | |
| file: ${{ matrix.dockerfile }} | |
| push: true | |
| platforms: linux/amd64 | |
| tags: ${{ steps.tag.outputs.race_tag }} | |
| target: release | |
| build-args: | | |
| BASE_IMAGE=${{ env.CILIUM_RUNTIME_IMAGE }} | |
| CILIUM_RUNTIME_IMAGE=${{ env.CILIUM_RUNTIME_IMAGE }} | |
| MODIFIERS="LOCKDEBUG=1 RACE=1" | |
| OPERATOR_VARIANT=${{ matrix.name }} | |
| - name: CI Unstripped Binaries Build ${{ matrix.name }} | |
| uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 | |
| id: docker_build_ci_unstripped | |
| if: ${{ steps.check.outputs.build != '' && steps.tag.outputs.unstripped_tag != ''}} | |
| with: | |
| provenance: false | |
| context: . | |
| file: ${{ matrix.dockerfile }} | |
| push: true | |
| platforms: linux/amd64 | |
| tags: ${{ steps.tag.outputs.unstripped_tag }} | |
| target: release | |
| build-args: | | |
| CILIUM_RUNTIME_IMAGE=${{ env.CILIUM_RUNTIME_IMAGE }} | |
| MODIFIERS="NOSTRIP=1" | |
| OPERATOR_VARIANT=${{ matrix.name }} | |
| - name: Generate SBOM, Sign, and Attest Main CI Image | |
| if: ${{ matrix.name != 'cilium-cli' && steps.check.outputs.build != '' }} | |
| uses: ./../cilium-base-branch/cosign | |
| with: | |
| image: "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci.outputs.digest }}" | |
| image_tag: "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}" | |
| sbom_name: "ci_${{ matrix.name }}_${{ steps.tag.outputs.tag }}" | |
| - name: Generate SBOM, Sign, and Attest Race Detection Image | |
| if: ${{ matrix.name != 'cilium-cli' && steps.docker_build_ci_detect_race_condition.outcome != 'skipped' }} | |
| uses: ./../cilium-base-branch/cosign | |
| with: | |
| image: "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_detect_race_condition.outputs.digest }}" | |
| image_tag: "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-race" | |
| sbom_name: "ci_race_${{ matrix.name }}_${{ steps.tag.outputs.tag }}" | |
| install_cosign: 'false' | |
| - name: Generate SBOM, Sign, and Attest Unstripped Image | |
| if: ${{ matrix.name != 'cilium-cli' && steps.docker_build_ci_unstripped.outcome != 'skipped' }} | |
| uses: ./../cilium-base-branch/cosign | |
| with: | |
| image: "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_unstripped.outputs.digest }}" | |
| image_tag: "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-unstripped" | |
| sbom_name: "ci_unstripped_${{ matrix.name }}_${{ steps.tag.outputs.tag }}" | |
| install_cosign: 'false' | |
| - name: CI Image Releases digests | |
| shell: bash | |
| if: ${{ steps.check.outputs.build != '' }} | |
| run: | | |
| mkdir -p image-digest/ | |
| # shellcheck disable=SC2078 | |
| if [ ${{ github.event_name == 'push' && !startsWith(github.ref_name, 'ft/') }} ]; then | |
| echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.floating_tag }}@${{ steps.docker_build_ci.outputs.digest }}" > image-digest/${{ matrix.name }}.txt | |
| fi | |
| echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}@${{ steps.docker_build_ci.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt | |
| if [[ "${{ steps.docker_build_ci_detect_race_condition.outcome }}" != 'skipped' ]]; then | |
| echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-race@${{ steps.docker_build_ci_detect_race_condition.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt | |
| fi | |
| if [[ "${{ steps.docker_build_ci_unstripped.outcome }}" != 'skipped' ]]; then | |
| echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-unstripped@${{ steps.docker_build_ci_unstripped.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt | |
| fi | |
| # Upload artifact digests | |
| - name: Upload artifact digests | |
| uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 | |
| if: ${{ steps.check.outputs.build != '' }} | |
| with: | |
| name: image-digest ${{ matrix.name }} | |
| path: image-digest | |
| retention-days: 1 | |
| - name: Check for disk usage | |
| if: ${{ always() }} | |
| shell: bash | |
| run: | | |
| df -h | |
| image-digests: | |
| if: ${{ always() }} | |
| name: Display Digests | |
| runs-on: ubuntu-24.04 | |
| needs: build-and-push-prs | |
| steps: | |
| - name: Downloading Image Digests | |
| shell: bash | |
| run: | | |
| mkdir -p image-digest/ | |
| - name: Download digests of all images built | |
| uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 | |
| with: | |
| path: image-digest/ | |
| pattern: "*image-digest *" | |
| - name: Image Digests Output | |
| shell: bash | |
| run: | | |
| cd image-digest/ | |
| find -type f | sort | xargs -d '\n' cat | |
| push-chart: | |
| name: Push dev chart | |
| needs: build-and-push-prs | |
| permissions: | |
| contents: read | |
| pull-requests: read | |
| statuses: write | |
| uses: ./.github/workflows/push-chart-ci.yaml | |
| with: | |
| checkout_ref: ${{ needs.build-and-push-prs.outputs.sha }} | |
| image_tag: ${{ needs.build-and-push-prs.outputs.sha }} | |
| secrets: inherit | |
| pre-comment: | |
| # Avoid running the "Trigger CI from renovate PRs" environment if we don't need to. | |
| name: Pre-Comment | |
| needs: build-and-push-prs | |
| runs-on: ubuntu-24.04 | |
| if: ${{ | |
| github.event_name == 'pull_request_target' && | |
| github.event.pull_request.user.login == vars.RENOVATE_BOT_USERNAME | |
| }} | |
| steps: | |
| - name: Debug | |
| run: | | |
| echo ${{ github.event.pull_request.user.login }} | |
| echo ${{ github.event.event_name }} | |
| comment: | |
| name: Post test comment for Renovate PRs after images built | |
| runs-on: ubuntu-24.04 | |
| needs: pre-comment | |
| environment: "Trigger CI from renovate PRs" | |
| if: ${{ | |
| github.event_name == 'pull_request_target' && | |
| github.event.pull_request.user.login == vars.RENOVATE_BOT_USERNAME | |
| }} | |
| steps: | |
| - name: Post /test comment | |
| env: | |
| TOKEN: ${{ secrets.AUTO_COMMENT_TOKEN }} | |
| GITHUB_REPOSITORY: ${{ github.repository }} | |
| PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} | |
| run: | | |
| echo ${TOKEN} | gh auth login --with-token | |
| gh pr --repo ${GITHUB_REPOSITORY} comment ${PULL_REQUEST_NUMBER} --body "/test" |