# Copyright (c) 2024 VEXXHOST, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
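---
# Zuul playbook: build the Atmosphere container images with `docker buildx
# bake`; on the `post` pipeline additionally push them, sign them with cosign
# and report them back to Zuul as artifacts.
- name: Build images
  hosts: all
  tasks:
    - name: Create builder
      ansible.builtin.shell: docker buildx create --name=atmosphere --driver=docker-container

    # Pushing and signing only happen on the `post` pipeline, so the registry
    # login is skipped everywhere else.
    - name: Log into registry
      when: zuul.pipeline == 'post'
      docker_login:
        registry: registry.atmosphere.dev
        username: "{{ registry_credentials.username }}"
        password: "{{ registry_credentials.password }}"

    # `--push` is appended only on `post`; every other pipeline builds locally.
    - name: Build images
      ansible.builtin.shell: |
        docker buildx bake --builder=atmosphere --provenance --sbom=true {% if zuul.pipeline == 'post' %}--push{% endif %}
      args:
        chdir: "{{ zuul.project.src_dir }}"
      environment:
        # Jinja renders the comparison as the string "True" / "False".
        PUSH_TO_CACHE: "{{ zuul.pipeline == 'post' }}"

    - name: Get list of images built
      ansible.builtin.shell: docker buildx bake --print
      args:
        chdir: "{{ zuul.project.src_dir }}"
      register: images_built_json

    # Flatten the `tags` list of every bake target into one list of references.
    - name: Set fact with list of images
      ansible.builtin.set_fact:
        images_built: "{{ images_built_json.stdout | from_json | json_query('target.*.tags[?@] | []') }}"

    - name: Sign images
      when: zuul.pipeline == 'post'
      block:
        # NOTE(review): this fetches whatever release is "latest" at run time
        # and installs it as root without verifying it, right before it is
        # trusted to sign the images. Pin the release in the URL and add
        #   checksum: "sha256:<EXPECTED_COSIGN_SHA256>"   # placeholder, fill in
        # so an unexpected or tampered binary is rejected.
        - name: Download cosign binary
          become: true
          ansible.builtin.get_url:
            url: https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64
            dest: /usr/local/bin/cosign
            # Quoted so the file mode is not re-typed as an octal integer.
            mode: "0755"

        # The key only needs to be readable by the signing user, and its
        # contents must never be echoed into the job log.
        - name: Copy the cosign private key
          no_log: true
          ansible.builtin.copy:
            content: "{{ cosign_key.private }}"
            dest: cosign.key
            mode: "0600"

        # `| quote` shell-escapes each reference before it is interpolated.
        - name: Sign images
          ansible.builtin.shell: |
            cosign sign -y --recursive --key cosign.key {{ item | quote }}
          loop: "{{ images_built }}"
      always:
        # Runs even when signing fails, so the private key never outlives
        # the block it was written for.
        - name: Delete the cosign private key
          ansible.builtin.file:
            path: cosign.key
            state: absent

    # Split on the last ':' so a registry with a port (host:5000/image:tag)
    # still yields the right repository and tag.
    - name: Return Zuul artifacts for images
      zuul_return:
        data:
          zuul:
            artifacts:
              - name: "{{ item }}"
                url: "docker://{{ item }}"
                metadata:
                  type: container_image
                  repository: "{{ item.rsplit(':', 1)[0] }}"
                  tag: "{{ item.rsplit(':', 1)[1] }}"
      loop: "{{ images_built }}"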