Skip to content

PATCH: CVE fix - Upgrade golang.org/x/net from v0.20.0 to 0.33.0 #65

PATCH: CVE fix - Upgrade golang.org/x/net from v0.20.0 to 0.33.0

PATCH: CVE fix - Upgrade golang.org/x/net from v0.20.0 to 0.33.0 #65

# This is a copy of the publish-core-images.yaml and has been customized to
# use the quay login credentials.
# The unused parts of the original have been commented out on purpose.
name: ODH
on:
push:
branches:
- dev
tags:
- '**'
pull_request:
branches:
- dev
jobs:
build-and-publish-operator:
name: Build and (or) Publish Image
runs-on: ubuntu-latest
env:
GOPATH: ${{ github.workspace }}/go
REPO_NAME: ${{ vars.QUAY_REPO_NAME || 'opendatahub' }}
steps:
- name: Environment dump
shell: bash
run: |
echo "GOPATH = ${GOPATH}"
echo "REPO_NAME = ${REPO_NAME}"
- name: Checkout
uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version-file: go.mod
- name: Run go mod
shell: bash
run: |
go mod download
# Build operators inside the gh runner vm directly and then copy the go binaries to docker images using the Dockerfile.buildx
- name: Build linux/amd64 operator binary
env:
CGO_ENABLED: 1
GOOS: linux
GOARCH: amd64
shell: bash
run: |
go build -tags strictfipsruntime -a -o manager-$GOARCH cmd/training-operator.v1/main.go
- name: Build linux/arm64 operator binary
env:
CC: aarch64-linux-gnu-gcc
CGO_ENABLED: 1
GOOS: linux
GOARCH: arm64
shell: bash
run: |
sudo apt-get update
sudo apt-get install -y gcc-aarch64-linux-gnu libc6-dev-arm64-cross
go build -tags strictfipsruntime -a -o manager-$GOARCH cmd/training-operator.v1/main.go
- name: Add docker tags
id: meta
uses: docker/metadata-action@v5
with:
images: quay.io/${{ env.REPO_NAME }}/training-operator
tags: |
type=raw,latest
type=ref,event=pr
type=sha,prefix=v1-odh-
type=ref,enable=true,priority=600,prefix=,suffix=,event=tag
- name: Build image
id: build-image
uses: redhat-actions/buildah-build@v2
with:
image: quay.io/${{ env.REPO_NAME }}/training-operator
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
platforms: linux/amd64,linux/arm64
containerfiles: |
build/images/training-operator/Dockerfile.multiarch
extra-args: |
--pull
# Check if image is build
- name: Check images created
shell: bash
run: buildah images | grep 'quay.io/${{ env.REPO_NAME }}/training-operator'
- name: Check image manifest
shell: bash
run: |
buildah manifest inspect ${{ steps.build-image.outputs.image }}:latest
- name: Check image metadata
shell: bash
run: |
buildah inspect ${{ steps.build-image.outputs.image-with-tag }} | jq '.OCIv1.config.Labels."org.opencontainers.image.title"'
buildah inspect ${{ steps.build-image.outputs.image-with-tag }} | jq '.OCIv1.config.Labels."org.opencontainers.image.description"'
buildah inspect ${{ steps.build-image.outputs.image-with-tag }} | jq '.Docker.config.Labels."org.opencontainers.image.title"'
buildah inspect ${{ steps.build-image.outputs.image-with-tag }} | jq '.Docker.config.Labels."org.opencontainers.image.description"'
- name: Login to Quay.io
id: podman-login-quay
# Trigger step only for specific branch (master, v.*-branch) or tag (v.*).
if: (github.ref == 'refs/heads/dev' || (startsWith(github.ref, 'refs/heads/v') && endsWith(github.ref, '-branch')) || startsWith(github.ref, 'refs/tags/v'))
shell: bash
run: |
podman login --username ${{ secrets.QUAY_USERNAME }} --password ${{ secrets.QUAY_TOKEN }} quay.io
- name: Push to Quay.io
if: always() && steps.podman-login-quay.outcome == 'success'
id: push-to-quay
uses: redhat-actions/push-to-registry@v2
with:
image: ${{ steps.build-image.outputs.image }}
tags: ${{ steps.build-image.outputs.tags }}
- name: Print image url
if: steps.push-to-quay.outcome == 'success'
shell: bash
run: echo "Image pushed to ${{ steps.push-to-quay.outputs.registry-paths }}"
- name: Logout from Quay.io
if: always() && steps.podman-login-quay.outcome == 'success'
run: |
podman logout quay.io