diff --git a/.changeset/purple-plums-breathe.md b/.changeset/purple-plums-breathe.md new file mode 100644 index 000000000..8270554b3 --- /dev/null +++ b/.changeset/purple-plums-breathe.md @@ -0,0 +1,5 @@ +--- +"reusable-docker-build-publish": minor +--- + +revert: previous change, removing manifest-debug input diff --git a/.changeset/stupid-eggs-applaud.md b/.changeset/stupid-eggs-applaud.md new file mode 100644 index 000000000..80b13e16b --- /dev/null +++ b/.changeset/stupid-eggs-applaud.md @@ -0,0 +1,5 @@ +--- +"build-push-docker-manifest": minor +--- + +feat: poll for manifest existence before attempting to get digest diff --git a/.changeset/tall-ways-beam.md b/.changeset/tall-ways-beam.md new file mode 100644 index 000000000..1a3ab358b --- /dev/null +++ b/.changeset/tall-ways-beam.md @@ -0,0 +1,5 @@ +--- +"build-push-docker-manifest": patch +--- + +revert: previous change, ignore debug env vars for buildx logging diff --git a/.github/workflows/reusable-docker-build-publish.yml b/.github/workflows/reusable-docker-build-publish.yml index f7eacf0fa..6d8e00823 100644 --- a/.github/workflows/reusable-docker-build-publish.yml +++ b/.github/workflows/reusable-docker-build-publish.yml @@ -346,12 +346,6 @@ on: required: false type: string default: "true" - manifest-debug: - description: | - Enable debug output for Docker manifest generation step. Set to 'true' to enable. - required: false - type: string - default: "false" outputs: docker-image-sha-digest-amd64: @@ -787,8 +781,6 @@ jobs: - name: Docker manifest index uses: smartcontractkit/.github/actions/build-push-docker-manifest@build-push-docker-manifest/v1 id: docker-manifest - env: - CL_MANIFEST_DEBUG: ${{ inputs.manifest-debug }} with: # Avoid using `github.workflow_ref` here because the `cosign sign` # command will use the reusable workflow path for its identity and diff --git a/actions/build-push-docker-manifest/action.yml b/actions/build-push-docker-manifest/action.yml index ead300b44..e4f002959 100644 
--- a/actions/build-push-docker-manifest/action.yml +++ b/actions/build-push-docker-manifest/action.yml @@ -135,21 +135,20 @@ inputs: outputs: manifest-digest: description: "Docker @sha256: digest." - value: ${{ steps.create-push-docker-manifest.outputs.manifest-digest }} + value: ${{ steps.inspect-docker-manifest.outputs.manifest-digest }} manifest-tag: description: "Docker manifest tag." value: ${{ inputs.docker-manifest-tag }} manifest-name: description: "Docker manifest name." - value: ${{ steps.create-push-docker-manifest.outputs.manifest-name }} + value: ${{ steps.inspect-docker-manifest.outputs.manifest-name }} manifest-name-with-digest: description: "Docker manifest name with digest." value: - ${{ steps.create-push-docker-manifest.outputs.manifest-name-with-digest }} + ${{ steps.inspect-docker-manifest.outputs.manifest-name-with-digest }} manifest-name-with-tag: description: "Docker manifest name with tag." - value: - ${{ steps.create-push-docker-manifest.outputs.manifest-name-with-tag }} + value: ${{ steps.inspect-docker-manifest.outputs.manifest-name-with-tag }} runs: using: composite @@ -341,14 +340,8 @@ runs: echo "Creating Docker manifest with tag: ${DOCKER_MANIFEST_TAG}" # Build the complete command with all flags - CMD_ARGS=() - - if [[ "${RUNNER_DEBUG}" == "1" || "${CL_MANIFEST_DEBUG}" == "1" || "${CL_MANIFEST_DEBUG,,}" == "true" ]]; then - echo "Debug logging enabled for docker buildx imagetools create" - CMD_ARGS+=("--debug") - fi + CMD_ARGS=("--tag" "${DOCKER_MANIFEST_NAME_WITH_TAG}") - CMD_ARGS+=("--tag" "${DOCKER_MANIFEST_NAME_WITH_TAG}") # Add additional tag flags if present if [[ -n "${TAG_FLAGS}" ]]; then echo "Adding additional tags to manifest..." 
@@ -370,8 +363,41 @@ runs: # Execute the command docker buildx imagetools create "${CMD_ARGS[@]}" - # Get manifest digest (format: sha256:hash) - MANIFEST_DIGEST=$(docker buildx imagetools inspect "${DOCKER_MANIFEST_NAME_WITH_TAG}" | grep -m1 'Digest:' | awk '{print $2}') + - name: Inspect Docker manifest digest + id: inspect-docker-manifest + shell: bash + env: + DOCKER_MANIFEST_NAME: ${{ steps.manifest-name.outputs.name }} + DOCKER_MANIFEST_TAG: ${{ inputs.docker-manifest-tag }} + run: | + DOCKER_MANIFEST_NAME_WITH_TAG="${DOCKER_MANIFEST_NAME}:${DOCKER_MANIFEST_TAG}" + + MAX_RETRIES=5 + RETRY_DELAY=10 + MANIFEST_DIGEST="" + + for i in $(seq 1 $MAX_RETRIES); do + echo "Attempt ${i}/${MAX_RETRIES}: Inspecting manifest (${DOCKER_MANIFEST_NAME_WITH_TAG}) to retrieve digest..." + + if INSPECT_OUTPUT=$(docker buildx imagetools inspect "${DOCKER_MANIFEST_NAME_WITH_TAG}" 2>/dev/null); then + MANIFEST_DIGEST=$(echo "${INSPECT_OUTPUT}" | grep -m1 'Digest:' | awk '{print $2}') + if [[ "${MANIFEST_DIGEST}" =~ ^sha256:[a-f0-9]{64}$ ]]; then + echo "Successfully retrieved manifest digest on attempt ${i}: ${MANIFEST_DIGEST}" + break + fi + fi + + echo "Attempt ${i}/${MAX_RETRIES}: Manifest not yet available (got: '${MANIFEST_DIGEST}'), retrying in ${RETRY_DELAY}s..." + + sleep $RETRY_DELAY + MANIFEST_DIGEST="" + done + + if [[ -z "${MANIFEST_DIGEST}" ]]; then + echo "::error::Failed to retrieve manifest digest for ${DOCKER_MANIFEST_NAME_WITH_TAG} after ${MAX_RETRIES} attempts" + exit 1 + fi + echo "manifest-digest=${MANIFEST_DIGEST}" | tee -a "${GITHUB_OUTPUT}" echo "manifest-name=${DOCKER_MANIFEST_NAME}" | tee -a "${GITHUB_OUTPUT}" echo "manifest-name-with-digest=${DOCKER_MANIFEST_NAME}@${MANIFEST_DIGEST}" | tee -a "${GITHUB_OUTPUT}" 
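Review bot: The `2>/dev/null` on `docker buildx imagetools inspect` in the new retry loop discards the registry's error text, so an expired credential, a rate limit or a wrong image name is retried five times and then reported as "Manifest not yet available". Dropping the redirect, `if INSPECT_OUTPUT=$(docker buildx imagetools inspect "${DOCKER_MANIFEST_NAME_WITH_TAG}"); then`, sends stderr to the step log while the captured stdout is parsed exactly as before. The digest is also still resolved through the mutable tag, and with `MAX_RETRIES=5` and `RETRY_DELAY=10` the gap between `imagetools create` and a successful lookup can now be considerably longer; since this value is what the later `cosign sign` step signs, it is worth confirming that nothing else can push to the same tag in that window. The step's remaining output lines continue outside the hunk.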
@@ -389,8 +415,7 @@ runs: shell: sh env: MANIFEST_NAME_WITH_DIGEST: - ${{ - steps.create-push-docker-manifest.outputs.manifest-name-with-digest }} + ${{ steps.inspect-docker-manifest.outputs.manifest-name-with-digest }} run: cosign sign "${MANIFEST_NAME_WITH_DIGEST}" --yes - name: Verify Docker image signature @@ -401,7 +426,7 @@ runs: env: MANIFEST_NAME_WITH_DIGEST: >- ${{ - steps.create-push-docker-manifest.outputs.manifest-name-with-digest + steps.inspect-docker-manifest.outputs.manifest-name-with-digest }} GITHUB_WORKFLOW_REPOSITORY: ${{ inputs.github-workflow-repository }} OIDC_ISSUER: ${{ inputs.cosign-oidc-issuer }} @@ -418,19 +443,17 @@ runs: DOCKER_MANIFEST_SIGNED: ${{ inputs.docker-manifest-sign }} GITHUB_WORKFLOW_REPOSITORY: ${{ inputs.github-workflow-repository }} MANIFEST_ADDITIONAL_TAGS: - ${{ steps.create-push-docker-manifest.outputs.manifest-additional-tags - }} + ${{ steps.inspect-docker-manifest.outputs.manifest-additional-tags }} MANIFEST_DIGEST: - ${{ steps.create-push-docker-manifest.outputs.manifest-digest }} - MANIFEST_NAME: - ${{ steps.create-push-docker-manifest.outputs.manifest-name}} + ${{ steps.inspect-docker-manifest.outputs.manifest-digest }} + MANIFEST_NAME: ${{ steps.inspect-docker-manifest.outputs.manifest-name}} MANIFEST_NAME_WITH_DIGEST: >- ${{ - steps.create-push-docker-manifest.outputs.manifest-name-with-digest + steps.inspect-docker-manifest.outputs.manifest-name-with-digest }} MANIFEST_NAME_WITH_TAG: >- ${{ - steps.create-push-docker-manifest.outputs.manifest-name-with-tag + steps.inspect-docker-manifest.outputs.manifest-name-with-tag }} MANIFEST_TAG: ${{ inputs.docker-manifest-tag }} OIDC_ISSUER: ${{ inputs.cosign-oidc-issuer }} diff --git a/workflows/reusable-docker-build-publish/reusable-docker-build-publish.yml b/workflows/reusable-docker-build-publish/reusable-docker-build-publish.yml index a7c58f36c..54ebde14e 100644 --- a/workflows/reusable-docker-build-publish/reusable-docker-build-publish.yml 
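Review bot: The `manifest-additional-tags` output may come back empty after this rewiring. In the `@@ -418,19 +443,17 @@` hunk, `MANIFEST_ADDITIONAL_TAGS` now reads `steps.inspect-docker-manifest.outputs.manifest-additional-tags`, but the new inspect step's `env:` defines only `DOCKER_MANIFEST_NAME` and `DOCKER_MANIFEST_TAG`. The line that writes `manifest-additional-tags` to `GITHUB_OUTPUT` is not visible in this diff; if it expands a variable that was set only in the create step's environment, the value would silently become an empty string. If so, add that variable to the inspect step's `env:`, or emit the output from the step that still has it. The env block this hunk edits continues outside the hunk.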
+++ b/workflows/reusable-docker-build-publish/reusable-docker-build-publish.yml @@ -342,12 +342,6 @@ on: required: false type: string default: "true" - manifest-debug: - description: | - Enable debug output for Docker manifest generation step. Set to 'true' to enable. - required: false - type: string - default: "false" outputs: docker-image-sha-digest-amd64: @@ -783,8 +777,6 @@ jobs: - name: Docker manifest index uses: smartcontractkit/.github/actions/build-push-docker-manifest@build-push-docker-manifest/v1 id: docker-manifest - env: - CL_MANIFEST_DEBUG: ${{ inputs.manifest-debug }} with: # Avoid using `github.workflow_ref` here because the `cosign sign` # command will use the reusable workflow path for its identity and