fix: add missig login for rancher repo

neuvector · Dec 23, 2024 · e585935 · e585935
1 parent 7a3fb10
commit e585935
Showing 1 changed file with 49 additions and 8 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -68,27 +68,68 @@ jobs:
         prime-repo: rancher
         prime-username: ${{ env.PRIME_REGISTRY_USERNAME }}
         prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }}
+  retag:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      # write is needed for:
+      # - OIDC for cosign's use in ecm-distro-tools/publish-image.
+      # - Read vault secrets in rancher-eio/read-vault-secrets.
+      id-token: write
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+    - name: Load Secrets from Vault
+      uses: rancher-eio/read-vault-secrets@main
+      with:
+        secrets: |
+          secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | RANCHER_DOCKER_USERNAME ;
+          secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | RANCHER_DOCKER_PASSWORD ;
+          secret/data/github/repo/${{ github.repository }}/dockerhub/neuvector/credentials username | DOCKER_USERNAME ;
+          secret/data/github/repo/${{ github.repository }}/dockerhub/neuvector/credentials password | DOCKER_PASSWORD ;
+          secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ;
+          secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials username | PRIME_REGISTRY_USERNAME ;
+          secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD
+    - name: Parse target tag
+      run: |
+        TARGET=${{ github.ref_name }}
+        echo "TAG=${TARGET#v}" >> $GITHUB_ENV
+    - name: Check if we should tag v6 scanner
+      run: |
+        if [[ ${{ github.ref_name }} =~ ^v[0-9]+\.[0-9]+$ ]];then
+          echo "We should update v6 scanner"
+          echo "UPDATE_MUTABLE_TAG=True" >> $GITHUB_ENV
+        fi
     - name: Login to registry
+      if: env.UPDATE_MUTABLE_TAG == 'True'
       uses: docker/login-action@v3
       with:
         registry: docker.io
         username: ${{ env.DOCKER_USERNAME }}
         password: ${{ env.DOCKER_PASSWORD }}
+    - name: Tag v6 scanner to neuvector
+      if: env.UPDATE_MUTABLE_TAG == 'True'
+      run: |
+        docker buildx imagetools create --tag docker.io/${{ github.repository_owner }}/scanner:6 docker.io/${{ github.repository_owner }}/scanner:${TAG}
     - name: Login to registry
+      if: env.UPDATE_MUTABLE_TAG == 'True'
       uses: docker/login-action@v3
       with:
         registry: ${{ env.PRIME_REGISTRY }}
         username: ${{ env.PRIME_REGISTRY_USERNAME }}
         password: ${{ env.PRIME_REGISTRY_PASSWORD }}
-    - name: Check if we should tag v6 scanner
-      run: |
-        if [[ ${{ github.ref_name }} =~ ^v[0-9]+\.[0-9]+$ ]];then
-          echo "We should update v6 scanner"
-          echo "UPDATE_MUTABLE_TAG=True" >> $GITHUB_ENV
-        fi
-    - name: Tag v6 scanner
+    - name: Tag v6 scanner to prime
       if: env.UPDATE_MUTABLE_TAG == 'True'
       run: |
         docker buildx imagetools create --tag ${PRIME_REGISTRY}/rancher/neuvector-scanner:6 ${PRIME_REGISTRY}/rancher/neuvector-scanner:${TAG}
+    - name: Login to registry
+      if: env.UPDATE_MUTABLE_TAG == 'True'
+      uses: docker/login-action@v3
+      with:
+        registry: docker.io
+        username: ${{ env.RANCHER_DOCKER_USERNAME }}
+        password: ${{ env.RANCHER_DOCKER_PASSWORD }}
+    - name: Tag v6 scanner to rancher
+      if: env.UPDATE_MUTABLE_TAG == 'True'
+      run: |
         docker buildx imagetools create --tag docker.io/rancher/neuvector-scanner:6 docker.io/rancher/neuvector-scanner:${TAG}
-        docker buildx imagetools create --tag docker.io/${{ github.repository_owner }}/scanner:6 docker.io/${{ github.repository_owner }}/scanner:${TAG}