You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
We should consider migrating our container images build -> push -> sign workflows to the official Docker GitHub Builder: https://github.com/docker/github-builder. This implies a major refactoring of all controller repos, CLI plugins and distro repo.
We can drop linux/arm/v7 and use the Docker workflow to run the linux/amd64 and linux/arm64 builds on dedicated GitHub runners. This will not only speed up our release pipeline but will also enable us to drop the dependency on QEMU and remove tonistiigi/xx from all our Dockerfiles.
From a security perspective, moving to Docker's reusable workflow should improve our supply chain security. We'll be able to reduce our build dependencies to Docker-owned artifacts and remove personal-owned deps such as: tonistiigi/binfmt and tonistiigi/xx. We should be able to lock our imports to the Docker GitHub org and to the official GitHub Actions, without relaying on actions and binaries imported from GitHub and Docker personal accounts.
The docker/github-builder imports crazy-max/ghaction-github-runtime which again puts us in a situation where we can not limit our release workflow to Docker's GitHub org, we must trust @crazy-max's action as it will have access to our most sensitive secrets (GITHUB_TOKEN and DOCKER_TOKEN with push/sign access).
We should consider migrating our container images build -> push -> sign workflows to the official Docker GitHub Builder: https://github.com/docker/github-builder. This implies a major refactoring of all controller repos, CLI plugins and distro repo.
We can drop
linux/arm/v7and use the Docker workflow to run thelinux/amd64andlinux/arm64builds on dedicated GitHub runners. This will not only speed up our release pipeline but will also enable us to drop the dependency on QEMU and removetonistiigi/xxfrom all our Dockerfiles.From a security perspective, moving to Docker's reusable workflow should improve our supply chain security. We'll be able to reduce our build dependencies to Docker-owned artifacts and remove personal-owned deps such as:
tonistiigi/binfmtandtonistiigi/xx. We should be able to lock our imports to the Docker GitHub org and to the official GitHub Actions, without relaying on actions and binaries imported from GitHub and Docker personal accounts.Blockers:
docker/github-builderimportscrazy-max/ghaction-github-runtimewhich again puts us in a situation where we can not limit our release workflow to Docker's GitHub org, we must trust @crazy-max's action as it will have access to our most sensitive secrets (GITHUB_TOKEN and DOCKER_TOKEN with push/sign access).