diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml new file mode 100755 index 0000000..aa75424 --- /dev/null +++ b/.github/workflows/maven.yml @@ -0,0 +1,76 @@ +name: Build OpenUnison + +on: + push: + branches: + - 'main' +permissions: + id-token: write + packages: write + +jobs: + build: + + runs-on: ubuntu-latest + + steps: + - name: Install Cosign + uses: sigstore/cosign-installer@main + + - name: Set up QEMU + uses: docker/setup-qemu-action@v1 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v1 + - uses: actions/checkout@v1 + + + - name: generate tag + run: |- + export PROJ_VERSION="1.0.0" + echo "TAG=$PROJ_VERSION-$(echo $GITHUB_SHA | cut -c 1-6)" >> $GITHUB_ENV + echo "SHORT_TAG=$PROJ_VERSION" >> $GITHUB_ENV + + - name: Login to container Registry + uses: docker/login-action@v2 + with: + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} + registry: ghcr.io + + - name: downcase REPO + run: | + echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV} + + + + + + + + - + name: Build and push + id: docker_build + uses: docker/build-push-action@v2 + with: + context: "." + push: true + tags: | + ghcr.io/${{ env.REPO }}:${{ env.TAG }} + ghcr.io/${{ env.REPO }}:${{ env.SHORT_TAG }} + ghcr.io/${{ env.REPO }}:latest + + - name: sign images + run: |- + cosign sign -y ghcr.io/${{ env.REPO }}:${{ env.TAG }} + + - uses: anchore/sbom-action@v0 + with: + image: ghcr.io/${{ env.REPO }}:${{ env.TAG }} + format: spdx + output-file: /tmp/spdxg + + - name: attach sbom to images + run: |- + cosign attach sbom --sbom /tmp/spdxg ghcr.io/${{ env.REPO }}:${{ env.TAG }} + GH_SBOM_SHA=$(cosign verify --certificate-oidc-issuer-regexp='.*' --certificate-identity-regexp='.*' ghcr.io/${{ env.REPO }}:${{ env.TAG }} 2>/dev/null | jq -r '.[0].critical.image["docker-manifest-digest"]' | cut -c 8-) + cosign sign -y ghcr.io/${{ env.REPO }}:sha256-$GH_SBOM_SHA.sbom