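name: Build with evidence

on:
  - push
  - workflow_dispatch

# Least privilege: nothing is granted workflow-wide. Each job declares only what it
# uses — the OIDC id-token is needed only by Evidence-on-build (it is the job that
# sets oidc-provider-name), so Docker-build no longer receives it.
permissions: {}

jobs:
  # Builds and pushes the linux/amd64 image, records the build-info, attaches a
  # signature evidence to the pushed image, uploads the README and publishes build-info.
  Docker-build:
    runs-on: ubuntu-latest
    permissions:
      contents: read   # actions/checkout
    defaults:
      run:
        shell: bash    # explicit bash => `-e -o pipefail`, so a failing `x | y` fails the step
    steps:
      # NOTE(review): all third-party actions are pinned to mutable major tags (@v3/@v4).
      # Pinning each to a full commit SHA (tag kept in a trailing comment) is the
      # supply-chain-safe form; SHAs are intentionally not guessed here.
      - name: Install jfrog cli
        uses: jfrog/setup-jfrog-cli@v4
        with:
          version: "2.71.2"
        env:
          JF_URL: ${{ vars.ARTIFACTORY_URL }}
          # TODO(review): this job authenticates with a long-lived access token while
          # Evidence-on-build uses OIDC. Moving this job to OIDC as well (and deriving the
          # docker-login credentials from it) would remove the static secret entirely.
          JF_ACCESS_TOKEN: ${{ secrets.ARTIFACTORY_ACCESS_TOKEN }}
      - uses: actions/checkout@v4
      - name: Collect commits into buildinfo
        env:
          BUILD_NAME: ${{ vars.BUILD_NAME }}
          BUILD_NUMBER: ${{ github.run_number }}
        run: jf rt build-add-git "$BUILD_NAME" "$BUILD_NUMBER"
      - name: Log in to Artifactory Docker Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ vars.ARTIFACTORY_URL }}
          username: ${{ secrets.JF_USER }}
          password: ${{ secrets.ARTIFACTORY_ACCESS_TOKEN }}
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        with:
          platforms: linux/amd64,linux/arm64
          install: true
      - name: Build Docker image
        # Values reach the script through env, never via ${{ }} inside `run:`, so they
        # are data to the shell rather than part of the command text.
        env:
          PROJECT: ${{ vars.PROJECT }}
          BUILD_NAME: ${{ vars.BUILD_NAME }}
          BUILD_NUMBER: ${{ github.run_number }}
          ARTIFACTORY_URL: ${{ vars.ARTIFACTORY_URL }}
        run: |
          # Registry host without the scheme (same as the previous `sed 's|^https://||'`).
          HOST="${ARTIFACTORY_URL#https://}"
          # The image is pushed through the *-docker-dev-virtual repo while build-docker-create
          # and the evidence subject below address the *-docker-dev local repo directly.
          # This assumes the virtual repo's default deployment target is ${PROJECT}-docker-dev — TODO confirm.
          REPO_URL="${HOST}/${PROJECT}-docker-dev-virtual"
          # Only linux/amd64 is built although buildx was set up for arm64 as well;
          # keep this in step with the platforms list above if a multi-arch image is intended.
          docker build --build-arg "REPO_URL=${REPO_URL}" -f Dockerfile . \
            --tag "${REPO_URL}/${PROJECT}-app:${BUILD_NUMBER}" \
            --output=type=image --platform linux/amd64 --metadata-file=build-metadata --push
          jf rt build-docker-create "${PROJECT}-docker-dev" --image-file build-metadata \
            --build-name "$BUILD_NAME" --build-number "$BUILD_NUMBER"
      - name: Evidence on docker
        env:
          PROJECT: ${{ vars.PROJECT }}
          BUILD_NUMBER: ${{ github.run_number }}
          ACTOR: ${{ github.actor }}
          # Step-scoped (not job-scoped) so the signing key is not exported into other steps/actions.
          EVD_PRIVATE_KEY: ${{ secrets.PRIVATE_KEY }}
        run: |
          # Predicate: who triggered the run and when (UTC), same shape as before.
          printf '{ "actor": "%s", "date": "%s" }\n' "$ACTOR" "$(date -u +"%Y-%m-%dT%H:%M:%SZ")" > sign.json
          # --key-alias added to match the build-signature/sonar evidence in the other job so the
          # same public key (CI-RSA-KEY) is used for verification of every piece of evidence.
          # NOTE(review): the private key is still passed as a command-line argument and is
          # therefore visible in the runner's process list; writing it to a 0600 file and passing
          # the path would avoid that — confirm `--key` accepts a file path in CLI 2.71.2.
          # The subject path names the multi-platform index (list.manifest.json) although only
          # linux/amd64 is built — TODO confirm against what Artifactory actually stores for this push.
          jf evd create --key "$EVD_PRIVATE_KEY" --key-alias CI-RSA-KEY \
            --subject-repo-path "${PROJECT}-docker-dev/${PROJECT}-app/${BUILD_NUMBER}/list.manifest.json" \
            --predicate ./sign.json --predicate-type https://jfrog.com/evidence/signature/v1
          # Was printed to stdout only; every other step writes its note to the job summary.
          # (An emoji preceded this text in the checked-in file; it arrived here as mojibake and is omitted.)
          echo 'Evidence attached: `signature` :lock_with_ink_pen: ' >> "$GITHUB_STEP_SUMMARY"
      - name: Upload readme file
        env:
          PROJECT: ${{ vars.PROJECT }}
          BUILD_NAME: ${{ vars.BUILD_NAME }}
          BUILD_NUMBER: ${{ github.run_number }}
        run: |
          jf rt upload ./README.md "${PROJECT}-generic-dev/readme/${BUILD_NUMBER}/" \
            --build-name "$BUILD_NAME" --build-number "$BUILD_NUMBER"
      - name: Publish build info
        env:
          BUILD_NAME: ${{ vars.BUILD_NAME }}
          BUILD_NUMBER: ${{ github.run_number }}
        run: jf rt build-publish "$BUILD_NAME" "$BUILD_NUMBER"

  # Authenticates via OIDC, signs the published build-info, attaches Sonar results as
  # evidence and wraps the build into a signed release bundle.
  Evidence-on-build:
    needs: Docker-build
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # OIDC token exchange with Artifactory (oidc-provider-name below)
      contents: read    # actions/checkout (sonar/sonar-scan.sh comes from the repo)
    defaults:
      run:
        shell: bash
    steps:
      - name: Install jfrog cli
        uses: jfrog/setup-jfrog-cli@v4
        with:
          oidc-provider-name: evidence-demo
          version: "2.71.2"
        env:
          JF_URL: ${{ vars.ARTIFACTORY_URL }}
      - uses: actions/checkout@v4
      # Sign the build-info published by Docker-build.
      - name: Sign build evidence
        env:
          BUILD_NAME: ${{ vars.BUILD_NAME }}
          BUILD_NUMBER: ${{ github.run_number }}
          ACTOR: ${{ github.actor }}
          EVD_PRIVATE_KEY: ${{ secrets.PRIVATE_KEY }}
        run: |
          printf '{ "actor": "%s", "date": "%s" }\n' "$ACTOR" "$(date -u +"%Y-%m-%dT%H:%M:%SZ")" > sign.json
          jf evd create --build-name "$BUILD_NAME" --build-number "$BUILD_NUMBER" \
            --predicate ./sign.json --predicate-type https://jfrog.com/evidence/build-signature/v1 \
            --key "$EVD_PRIVATE_KEY" --key-alias CI-RSA-KEY
          echo 'Evidence attached: `build-signature` :lock_with_ink_pen: ' >> "$GITHUB_STEP_SUMMARY"
      # Run the Sonar scan and attach its JSON output as evidence on the build.
      - name: Sonar evidence
        env:
          BUILD_NAME: ${{ vars.BUILD_NAME }}
          BUILD_NUMBER: ${{ github.run_number }}
          EVD_PRIVATE_KEY: ${{ secrets.PRIVATE_KEY }}
        run: |
          # Whatever the script prints becomes the predicate; with `-e` a non-zero exit
          # stops the step before an incomplete file is attached as evidence.
          bash sonar/sonar-scan.sh > sonar-results.json
          jf evd create --build-name "$BUILD_NAME" --build-number "$BUILD_NUMBER" \
            --predicate ./sonar-results.json --predicate-type https://jfrog.com/evidence/sonar-results/v1 \
            --key "$EVD_PRIVATE_KEY" --key-alias CI-RSA-KEY
          echo 'Evidence attached: `sonar-results`' >> "$GITHUB_STEP_SUMMARY"
      - name: Create release bundle
        env:
          PROJECT: ${{ vars.PROJECT }}
          BUILD_NAME: ${{ vars.BUILD_NAME }}
          BUNDLE_NAME: ${{ vars.BUNDLE_NAME }}
          BUILD_NUMBER: ${{ github.run_number }}
          ARTIFACTORY_URL: ${{ vars.ARTIFACTORY_URL }}
        run: |
          printf '{ "files": [ {"build": "%s/%s" } ] }\n' "$BUILD_NAME" "$BUILD_NUMBER" > bundle-spec.json
          jf release-bundle-create "$BUNDLE_NAME" "$BUILD_NUMBER" --signing-key PGP-RSA-2048 \
            --spec bundle-spec.json --project "$PROJECT"
          # Links into the Artifactory lifecycle UI for the job summary.
          LIFECYCLE="${ARTIFACTORY_URL}/ui/artifactory/lifecycle/?bundleName=${BUNDLE_NAME}&bundleToFlash=${BUNDLE_NAME}"
          NAME_LINK="${LIFECYCLE}&repositoryKey=${PROJECT}-release-bundles-v2&activeKanbanTab=promotion"
          VER_LINK="${LIFECYCLE}&releaseBundleVersion=${BUILD_NUMBER}&repositoryKey=${PROJECT}-release-bundles-v2&activeVersionTab=Version%20Timeline&activeKanbanTab=promotion"
          # "buig created" in the previous summary text was a typo.
          echo "Release bundle [${BUNDLE_NAME}](${NAME_LINK}):[${BUILD_NUMBER}](${VER_LINK}) created" >> "$GITHUB_STEP_SUMMARY"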