Skip to content

[TC-1666] - Ten Latest Sboms with vulnerabilities summary backend (#1… #65

[TC-1666] - Ten Latest Sboms with vulnerabilities summary backend (#1…

[TC-1666] - Ten Latest Sboms with vulnerabilities summary backend (#1… #65

Workflow file for this run

name: snapshot
on:
push:
# Releases are tags named 'v<version>', and must have the "major.minor.micro", for example: "0.1.0".
# Release candidates are tagged as `v<version>-rc<num>`, for example: "0.1.0-rc1".
branches:
- main
concurrency: snapshot
permissions:
contents: write # for creating a release
packages: write # for publishing containers
id-token: write # for using OIDC tokens
env:
SYFT_VERSION: "0.68.1"
jobs:
init:
runs-on: ubuntu-22.04
outputs:
version: ${{steps.version.outputs.version}}
steps:
- name: Set version
id: version
env:
COMMIT: ${{github.sha}}
run: |
echo "version=$COMMIT" >> $GITHUB_OUTPUT
# check that our CI would pass
ci:
uses: ./.github/workflows/ci.yaml
publish:
needs: [ init, ci ]
permissions:
contents: write
packages: write
id-token: write # for using OIDC tokens
runs-on: ubuntu-22.04
strategy:
matrix:
include:
- name: trust
containerfile: container_files/Containerfile.services
- name: trust-docs
containerfile: container_files/Containerfile.docs
- name: trust-tests
containerfile: container_files/Containerfile.tests
env:
IMAGE_TAG: ${{ needs.init.outputs.version }} latest
PLATFORMS: "linux/amd64, linux/arm64"
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install cosign
uses: sigstore/cosign-installer@v3
- name: Check cosign
run: cosign version
- uses: actions/download-artifact@v4
with:
path: ~/download
- name: Display downloaded content
run: ls -R ~/download
# We need to rebuild images until podman is able to load multi-arch images
# https://github.com/containers/podman/issues/4646
# - name: Load container
# run: |
# for container in $CONTAINERS; do
# podman load --input ~/download/${container}-container/${container}-image.tar
# done
- name: Install qemu dependency
run: |
sudo apt-get update
sudo apt-get install -y qemu-user-static
- name: Build Image
id: build-image
uses: redhat-actions/buildah-build@v2
with:
image: ${{ matrix.name }}
tags: ${{ env.IMAGE_TAG }}
envs: |
TAG=${{ env.IMAGE_TAG }}
build-args: |
tag=${{ env.IMAGE_TAG }}
platforms: ${{ env.PLATFORMS }}
containerfiles: |
./${{ matrix.containerfile }}
- name: Check images created
run: buildah images | grep '${{ matrix.name }}'
- name: Save image
run: podman save --multi-image-archive ${{ matrix.name }}:latest > ${{ matrix.name }}-image.tar
# Push to ghcr.io
- name: Push to ghcr.io
id: push
uses: redhat-actions/push-to-registry@v2
with:
image: ${{ matrix.name }}
tags: ${{ env.IMAGE_TAG }}
registry: ghcr.io/${{ github.repository_owner }}
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Log in to ghcr.io
uses: redhat-actions/podman-login@v1
with:
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
registry: "ghcr.io"
- name: Sign the images with GitHub OIDC Token
env:
COSIGN_EXPERIMENTAL: true
run: |
cosign sign --yes --recursive "ghcr.io/${{ github.repository_owner }}/${{ matrix.name }}@${{ steps.push.outputs.digest }}"
staging:
needs: [ init, publish ]
uses: ./.github/workflows/staging.yaml
secrets: inherit
with:
releaseTag: ${{ needs.init.outputs.version }}