Skip to content

TC-1177 spog-api: retrieve CertifyVuln for package #42

TC-1177 spog-api: retrieve CertifyVuln for package

TC-1177 spog-api: retrieve CertifyVuln for package #42

Workflow file for this run

name: snapshot
on:
push:
# Releases are tags named 'v<version>', and must have the "major.minor.micro", for example: "0.1.0".
# Release candidates are tagged as `v<version>-rc<num>`, for example: "0.1.0-rc1".
branches:
- main
concurrency: snapshot
permissions:
contents: write # for creating a release
packages: write # for publishing containers
id-token: write # for using OIDC tokens
env:
SYFT_VERSION: "0.68.1"
jobs:
init:
runs-on: ubuntu-22.04
outputs:
version: ${{steps.version.outputs.version}}
steps:
- name: Set version
id: version
env:
COMMIT: ${{github.sha}}
run: |
echo "version=$COMMIT" >> $GITHUB_OUTPUT
# check that our CI would pass
ci:
uses: ./.github/workflows/ci.yaml
publish:
needs: [ init, ci ]
permissions:
contents: write
packages: write
id-token: write # for using OIDC tokens
runs-on: ubuntu-22.04
env:
CONTAINERS: "trust trust-docs trust-tests"
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install cosign
uses: sigstore/cosign-installer@v3
- name: Check cosign
run: cosign version
- uses: actions/download-artifact@v4
with:
path: ~/download
- name: Display downloaded content
run: ls -R ~/download
- name: Load container
run: |
for container in $CONTAINERS; do
podman load --input ~/download/${container}-container/${container}-image.tar
done
- name: Log in to ghcr.io
uses: redhat-actions/podman-login@v1
with:
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
registry: "ghcr.io"
- name: Push to ghcr.io
id: push-images
run: |
for container in $CONTAINERS; do
IMAGE="ghcr.io/${{ github.repository_owner }}/${container}:${{ needs.init.outputs.version }}"
podman push \
"${container}:ci" \
"${IMAGE}" \
--digestfile "${RUNNER_TEMP}/push.${container}.digest"
done
- name: Push to ghcr.io (as latest)
id: push-images-latest
run: |
for container in $CONTAINERS; do
IMAGE="ghcr.io/${{ github.repository_owner }}/${container}:latest"
podman push \
"${container}:ci" \
"${IMAGE}"
done
- name: Sign the images with GitHub OIDC Token
env:
COSIGN_EXPERIMENTAL: true
run: |
for container in $CONTAINERS; do
imageDigest="$(cat ${RUNNER_TEMP}/push.${container}.digest)"
echo "Image Digest: ${imageDigest}"
# and then construct the full (pushed) name
cosign sign --yes --recursive "ghcr.io/${{ github.repository_owner }}/${container}@${imageDigest}"
done
staging:
needs: [ init, publish ]
uses: ./.github/workflows/staging.yaml
secrets: inherit
with:
releaseTag: ${{ needs.init.outputs.version }}