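name: snapshot

# Hardening note: every `uses:` below references a mutable tag (`@v4`, `@v3`,
# `@v2`, `@v1`). Pinning each action to a full commit SHA makes the action
# supply chain reproducible; the SHAs are deliberately not guessed here.

on:
  push:
    # Snapshot builds run on every push to `main`. Images are tagged with the
    # pushed commit SHA (see the `init` job), not with a release version.
    branches:
      - main

# At most one snapshot run executes at a time, so two pushes to `main` cannot
# race each other on the `latest` tag.
concurrency: snapshot

# These top-level permissions also cap what the reusable workflows called from
# `ci` and `staging` can be granted.
permissions:
  contents: write # for creating a release (no step in this file does; kept for the called workflows)
  packages: write # for publishing containers to ghcr.io
  id-token: write # for requesting the GitHub OIDC token used by keyless cosign signing

env:
  # Not referenced by any step in this file; note that the caller's `env` is
  # not propagated into reusable workflows (`ci`, `staging`).
  SYFT_VERSION: "0.68.1"

jobs:
  # Derives the image version from the pushed commit SHA.
  init:
    runs-on: ubuntu-22.04
    outputs:
      version: ${{ steps.version.outputs.version }}
    steps:
      - name: Set version
        id: version
        env:
          COMMIT: ${{ github.sha }}
        run: |
          echo "version=$COMMIT" >> "$GITHUB_OUTPUT"

  # check that our CI would pass
  ci:
    uses: ./.github/workflows/ci.yaml

  # Builds, pushes and signs one multi-arch image per matrix entry.
  publish:
    needs: [init, ci]
    permissions:
      contents: write
      packages: write
      id-token: write # for using OIDC tokens
    runs-on: ubuntu-22.04
    strategy:
      matrix:
        include:
          - name: trust
            containerfile: container_files/Containerfile.services
          - name: trust-docs
            containerfile: container_files/Containerfile.docs
          - name: trust-tests
            containerfile: container_files/Containerfile.tests
    env:
      # Local (unpushed) tag used while building; the pushed tags are the
      # commit SHA and `latest`.
      IMAGE_TAG: ci
      PLATFORMS: "linux/amd64, linux/arm64"
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Install cosign
        uses: sigstore/cosign-installer@v3

      - name: Check cosign
        run: cosign version

      # The CI artifacts are only listed below; the images themselves are
      # rebuilt from source in "Build Image" (see the podman note that follows).
      - uses: actions/download-artifact@v4
        with:
          path: ~/download

      - name: Display downloaded content
        run: ls -R ~/download

      # We need to rebuild images until podman is able to load multi-arch images
      # https://github.com/containers/podman/issues/4646
      # - name: Load container
      #   run: |
      #     for container in $CONTAINERS; do
      #       podman load --input ~/download/${container}-container/${container}-image.tar
      #     done

      # Needed so buildah can emulate the non-native platform in PLATFORMS.
      - name: Install qemu dependency
        run: |
          sudo apt-get update
          sudo apt-get install -y qemu-user-static

      - name: Build Image
        id: build-image
        uses: redhat-actions/buildah-build@v2
        with:
          image: ${{ matrix.name }}
          tags: ${{ env.IMAGE_TAG }}
          envs: |
            TAG=${{ env.IMAGE_TAG }}
          build-args: |
            tag=${{ env.IMAGE_TAG }}
          platforms: ${{ env.PLATFORMS }}
          containerfiles: |
            ./${{ matrix.containerfile }}

      - name: Check images created
        run: buildah images | grep '${{ matrix.name }}'

      # The archive is written to the workspace but no later step in this
      # workflow uploads it.
      - name: Save image
        run: podman save --multi-image-archive ${{ matrix.name }}:${{ env.IMAGE_TAG }} > ${{ matrix.name }}-image.tar

      # GITHUB_TOKEN is sufficient for ghcr.io because the job has `packages: write`.
      - name: Log in to ghcr.io
        uses: redhat-actions/podman-login@v1
        with:
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
          registry: "ghcr.io"

      # `--digestfile` records the pushed manifest digest so the signing step
      # below signs exactly what was pushed, not a tag that could be re-pointed.
      - name: Push to ghcr.io
        id: push-images
        run: |
          IMAGE="ghcr.io/${{ github.repository_owner }}/${{ matrix.name }}:${{ needs.init.outputs.version }}"
          podman push \
            "${{ matrix.name }}:ci" \
            "${IMAGE}" --all \
            --digestfile "${RUNNER_TEMP}/push.${{ matrix.name }}.digest"

      - name: Push to ghcr.io (as latest)
        id: push-images-latest
        run: |
          IMAGE="ghcr.io/${{ github.repository_owner }}/${{ matrix.name }}:latest"
          podman push \
            "${{ matrix.name }}:ci" --all \
            "${IMAGE}"

      # Keyless signing via the job's OIDC token (`id-token: write`). The
      # signature is attached to the digest, so both the SHA tag and `latest`
      # (the same pushed manifest) are covered; `--recursive` also signs each
      # per-platform manifest in the index.
      - name: Sign the images with GitHub OIDC Token
        env:
          # Quoted: env values are strings. Enables keyless mode on cosign 1.x;
          # keyless is the default on cosign 2.x, where this is ignored.
          COSIGN_EXPERIMENTAL: "true"
        run: |
          imageDigest="$(cat ${RUNNER_TEMP}/push.${{ matrix.name }}.digest)"
          echo "Image Digest: ${imageDigest}"
          # and then construct the full (pushed) name
          cosign sign --yes --recursive "ghcr.io/${{ github.repository_owner }}/${{ matrix.name }}@${imageDigest}"

  # Promotes the snapshot to staging; `releaseTag` is the commit SHA from `init`.
  staging:
    needs: [init, publish]
    uses: ./.github/workflows/staging.yaml
    # Forwards every repository/organization secret to the called workflow;
    # narrow to an explicit `secrets:` list if staging needs only a few.
    secrets: inherit
    with:
      releaseTag: ${{ needs.init.outputs.version }}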