name: snapshot
on:
  push:
    # Snapshot pipeline: every push to `main` is built, pushed to ghcr.io and
    # signed under the full commit SHA plus the moving `latest` tag (see
    # `IMAGE_TAG` in the publish job). Release tags (`v<version>`,
    # `v<version>-rc<num>`) are NOT matched by this trigger — they are
    # presumably handled by a separate release workflow; TODO confirm.
    branches:
      - main
# Serialises snapshot runs under one group. No `cancel-in-progress`, so a
# newer push queues behind the running one instead of cancelling it.
concurrency: snapshot
# Workflow-level default: every job inherits these scopes, including `init`
# (which never touches the GitHub API) and the reusable `ci` workflow.
# NOTE(review): least privilege would be `contents: read` here, with the
# write scopes granted only on the jobs that push and sign. Left as-is
# because the needs of the called ci/staging workflows are not visible
# from this file — verify before narrowing.
permissions:
  contents: write # for creating a release
  packages: write # for publishing containers
  id-token: write # for using OIDC tokens
env:
  # Not referenced by any step in this file, and workflow-level `env` is not
  # propagated to reusable workflows (ci/staging) — presumably dead here;
  # verify before removing.
  SYFT_VERSION: "0.68.1"
jobs:
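init:
  runs-on: ubuntu-22.04
  # This job only echoes the commit SHA; it never calls the GitHub API, so
  # drop every GITHUB_TOKEN scope instead of inheriting the workflow-level
  # write set (least privilege).
  permissions: {}
  outputs:
    # The full commit SHA; used downstream as the image tag and as the
    # `releaseTag` input of the staging workflow.
    version: ${{ steps.version.outputs.version }}
  steps:
    - name: Set version
      id: version
      env:
        # Passed through an env var rather than interpolated into the shell
        # line, so the value is never parsed by the shell.
        COMMIT: ${{ github.sha }}
      run: |
        echo "version=$COMMIT" >> "$GITHUB_OUTPUT"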
# Gate: the reusable CI workflow must pass for this commit before anything
# is published (`publish` lists it in `needs`). The called workflow receives
# this file's workflow-level write scopes unless narrowed with a job-level
# `permissions:` here; its needs are not visible from this file — TODO
# confirm whether `contents: read` would suffice and narrow it.
ci:
  uses: ./.github/workflows/ci.yaml
publish:
  # Builds, pushes and keyless-signs one multi-arch image per matrix entry
  # for the commit on `main`. Gated on `init` (version) and `ci` passing.
  needs: [ init, ci ]
  # Job-level scopes (these, not the workflow default, apply to this job).
  # NOTE(review): no step below writes repository contents — checkout needs
  # only `contents: read`, the push needs `packages: write`, cosign needs
  # `id-token: write` — so `contents: write` looks unnecessary here; confirm
  # and narrow it.
  permissions:
    contents: write
    packages: write
    id-token: write # for using OIDC tokens
  runs-on: ubuntu-22.04
  strategy:
    # One job per image. `fail-fast` is left at its default, so a failure in
    # one build cancels the sibling builds.
    matrix:
      include:
        - name: trust
          containerfile: container_files/Containerfile.services
        - name: trust-docs
          containerfile: container_files/Containerfile.docs
        - name: trust-tests
          containerfile: container_files/Containerfile.tests
  env:
    # Space-separated tag list (buildah-build and push-to-registry accept
    # several): the full commit SHA from `init` plus the moving `latest`.
    IMAGE_TAG: ${{ needs.init.outputs.version }} latest
    PLATFORMS: "linux/amd64, linux/arm64"
  steps:
    # NOTE(review): every third-party action below is pinned to a major tag
    # (v4/v3/v2/v1) that moves with upstream releases. For a job holding
    # `packages: write` and `id-token: write`, the usual supply-chain
    # hardening is to pin each action to a full commit SHA (tag kept in a
    # trailing comment) and let Dependabot bump it.
    - name: Checkout
      uses: actions/checkout@v4
      with:
        # Full history instead of a shallow clone; what needs it is not
        # visible from this file — TODO confirm it is still required.
        fetch-depth: 0
    - name: Install cosign
      uses: sigstore/cosign-installer@v3
    # Sanity check that the installed binary runs before it is relied upon.
    - name: Check cosign
      run: cosign version
    # No `name` filter, so every artifact of this run (whatever the ci
    # workflow uploaded) lands under ~/download. Nothing after the `ls`
    # consumes them while the load step below stays commented out.
    - uses: actions/download-artifact@v4
      with:
        path: ~/download
    - name: Display downloaded content
      run: ls -R ~/download
    # We need to rebuild images until podman is able to load multi-arch images
    # https://github.com/containers/podman/issues/4646
    # - name: Load container
    #   run: |
    #     for container in $CONTAINERS; do
    #       podman load --input ~/download/${container}-container/${container}-image.tar
    #     done
    # Registers binfmt handlers so the arm64 half of PLATFORMS can be built
    # (emulated) on the amd64 runner.
    - name: Install qemu dependency
      run: |
        sudo apt-get update
        sudo apt-get install -y qemu-user-static
    - name: Build Image
      id: build-image
      uses: redhat-actions/buildah-build@v2
      with:
        image: ${{ matrix.name }}
        tags: ${{ env.IMAGE_TAG }}
        # NOTE(review): both the TAG env and the `tag` build-arg receive the
        # whole IMAGE_TAG string ("<sha> latest"), not a single tag — looks
        # unintended; check what the Containerfiles do with it.
        envs: |
          TAG=${{ env.IMAGE_TAG }}
        build-args: |
          tag=${{ env.IMAGE_TAG }}
        platforms: ${{ env.PLATFORMS }}
        containerfiles: |
          ./${{ matrix.containerfile }}
    # Fails the job if buildah produced no image for this matrix entry.
    # (matrix.name comes from the static list above, so interpolating it
    # into a shell line is not an expression-injection vector.)
    - name: Check images created
      run: buildah images | grep '${{ matrix.name }}'
    # The archive is written to the workspace but no later step uploads or
    # reads it — presumably a leftover of the podman-load approach; verify.
    - name: Save image
      run: podman save --multi-image-archive ${{ matrix.name }}:latest > ${{ matrix.name }}-image.tar
    # Push to ghcr.io
    # Pushes every tag in IMAGE_TAG using the job's GITHUB_TOKEN (this is
    # what needs `packages: write`); `outputs.digest` is what the sign step
    # binds the signature to.
    - name: Push to ghcr.io
      id: push
      uses: redhat-actions/push-to-registry@v2
      with:
        image: ${{ matrix.name }}
        tags: ${{ env.IMAGE_TAG }}
        registry: ghcr.io/${{ github.repository_owner }}
        username: ${{ github.repository_owner }}
        password: ${{ secrets.GITHUB_TOKEN }}
    # Separate login after the push: push-to-registry authenticates on its
    # own, but cosign needs registry credentials to upload the signature.
    # TODO confirm cosign picks up this login (podman auth.json vs docker
    # config) rather than relying on a credential left by another step.
    - name: Log in to ghcr.io
      uses: redhat-actions/podman-login@v1
      with:
        username: ${{ github.repository_owner }}
        password: ${{ secrets.GITHUB_TOKEN }}
        registry: "ghcr.io"
    # Keyless signing: the job's OIDC token (hence `id-token: write`) is
    # exchanged for a short-lived Fulcio certificate and the signing event is
    # logged to Rekor by default; `--yes` skips the confirmation prompt.
    # Signing by digest rather than tag binds the signature to the exact
    # content; `--recursive` additionally signs each per-platform manifest
    # beneath the index. Consumers should `cosign verify` pinning the
    # certificate identity (this workflow) and the GitHub OIDC issuer, not
    # just check that "a" signature exists.
    - name: Sign the images with GitHub OIDC Token
      env:
        # Required for keyless mode in cosign 1.x; cosign-installer@v3
        # installs 2.x by default, where this is ignored — harmless, TODO
        # confirm and drop.
        COSIGN_EXPERIMENTAL: true
      run: |
        cosign sign --yes --recursive "ghcr.io/${{ github.repository_owner }}/${{ matrix.name }}@${{ steps.push.outputs.digest }}"
staging:
  # Hands the published snapshot (identified by the commit SHA) to the
  # reusable staging workflow once every image has been pushed and signed.
  uses: ./.github/workflows/staging.yaml
  needs:
    - init
    - publish
  with:
    releaseTag: ${{ needs.init.outputs.version }}
  # NOTE(review): `inherit` forwards every repository/organisation secret to
  # the called workflow. It lives in this repo, so the blast radius is the
  # same as this file's, but passing only the secrets staging.yaml actually
  # reads would be tighter — its inputs are not visible from here.
  secrets: inherit