Merge pull request #3 from polarsignals/fix-readme-fields #10
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Container | |
| on: | |
| push: | |
| branches: [ main ] | |
| pull_request: | |
| branches: [ main ] | |
| env: | |
| # renovate: datasource=go depName=github.com/goreleaser/goreleaser | |
| GORELEASER_VERSION: v1.21.2 | |
| jobs: | |
| skip-check: | |
| name: Skip check | |
| continue-on-error: true | |
| runs-on: ubuntu-latest | |
| outputs: | |
| should_skip: ${{ steps.skip-check.outputs.should_skip }} | |
| permissions: | |
| actions: write | |
| contents: read | |
| steps: | |
| - id: skip-check | |
| uses: fkirc/skip-duplicate-actions@9d116fa7e55f295019cfab7e3ab72b478bcf7fdd # tag=v4.0.0 | |
| with: | |
| do_not_skip: '["schedule", "workflow_dispatch"]' | |
| paths: |- | |
| [ | |
| "**.go", | |
| ".dockerignore", | |
| ".github/workflows/container.yml", | |
| "Dockerfile*", | |
| "Makefile", | |
| "go.mod", | |
| "go.sum" | |
| ] | |
| skip_after_successful_duplicate: false | |
| build-binaries: | |
| name: Build binaries using goreleaser | |
| needs: skip-check | |
| if: ${{ needs.skip-check.outputs.should_skip != 'true' }} | |
| runs-on: ubuntu-latest | |
| container: | |
| image: docker.io/goreleaser/goreleaser-cross:v1.21.1 | |
| options: --privileged | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| GORELEASER_CURRENT_TAG: "${{ env.goreleaser_current_tag }}" | |
| steps: | |
| - name: Check out the code | |
| uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2 | |
| - name: 'Trust the github workspace' | |
| run: | | |
| # This is to avoid fatal errors about "dubious ownership" because we are | |
| # running inside of a container action with the workspace mounted in. | |
| git config --global --add safe.directory "$GITHUB_WORKSPACE" | |
| - name: Set up Go | |
| uses: actions/setup-go@84cbf8094393cdc5fe1fe1671ff2647332956b1a # tag=v3.2.1 | |
| with: | |
| go-version-file: 'go.mod' | |
| cache: true | |
| - name: Run Goreleaser | |
| run: goreleaser release --clean --skip-validate --skip-publish --snapshot --debug | |
| - name: Archive generated artifacts | |
| uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # tag=v3.1.0 | |
| with: | |
| name: profile-exporter-dist-container | |
| if-no-files-found: error | |
| path: | | |
| goreleaser/dist | |
| !goreleaser/dist/*.txt | |
| build-and-push-container: | |
| if: github.event_name != 'pull_request' | |
| name: Container build and push (when merged) | |
| needs: build-binaries | |
| runs-on: ubuntu-latest | |
| container: | |
| image: quay.io/containers/podman:v4.7.0@sha256:b64ba1c57d250e62d44088dd5ed62ff709699f858a2fc34776362082391fb7c2 | |
| options: >- | |
| --device /dev/fuse:rw | |
| --privileged | |
| --security-opt label=disable | |
| --security-opt seccomp=unconfined | |
| env: | |
| TUF_ROOT: /tmp | |
| permissions: | |
| id-token: write | |
| packages: write | |
| contents: read | |
| steps: | |
| - name: Install dependencies | |
| run: dnf install --assumeyes --repo fedora git make jq | |
| - name: Check out code into the Go module directory | |
| uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2 | |
| # https://github.com/actions/checkout/issues/766 | |
| - name: Add repository directory to the git global config as a safe directory | |
| run: git config --global --add safe.directory "${GITHUB_WORKSPACE}" | |
| - name: Set up Go | |
| uses: actions/setup-go@84cbf8094393cdc5fe1fe1671ff2647332956b1a # tag=v3.2.1 | |
| with: | |
| go-version-file: 'go.mod' | |
| check-latest: true | |
| - uses: actions/download-artifact@v3 | |
| with: | |
| name: profile-exporter-dist-container | |
| path: goreleaser/dist | |
| - name: Build container | |
| run: make container | |
| - name: Check images are created | |
| run: podman images | grep 'ghcr.io/polarsignals/profile-exporter' | |
| - name: Install cosign | |
| uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2 | |
| - name: Login to registry | |
| if: ${{ github.event_name != 'pull_request' }} | |
| run: | | |
| echo "${{ secrets.GITHUB_TOKEN }}" | podman login -u polarsignals --password-stdin ghcr.io | |
| - name: Install crane | |
| uses: imjasonh/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c # v0.3 | |
| - name: Push and sign container | |
| env: | |
| COSIGN_YES: true | |
| run: | | |
| make push-container | |
| make sign-container |