[TC-1666] - Ten Latest Sboms with vulnerabilities summary backend (#1… #56
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: snapshot | |
| on: | |
| push: | |
| # Releases are tags named 'v<version>', and must have the "major.minor.micro", for example: "0.1.0". | |
| # Release candidates are tagged as `v<version>-rc<num>`, for example: "0.1.0-rc1". | |
| branches: | |
| - main | |
| concurrency: snapshot | |
| permissions: | |
| contents: write # for creating a release | |
| packages: write # for publishing containers | |
| id-token: write # for using OIDC tokens | |
| env: | |
| SYFT_VERSION: "0.68.1" | |
| jobs: | |
| init: | |
| runs-on: ubuntu-22.04 | |
| outputs: | |
| version: ${{steps.version.outputs.version}} | |
| steps: | |
| - name: Set version | |
| id: version | |
| env: | |
| COMMIT: ${{github.sha}} | |
| run: | | |
| echo "version=$COMMIT" >> $GITHUB_OUTPUT | |
| # check that our CI would pass | |
| ci: | |
| uses: ./.github/workflows/ci.yaml | |
| publish: | |
| needs: [ init, ci ] | |
| permissions: | |
| contents: write | |
| packages: write | |
| id-token: write # for using OIDC tokens | |
| runs-on: ubuntu-22.04 | |
| strategy: | |
| matrix: | |
| include: | |
| - name: trust | |
| containerfile: container_files/Containerfile.services | |
| - name: trust-docs | |
| containerfile: container_files/Containerfile.docs | |
| - name: trust-tests | |
| containerfile: container_files/Containerfile.tests | |
| env: | |
| IMAGE_TAG: ${{ needs.init.outputs.version }} latest | |
| PLATFORMS: "linux/amd64, linux/arm64" | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Install cosign | |
| uses: sigstore/cosign-installer@v3 | |
| - name: Check cosign | |
| run: cosign version | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| path: ~/download | |
| - name: Display downloaded content | |
| run: ls -R ~/download | |
| # We need to rebuild images until podman is able to load multi-arch images | |
| # https://github.com/containers/podman/issues/4646 | |
| # - name: Load container | |
| # run: | | |
| # for container in $CONTAINERS; do | |
| # podman load --input ~/download/${container}-container/${container}-image.tar | |
| # done | |
| - name: Install qemu dependency | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y qemu-user-static | |
| - name: Build Image | |
| id: build-image | |
| uses: redhat-actions/buildah-build@v2 | |
| with: | |
| image: ${{ matrix.name }} | |
| tags: ${{ env.IMAGE_TAG }} | |
| envs: | | |
| TAG=${{ env.IMAGE_TAG }} | |
| build-args: | | |
| tag=${{ env.IMAGE_TAG }} | |
| platforms: ${{ env.PLATFORMS }} | |
| containerfiles: | | |
| ./${{ matrix.containerfile }} | |
| - name: Check images created | |
| run: buildah images | grep '${{ matrix.name }}' | |
| - name: Save image | |
| run: podman save --multi-image-archive ${{ matrix.name }}:latest > ${{ matrix.name }}-image.tar | |
| # Push to ghcr.io | |
| - name: Push to ghcr.io | |
| id: push | |
| uses: redhat-actions/push-to-registry@v2 | |
| with: | |
| image: ${{ matrix.name }} | |
| tags: ${{ env.IMAGE_TAG }} | |
| registry: ghcr.io/${{ github.repository_owner }} | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Log in to ghcr.io | |
| uses: redhat-actions/podman-login@v1 | |
| with: | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| registry: "ghcr.io" | |
| - name: Sign the images with GitHub OIDC Token | |
| env: | |
| COSIGN_EXPERIMENTAL: true | |
| run: | | |
| cosign sign --yes --recursive "ghcr.io/${{ github.repository_owner }}/${{ matrix.name }}@${{ steps.push.outputs.digest }}" | |
| staging: | |
| needs: [ init, publish ] | |
| uses: ./.github/workflows/staging.yaml | |
| secrets: inherit | |
| with: | |
| releaseTag: ${{ needs.init.outputs.version }} |