snapshot.yaml
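# Snapshot workflow: every push to `main` runs CI, builds the containers,
# publishes them to ghcr.io under the commit SHA (and `latest`), signs the
# pushed digests with cosign via the job's OIDC token, and rolls the result
# out to staging through the reusable staging workflow.
name: snapshot

on:  # yamllint disable-line rule:truthy
  push:
    # Snapshots are produced for every push to `main`; the image tag is the
    # full commit SHA computed by the `init` job below, not a release tag.
    branches:
      - main

# One snapshot run at a time, so two pushes cannot race on the `latest` tag
# or on the staging rollout.
concurrency: snapshot

permissions:
  contents: write # for creating a release
  packages: write # for publishing containers
  id-token: write # for using OIDC tokens

env:
  SYFT_VERSION: "0.68.1"

jobs:
  # Derive the single version string every downstream job uses. For snapshots
  # this is the commit SHA of the pushed revision.
  init:
    runs-on: ubuntu-22.04
    outputs:
      version: ${{ steps.version.outputs.version }}
    steps:
      - name: Set version
        id: version
        env:
          COMMIT: ${{ github.sha }}
        run: |
          echo "version=${COMMIT}" >> "${GITHUB_OUTPUT}"

  # check that our CI would pass
  ci:
    uses: ./.github/workflows/ci.yaml

  containers:
    needs: [init, ci]
    uses: ./.github/workflows/containers.yaml
    secrets: inherit
    with:
      imageTag: ${{ needs.init.outputs.version }}
      platforms: "linux/amd64"

  publish:
    needs: [init, containers]
    permissions:
      contents: write
      packages: write
      id-token: write # for using OIDC tokens
    runs-on: ubuntu-22.04
    env:
      CONTAINERS: "trust trust-docs trust-tests"
      # Values shared by the push and sign steps. They are passed through env
      # rather than interpolated into the `run:` scripts so the shell only ever
      # sees plain variables, which is the recommended way to keep workflow
      # expressions out of script text.
      IMAGE_OWNER: ${{ github.repository_owner }}
      IMAGE_VERSION: ${{ needs.init.outputs.version }}
    steps:
      # NOTE(review): the third-party actions in this job are referenced by
      # mutable tags (@v3, @v2, @v1). Pinning each `uses:` to a full commit SHA
      # (e.g. `actions/checkout@<commit-sha> # v3`) makes the run reproducible
      # and immune to a moved or compromised tag.
      - name: Checkout
        uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: Install cosign
        uses: sigstore/cosign-installer@v2
      - name: Check cosign
        run: cosign version
      # Fetch the container tarballs produced by the `containers` workflow.
      - uses: actions/download-artifact@v3
        with:
          path: ~/download
      - name: Display downloaded content
        run: ls -R ~/download
      - name: Load container
        run: |
          for container in $CONTAINERS; do
            podman load --input ~/download/${container}-container/${container}-image.tar
          done
      - name: Log in to ghcr.io
        uses: redhat-actions/podman-login@v1
        with:
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
          registry: "ghcr.io"
      # Push under the commit SHA and record the pushed digest per container;
      # the sign step reads these files.
      - name: Push to ghcr.io
        id: push-images
        run: |
          for container in $CONTAINERS; do
            IMAGE="ghcr.io/${IMAGE_OWNER}/${container}:${IMAGE_VERSION}"
            podman push \
              "${container}:${IMAGE_VERSION}" \
              "${IMAGE}" \
              --digestfile "${RUNNER_TEMP}/push.${container}.digest"
          done
      # Same local image pushed again as `latest`; no digestfile is needed
      # because the manifest (and therefore the digest) is the one recorded
      # by the previous step.
      - name: Push to ghcr.io (as latest)
        id: push-images-latest
        run: |
          for container in $CONTAINERS; do
            IMAGE="ghcr.io/${IMAGE_OWNER}/${container}:latest"
            podman push \
              "${container}:${IMAGE_VERSION}" \
              "${IMAGE}"
          done
      - name: Sign the images with GitHub OIDC Token
        env:
          # Quoted: step env values are strings, and a bare `true` is a YAML
          # boolean that some tooling re-types.
          COSIGN_EXPERIMENTAL: "true"
        run: |
          for container in $CONTAINERS; do
            imageDigest="$(cat "${RUNNER_TEMP}/push.${container}.digest")"
            echo "Image Digest: ${imageDigest}"
            # Sign by digest, not by tag, so the signature is bound to the
            # exact manifest that both the SHA tag and `latest` point at.
            cosign sign --yes --recursive "ghcr.io/${IMAGE_OWNER}/${container}@${imageDigest}"
          done

  staging:
    needs: [init, publish]
    uses: ./.github/workflows/staging.yaml
    secrets: inherit
    with:
      releaseTag: ${{ needs.init.outputs.version }}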