🍜 Build/publish all runners #58
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: 🍜 Build/publish all runners | |
on: | |
workflow_dispatch: # build on demand | |
schedule: | |
- cron: "43 6 * * 0" # build every Sunday at 6:43 AM UTC | |
jobs: | |
build-all: | |
runs-on: ubuntu-latest # use the GitHub-hosted runner to build the image | |
permissions: | |
contents: write # for uploading the SBOM to the release | |
packages: write # for uploading the finished container | |
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results | |
id-token: write # to complete the identity challenge with sigstore/fulcio when running outside of PRs | |
attestations: write # to create the attestations for the container | |
strategy: | |
matrix: | |
os: [rootless-ubuntu-jammy, rootless-ubuntu-numbat, ubi8, ubi9, wolfi] | |
continue-on-error: true | |
steps: | |
- name: Checkout the repo | |
uses: actions/checkout@v4 | |
- name: Set version | |
run: echo "VERSION=$(cat ${GITHUB_EVENT_PATH} | jq -r '.release.tag_name')" >> $GITHUB_ENV | |
if: github.event_name == 'release' | |
- name: Set short SHA | |
run: echo "SHA_SHORT=${GITHUB_SHA::7}" >> $GITHUB_ENV | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v3 | |
with: | |
platforms: linux/amd64,linux/arm64 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Set Docker metadata | |
id: docker_meta | |
uses: docker/metadata-action@v5 | |
with: | |
images: ghcr.io/some-natalie/kubernoodles/${{ matrix.os }} | |
tags: | | |
type=sha,format=long | |
type=raw,value=${{ env.SHA_SHORT }} | |
type=raw,value=latest | |
- name: Build and push the containers | |
uses: docker/build-push-action@v6 | |
id: build-and-push | |
with: | |
file: ./images/${{ matrix.os }}.Dockerfile | |
push: true | |
platforms: linux/amd64,linux/arm64 | |
tags: ${{ steps.docker_meta.outputs.tags }} | |
- name: Attest the build | |
uses: actions/attest-build-provenance@v2 | |
id: attest | |
with: | |
subject-name: ghcr.io/some-natalie/kubernoodles/${{ matrix.os }} | |
subject-digest: ${{ steps.build-and-push.outputs.digest }} | |
push-to-registry: true | |
- name: Scan it | |
uses: anchore/scan-action@v5 | |
id: scan | |
with: | |
image: "ghcr.io/${{ github.repository }}/${{ matrix.os }}:${{ env.SHA_SHORT }}" | |
fail-build: false | |
- name: Upload the container scan report | |
id: upload | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: ${{ steps.scan.outputs.sarif }} | |
wait-for-processing: true | |
- name: Generate that SBOM | |
uses: anchore/sbom-action@v0 | |
with: | |
image: "ghcr.io/${{ github.repository }}/${{ matrix.os }}:${{ env.SHA_SHORT }}" | |
artifact-name: "${{ matrix.os }}-${{ matrix.arch }}-${{ env.SHA_SHORT }}.sbom" | |
- name: Install cosign | |
uses: sigstore/cosign-installer@main | |
- name: Log in to GHCR | |
run: echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io -u ${{ github.actor }} --password-stdin | |
- name: Sign the images with GitHub OIDC Token | |
env: | |
DIGEST: ${{ steps.build-and-push.outputs.digest }} | |
TAGS: ${{ steps.docker_meta.outputs.tags }} | |
run: | | |
images="" | |
for tag in ${TAGS}; do | |
images+="${tag}@${DIGEST} " | |
done | |
cosign sign --yes ${images} |