ci: correct image sign verify command #9594

Workflow file for this run

	on:
	push:
	branches:
	- main
	pull_request:
	branches:
	- main
	workflow_dispatch:

	permissions:
	contents: read # for actions/checkout to fetch code

	name: PR CI Workflow
	jobs:
	ci-js:
	name: CI Test JS
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
	- name: Setup Node.js
	uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
	with:
	node-version-file: package.json
	cache: yarn
	- run: make node_modules
	- name: Check that package.json & package-lock.json were updated in commit
	run: \|
	echo "Using node.js "$(node --version)
	echo "Using Yarn "$(yarn --version)
	git diff --no-ext-diff --exit-code
	- run: make ui-audit
	- run: make ui
	- run: make ui-lint
	- run: make ui-prettify-check
	- run: make ui-test
	- run: make ui-lib

	ci-go:
	name: CI Test Go
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
	- name: Setup Go
	uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
	with:
	go-version-file: go.mod
	- name: Setup Flux CLI
	uses: fluxcd/flux2/action@5350425cdcd5fa015337e09fa502153c0275bd4b # v2.4.0
	- run: make unit-tests

	ci-static:
	name: CI Check Static Checks
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
	- name: Setup Go
	uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
	with:
	go-version-file: go.mod
	- run: make check-format
	- run: make lint
	- run: go mod tidy
	- name: Check that go mod tidy has been run
	run: git diff --no-ext-diff --exit-code
	- run: make proto
	- name: Check that make proto has been run
	run: git diff --no-ext-diff --exit-code
	- run: make fakes
	- name: Check that make fakes has been run
	run: git diff --no-ext-diff --exit-code

	build-push-image:
	name: CI Build Image
	runs-on: ubuntu-latest
	env:
	IMAGE_NAME: ghcr.io/${{ github.repository }}/${{ matrix.docker-image }}
	permissions:
	packages: write # for docker/build-push-action to push images
	id-token: write # for Cosign to be able to sign images with GHA token
	strategy:
	matrix:
	docker-image:
	- gitops
	- gitops-server
	steps:
	- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
	- name: Set build-time flags
	run: \|
	echo "LDFLAGS=$(make echo-ldflags)" >> $GITHUB_ENV
	echo "FLUX_VERSION=$(make echo-flux-version)" >> $GITHUB_ENV
	- uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
	id: meta
	with:
	images: ${{ env.IMAGE_NAME }}
	tags: \|
	type=ref,event=branch
	type=ref,event=pr
	- uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
	- uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}
	- uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6.11.0
	id: build
	with:
	context: .
	file: ${{ matrix.docker-image }}.dockerfile
	build-args: \|
	FLUX_VERSION=${{ env.FLUX_VERSION }}
	LDFLAGS=${{ env.LDFLAGS }}
	GIT_COMMIT=${{ github.sha }}
	push: ${{ github.event_name != 'pull_request' && github.repository == 'weaveworks/weave-gitops' }}
	tags: ${{ steps.meta.outputs.tags }}
	labels: ${{ steps.meta.outputs.labels }}
	cache-from: type=gha
	cache-to: type=gha,mode=max
	- name: Install cosign
	if: ${{ github.event_name != 'pull_request' && github.repository == 'weaveworks/weave-gitops' }}
	uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
	- name: Keyless signing of image
	if: ${{ github.event_name != 'pull_request' && github.repository == 'weaveworks/weave-gitops' }}
	run: \|
	echo ${{ steps.build.outputs.imageid }}
	echo ${{ steps.build.outputs.digest }}
	cosign sign --yes ${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}
	- name: Verify the image signing
	if: ${{ github.event_name != 'pull_request' && github.repository == 'weaveworks/weave-gitops' }}
	run: >
	cosign verify ${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}
	--certificate-identity "https://github.com/${{ github.workflow_ref }}"
	--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \| jq .

	ci-upload-binary:
	name: Upload Binary - Disabled
	runs-on: ${{matrix.os}}
	needs: [ci-go, ci-static, ci-js]
	strategy:
	matrix:
	os: [ubuntu-latest, macOS-latest]
	if: github.event_name == 'push'
	steps:
	- name: Checkout code
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
	- name: Setup Go
	uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
	with:
	go-version-file: go.mod
	- name: Clean
	run: make clean
	- id: gitsha
	run: \|
	gitsha=$(git rev-parse --short ${{ github.sha }})
	echo "sha=$gitsha" >> $GITHUB_OUTPUT
	- name: build
	run: \|
	make gitops
	# - name: publish to s3
	# uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
	# with:
	# aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
	# aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
	# aws-region: us-east-2
	# - run: \|
	# aws s3 cp bin/gitops s3://weave-gitops/gitops-${{matrix.os}}-${{steps.gitsha.outputs.sha}}
	# aws s3 cp s3://weave-gitops/gitops-${{matrix.os}}-${{steps.gitsha.outputs.sha}} s3://weave-gitops/gitops-${{matrix.os}}

	ci-publish-js-lib:
	name: Publish js library
	runs-on: ubuntu-latest
	if: "${{ github.repository_owner == 'weaveworks' && github.ref_name == 'main'}}"
	needs: [ci-js]
	permissions:
	packages: write
	outputs:
	js-version: ${{ steps.package-version.outputs.js-version }}
	steps:
	- name: Checkout
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
	with:
	# avoid the merge commit that on.pull_request creates
	# fallback to github.sha if not present (e.g. on.push(main))
	# https://github.com/actions/checkout#checkout-pull-request-head-commit-instead-of-merge-commit
	# We want the correct sha so we can tag the npm package correctly
	ref: ${{ github.event.pull_request.head.sha \|\| github.sha }}
	fetch-depth: 0
	- name: Setup Node.js
	uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
	with:
	node-version-file: package.json
	registry-url: "https://npm.pkg.github.com"
	scope: "@weaveworks"
	- run: yarn
	- run: make ui-lib
	- name: Update package version
	id: package-version
	run: \|
	GITOPS_VERSION=$(git describe)
	echo "js-version=$GITOPS_VERSION" >> $GITHUB_OUTPUT
	jq '.version = "'$GITOPS_VERSION'" \| .name = "@weaveworks/weave-gitops-main"' < dist/package.json > dist/package-new.json
	mv dist/package-new.json dist/package.json
	cp .npmrc dist
	- run: cd dist && npm publish
	env:
	NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

	# release step updates 'release' status check for non releases branches. See ../../doc/incidents/issues-3907 for full context.
	release:
	if: ${{ github.event_name == 'pull_request' && !startsWith(github.event.pull_request.head.ref, 'releases/') && !github.event.pull_request.head.repo.fork }}
	runs-on: ubuntu-latest
	steps:
	- name: Release
	run: \|
	curl --fail --request POST \
	--url https://api.github.com/repos/${{ github.repository }}/statuses/${{ github.event.pull_request.head.sha }} \
	--header 'authorization: Bearer ${{ secrets.WEAVE_GITOPS_BOT_ACCESS_TOKEN }}' \
	--header 'content-type: application/json' \
	--data '{
	"state":"success",
	"description":"release not required",
	"context":"release"
	}'

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ci: correct image sign verify command #9594

Workflow file

ci: correct image sign verify command #9594

Jobs

Run details

Workflow file for this run