forked from trustification/trustification
-
Notifications
You must be signed in to change notification settings - Fork 0
120 lines (98 loc) · 3.09 KB
/
snapshot.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
name: snapshot
on:
push:
# Releases are tags named 'v<version>', and must have the "major.minor.micro", for example: "0.1.0".
# Release candidates are tagged as `v<version>-rc<num>`, for example: "0.1.0-rc1".
branches:
- main
concurrency: snapshot
permissions:
contents: write # for creating a release
packages: write # for publishing containers
id-token: write # for using OIDC tokens
env:
SYFT_VERSION: "0.68.1"
jobs:
init:
runs-on: ubuntu-22.04
outputs:
version: ${{steps.version.outputs.version}}
steps:
- name: Set version
id: version
env:
COMMIT: ${{github.sha}}
run: |
echo "version=$COMMIT" >> $GITHUB_OUTPUT
# check that our CI would pass
ci:
uses: ./.github/workflows/ci.yaml
publish:
needs: [ init, ci ]
permissions:
contents: write
packages: write
id-token: write # for using OIDC tokens
runs-on: ubuntu-22.04
env:
CONTAINERS: "trust trust-docs trust-tests"
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install cosign
uses: sigstore/cosign-installer@v3
- name: Check cosign
run: cosign version
- uses: actions/download-artifact@v4
with:
path: ~/download
- name: Display downloaded content
run: ls -R ~/download
- name: Load container
run: |
for container in $CONTAINERS; do
podman load --input ~/download/${container}-container/${container}-image.tar
done
- name: Log in to ghcr.io
uses: redhat-actions/podman-login@v1
with:
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
registry: "ghcr.io"
- name: Push to ghcr.io
id: push-images
run: |
for container in $CONTAINERS; do
IMAGE="ghcr.io/${{ github.repository_owner }}/${container}:${{ needs.init.outputs.version }}"
podman push \
"${container}:ci" \
"${IMAGE}" \
--digestfile "${RUNNER_TEMP}/push.${container}.digest"
done
- name: Push to ghcr.io (as latest)
id: push-images-latest
run: |
for container in $CONTAINERS; do
IMAGE="ghcr.io/${{ github.repository_owner }}/${container}:latest"
podman push \
"${container}:ci" \
"${IMAGE}"
done
- name: Sign the images with GitHub OIDC Token
env:
COSIGN_EXPERIMENTAL: true
run: |
for container in $CONTAINERS; do
imageDigest="$(cat ${RUNNER_TEMP}/push.${container}.digest)"
echo "Image Digest: ${imageDigest}"
# and then construct the full (pushed) name
cosign sign --yes --recursive "ghcr.io/${{ github.repository_owner }}/${container}@${imageDigest}"
done
staging:
needs: [ init, publish ]
uses: ./.github/workflows/staging.yaml
secrets: inherit
with:
releaseTag: ${{ needs.init.outputs.version }}