Skip to content

Generate attestation for gerenated docker image #23

Generate attestation for gerenated docker image

Generate attestation for gerenated docker image #23

Workflow file for this run

---
name: Release
on:
push:
tags:
- 'v*'
jobs:
build:
name: Build
runs-on: ubuntu-22.04
permissions:
id-token: write
contents: write
packages: write
attestations: write
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
filter: tree:0
- uses: actions/cache@v4
with:
path: |
~/.cache/go-build
~/.cache/golangci-lint
~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
${{ runner.os }}-go-
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: "1.22"
cache: false
id: go
- name: Setup docker QEMU
uses: docker/setup-qemu-action@v3
- name: Setup docker buildx
uses: docker/setup-buildx-action@v3
with:
driver-opts: |
image=moby/buildkit:master
network=host
- name: Expose GitHub Runtime
uses: crazy-max/ghaction-github-runtime@v3
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Crossbuild
run: make crossbuild
- name: Checksums
run: make crossbuild-checksums
- uses: actions/attest-build-provenance@v1
with:
subject-path: |
dist/*
- name: Create release
uses: ncipollo/release-action@v1
with:
artifacts: "./dist/yage-*-*,./dist/checksums"
generateReleaseNotes: true
prerelease: ${{ contains(github.ref, '-rc') && 'true' || 'false' }}
- name: Login to GitHub Docker registry
run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
- name: Build and push docker image
id: docker-build
run: |
make docker-buildx-push
jq -r '."image.name" | split(":"; null)[0] | ("image="+.)' < .buildx-metadata.json >> "$GITHUB_OUTPUT"
jq -r '."containerimage.digest" | ("digest="+.)' < .buildx-metadata.json >> "$GITHUB_OUTPUT"
- uses: actions/attest-build-provenance@v1
with:
subject-name: ${{ steps.docker-build.outputs.image }}
subject-digest: ${{ steps.docker-build.outputs.digest }}
push-to-registry: true