This repository has been archived by the owner on Apr 26, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 1
169 lines (169 loc) · 6.58 KB
/
main.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
name: Salsa build & release
on:
push:
paths-ignore:
- '**.md'
- 'CODEOWNERS'
- 'LICENSE'
- '.gitignore'
- 'doc/**'
- 'Makefile'
env:
VERSION: v0.12
IMAGE_NAME: ghcr.io/${{ github.repository }}
COSIGN_VERSION: v2.2.2
SYFT_VERSION: v0.44.1
GO_RELEASER_VERSION: v1.11.2
GRADLE_VERSION: 7.5.1
PUSH: false
jobs:
set-version:
runs-on: ubuntu-20.04
outputs:
version: ${{ steps.set-version.outputs.version }}
steps:
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
- name: set version
id: set-version
run: |
echo Faking a Semantic Version
echo "version=${{ env.VERSION }}.$(date "+%Y%m%d%H%M%S")" >> $GITHUB_OUTPUT
test:
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
- uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # ratchet:actions/setup-go@v3
with:
go-version-file: ./go.mod
check-latest: true
cache: true
- name: Test Salsa
run: make test
build:
outputs:
cli-tag: ${{ steps.container-tags.outputs.cli-tag }}
action-tag: ${{ steps.container-tags.outputs.action-tag }}
digest: ${{ steps.docker_build.outputs.digest }}
needs:
- set-version
- test
runs-on: ubuntu-20.04
steps:
- name: Checkout latest code
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
with:
fetch-depth: 0
- name: Set up Go
uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # ratchet:actions/setup-go@v3
with:
go-version-file: ./go.mod
check-latest: true
cache: true
- name: Create tag
run: |
git tag ${{ needs.set-version.outputs.version }}
# - uses: navikt/github-app-token-generator@v1
# id: get-homebrew-token
# with:
# private-key: ${{ secrets.NAIS_APP_PRIVATE_KEY }}
# app-id: ${{ secrets.NAIS_APP_ID }}
# repo: nais/homebrew-tap
- name: Install cosign
uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # ratchet:sigstore/cosign-installer@v3.3.0
with:
cosign-release: ${{ env.COSIGN_VERSION }}
- name: Install Syft
uses: anchore/sbom-action/download-syft@41f7a6c033dbcdf78917f23b652c8b8146298c85 # ratchet:anchore/sbom-action/download-syft@v0.15.4
with:
syft-version: ${{ env.SYFT_VERSION }}
- name: Put key on file
run: |
echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key
- name: Run GoReleaser
if: ${{ github.ref == 'refs/heads/main' }}
uses: goreleaser/goreleaser-action@5fdedb94abba051217030cc86d4523cf3f02243d # ratchet:goreleaser/goreleaser-action@v4
with:
distribution: goreleaser
version: ${{ env.GO_RELEASER_VERSION }}
args: release -f .goreleaser.yml --rm-dist --debug
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
PUSH_TOKEN: ${{ steps.get-homebrew-token.outputs.token }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@885d1462b80bc1c1c7f0b00334ad271f09369c55 # ratchet:docker/setup-buildx-action@v2
with:
provenance: false
- name: Login to Docker
uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # ratchet:docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Create tags
id: container-tags
run: |
echo "cli-tag=${{ env.IMAGE_NAME }}:${{ needs.set-version.outputs.version }}" >> $GITHUB_OUTPUT
echo "action-tag=${{ env.IMAGE_NAME }}:${{ env.VERSION }}" >> $GITHUB_OUTPUT
- name: Only push from main
if: ${{ github.ref == 'refs/heads/main' }}
run: |
echo "PUSH=true" >> $GITHUB_ENV
- name: Build and push
uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # ratchet:docker/build-push-action@v4
id: docker_build
with:
push: ${{ env.PUSH }}
tags: ${{ steps.container-tags.outputs.cli-tag }},${{ steps.container-tags.outputs.action-tag }}
labels: version=${{ needs.set-version.outputs.version }},revision=${{ github.sha }}
build-args: |
COSIGN_VERSION=${{ env.COSIGN_VERSION }}
GRADLE_VERSION=${{ env.GRADLE_VERSION }}
- name: Update major/minor version tag
if: ${{ github.ref == 'refs/heads/main' }}
run: "git tag -f ${{ env.VERSION }}\ngit push -f origin ${{ env.VERSION }} \n"
- name: Clean up
if: ${{ always() }}
run: "rm -f cosign.key \n"
sign-attest:
needs:
- build
runs-on: ubuntu-20.04
permissions:
packages: write
contents: read
id-token: write
if: ${{ github.ref == 'refs/heads/main' }}
env:
DIGEST: "${{ needs.build.outputs.digest }}"
steps:
- name: Install cosign
uses: sigstore/cosign-installer@ce50ea946c19e4bdba9127f76ba2fb00d8e95a96 # ratchet:sigstore/cosign-installer@v2.5.1
with:
cosign-release: ${{ env.COSIGN_VERSION }}
- name: Login to Docker
uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # ratchet:docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Generate SBOM
id: sbom
uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # ratchet:aquasecurity/trivy-action@master
with:
scan-type: 'image'
format: 'cyclonedx'
output: 'sbom.json'
image-ref: ${{ env.IMAGE_NAME }}@${{ env.DIGEST }}
- name: Sign Docker image and and add signed attest
run: |
echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key
cosign sign --yes --key cosign.key ${{ env.IMAGE_NAME }}@${{ env.DIGEST }}
cosign sign --yes --key cosign.key ${{ env.IMAGE_NAME }}@${{ env.DIGEST }}
cosign attest --yes --tlog-upload=false --key cosign.key --predicate sbom.json --type cyclonedx ${{ env.IMAGE_NAME }}@${{ env.DIGEST }}
env:
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
- name: Clean up
if: ${{ always() }}
run: |
rm -f cosign.key