Use upstream setup-kind action (#38) #30
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Release | |
on: | |
push: | |
branches: | |
- main | |
jobs: | |
release-container-images: | |
name: build and push to ghcr.io | |
strategy: | |
matrix: | |
component: | |
- informer | |
- webhook | |
runs-on: ubuntu-22.04 | |
permissions: | |
packages: write | |
outputs: | |
informer_image: ${{ steps.release.outputs.informer_image }} | |
informer_digest: ${{ steps.release.outputs.informer_digest }} | |
informer_sbom_image: ${{ steps.release.outputs.informer_sbom_image }} | |
informer_sbom_digest: ${{ steps.release.outputs.informer_sbom_digest }} | |
webhook_image: ${{ steps.release.outputs.webhook_image }} | |
webhook_digest: ${{ steps.release.outputs.webhook_digest }} | |
webhook_sbom_image: ${{ steps.release.outputs.webhook_sbom_image }} | |
webhook_sbom_digest: ${{ steps.release.outputs.webhook_sbom_digest }} | |
steps: | |
- uses: actions/setup-go@v4 | |
with: | |
go-version: 1.21.x | |
- uses: ko-build/setup-ko@v0.6 | |
- name: Install crane | |
run: go install github.com/google/go-containerregistry/cmd/crane@v0.19.1 | |
- uses: actions/checkout@v4 | |
- id: release | |
name: Build and push | |
env: | |
KO_DOCKER_REPO: ghcr.io/norbjd/k8s-pod-cpu-booster | |
run: | | |
# something like 202403241909-abcdef01 if we want to use a specific version | |
UNIQUE_TAG="$(TZ=UTC0 git log -1 --format=%cd --date=format-local:%Y%m%d%H%M)-$(git rev-parse --short HEAD)" | |
ko build ./cmd/${{ matrix.component }} \ | |
--base-import-paths \ | |
--image-refs=.digest \ | |
--tags=$GITHUB_REF_NAME,$UNIQUE_TAG | |
image=$(cat .digest | cut -d'@' -f1 | cut -d':' -f1) | |
digest=$(cat .digest| cut -d'@' -f2) | |
echo "${{ matrix.component }}_image=$image" >> "$GITHUB_OUTPUT" | |
echo "${{ matrix.component }}_digest=$digest" >> "$GITHUB_OUTPUT" | |
# this is probably not the best way to sign the SBOM: | |
# - requires crane to get the SBOM image pushed above | |
# - is vulnerable to TOCTOU attacks if someone updates the sbom between "ko build" and "crane digest" | |
# but, it's good enough for now, until I have a better solution | |
sbom_digest=$(crane digest $image:sha256-$(echo $digest | cut -d':' -f2).sbom) | |
echo "${{ matrix.component }}_sbom_image=$image" >> "$GITHUB_OUTPUT" | |
echo "${{ matrix.component }}_sbom_digest=$sbom_digest" >> "$GITHUB_OUTPUT" | |
# see https://github.com/slsa-framework/slsa-github-generator/blob/v1.10.0/internal/builders/container/README.md#ko | |
provenance: | |
needs: | |
- release-container-images | |
strategy: | |
matrix: | |
component: | |
- informer | |
- informer_sbom | |
- webhook | |
- webhook_sbom | |
permissions: | |
actions: read | |
id-token: write | |
packages: write | |
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.10.0 | |
with: | |
image: "${{ needs.release-container-images.outputs[format('{0}_image', matrix.component)] }}" | |
digest: "${{ needs.release-container-images.outputs[format('{0}_digest', matrix.component)] }}" | |
registry-username: ${{ github.actor }} | |
compile-generator: true | |
secrets: | |
registry-password: ${{ secrets.GITHUB_TOKEN }} | |
release-helm-chart: | |
name: release helm chart | |
runs-on: ubuntu-latest | |
permissions: | |
contents: write | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Configure Git | |
run: | | |
git config user.name "$GITHUB_ACTOR" | |
git config user.email "$GITHUB_ACTOR@users.noreply.github.com" | |
- name: Install helm | |
run: | | |
curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash | |
- name: Run chart-releaser | |
uses: helm/chart-releaser-action@v1.6.0 | |
env: | |
CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" |