Add SLSA generator (#35)
norbjd authored Mar 26, 2024
1 parent db00403 commit 2a129a6
Showing 1 changed file with 42 additions and 2 deletions.
44 changes: 42 additions & 2 deletions .github/workflows/release.yaml
Expand Up @@ -8,29 +8,69 @@ on:
jobs:
release-container-images:
name: build and push to ghcr.io
strategy:
matrix:
component:
- informer
- webhook
runs-on: ubuntu-22.04
permissions:
packages: write

outputs:
informer_image: ${{ steps.release.outputs.informer_image }}
informer_digest: ${{ steps.release.outputs.informer_digest }}
webhook_image: ${{ steps.release.outputs.webhook_image }}
webhook_digest: ${{ steps.release.outputs.webhook_digest }}

steps:
- uses: actions/setup-go@v4
with:
go-version: 1.21.x
- uses: ko-build/setup-ko@v0.6
- uses: actions/checkout@v4

- name: Build and push
- id: release
name: Build and push
env:
KO_DOCKER_REPO: ghcr.io/norbjd/k8s-pod-cpu-booster
run: |
# something like 202403241909-abcdef01 if we want to use a specific version
UNIQUE_TAG="$(TZ=UTC0 git log -1 --format=%cd --date=format-local:%Y%m%d%H%M)-$(git rev-parse --short HEAD)"
ko build ./cmd/informer ./cmd/webhook \
ko build ./cmd/${{ matrix.component }} \
--base-import-paths \
--sbom=none \
--image-refs=.digest \
--tags=$GITHUB_REF_NAME,$UNIQUE_TAG
image=$(cat .digest | cut -d'@' -f1 | cut -d':' -f1)
digest=$(cat .digest| cut -d'@' -f2)
echo "${{ matrix.component }}_image=$image" >> "$GITHUB_OUTPUT"
echo "${{ matrix.component }}_digest=$digest" >> "$GITHUB_OUTPUT"
# see https://github.com/slsa-framework/slsa-github-generator/blob/v1.10.0/internal/builders/container/README.md#ko
provenance:
needs:
- release-container-images
strategy:
matrix:
component:
- informer
- webhook
permissions:
actions: read
id-token: write
packages: write
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.10.0
with:
image: "${{ needs.release-container-images.outputs[format('{0}_image', matrix.component)] }}"
digest: "${{ needs.release-container-images.outputs[format('{0}_digest', matrix.component)] }}"
registry-username: ${{ github.actor }}
compile-generator: true
secrets:
registry-password: ${{ secrets.GITHUB_TOKEN }}

release-helm-chart:
name: release helm chart
runs-on: ubuntu-latest
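Review bot: The `image` and `digest` values written to `$GITHUB_OUTPUT` in the `release` step are cut out of `.digest` and never checked, yet they are exactly what the `provenance` job passes to the SLSA generator as the subject to attest. The step sets no `shell:`, so unless a `defaults.run.shell` exists outside the hunk it runs as `bash -e` without `pipefail`, and a missing or empty `.digest` would produce empty outputs instead of a failed step. I would fail fast before the two `echo` lines with `[[ "$digest" =~ ^sha256:[0-9a-f]{64}$ ]] || { echo "unexpected digest: $digest" >&2; exit 1; }`. Separately, `${{ matrix.component }}` is expanded straight into the script text; the values are a fixed list here, so this is hardening rather than a bug, but passing it as `env: COMPONENT: ${{ matrix.component }}` and using `"$COMPONENT"` in the script keeps expression expansion out of the shell.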