test

Signed-off-by: Adam Cmiel <[email protected]>
chmeliik · Jun 12, 2024 · 27dd641 · 27dd641
1 parent 017c7bf
commit 27dd641
Showing 1 changed file with 120 additions and 0 deletions.
diff --git a/.github/workflows/push-image.yaml b/.github/workflows/push-image.yaml
@@ -0,0 +1,120 @@
+# https://docs.github.com/en/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions#upgrading-a-workflow-that-accesses-a-registry-using-a-personal-access-token
+name: Build Image
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - image/v*
+  pull_request:
+
+env:
+  REGISTRY: ghcr.io
+  SCOPED_NAME: ${{ github.repository_owner }}/checkton
+  IMAGE: ghcr.io/${{ github.repository_owner }}/checkton
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      attestations: write
+      packages: write
+      contents: read
+
+    outputs:
+      versioned_image: ${{ steps.tag.outputs.versioned_image }}
+      digest: ${{ steps.push.outputs.digest }}
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Build image
+        uses: redhat-actions/buildah-build@v2
+        with:
+          containerfiles: Dockerfile
+          image: ${{ env.IMAGE }}
+          tags: |
+            ${{ github.sha }}
+
+      - name: Generate SBOM
+        uses: anchore/sbom-action@v0
+        with:
+          image: ${{ env.IMAGE }}:${{ github.sha }}
+          format: cyclonedx-json
+          output-file: .sbom.json
+          upload-artifact: false
+          upload-release-assets: false
+
+      - name: Login to registry
+        uses: redhat-actions/podman-login@v1
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Push image
+        id: push
+        uses: redhat-actions/push-to-registry@v2
+        with:
+          registry: ${{ env.REGISTRY }}
+          image: ${{ env.SCOPED_NAME }}
+          tags: |
+            ${{ github.sha }}
+
+      - name: Generate image attestation
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-name: ${{ env.IMAGE }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
+
+      - name: Generate SBOM attestation
+        uses: actions/attest-sbom@v1
+        with:
+          subject-name: ${{ env.IMAGE }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          sbom-path: .sbom.json
+          push-to-registry: true
+
+      - name: Tag with release version
+        if: ${{ startsWith(github.ref, 'refs/tags/image/v') || true }}
+        id: tag
+        run: |
+          #!/bin/bash
+          set -e
+
+          version=test
+          skopeo copy "docker://$IMAGE:$GITHUB_SHA" "docker://$IMAGE:$version"
+          echo "versioned_image=$IMAGE:$version" >> "$GITHUB_OUTPUT"
+
+  bump-image:
+    if: ${{ startsWith(github.ref, 'refs/tags/image/v') || true }}
+    needs: [build]
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Bump image ref in action.yaml
+        env:
+          VERSIONED_IMAGE: ${{ jobs.build.outputs.versioned_image }}
+          DIGEST: ${{ jobs.build.outputs.digest }}
+        run: |
+          #!/bin/bash
+          set -e
+
+          sed -E "s;(\s*)image: .*;\1image: ${VERSIONED_IMAGE}@${DIGEST};" -i action.yaml
+
+          if [[ -z "$(git diff)" ]]; then
+              exit
+          fi
+
+          git checkout -b "selfupdate/$version"
+
+          version=${VERSIONED_IMAGE##*:}  # extract the tag
+          git add action.yaml
+          git commit \
+              --author "Checkton Bot <[email protected]>" \
+              -m "action.yaml: update to $version"
+
+          git push --set-upstream origin "selfupdate/$version"
+          gh pr create --fill