From 27dd6414912e83fdb4e636f8f9e78c52ba796e34 Mon Sep 17 00:00:00 2001
From: Adam Cmiel
Date: Wed, 12 Jun 2024 11:03:21 +0200
Subject: [PATCH] test

Signed-off-by: Adam Cmiel
---
 .github/workflows/push-image.yaml | 120 ++++++++++++++++++++++++++++++
 1 file changed, 120 insertions(+)
 create mode 100644 .github/workflows/push-image.yaml

diff --git a/.github/workflows/push-image.yaml b/.github/workflows/push-image.yaml
new file mode 100644
index 0000000..028abd1
--- /dev/null
+++ b/.github/workflows/push-image.yaml
@@ -0,0 +1,120 @@
+# https://docs.github.com/en/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions#upgrading-a-workflow-that-accesses-a-registry-using-a-personal-access-token
+name: Build Image
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - image/v*
+  pull_request:
+
+env:
+  REGISTRY: ghcr.io
+  SCOPED_NAME: ${{ github.repository_owner }}/checkton
+  IMAGE: ghcr.io/${{ github.repository_owner }}/checkton
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      attestations: write
+      packages: write
+      contents: read
+
+    outputs:
+      versioned_image: ${{ steps.tag.outputs.versioned_image }}
+      digest: ${{ steps.push.outputs.digest }}
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Build image
+        uses: redhat-actions/buildah-build@v2
+        with:
+          containerfiles: Dockerfile
+          image: ${{ env.IMAGE }}
+          tags: |
+            ${{ github.sha }}
+
+      - name: Generate SBOM
+        uses: anchore/sbom-action@v0
+        with:
+          image: ${{ env.IMAGE }}:${{ github.sha }}
+          format: cyclonedx-json
+          output-file: .sbom.json
+          upload-artifact: false
+          upload-release-assets: false
+
+      - name: Login to registry
+        uses: redhat-actions/podman-login@v1
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Push image
+        id: push
+        uses: redhat-actions/push-to-registry@v2
+        with:
+          registry: ${{ env.REGISTRY }}
+          image: ${{ env.SCOPED_NAME }}
+          tags: |
+            ${{ github.sha }}
+
+      - name: Generate image attestation
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-name: ${{ env.IMAGE }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
+
+      - name: Generate SBOM attestation
+        uses: actions/attest-sbom@v1
+        with:
+          subject-name: ${{ env.IMAGE }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          sbom-path: .sbom.json
+          push-to-registry: true
+
+      - name: Tag with release version
+        if: ${{ startsWith(github.ref, 'refs/tags/image/v') 
|| true }}
+        id: tag
+        run: |
+          #!/bin/bash
+          set -e
+
+          version=test
+          skopeo copy "docker://$IMAGE:$GITHUB_SHA" "docker://$IMAGE:$version"
+          echo "versioned_image=$IMAGE:$version" >> "$GITHUB_OUTPUT"
+
+  bump-image:
+    if: ${{ startsWith(github.ref, 'refs/tags/image/v') || true }}
+    needs: [build]
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Bump image ref in action.yaml
+        env:
+          VERSIONED_IMAGE: ${{ jobs.build.outputs.versioned_image }}
+          DIGEST: ${{ jobs.build.outputs.digest }}
+        run: |
+          #!/bin/bash
+          set -e
+
+          sed -E "s;(\s*)image: .*;\1image: ${VERSIONED_IMAGE}@${DIGEST};" -i action.yaml
+
+          if [[ -z "$(git diff)" ]]; then
+            exit
+          fi
+
+          git checkout -b "selfupdate/$version"
+
+          version=${VERSIONED_IMAGE##*:} # extract the tag
+          git add action.yaml
+          git commit \
+            --author "Checkton Bot " \
+            -m "action.yaml: update to $version"
+
+          git push --set-upstream origin "selfupdate/$version"
+          gh pr create --fill
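Review bot: In the bump-image job, `VERSIONED_IMAGE` and `DIGEST` read `jobs.build.outputs.*`, but outputs of a prerequisite job are exposed through the `needs` context (`needs.build.outputs.versioned_image`, `needs.build.outputs.digest`), so both expand empty and the sed rewrites action.yaml to `image: @`; the job also has no `runs-on`, which the workflow validator rejects. In the same script `git checkout -b "selfupdate/$version"` runs before `version=${VERSIONED_IMAGE##*:}` is assigned, so the branch is named `selfupdate/`; move the assignment above the checkout. Pushing the branch and running `gh pr create` presumably also needs `contents: write` and `pull-requests: write` plus a token in `GH_TOKEN`, unless the repository's default token permissions already cover that — worth confirming. Separately, the push and attestation steps in build carry no `if:`, so with the `pull_request` trigger every same-repo PR build pushes an image to ghcr.io and publishes provenance and SBOM attestations for unreviewed code, and the `|| true` on both `if:` conditions additionally runs the release-tag step and the self-update job on every event; if that is only scaffolding for this test commit, drop `|| true` and gate push/attest on non-PR events before merging.
```yaml
  bump-image:
    if: ${{ startsWith(github.ref, 'refs/tags/image/v') }}
    needs: [build]
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
    steps:
      # … unchanged: checkout step …
      - name: Bump image ref in action.yaml
        env:
          VERSIONED_IMAGE: ${{ needs.build.outputs.versioned_image }}
          DIGEST: ${{ needs.build.outputs.digest }}
          GH_TOKEN: ${{ github.token }}
        run: |
          # … unchanged: shebang, set -e, sed, empty-diff exit …
          version=${VERSIONED_IMAGE##*:}  # extract the tag before it is used in the branch name
          git checkout -b "selfupdate/$version"
          # … unchanged: git add / commit / push / gh pr create …
```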