ci: bump cosign #214
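# Build, test, publish and sign the chartmuseum container image.
#
# Triggered only by pushes to `main` (published as the `canary` tag) and by
# `v*` tag pushes (published under the tag name) — never by pull_request, so
# fork code never runs with the write permissions granted below. The image is
# pushed to GHCR, signed keylessly with cosign using the job's GitHub OIDC
# token, and an SPDX SBOM is attached to it.
name: build

on:
  push:
    branches:
      - main
    tags:
      - v*

jobs:
  build:
    runs-on: ubuntu-latest
    # Least privilege for the job's GITHUB_TOKEN:
    #   contents: read  – checkout only (the token cannot push to the repo)
    #   packages: write – push the image to ghcr.io
    #   id-token: write – mint the OIDC token cosign exchanges for a signing cert
    permissions:
      contents: read
      packages: write
      id-token: write
    steps:
      # NOTE(review): only puerco/bom-installer below is pinned to a full commit
      # SHA. A mutable tag (@v1, @v2) and especially a branch head (@main on
      # upload-artifact) can be moved by the action's maintainer at any time;
      # pin every third-party action to a commit SHA.
      - name: Checkout
        uses: actions/checkout@v2
        with:
          # Do not leave GITHUB_TOKEN in .git/config for the rest of the job:
          # the build/test steps run Go modules and a PyPI install, and a
          # compromised dependency could otherwise read the token and use its
          # packages:write scope. Nothing later needs git credentials
          # (git rev-parse is local and contents is read-only anyway).
          persist-credentials: false

      - name: setup go environment
        uses: actions/setup-go@v2
        with:
          go-version: '1.20'  # quoted so YAML does not turn it into the float 1.2

      - name: download dependencies
        run: make bootstrap

      - name: run unit tests
        run: make test

      - name: build binaries
        run: make build-cross

      - name: run acceptance tests
        # NOTE(review): installs an unpinned virtualenv from PyPI at build time,
        # a supply-chain input outside the repo's lockfiles; pin the version.
        run: sudo pip install virtualenv && make acceptance

      # Computes the image name, version and buildx argument string for the
      # steps below and publishes them as step outputs.
      - name: Prepare
        id: prepare
        run: |
          DOCKER_IMAGE=ghcr.io/helm/chartmuseum
          DOCKER_PLATFORMS=linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64,linux/386
          VERSION=canary
          if [[ $GITHUB_REF == refs/tags/* ]]; then
            VERSION=${GITHUB_REF#refs/tags/}
          fi
          # VERSION comes from the pushed tag name and is later used as an OCI
          # tag, in a file path and on shell command lines. Git ref names may
          # contain `$`, `;`, `|`, `&` and quotes, so reject anything outside
          # the OCI tag alphabet before it is used anywhere.
          if [[ ! $VERSION =~ ^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$ ]]; then
            echo "refusing to build: unsafe version string '${VERSION}'" >&2
            exit 1
          fi
          TAGS="--tag ${DOCKER_IMAGE}:${VERSION}"
          # $GITHUB_OUTPUT replaces the deprecated `::set-output` workflow command.
          {
            echo "docker_image=${DOCKER_IMAGE}"
            echo "version=${VERSION}"
            echo "buildx_args=--platform ${DOCKER_PLATFORMS} --build-arg revision=$(git rev-parse --short HEAD) ${TAGS} ."
          } >> "$GITHUB_OUTPUT"

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v1
        with:
          platforms: all

      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@v2
        with:
          version: v0.9.1

      # Step outputs are handed to the shell through `env:` rather than spliced
      # into `run:` with `${{ }}`: an expression inside `run:` is substituted
      # into the script text before bash parses it, so any shell metacharacter
      # in the value would be executed. Environment variables are plain data.
      - name: Available platforms
        env:
          PLATFORMS: ${{ steps.buildx.outputs.platforms }}
        run: echo "${PLATFORMS}"

      - name: Docker Login
        uses: docker/login-action@v1
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          # The job-scoped token (packages: write) is enough to push to GHCR;
          # no long-lived registry credential is stored in the repo.
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Docker Buildx (build and push)
        env:
          BUILDX_ARGS: ${{ steps.prepare.outputs.buildx_args }}
        run: |
          # BUILDX_ARGS is deliberately unquoted: it is a space-separated argument list.
          docker buildx build --no-cache --pull --output "type=image,push=true" ${BUILDX_ARGS}

      - name: Docker Check Manifest
        env:
          IMAGE: ${{ steps.prepare.outputs.docker_image }}
          VERSION: ${{ steps.prepare.outputs.version }}
        # NOTE(review): mplatform/mquery is pulled unpinned from Docker Hub at
        # run time; pin it by digest like the actions above.
        run: |
          docker run --rm mplatform/mquery "${IMAGE}:${VERSION}"

      - name: Install Kubernetes SBOM Tool
        uses: puerco/bom-installer@aa0837e37b6965b5fc50adfad0683ec3c0a2c2c4

      - name: Install sigstore cosign
        uses: sigstore/[email protected]

      # COSIGN_EXPERIMENTAL enables keyless (Fulcio/Rekor) signing in the
      # cosign 1.x line installed above; newer cosign releases make keyless the
      # default, at which point the variable can be dropped — TODO confirm
      # against the installed version.
      - name: Release artifacts (includes SBOM and signatures)
        id: release-artifacts
        env:
          AZURE_STORAGE_CONNECTION_STRING: ${{ secrets.AZURE_STORAGE_CONNECTION_STRING }}
          AZURE_STORAGE_CONTAINER_NAME: ${{ secrets.AZURE_STORAGE_CONTAINER_NAME }}
          COSIGN_EXPERIMENTAL: "true"
          VERSION: ${{ steps.prepare.outputs.version }}
        run: |
          SKIP_BUILD=true ./scripts/release-artifacts.sh

      - name: Sign the published images (via GitHub OIDC token)
        env:
          COSIGN_EXPERIMENTAL: "true"
          IMAGE: ${{ steps.prepare.outputs.docker_image }}
          VERSION: ${{ steps.prepare.outputs.version }}
        # NOTE(review): signing a tag binds the signature to whatever the tag
        # resolves to at sign time. Capture the pushed digest (e.g. buildx
        # `--metadata-file`) and sign `${IMAGE}@sha256:...` so the signature is
        # tied to exactly the manifest this job pushed.
        run: |
          cosign sign "${IMAGE}:${VERSION}"

      - name: Attach SBOM to published images
        env:
          COSIGN_EXPERIMENTAL: "true"
          IMAGE: ${{ steps.prepare.outputs.docker_image }}
          VERSION: ${{ steps.prepare.outputs.version }}
        run: |
          cosign attach sbom --sbom "_dist/chartmuseum-${VERSION}.spdx" "${IMAGE}:${VERSION}"

      # Remove the registry credential written by docker login, even when an
      # earlier step failed.
      - name: Clear
        if: always()
        run: |
          rm -f "${HOME}/.docker/config.json"

      - name: upload coverage report
        if: always()
        uses: actions/upload-artifact@main
        with:
          name: chartmuseum-coverage-report-${{ github.sha }}
          path: .cover/

      - name: upload acceptance test report
        if: always()
        uses: actions/upload-artifact@main
        with:
          name: chartmuseum-acceptance-report-${{ github.sha }}
          path: .robot/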