diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..4045c71
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,67 @@
+name: compage-template-python-ci
+on:
+ push:
+ branches:
+ - main
+jobs:
+ build-and-push:
+ permissions:
+ id-token: write # Required for keyless signing
+ contents: read
+ runs-on: ubuntu-latest
+ env:
+ REGISTRY: ghcr.io
+ GH_URL: https://github.com
+ steps:
+ - name: Check out the repo
+ uses: actions/checkout@v4
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GH_TOKEN }}
+ - name: Create JSON file
+ run: |
+ cat < /tmp/annotations.json
+ {
+ "\$manifest": {
+ "org.opencontainers.image.authors": "${{ github.actor }}",
+ "org.opencontainers.image.url": "${{ env.REGISTRY }}/${{ github.repository }}",
+ "org.opencontainers.image.source": "https://github.com/intelops/compage-template-python",
+ "org.opencontainers.image.version": "${{ github.run_id }}",
+ "org.opencontainers.image.vendor": "Intelops Inc.",
+ "org.opencontainers.image.licenses": "Apache License Version 2.0",
+ "org.opencontainers.image.title": "compage-template-python",
+ "org.opencontainers.image.description": "The compage-template-python has templates for python"
+ }
+ }
+ EOF
+ - uses: oras-project/setup-oras@v1
+ with:
+ version: 1.1.0
+ - run: |
+ oras push --annotation-file /tmp/annotations.json ${{ env.REGISTRY }}/${{ github.repository }}:${{ github.run_id }} ./:application/vnd.common.templates.layer.v1+tar
+
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@v3.3.0
+ - name: Check install!
+ run: cosign version
+ - name: Sign the images
+ run: |
+ cosign sign -y ${{ env.REGISTRY }}/${{ github.repository }}:${{ github.run_id }}
+ env:
+ COSIGN_EXPERIMENTAL: 1
+ - name: Verify the pushed tags
+ run: |
+ cosign verify ${{ env.REGISTRY }}/${{ github.repository }}:${{ github.run_id }} --certificate-identity ${{ env.GH_URL }}/${{ github.repository }}/.github/workflows/ci.yml@refs/heads/main --certificate-oidc-issuer https://token.actions.githubusercontent.com
+ env:
+ COSIGN_EXPERIMENTAL: 1
+ - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: 'fs'
+ format: 'github'
+ output: 'dependency-results.sbom.json'
+ image-ref: '.'
+ github-pat: ${{ secrets.GH_TOKEN }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..73dbf58
--- /dev/null
+++ b/.github/workflows/release.yml
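Review bot: The registry login and the Trivy step both authenticate with the long-lived PAT `secrets.GH_TOKEN`, although the job's `permissions` block already mints a scoped `GITHUB_TOKEN`; adding `packages: write` there and using `password: ${{ secrets.GITHUB_TOKEN }}` removes the standing secret and keeps the push least-privilege (if the Trivy dependency submission is also moved to `GITHUB_TOKEN`, it will additionally need `contents: write`). `uses: aquasecurity/trivy-action@master` is a mutable branch ref, so the action's code can change underneath this workflow with no diff here; pin it to a release tag or a commit SHA like the other actions, and the same applies to the release.yml hunk. The line `cat < /tmp/annotations.json` carries no heredoc marker, so as shown the step reads a file that does not exist yet and fails before the JSON is written; if this is a rendering artifact of `cat <<EOF > /tmp/annotations.json` it can be ignored, otherwise that is the line to fix. `COSIGN_EXPERIMENTAL: 1` is not needed with the cosign v2 line that `sigstore/cosign-installer@v3.3.0` installs by default, where keyless signing is the standard path, and can be dropped from both the sign and verify steps.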
@@ -0,0 +1,81 @@
+name: compage-template-python-release
+on:
+ push:
+ tags:
+ - "v*.*.*"
+permissions:
+ contents: write # needed to write releases
+ id-token: write # needed for keyless signing
+ packages: write # needed for ghcr access
+
+jobs:
+ push_to_registry:
+ name: Build and push oci image to github container registry.
+ runs-on: ubuntu-20.04
+ permissions:
+ packages: write
+ id-token: write
+ contents: read
+ actions: read
+ security-events: write
+ env:
+ REGISTRY: ghcr.io
+ GH_URL: https://github.com
+ steps:
+ - name: Set environment variable
+ run: |
+ echo "RELEASE_VERSION=${GITHUB_REF:10}" >> $GITHUB_ENV
+ - name: Test environment variable
+ run: echo ${{ env.RELEASE_VERSION }}
+ - name: Check out the repo
+ uses: actions/checkout@v4
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GH_TOKEN }}
+ - name: Create JSON file
+ run: |
+ cat < /tmp/annotations.json
+ {
+ "\$manifest": {
+ "org.opencontainers.image.authors": "${{ github.actor }}",
+ "org.opencontainers.image.url": "${{ env.REGISTRY }}/${{ github.repository }}",
+ "org.opencontainers.image.source": "https://github.com/intelops/compage-template-python",
+ "org.opencontainers.image.version": "${{ github.run_id }}",
+ "org.opencontainers.image.vendor": "Intelops Inc.",
+ "org.opencontainers.image.licenses": "Apache License Version 2.0",
+ "org.opencontainers.image.title": "compage-template-python",
+ "org.opencontainers.image.description": "The compage-template-python has templates for python"
+ }
+ }
+ EOF
+ - uses: oras-project/setup-oras@v1
+ with:
+ version: 1.1.0
+ - run: |
+ oras push --annotation-file /tmp/annotations.json ${{ env.REGISTRY }}/${{ github.repository }}:${{ env.RELEASE_VERSION }} ./:application/vnd.common.templates.layer.v1+tar
+
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@v3.3.0
+ - name: Check install!
+ run: cosign version
+ - name: Sign the images
+ run: |
+ cosign sign -y ${{ env.REGISTRY }}/${{ github.repository }}:${{ env.RELEASE_VERSION }}
+ env:
+ COSIGN_EXPERIMENTAL: 1
+ - name: Verify the pushed tags
+ run: |
+ cosign verify ${{ env.REGISTRY }}/${{ github.repository }}:${{ env.RELEASE_VERSION }} --certificate-identity ${{ env.GH_URL }}/${{ github.repository }}/.github/workflows/release.yml@refs/tags/${{ env.RELEASE_VERSION }} --certificate-oidc-issuer https://token.actions.githubusercontent.com
+ env:
+ COSIGN_EXPERIMENTAL: 1
+ - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: 'fs'
+ format: 'github'
+ output: 'dependency-results.sbom.json'
+ image-ref: '.'
+ github-pat: ${{ secrets.GH_TOKEN }}
diff --git a/devspace/devspace.yaml.tmpl b/code/devspace/devspace.yaml.tmpl
similarity index 100%
rename from devspace/devspace.yaml.tmpl
rename to code/devspace/devspace.yaml.tmpl
diff --git a/devspace/devspace_start.sh.tmpl b/code/devspace/devspace_start.sh.tmpl
similarity index 100%
rename from devspace/devspace_start.sh.tmpl
rename to code/devspace/devspace_start.sh.tmpl
diff --git a/kubernetes/deployment.yaml.tmpl b/code/kubernetes/deployment.yaml.tmpl
similarity index 100%
rename from kubernetes/deployment.yaml.tmpl
rename to code/kubernetes/deployment.yaml.tmpl
diff --git a/kubernetes/service.yaml.tmpl b/code/kubernetes/service.yaml.tmpl
similarity index 100%
rename from kubernetes/service.yaml.tmpl
rename to code/kubernetes/service.yaml.tmpl
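Review bot: The job-level `permissions` block already grants `packages: write`, yet the registry login still passes the PAT `secrets.GH_TOKEN`; because a job-level `permissions` block replaces the workflow-level one for that job, the scoped token is what should be used, `password: ${{ secrets.GITHUB_TOKEN }}`, and the top-level `permissions` stanza (`contents: write`, `id-token: write`, `packages: write`) then becomes dead configuration that advertises a broader grant than the job actually receives and should be removed. The annotation file records `"org.opencontainers.image.version": "${{ github.run_id }}"` while the artifact is pushed, signed and verified under `${{ env.RELEASE_VERSION }}`, so the OCI version metadata will never match the release tag; use `"${{ env.RELEASE_VERSION }}"` there. `RELEASE_VERSION=${GITHUB_REF:10}` derives the tag name by slicing a fixed offset off `refs/tags/`, which holds for this trigger but is brittle; `RELEASE_VERSION=${GITHUB_REF_NAME}` states the intent directly. `runs-on: ubuntu-20.04` refers to a runner image that GitHub has been retiring, so this job may stop scheduling; `ubuntu-latest`, as in ci.yml, avoids that.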