⬆️ Bump docker/login-action from 3.2.0 to 3.3.0 #744
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Continuous integration | |
on: | |
push: | |
pull_request: | |
types: [ opened, reopened ] | |
workflow_dispatch: | |
jobs: | |
build: | |
name: Build | |
runs-on: ubuntu-20.04 | |
permissions: | |
contents: read | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Set up Go | |
uses: actions/[email protected] | |
with: | |
go-version-file: go.mod | |
check-latest: true | |
- name: Get dependencies | |
run: make download | |
- name: Lint | |
run: | | |
result="$(make lint)" | |
echo "$result" | |
[ -n "$(echo "$result" | grep 'diff -u')" ] && exit 1 || exit 0 | |
- name: Build | |
run: make build | |
- name: Test | |
env: | |
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | |
run: make test | |
- name: Coverage | |
env: | |
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | |
run: make coverage-out | |
- name: Upload Code Coverage | |
uses: codecov/[email protected] | |
with: | |
token: ${{ secrets.CODECOV_TOKEN }} | |
files: ./coverage.out | |
flags: unittests | |
name: codecov-umbrella | |
fail_ci_if_error: true | |
verbose: true | |
release: | |
name: release | |
needs: [build] | |
outputs: | |
container_digest: ${{ steps.container_info.outputs.container_digest }} | |
container_tags: ${{ steps.container_info.outputs.container_tags }} | |
runs-on: ubuntu-20.04 | |
permissions: | |
contents: write | |
packages: write | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Set up Go | |
uses: actions/[email protected] | |
with: | |
go-version-file: go.mod | |
check-latest: true | |
- name: Install cosign | |
uses: sigstore/[email protected] | |
with: | |
cosign-release: 'v2.4.0' | |
- name: Install Syft | |
uses: anchore/sbom-action/[email protected] | |
- name: Login to ghcr.io | |
uses: docker/[email protected] | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Set release variables | |
id: release-vars | |
run: | | |
make release-vars > /tmp/fatt-release-vars.env | |
source /tmp/fatt-release-vars.env | |
if [[ -n "$LDFLAGS" ]]; then | |
echo "LDFLAGS=$LDFLAGS" >>"${GITHUB_OUTPUT}" | |
fi | |
if [[ -n "$GIT_HASH" ]]; then | |
echo "GIT_HASH=$GIT_HASH" >>"${GITHUB_OUTPUT}" | |
fi | |
rm -f /tmp/fatt-release-vars.env | |
- name: Install signing key | |
run: echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key | |
- name: Release ${{ (!startsWith(github.ref, 'refs/tags/') && 'snapshot') || '' }} | |
uses: goreleaser/goreleaser-action@v5 | |
with: | |
version: latest | |
args: release --clean ${{ (!startsWith(github.ref, 'refs/tags/') && '--snapshot') || '' }} | |
env: | |
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | |
LDFLAGS: ${{ steps.release-vars.outputs.LDFLAGS }} | |
GIT_HASH: ${{ steps.release-vars.outputs.GIT_HASH }} | |
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | |
- name: Get container info | |
id: container_info | |
if: startsWith(github.ref, 'refs/tags/') | |
run: | | |
export CONTAINER_DIGEST=$(make container-digest GITHUB_REF=${{ github.ref_name }}) | |
echo "container_digest=$CONTAINER_DIGEST" >>"${GITHUB_OUTPUT}" | |
echo "container_tags=$(make container-tags CONTAINER_DIGEST="${CONTAINER_DIGEST}" | paste -s -d ',' -)" >>"${GITHUB_OUTPUT}" | |
- name: Cleanup signing keys | |
if: ${{ always() }} | |
run: rm -f cosign.key | |
sbom: | |
name: sbom | |
needs: [release] | |
if: startsWith(github.ref, 'refs/tags/') | |
runs-on: ubuntu-20.04 | |
env: | |
TAGS: "${{ needs.release.outputs.container_tags }}" | |
steps: | |
- name: Install cosign | |
uses: sigstore/[email protected] | |
with: | |
cosign-release: 'v2.4.0' | |
- name: Install Syft | |
uses: anchore/sbom-action/[email protected] | |
- name: Login to ghcr.io | |
uses: docker/[email protected] | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Attach SBOM | |
env: | |
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | |
REPO: ghcr.io/philips-labs/fatt | |
run: | | |
echo '${{ secrets.COSIGN_PUBLIC_KEY }}' > cosign.pub | |
echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key | |
IFS=, | |
for t in ${TAGS}; do | |
cosign verify --key cosign.pub ${REPO}:${t} | |
syft ${REPO}:${t} -o spdx-json > sbom-spdx.json | |
cosign attach sbom --sbom sbom-spdx.json --type spdx ${REPO}:${t} | |
cosign attest --predicate sbom-spdx.json --type spdx --key cosign.key ${REPO}:${t} | |
cosign verify-attestation -o verified-sbom-spdx.json --key cosign.pub ${REPO}:${t} | |
done | |
- name: Clean up signing keys | |
if: ${{ always() }} | |
run: | | |
rm -f cosign.key | |
provenance: | |
name: provenance | |
needs: [release] | |
if: startsWith(github.ref, 'refs/tags/') | |
runs-on: ubuntu-20.04 | |
steps: | |
- name: Generate provenance for Release | |
uses: philips-labs/[email protected] | |
with: | |
command: generate | |
subcommand: github-release | |
arguments: --artifact-path release-assets --output-path provenance.att --tag-name ${{ github.ref_name }} | |
env: | |
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | |
- name: Install cosign | |
uses: sigstore/[email protected] | |
with: | |
cosign-release: 'v2.4.0' | |
- name: Sign provenance | |
run: | | |
echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key | |
cosign sign-blob --key cosign.key --output-signature "${SIGNATURE}" provenance.att | |
cat "${SIGNATURE}" | |
curl_args=(-s -H "Authorization: token ${GITHUB_TOKEN}") | |
curl_args+=(-H "Accept: application/vnd.github.v3+json") | |
release_id="$(curl "${curl_args[@]}" "${GITHUB_API_URL}/repos/${GITHUB_REPOSITORY}/releases?per_page=10" | jq "map(select(.name == \"${GITHUB_REF_NAME}\"))" | jq -r '.[0].id')" | |
echo "Upload ${SIGNATURE} to release with id ${release_id}…" | |
curl_args+=(-H "Content-Type: $(file -b --mime-type "${SIGNATURE}")") | |
curl "${curl_args[@]}" \ | |
--data-binary @"${SIGNATURE}" \ | |
"https://uploads.github.com/repos/${GITHUB_REPOSITORY}/releases/${release_id}/assets?name=${SIGNATURE}" | |
env: | |
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | |
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | |
SIGNATURE: provenance.att.sig | |
container-provenance: | |
name: container-provenance | |
needs: [release] | |
if: startsWith(github.ref, 'refs/tags/') | |
runs-on: ubuntu-20.04 | |
env: | |
REPO: ghcr.io/philips-labs/fatt | |
steps: | |
- name: Install cosign | |
uses: sigstore/[email protected] | |
with: | |
cosign-release: 'v2.4.0' | |
- name: Generate provenance for ${REPO} | |
uses: philips-labs/[email protected] | |
with: | |
command: generate | |
subcommand: container | |
arguments: --repository ${REPO} --output-path provenance.att --digest ${{ needs.release.outputs.container_digest }} --tags ${{ needs.release.outputs.container_tags }} | |
env: | |
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | |
- name: Get slsa-provenance predicate | |
run: | | |
cat provenance.att | jq .predicate > provenance-predicate.att | |
- name: Login to ghcr.io | |
uses: docker/[email protected] | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Attach provenance to image | |
run: | | |
echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key | |
cosign attest --predicate provenance-predicate.att --type slsaprovenance --key cosign.key ${REPO}@${{ needs.release.outputs.container_digest }} | |
env: | |
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | |
- name: Verify attestation | |
run: | | |
echo '${{ secrets.COSIGN_PUBLIC_KEY }}' > cosign.pub | |
cosign verify-attestation --key cosign.pub ${REPO}@${{ needs.release.outputs.container_digest }} | |
- name: Cleanup signing keys | |
if: ${{ always() }} | |
run: | | |
rm -f cosign.key |