Merge pull request #31 from coreruleset/renovate/all-minor-patch #17

Workflow file for this run

.github/workflows/release.yml at d63181f

	name: release

	on:
	push:
	tags:
	- '*'

	# Declare default permissions as read only.
	permissions: read-all

	env:
	REPO: ghcr.io/coreruleset/albedo

	jobs:
	goreleaser:
	runs-on: ubuntu-latest
	permissions:
	# https://goreleaser.com/ci/actions/#token-permissions
	contents: write
	packages: write

	steps:
	-
	name: Checkout
	uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
	with:
	fetch-depth: 0
	-
	name: Set up QEMU
	uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
	-
	name: Set up Docker Buildx
	uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
	-
	name: Set up Go
	uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
	with:
	go-version: ^1.22
	cache: true
	-
	name: Login to GitHub Container Registry
	uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}
	-
	name: Run GoReleaser
	uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0
	if: startsWith(github.ref, 'refs/tags/')
	with:
	version: latest
	args: release --clean
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

	publish-images:
	name: Build images
	runs-on: ubuntu-latest
	needs:
	- goreleaser
	permissions:
	contents: read
	packages: write
	id-token: write # needed for signing the images with GitHub OIDC Token
	steps:
	- name: Checkout
	uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
	with:
	fetch-depth: 1

	- name: Install Cosign
	uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0

	# https://github.com/docker/setup-qemu-action
	- name: Set up QEMU
	uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3

	# https://github.com/docker/setup-buildx-action
	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
	with:
	driver-opts: image=moby/buildkit:master

	- name: Login to GitHub Container Registry
	uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Build images
	id: build-and-push
	env:
	GIT_TAG: ${{ github.ref_name }}
	uses: docker/bake-action@e626c7390c9f95508a135a89e65ec698e061fb2a # v5.8.0
	with:
	files: \|
	./docker-bake.hcl
	targets: default
	push: true
	provenance: true
	sbom: true
	- name: Sign the images with GitHub OIDC Token
	env:
	METADATA: ${{ steps.build-and-push.outputs.metadata }}
	run: \|
	DIGEST=$(echo ${METADATA} \| jq -r '.[] \| ."containerimage.digest"')
	TAGS=$(echo ${METADATA} \| jq -r '.[] \| ."image.name" \| tostring' \| tr ',' '\n')
	images=""
	for tag in ${TAGS}; do
	images+="${tag}@${DIGEST} "
	done
	cosign sign --yes ${images}

	verify-images:
	name: Verify images
	runs-on: ubuntu-latest
	needs:
	- publish-images
	steps:
	- name: Run container
	run: \|
	tag="$(sed 's/^v//' <<<"${{ github.ref_name }}")"
	image_ref="${REPO}:${tag}"
	echo "Pulling ${image_ref} ..."
	docker pull "${image_ref}"
	echo "Starting container ${image_ref} ..."
	docker run --pull "never" -d --name albedo-test "${image_ref}"
	docker logs albedo-test

	- name: Verify container
	run: \|
	[ $(docker inspect albedo-test --format='{{.State.Running}}') = 'true' ]

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Merge pull request #31 from coreruleset/renovate/all-minor-patch #17

Workflow file

Merge pull request #31 from coreruleset/renovate/all-minor-patch #17

Jobs

Run details

Workflow file for this run