-
Notifications
You must be signed in to change notification settings - Fork 1
134 lines (121 loc) · 3.83 KB
/
release.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
name: release
on:
push:
tags:
- '*'
# Declare default permissions as read only.
permissions: read-all
env:
REPO: ghcr.io/coreruleset/albedo
jobs:
goreleaser:
runs-on: ubuntu-latest
permissions:
# https://goreleaser.com/ci/actions/#token-permissions
contents: write
packages: write
steps:
-
name: Checkout
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
with:
fetch-depth: 0
-
name: Set up QEMU
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
-
name: Set up Go
uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
with:
go-version: ^1.22
cache: true
-
name: Login to GitHub Container Registry
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
-
name: Run GoReleaser
uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5.1.0
if: startsWith(github.ref, 'refs/tags/')
with:
version: latest
args: release --clean
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
publish-images:
name: Build images
runs-on: ubuntu-latest
needs:
- goreleaser
permissions:
contents: read
packages: write
id-token: write # needed for signing the images with GitHub OIDC Token
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 1
- name: Install Cosign
uses: sigstore/[email protected]
# https://github.com/docker/setup-qemu-action
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
# https://github.com/docker/setup-buildx-action
- name: Set up Docker Buildx
uses: docker/[email protected]
with:
driver-opts: image=moby/buildkit:master
- name: Login to GitHub Container Registry
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build images
id: build-and-push
env:
GIT_TAG: ${{ github.ref_name }}
uses: docker/[email protected]
with:
files: |
./docker-bake.hcl
targets: default
push: false
provenance: true
sbom: true
- name: Sign the images with GitHub OIDC Token
env:
METADATA: ${{ steps.build-and-push.outputs.metadata }}
run: |
DIGEST=$(echo ${METADATA} | jq -r '.[] | ."containerimage.digest"')
TAGS=$(echo ${METADATA} | jq -r '.[] | ."image.name" | tostring' | tr ',' '\n')
images=""
for tag in ${TAGS}; do
images+="${tag}@${DIGEST} "
done
cosign sign --yes ${images}
verify-images:
name: Verify images
runs-on: ubuntu-latest
needs:
- publish-images
steps:
- name: Run container
run: |
tag="$(sed 's/^v//' <<<"${{ github.ref_name }}")"
image_ref="${REPO}:${tag}"
echo "Pulling ${image_ref} ..."
docker pull "${image_ref}"
echo "Starting container ${image_ref} ..."
docker run --pull "never" -d --name albedo-test "${image_ref}"
docker logs albedo-test
- name: Verify container
run: |
[ $(docker inspect albedo-test --format='{{.State.Running}}') = 'true' ]