fix: source CSAF justification and comment from the status-setting as… #328
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build and push dev images | |
| on: | |
| push: | |
| branches: | |
| - stackable | |
| permissions: | |
| id-token: write | |
| jobs: | |
| docker_backend_dev: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| packages: write | |
| attestations: write | |
| id-token: write | |
| outputs: | |
| digest: ${{ steps.build-and-push-backend.outputs.digest }} | |
| steps: | |
| - | |
| name: Checkout | |
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 | |
| with: | |
| persist-credentials: false | |
| - | |
| name: Set up QEMU | |
| uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0 | |
| - | |
| name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 | |
| - | |
| name: Login to Stackable Harbor | |
| uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 | |
| with: | |
| registry: oci.stackable.tech | |
| username: robot$stackable+github-action-build | |
| password: ${{ secrets.HARBOR_ROBOT_STACKABLE_GITHUB_ACTION_BUILD_SECRET }} | |
| - | |
| name: Set up Cosign | |
| uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # tag=v3.3.0 | |
| - | |
| name: Set current date as env variable | |
| run: echo "CREATED=$(date +'%Y-%m-%dT%H:%M:%S')" >> $GITHUB_ENV | |
| - | |
| name: Build and push backend | |
| id: build-and-push-backend | |
| uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0 | |
| with: | |
| context: . | |
| file: ./docker/backend/prod/django/Dockerfile | |
| platforms: linux/amd64 | |
| push: true | |
| # Disable buildkit attestations so the pushed reference is the image | |
| # manifest digest (not an index), which the SLSA generator requires. | |
| provenance: false | |
| tags: oci.stackable.tech/stackable/secobserve-backend:dev | |
| build-args: | | |
| CREATED=${{ env.CREATED }} | |
| REVISION=${{ github.sha }} | |
| VERSION=dev | |
| - | |
| name: Sign the published backend image | |
| run: cosign sign -y oci.stackable.tech/stackable/secobserve-backend@${{ steps.build-and-push-backend.outputs.digest }} | |
| provenance_backend_dev: | |
| needs: [docker_backend_dev] | |
| permissions: | |
| actions: read # detect the build workflow that generated the image | |
| id-token: write # mint the OIDC token for keyless signing | |
| packages: write # needed until https://github.com/slsa-framework/slsa-github-generator/issues/1257 is resolved | |
| # MUST be referenced by a @vX.Y.Z tag (not a SHA), otherwise the | |
| # reusable workflow cannot verify its own provenance. | |
| uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0 | |
| with: | |
| image: oci.stackable.tech/stackable/secobserve-backend | |
| digest: ${{ needs.docker_backend_dev.outputs.digest }} | |
| registry-username: robot$stackable+github-action-build | |
| secrets: | |
| registry-password: ${{ secrets.HARBOR_ROBOT_STACKABLE_GITHUB_ACTION_BUILD_SECRET }} | |
| docker_frontend_dev: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| packages: write | |
| attestations: write | |
| id-token: write | |
| outputs: | |
| digest: ${{ steps.build-and-push-frontend.outputs.digest }} | |
| steps: | |
| - | |
| name: Checkout | |
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 | |
| with: | |
| persist-credentials: false | |
| - | |
| name: Set up QEMU | |
| uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0 | |
| - | |
| name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 | |
| - | |
| name: Login to Stackable Harbor | |
| uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 | |
| with: | |
| registry: oci.stackable.tech | |
| username: robot$stackable+github-action-build | |
| password: ${{ secrets.HARBOR_ROBOT_STACKABLE_GITHUB_ACTION_BUILD_SECRET }} | |
| - name: Set up Cosign | |
| uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # tag=v3.3.0 | |
| - | |
| name: Set current date as env variable | |
| run: echo "CREATED=$(date +'%Y-%m-%dT%H:%M:%S')" >> $GITHUB_ENV | |
| - | |
| name: Build and push frontend | |
| id: build-and-push-frontend | |
| uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0 | |
| with: | |
| context: . | |
| file: ./docker/frontend/prod/Dockerfile | |
| platforms: linux/amd64 | |
| push: true | |
| # Disable buildkit attestations so the pushed reference is the image | |
| # manifest digest (not an index), which the SLSA generator requires. | |
| provenance: false | |
| tags: oci.stackable.tech/stackable/secobserve-frontend:dev | |
| build-args: | | |
| CREATED=${{ env.CREATED }} | |
| REVISION=${{ github.sha }} | |
| VERSION=dev | |
| - | |
| name: Sign the published frontend image | |
| run: cosign sign -y oci.stackable.tech/stackable/secobserve-frontend@${{ steps.build-and-push-frontend.outputs.digest }} | |
| provenance_frontend_dev: | |
| needs: [docker_frontend_dev] | |
| permissions: | |
| actions: read # detect the build workflow that generated the image | |
| id-token: write # mint the OIDC token for keyless signing | |
| packages: write # needed until https://github.com/slsa-framework/slsa-github-generator/issues/1257 is resolved | |
| # MUST be referenced by a @vX.Y.Z tag (not a SHA), otherwise the | |
| # reusable workflow cannot verify its own provenance. | |
| uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0 | |
| with: | |
| image: oci.stackable.tech/stackable/secobserve-frontend | |
| digest: ${{ needs.docker_frontend_dev.outputs.digest }} | |
| registry-username: robot$stackable+github-action-build | |
| secrets: | |
| registry-password: ${{ secrets.HARBOR_ROBOT_STACKABLE_GITHUB_ACTION_BUILD_SECRET }} |