⬆️ Bump github.com/google/go-containerregistry #1487
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Continuous integration | |
| on: | |
| push: | |
| pull_request: | |
| types: [ opened, reopened, synchronize ] | |
| workflow_dispatch: | |
| jobs: | |
| build: | |
| name: Build | |
| runs-on: ubuntu-20.04 | |
| permissions: | |
| contents: write # tests create releases | |
| packages: read | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # ratchet:actions/[email protected] | |
| - name: Set up Go | |
| uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # ratchet:actions/[email protected] | |
| with: | |
| go-version-file: go.mod | |
| check-latest: true | |
| cache: true | |
| - name: Get dependencies | |
| run: make download | |
| - name: Lint | |
| run: | | |
| result="$(make lint)" | |
| echo "$result" | |
| [ -n "$(echo "$result" | grep 'diff -u')" ] && exit 1 || exit 0 | |
| - name: Build | |
| run: make build | |
| - name: Test | |
| env: | |
| GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | |
| run: make test-race | |
| - name: Coverage | |
| env: | |
| GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | |
| run: make coverage-out | |
| - name: Upload Code Coverage | |
| uses: codecov/codecov-action@125fc84a9a348dbcf27191600683ec096ec9021c # ratchet:codecov/[email protected] | |
| with: | |
| token: ${{ secrets.CODECOV_TOKEN }} | |
| files: ./coverage.out | |
| flags: unittests | |
| name: codecov-umbrella | |
| fail_ci_if_error: true | |
| verbose: true | |
| release: | |
| name: release | |
| needs: [build] | |
| permissions: | |
| contents: write | |
| packages: write | |
| id-token: write | |
| outputs: | |
| container_digest: ${{ steps.container_info.outputs.container_digest }} | |
| container_tags: ${{ steps.container_info.outputs.container_tags }} | |
| container_repos: ${{ steps.container_info.outputs.container_repos }} | |
| runs-on: ubuntu-20.04 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # ratchet:actions/[email protected] | |
| with: | |
| fetch-depth: 0 | |
| - name: Set up Go | |
| uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # ratchet:actions/[email protected] | |
| with: | |
| go-version-file: ./go.mod | |
| check-latest: true | |
| cache: true | |
| - name: Install cosign | |
| uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # ratchet:sigstore/[email protected] | |
| with: | |
| cosign-release: 'v2.2.4' | |
| - name: Install Syft | |
| uses: anchore/sbom-action/download-syft@e8d2a6937ecead383dfe75190d104edd1f9c5751 # ratchet:anchore/sbom-action/[email protected] | |
| - name: Login to Container registries | |
| if: startsWith(github.ref, 'refs/tags/') | |
| run: | | |
| echo "${{ secrets.DOCKER_PASSWORD }}" | docker login -u philipssoftware --password-stdin | |
| echo "${{ secrets.GITHUB_TOKEN }}" | docker login -u ${{ github.actor }} --password-stdin ghcr.io | |
| - name: Set release variables | |
| id: release-vars | |
| run: | | |
| make release-vars > /tmp/spiffe-vault-release-vars.env | |
| source /tmp/spiffe-vault-release-vars.env | |
| if [[ -n "$LDFLAGS" ]]; then | |
| echo "LDFLAGS=$LDFLAGS" >> $GITHUB_OUTPUT | |
| fi | |
| if [[ -n "$GIT_HASH" ]]; then | |
| echo "GIT_HASH=$GIT_HASH" >> $GITHUB_OUTPUT | |
| fi | |
| rm -f /tmp/spiffe-vault-release-vars.env | |
| - name: Release ${{ (!startsWith(github.ref, 'refs/tags/') && 'snapshot') || '' }} | |
| uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # ratchet:goreleaser/goreleaser-action@v4 | |
| with: | |
| version: latest | |
| args: release --clean ${{ (!startsWith(github.ref, 'refs/tags/') && '--snapshot') || '' }} ${{ ((startsWith(github.ref, 'refs/tags/') && endsWith(github.ref, '-draft')) && '-f .goreleaser.draft.yml') || '' }} | |
| env: | |
| GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | |
| LDFLAGS: ${{ steps.release-vars.outputs.LDFLAGS }} | |
| GIT_HASH: ${{ steps.release-vars.outputs.GIT_HASH }} | |
| COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} | |
| COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | |
| - name: Get container info | |
| id: container_info | |
| if: startsWith(github.ref, 'refs/tags/') | |
| run: | | |
| export CONTAINER_DIGEST="$(make container-digest GITHUB_REF=${{ github.ref_name }})" | |
| echo "container_digest=$CONTAINER_DIGEST" >> $GITHUB_OUTPUT | |
| echo "container_tags=$(make container-tags CONTAINER_DIGEST="${CONTAINER_DIGEST}" | paste -s -d ',' -)" >> $GITHUB_OUTPUT | |
| echo "container_repos=$(make container-repos CONTAINER_DIGEST="${CONTAINER_DIGEST}" | jq --raw-input . | jq --slurp -c)" >> $GITHUB_OUTPUT | |
| - name: Logout from Container registries | |
| if: ${{ always() }} | |
| run: | | |
| docker logout | |
| docker logout ghcr.io | |
| sbom: | |
| name: sbom | |
| needs: [release] | |
| if: startsWith(github.ref, 'refs/tags/') | |
| runs-on: ubuntu-20.04 | |
| env: | |
| TAGS: "${{ needs.release.outputs.container_tags }}" | |
| strategy: | |
| matrix: | |
| repo: ${{ fromJSON(needs.release.outputs.container_repos) }} | |
| steps: | |
| - name: Install cosign | |
| uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # ratchet:sigstore/[email protected] | |
| with: | |
| cosign-release: 'v2.2.4' | |
| - name: Install Syft | |
| uses: anchore/sbom-action/download-syft@e8d2a6937ecead383dfe75190d104edd1f9c5751 # ratchet:anchore/sbom-action/[email protected] | |
| - name: Login to Container registries | |
| run: | | |
| echo "${{ secrets.DOCKER_PASSWORD }}" | docker login -u philipssoftware --password-stdin | |
| echo "${{ secrets.GITHUB_TOKEN }}" | docker login -u ${{ github.actor }} --password-stdin ghcr.io | |
| - name: Attach SBOM | |
| env: | |
| COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | |
| COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} | |
| run: | | |
| echo '${{ secrets.COSIGN_PUBLIC_KEY }}' > cosign.pub | |
| IFS=, | |
| for t in ${TAGS}; do | |
| cosign verify --key cosign.pub ${{ matrix.repo }}:${t} | |
| syft ${{ matrix.repo }}:${t} -o spdx-json > sbom-spdx.json | |
| cosign attest --predicate sbom-spdx.json --type spdx --yes --key env://COSIGN_PRIVATE_KEY ${{ matrix.repo }}:${t} | |
| cosign verify-attestation -o verified-sbom-spdx.json --key cosign.pub ${{ matrix.repo }}:${t} | |
| done | |
| - name: Clean up & Logout from Container registries | |
| if: ${{ always() }} | |
| run: | | |
| docker logout | |
| docker logout ghcr.io | |
| provenance: | |
| name: provenance | |
| needs: [release] | |
| if: startsWith(github.ref, 'refs/tags/') | |
| runs-on: ubuntu-20.04 | |
| steps: | |
| - name: Generate provenance for Release | |
| uses: philips-labs/slsa-provenance-action@6b2fd198d38ba72fb3cc08fbc52da2ebaef2efad # ratchet:philips-labs/[email protected] | |
| with: | |
| command: generate | |
| subcommand: github-release | |
| arguments: --artifact-path release-assets --output-path provenance.att --tag-name ${{ github.ref_name }} | |
| env: | |
| GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | |
| - name: Install cosign | |
| uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # ratchet:sigstore/[email protected] | |
| with: | |
| cosign-release: 'v2.2.4' | |
| - name: Sign provenance | |
| run: | | |
| cosign sign-blob --yes --key env://COSIGN_PRIVATE_KEY --output-signature "${SIGNATURE}" provenance.att | |
| cat "${SIGNATURE}" | |
| curl_args=(-s -H "Authorization: token ${GITHUB_TOKEN}") | |
| curl_args+=(-H "Accept: application/vnd.github.v3+json") | |
| release_id="$(curl "${curl_args[@]}" "${GITHUB_API_URL}/repos/${GITHUB_REPOSITORY}/releases?per_page=10" | jq "map(select(.name == \"${GITHUB_REF_NAME}\"))" | jq -r '.[0].id')" | |
| echo "Upload ${SIGNATURE} to release with id ${release_id}…" | |
| curl_args+=(-H "Content-Type: $(file -b --mime-type "${SIGNATURE}")") | |
| curl "${curl_args[@]}" \ | |
| --data-binary @"${SIGNATURE}" \ | |
| "https://uploads.github.com/repos/${GITHUB_REPOSITORY}/releases/${release_id}/assets?name=${SIGNATURE}" | |
| env: | |
| GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | |
| COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} | |
| COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | |
| SIGNATURE: provenance.att.sig | |
| container-provenance: | |
| name: container-provenance | |
| needs: [release] | |
| if: startsWith(github.ref, 'refs/tags/') | |
| runs-on: ubuntu-20.04 | |
| strategy: | |
| matrix: | |
| repo: ${{ fromJSON(needs.release.outputs.container_repos) }} | |
| steps: | |
| - name: Install cosign | |
| uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # ratchet:sigstore/[email protected] | |
| with: | |
| cosign-release: 'v2.2.4' | |
| - name: Generate provenance for ${{ matrix.repo }} | |
| uses: philips-labs/slsa-provenance-action@6b2fd198d38ba72fb3cc08fbc52da2ebaef2efad # ratchet:philips-labs/[email protected] | |
| with: | |
| command: generate | |
| subcommand: container | |
| arguments: --repository ${{ matrix.repo }} --output-path provenance.att --digest ${{ needs.release.outputs.container_digest }} --tags ${{ needs.release.outputs.container_tags }} | |
| env: | |
| GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | |
| - name: Get slsa-provenance predicate | |
| run: | | |
| cat provenance.att | jq .predicate > provenance-predicate.att | |
| - name: Login to Container registries | |
| if: startsWith(github.ref, 'refs/tags/') | |
| run: | | |
| echo "${{ secrets.DOCKER_PASSWORD }}" | docker login -u philipssoftware --password-stdin | |
| echo "${{ secrets.GITHUB_TOKEN }}" | docker login -u ${{ github.actor }} --password-stdin ghcr.io | |
| - name: Attach provenance to image | |
| run: | | |
| cosign attest --predicate provenance-predicate.att --type slsaprovenance --yes --key env://COSIGN_PRIVATE_KEY ${{ matrix.repo }}@${{ needs.release.outputs.container_digest }} | |
| env: | |
| COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | |
| COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} | |
| - name: Verify attestation | |
| run: | | |
| echo '${{ secrets.COSIGN_PUBLIC_KEY }}' > cosign.pub | |
| cosign verify-attestation --key cosign.pub ${{ matrix.repo }}@${{ needs.release.outputs.container_digest }} | |
| - name: Logout from Container registries | |
| if: ${{ always() }} | |
| run: | | |
| docker logout | |
| docker logout ghcr.io |