This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Using Kaniko: refer to the following documentations: | |
# * https://github.com/marketplace/actions/kaniko-action | |
# * https://github.com/int128/kaniko-action#inputs | |
name: "Build a container that ship with goreleaser, cosign, ko-build, trivy, syft and push to GitHub Container Registry (GHCR)" | |
on: | |
pull_request: | |
branches: | |
- main | |
- release/* | |
push: | |
branches: | |
- main | |
- containerfiles # TODO: remove after testing | |
- cosign-slsa # TODO: remove after testing | |
# Global KANIKO Variables: | |
# See: https://github.com/int128/kaniko-action | |
# - KANIKO_BUILD_CONTEXT is the path to the location of the Containerfile. | |
# - BASE_CONTAINERFILE_NAME is name and location of the Containerfile for base image with a /bin/bash entrypoint. | |
# - GOREL_ENTRYP_CONTAINERFILE_NAME is name and location of the Containerfile form image with ENTRYPOINT [ "/go/bin/goreleaser" ] | |
env: | |
KANIKO_BUILD_CONTEXT: "${{ github.workspace }}" | |
BASE_CONTAINERFILE_NAME: "${{ github.workspace }}/Containerfile.goreleaser-ko-cosign-trivy-syft-x86-arm64-root-usr.base" | |
GOREL_ENTRYP_CONTAINERFILE_NAME: "${{ github.workspace }}/Containerfile.goreleaser-ko-cosign-trivy-syft-x86-arm64-root-usr" | |
OCI_REGISTRY: "ghcr.io" | |
jobs: | |
set-lowercase-repository: | |
runs-on: ubuntu-latest | |
outputs: | |
lowercase-github-repository: ${{ steps.convert.outputs.lowercase }} | |
steps: | |
- name: Convert repository name to lowercase | |
id: convert | |
run: | | |
echo "::set-output name=lowercase::$(echo '${{ github.repository }}' | tr '[:upper:]' '[:lower:]')" | |
use-lowercase-repo: | |
needs: set-lowercase-repository | |
runs-on: ubuntu-latest | |
steps: | |
- name: Access lowercase repository name | |
run: | | |
echo "Original Repository: ${{ github.repository }}" | |
echo "Lowercase Repository: ${{ needs.set-lowercase-repository.outputs.lowercase-github-repository }}" | |
# Kaniko job to build a container image "goreleaser-glibc-image-base" has a /bin/bash entrypoint | |
build-base-image: | |
needs: set-lowercase-repository | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout source code | |
uses: actions/checkout@v4 | |
- name: Extract Tools Versions from Containerfile as we use this in tags names | |
id: extract | |
run: | | |
# Extract values from the Containerfile | |
GOLANG_VERSION=$(grep -m1 'ARG GOLANG_VERSION=' $BASE_CONTAINERFILE_NAME | cut -d'=' -f2) | |
echo "GOLANG_VERSION=${GOLANG_VERSION}" >> $GITHUB_OUTPUT | |
GORELEASER_VERSION=$(grep -m1 'ARG GORELEASER_VERSION=' $BASE_CONTAINERFILE_NAME | cut -d'=' -f2) | |
echo "GORELEASER_VERSION=${GORELEASER_VERSION}" >> $GITHUB_OUTPUT | |
TRIVY_VERSION=$(grep -m1 'ARG TRIVY_VERSION=' $BASE_CONTAINERFILE_NAME | cut -d'=' -f2) | |
echo "TRIVY_VERSION=${TRIVY_VERSION}" >> $GITHUB_OUTPUT | |
COSIGN_VERSION=$(grep -m1 'ARG COSIGN_VERSION=' $BASE_CONTAINERFILE_NAME | cut -d'=' -f2) | |
echo "COSIGN_VERSION=${COSIGN_VERSION}" >> $GITHUB_OUTPUT | |
KO_VERSION=$(grep -m1 'ARG KO_VERSION=' $BASE_CONTAINERFILE_NAME | cut -d'=' -f2) | |
echo "KO_VERSION=${KO_VERSION}" >> $GITHUB_OUTPUT | |
SYFT_VERSION=$(grep -m1 'ARG SYFT_VERSION=' $BASE_CONTAINERFILE_NAME | cut -d'=' -f2) | |
echo "SYFT_VERSION=${SYFT_VERSION}" >> $GITHUB_OUTPUT | |
DEBIAN_VERSION=$(grep -m1 'ARG DEBIAN_VERSION=' $BASE_CONTAINERFILE_NAME | cut -d'=' -f2) | |
echo "DEBIAN_VERSION=${DEBIAN_VERSION}" >> $GITHUB_OUTPUT | |
- uses: docker/login-action@v3 | |
id: login | |
with: | |
registry: ${{ env.OCI_REGISTRY }} | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Container metadata and tags | |
id: metadata | |
uses: docker/metadata-action@v5 | |
with: | |
# image name may contain lowercase letters, digits and separators https://github.com/docker/metadata-action/tree/v5/?tab=readme-ov-file#image-name-and-tag-sanitization | |
images: ${{ steps.login.outputs.registry }}/${{ needs.set-lowercase-repository.outputs.lowercase-github-repository }}-base | |
tags: | | |
type=ref,event=branch | |
# use tools version as tags | |
type=raw,value=golang-${{ steps.extract.outputs.golang_version }} | |
type=raw,value=goreleaser-${{ steps.extract.outputs.goreleaser_version }} | |
type=raw,value=cosign-${{ steps.extract.outputs.cosign_version }} | |
type=raw,value=ko-${{ steps.extract.outputs.ko_version }} | |
type=raw,value=trivy-${{ steps.extract.outputs.trivy_version }} | |
type=raw,value=syft-${{ steps.extract.outputs.syft_version }} | |
type=raw,value=golang-${{ steps.extract.outputs.golang_version }}-${{ steps.extract.outputs.debian_version}} | |
type=raw,value=goreleaser-${{ steps.extract.outputs.goreleaser_version }}-${{ steps.extract.outputs.debian_version}} | |
type=raw,value=cosign-${{ steps.extract.outputs.cosign_version }}-${{ steps.extract.outputs.debian_version}} | |
type=raw,value=ko-${{ steps.extract.outputs.ko_version }}-${{ steps.extract.outputs.debian_version}} | |
type=raw,value=trivy-${{ steps.extract.outputs.trivy_version }}-${{ steps.extract.outputs.debian_version}} | |
type=raw,value=syft-${{ steps.extract.outputs.syft_version }}-${{ steps.extract.outputs.debian_version}} | |
# minimal (short sha) | |
type=sha | |
# full length sha | |
type=sha,format=long | |
- name: Build the OCI image (base image entrytoint /bin/bash) | |
id: kaniko | |
uses: int128/kaniko-action@v1 | |
with: | |
push: true | |
tags: ${{ steps.metadata.outputs.tags }} | |
labels: ${{ steps.metadata.outputs.labels }} | |
cache: true | |
cache-repository: ${{ steps.login.outputs.registry }}/${{ needs.set-lowercase-repository.outputs.lowercase-github-repository }}/cache | |
file: ${{ env.BASE_CONTAINERFILE_NAME }} | |
context: ${{ env.KANIKO_BUILD_CONTEXT }} | |
verbosity: "info" # https://github.com/GoogleContainerTools/kaniko#flag---verbosity | |
outputs: | |
oci-image-digest: ${{ steps.kaniko.outputs.digest }} | |
oci-image-url: ${{ steps.metadata.outputs.images }} # needs to be lowercase | |
# Job to build a SLSA provenance attestation | |
base-image-provenance: | |
name: Generate SLSA provenance attestation for OCI | |
needs: build-base-image # Ensure this job runs after build-base-image | |
permissions: | |
actions: read # for detecting the Github Actions environment. | |
id-token: write # for creating OIDC tokens for signing. Required for SLSA and Cosign | |
packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues) | |
# Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator | |
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | |
with: | |
image: ${{ needs.build-base-image.outputs.oci-image-url }} # needs to be lowercase | |
digest: ${{ needs.build-base-image.outputs.oci-image-digest }} | |
secrets: | |
registry-username: ${{ github.actor }} | |
registry-password: ${{ secrets.GITHUB_TOKEN }} | |
# Kaniko job to build a container image "goreleaser-glibc-image" that has a goreleaser entrypoint | |
build-goreleaser-entryp-image: | |
needs: build-base-image # Ensure this job runs after build-base-image | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout source code | |
uses: actions/checkout@v4 | |
- name: Extract Tools Versions from Containerfile as we use this in tags names | |
id: extract | |
run: | | |
# Extract values from the Containerfile | |
GOLANG_VERSION=$(grep -m1 'ARG GOLANG_VERSION=' $GOREL_ENTRYP_CONTAINERFILE_NAME | cut -d'=' -f2) | |
echo "GOLANG_VERSION=${GOLANG_VERSION}" >> $GITHUB_OUTPUT | |
GORELEASER_VERSION=$(grep -m1 'ARG GORELEASER_VERSION=' $GOREL_ENTRYP_CONTAINERFILE_NAME | cut -d'=' -f2) | |
echo "GORELEASER_VERSION=${GORELEASER_VERSION}" >> $GITHUB_OUTPUT | |
TRIVY_VERSION=$(grep -m1 'ARG TRIVY_VERSION=' $GOREL_ENTRYP_CONTAINERFILE_NAME | cut -d'=' -f2) | |
echo "TRIVY_VERSION=${TRIVY_VERSION}" >> $GITHUB_OUTPUT | |
COSIGN_VERSION=$(grep -m1 'ARG COSIGN_VERSION=' $GOREL_ENTRYP_CONTAINERFILE_NAME | cut -d'=' -f2) | |
echo "COSIGN_VERSION=${COSIGN_VERSION}" >> $GITHUB_OUTPUT | |
KO_VERSION=$(grep -m1 'ARG KO_VERSION=' $GOREL_ENTRYP_CONTAINERFILE_NAME | cut -d'=' -f2) | |
echo "KO_VERSION=${KO_VERSION}" >> $GITHUB_OUTPUT | |
SYFT_VERSION=$(grep -m1 'ARG SYFT_VERSION=' $GOREL_ENTRYP_CONTAINERFILE_NAME | cut -d'=' -f2) | |
echo "SYFT_VERSION=${SYFT_VERSION}" >> $GITHUB_OUTPUT | |
DEBIAN_VERSION=$(grep -m1 'ARG DEBIAN_VERSION=' $GOREL_ENTRYP_CONTAINERFILE_NAME | cut -d'=' -f2) | |
echo "DEBIAN_VERSION=${DEBIAN_VERSION}" >> $GITHUB_OUTPUT | |
- uses: docker/login-action@v3 | |
id: login | |
with: | |
registry: ${{ env.OCI_REGISTRY }} | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Container metadata and tags | |
id: metadata | |
uses: docker/metadata-action@v5 | |
with: | |
# image name may contain lowercase letters, digits and separators https://github.com/docker/metadata-action/tree/v5/?tab=readme-ov-file#image-name-and-tag-sanitization | |
images: ${{ steps.login.outputs.registry }}/${{ needs.set-lowercase-repository.outputs.lowercase-github-repository }} | |
tags: | | |
type=ref,event=branch | |
# use tools version as tags | |
type=raw,value=golang-${{ steps.extract.outputs.golang_version }} | |
type=raw,value=goreleaser-${{ steps.extract.outputs.goreleaser_version }} | |
type=raw,value=cosign-${{ steps.extract.outputs.cosign_version }} | |
type=raw,value=ko-${{ steps.extract.outputs.ko_version }} | |
type=raw,value=trivy-${{ steps.extract.outputs.trivy_version }} | |
type=raw,value=syft-${{ steps.extract.outputs.syft_version }} | |
type=raw,value=golang-${{ steps.extract.outputs.golang_version }}-${{ steps.extract.outputs.debian_version}} | |
type=raw,value=goreleaser-${{ steps.extract.outputs.goreleaser_version }}-${{ steps.extract.outputs.debian_version}} | |
type=raw,value=cosign-${{ steps.extract.outputs.cosign_version }}-${{ steps.extract.outputs.debian_version}} | |
type=raw,value=ko-${{ steps.extract.outputs.ko_version }}-${{ steps.extract.outputs.debian_version}} | |
type=raw,value=trivy-${{ steps.extract.outputs.trivy_version }}-${{ steps.extract.outputs.debian_version}} | |
type=raw,value=syft-${{ steps.extract.outputs.syft_version }}-${{ steps.extract.outputs.debian_version}} | |
# minimal (short sha) | |
type=sha | |
# full length sha | |
type=sha,format=long | |
- name: Build the OCI image | |
id: kaniko | |
uses: int128/kaniko-action@v1 | |
with: | |
push: true | |
tags: ${{ steps.metadata.outputs.tags }} | |
labels: ${{ steps.metadata.outputs.labels }} | |
cache: true | |
cache-repository: ${{ steps.login.outputs.registry }}/${{ needs.set-lowercase-repository.outputs.lowercase-github-repository }}/cache | |
file: ${{ env.GOREL_ENTRYP_CONTAINERFILE_NAME }} | |
context: ${{ env.KANIKO_BUILD_CONTEXT }} | |
verbosity: "info" # https://github.com/GoogleContainerTools/kaniko#flag---verbosity | |
outputs: | |
oci-image-digest: ${{ steps.kaniko.outputs.digest }} | |
oci-image-url: ${{ steps.metadata.outputs.images }} # needs to be lowercase | |
goreleaser-entryp-image-provenance: | |
name: Generate SLSA provenance attestation for OCI | |
needs: build-goreleaser-entryp-image # Ensure this job runs after build-base-image | |
permissions: | |
actions: read # for detecting the Github Actions environment. | |
id-token: write # for creating OIDC tokens for signing. Required for SLSA and Cosign | |
packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues) | |
# Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator | |
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | |
with: | |
image: ${{ needs.build-goreleaser-entryp-image.outputs.oci-image-url }} # needs to be lowercase | |
digest: ${{ needs.build-goreleaser-entryp-image.outputs.oci-image-digest }} | |
secrets: | |
registry-username: ${{ github.actor }} | |
registry-password: ${{ secrets.GITHUB_TOKEN }} |