publish-dev-assets #40
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: publish-dev-assets | |
| on: | |
| schedule: | |
| - cron: "30 8 * * 0" # early morning (08:30 UTC) every Sunday | |
| workflow_dispatch: | |
| permissions: read-all | |
| jobs: | |
| build: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| packages: write | |
| contents: read | |
| id-token: write | |
| environment: azure-publish | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout | |
| uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 | |
| - name: Install Notation | |
| uses: notaryproject/notation-action/setup@03242349f62aeddc995e12c6fbcea3b87697873f # v1.2.0 | |
| - name: Install cosign | |
| uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 | |
| - name: Az CLI login | |
| uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0 | |
| with: | |
| client-id: ${{ secrets.AZURE_CLIENT_ID }} | |
| tenant-id: ${{ secrets.AZURE_TENANT_ID }} | |
| subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
| - name: Cache AAD tokens | |
| run: | | |
| az version | |
| # Key Vault: | |
| az account get-access-token --scope https://vault.azure.net/.default --output none | |
| - name: prepare | |
| id: prepare | |
| run: | | |
| DATE=$(date +'%Y%m%d') | |
| COMMIT=${{ github.sha }} | |
| REPOSITORY=ghcr.io/${{ github.repository }} | |
| CHART_REPOSITORY=${REPOSITORY}-chart-dev | |
| VERSION=dev.${DATE}.${COMMIT:0:7} | |
| SEM_VERSION=0-${VERSION} | |
| SEM_VERSION_ROLLING=0-dev | |
| REPOSITORY_PLUGINS=${REPOSITORY}-dev | |
| REPOSITORYBASE=${REPOSITORY}-base-dev | |
| REPOSITORYCRD=${REPOSITORY}-crds-dev | |
| echo ::set-output name=version::${VERSION} | |
| echo ::set-output name=semversion::${SEM_VERSION} | |
| echo ::set-output name=semversionrolling::${SEM_VERSION_ROLLING} | |
| echo ::set-output name=chartrepo::${CHART_REPOSITORY} | |
| echo ::set-output name=ref::${REPOSITORY_PLUGINS} | |
| echo ::set-output name=baseref::${REPOSITORYBASE} | |
| echo ::set-output name=crdref::${REPOSITORYCRD} | |
| - name: docker login | |
| uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: docker build ratify-crds | |
| run: | | |
| docker buildx create --use | |
| docker buildx build \ | |
| --attest type=sbom \ | |
| --attest type=provenance,mode=max \ | |
| --build-arg KUBE_VERSION="1.29.2" \ | |
| -f crd.Dockerfile \ | |
| --platform linux/amd64,linux/arm64,linux/arm/v7 \ | |
| --label org.opencontainers.image.revision=${{ github.sha }} \ | |
| -t ${{ steps.prepare.outputs.crdref }}:${{ steps.prepare.outputs.version }} \ | |
| -t ${{ steps.prepare.outputs.crdref }} \ | |
| --push ./charts/ratify/crds | |
| - name: docker build ratify base | |
| run: | | |
| docker buildx create --use | |
| docker buildx build -f ./httpserver/Dockerfile \ | |
| --attest type=sbom \ | |
| --attest type=provenance,mode=max \ | |
| --platform linux/amd64,linux/arm64,linux/arm/v7 \ | |
| --build-arg LDFLAGS="-X github.com/ratify-project/ratify/internal/version.Version=$(TAG)" \ | |
| --label org.opencontainers.image.revision=${{ github.sha }} \ | |
| -t ${{ steps.prepare.outputs.baseref }}:${{ steps.prepare.outputs.version }} \ | |
| -t ${{ steps.prepare.outputs.baseref }} \ | |
| --push . | |
| - name: docker build ratify with plugin | |
| run: | | |
| docker buildx create --use | |
| docker buildx build -f ./httpserver/Dockerfile \ | |
| --attest type=sbom \ | |
| --attest type=provenance,mode=max \ | |
| --platform linux/amd64,linux/arm64,linux/arm/v7 \ | |
| --build-arg build_sbom=true \ | |
| --build-arg build_licensechecker=true \ | |
| --build-arg build_schemavalidator=true \ | |
| --build-arg build_vulnerabilityreport=true \ | |
| --build-arg LDFLAGS="-X github.com/ratify-project/ratify/internal/version.Version=$(TAG)" \ | |
| --label org.opencontainers.image.revision=${{ github.sha }} \ | |
| -t ${{ steps.prepare.outputs.ref }}:${{ steps.prepare.outputs.version }} \ | |
| -t ${{ steps.prepare.outputs.ref }} \ | |
| --push . | |
| - name: replace version | |
| run: | | |
| sed -i '/^ repository:/c\ repository: ghcr.io/ratify-project/ratify-dev' charts/ratify/values.yaml | |
| sed -i '/^ crdRepository:/c\ crdRepository: ghcr.io/ratify-project/ratify-crds-dev' charts/ratify/values.yaml | |
| sed -i '/^ tag:/c\ tag: ${{ steps.prepare.outputs.version }}' charts/ratify/values.yaml | |
| - name: helm package | |
| run: | | |
| helm package ./charts/ratify --version ${{ steps.prepare.outputs.semversion }} | |
| helm package ./charts/ratify --version ${{ steps.prepare.outputs.semversionrolling }} | |
| - name: helm push | |
| run: | | |
| helm push ratify-${{ steps.prepare.outputs.semversion }}.tgz oci://${{ steps.prepare.outputs.chartrepo }} | |
| helm push ratify-${{ steps.prepare.outputs.semversionrolling }}.tgz oci://${{ steps.prepare.outputs.chartrepo }} | |
| - name: Sign with Notation | |
| uses: notaryproject/notation-action/sign@03242349f62aeddc995e12c6fbcea3b87697873f # v1.2.0 | |
| with: | |
| plugin_name: azure-kv | |
| plugin_url: ${{ vars.AZURE_KV_PLUGIN_URL }} | |
| plugin_checksum: ${{ vars.AZURE_KV_CHECKSUM }} | |
| key_id: ${{ secrets.AZURE_KV_KEY_ID }} | |
| target_artifact_reference: |- | |
| ${{ steps.prepare.outputs.crdref }}:${{ steps.prepare.outputs.version }} | |
| ${{ steps.prepare.outputs.baseref }}:${{ steps.prepare.outputs.version }} | |
| ${{ steps.prepare.outputs.ref }}:${{ steps.prepare.outputs.version }} | |
| ${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversionrolling }} | |
| ${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversion }} | |
| signature_format: cose | |
| - name: Sign with Cosign | |
| run: | | |
| cosign sign --yes ${{ steps.prepare.outputs.crdref }}:${{ steps.prepare.outputs.version }} | |
| cosign sign --yes ${{ steps.prepare.outputs.baseref }}:${{ steps.prepare.outputs.version }} | |
| cosign sign --yes ${{ steps.prepare.outputs.ref }}:${{ steps.prepare.outputs.version }} | |
| cosign sign --yes ${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversionrolling }} | |
| cosign sign --yes ${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversion }} | |
| - name: clear | |
| if: always() | |
| run: | | |
| rm -f ${HOME}/.docker/config.json |