.github/workflows/publish-dev-assets.yml

name: publish-dev-assets

on:
  schedule:
    - cron: "30 8 * * 0" # early morning (08:30 UTC) every Sunday
  workflow_dispatch:

permissions: read-all

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      packages: write
      contents: read
      id-token: write
    environment: azure-publish
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
        with:
          egress-policy: audit
      - name: Checkout
        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
      - name: Install Notation
        uses: notaryproject/notation-action/setup@03242349f62aeddc995e12c6fbcea3b87697873f # v1.2.0
      - name: Install cosign
        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
      - name: Az CLI login
        uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - name: Cache AAD tokens
        run: |
          az version
          # Key Vault: 
          az account get-access-token --scope https://vault.azure.net/.default --output none
      - name: prepare
        id: prepare
        run: |
          DATE=$(date +'%Y%m%d')
          COMMIT=${{ github.sha }}
          REPOSITORY=ghcr.io/${{ github.repository }}
          CHART_REPOSITORY=${REPOSITORY}-chart-dev
          VERSION=dev.${DATE}.${COMMIT:0:7}
          SEM_VERSION=0-${VERSION}
          SEM_VERSION_ROLLING=0-dev
          REPOSITORY_PLUGINS=${REPOSITORY}-dev
          REPOSITORYBASE=${REPOSITORY}-base-dev
          REPOSITORYCRD=${REPOSITORY}-crds-dev
          echo ::set-output name=version::${VERSION}
          echo ::set-output name=semversion::${SEM_VERSION}
          echo ::set-output name=semversionrolling::${SEM_VERSION_ROLLING}
          echo ::set-output name=chartrepo::${CHART_REPOSITORY}
          echo ::set-output name=ref::${REPOSITORY_PLUGINS}
          echo ::set-output name=baseref::${REPOSITORYBASE}
          echo ::set-output name=crdref::${REPOSITORYCRD}
      - name: docker login
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: docker build ratify-crds
        run: |
          docker buildx create --use
          docker buildx build \
            --attest type=sbom \
            --attest type=provenance,mode=max \
            --build-arg KUBE_VERSION="1.29.2" \
            -f crd.Dockerfile \
            --platform linux/amd64,linux/arm64,linux/arm/v7 \
            --label org.opencontainers.image.revision=${{ github.sha }} \
            -t ${{ steps.prepare.outputs.crdref }}:${{ steps.prepare.outputs.version }} \
            -t ${{ steps.prepare.outputs.crdref }} \
            --push ./charts/ratify/crds
      - name: docker build ratify base
        run: |
          docker buildx create --use         
          docker buildx build -f ./httpserver/Dockerfile \
            --attest type=sbom \
            --attest type=provenance,mode=max \
            --platform linux/amd64,linux/arm64,linux/arm/v7 \
            --build-arg LDFLAGS="-X github.com/ratify-project/ratify/internal/version.Version=$(TAG)" \
            --label org.opencontainers.image.revision=${{ github.sha }} \
            -t ${{ steps.prepare.outputs.baseref }}:${{ steps.prepare.outputs.version }} \
            -t ${{ steps.prepare.outputs.baseref }} \
            --push .
      - name: docker build ratify with plugin
        run: |
          docker buildx create --use
          docker buildx build -f ./httpserver/Dockerfile \
            --attest type=sbom \
            --attest type=provenance,mode=max \
            --platform linux/amd64,linux/arm64,linux/arm/v7 \
            --build-arg build_sbom=true \
            --build-arg build_licensechecker=true \
            --build-arg build_schemavalidator=true \
            --build-arg build_vulnerabilityreport=true \
            --build-arg LDFLAGS="-X github.com/ratify-project/ratify/internal/version.Version=$(TAG)" \
            --label org.opencontainers.image.revision=${{ github.sha }} \
            -t ${{ steps.prepare.outputs.ref }}:${{ steps.prepare.outputs.version }} \
            -t ${{ steps.prepare.outputs.ref }} \
            --push .
      - name: replace version
        run: |
          sed -i '/^  repository:/c\  repository: ghcr.io/ratify-project/ratify-dev' charts/ratify/values.yaml
          sed -i '/^  crdRepository:/c\  crdRepository: ghcr.io/ratify-project/ratify-crds-dev' charts/ratify/values.yaml
          sed -i '/^  tag:/c\  tag: ${{ steps.prepare.outputs.version }}' charts/ratify/values.yaml
      - name: helm package
        run: |
          helm package ./charts/ratify --version ${{ steps.prepare.outputs.semversion }}
          helm package ./charts/ratify --version ${{ steps.prepare.outputs.semversionrolling }}
      - name: helm push
        run: |
          helm push ratify-${{ steps.prepare.outputs.semversion }}.tgz oci://${{ steps.prepare.outputs.chartrepo }}
          helm push ratify-${{ steps.prepare.outputs.semversionrolling }}.tgz oci://${{ steps.prepare.outputs.chartrepo }}
      - name: Sign with Notation
        uses: notaryproject/notation-action/sign@03242349f62aeddc995e12c6fbcea3b87697873f # v1.2.0
        with:
          plugin_name: azure-kv
          plugin_url: ${{ vars.AZURE_KV_PLUGIN_URL }}
          plugin_checksum: ${{ vars.AZURE_KV_CHECKSUM }}
          key_id: ${{ secrets.AZURE_KV_KEY_ID }}
          target_artifact_reference: |-
            ${{ steps.prepare.outputs.crdref }}:${{ steps.prepare.outputs.version }}
            ${{ steps.prepare.outputs.baseref }}:${{ steps.prepare.outputs.version }}
            ${{ steps.prepare.outputs.ref }}:${{ steps.prepare.outputs.version }}
            ${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversionrolling }}
            ${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversion }}
          signature_format: cose
      - name: Sign with Cosign
        run: |
          cosign sign --yes ${{ steps.prepare.outputs.crdref }}:${{ steps.prepare.outputs.version }}
          cosign sign --yes ${{ steps.prepare.outputs.baseref }}:${{ steps.prepare.outputs.version }}
          cosign sign --yes ${{ steps.prepare.outputs.ref }}:${{ steps.prepare.outputs.version }}
          cosign sign --yes ${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversionrolling }}
          cosign sign --yes ${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversion }}
      - name: clear
        if: always()
        run: |
          rm -f ${HOME}/.docker/config.json