chore(docs): add verify attribute to OCI Repository #106

Workflow file for this run

	---
	name: ci

	concurrency:
	cancel-in-progress: ${{ ! startsWith(github.ref, 'refs/tags/v') }}
	group: ci-${{ github.ref_name }}-${{ github.event_name }}

	on:
	push:
	branches:
	- main
	tags:
	- v*
	pull_request:
	branches:
	- main

	env:
	ANSIBLE_FORCE_COLOR: "1"
	PY_COLORS: "1"

	jobs:
	checkov:
	if: \|
	contains(fromJson('["schedule", "pull_request", "push"]'), github.event_name)
	permissions:
	contents: read
	security-events: write
	runs-on: ubuntu-latest
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	- name: Checkov GitHub Action
	uses: bridgecrewio/checkov-action@v12
	with:
	config_file: .checkov_config.yaml
	output_format: cli,sarif
	output_file_path: console,results.sarif

	trivy:
	if: github.event_name == 'push' \|\| github.event_name == 'pull_request'
	runs-on: ubuntu-latest
	permissions:
	contents: read
	security-events: write
	strategy:
	fail-fast: false
	matrix:
	scan-type:
	- fs
	- config
	steps:
	- name: Checkout code
	uses: actions/checkout@v4
	- name: Cache trivy db
	uses: actions/cache@v4
	with:
	path: \|
	~/.cache/trivy
	~/work/temp
	key: ${{ runner.os }}-trivy-db-${{ hashFiles('**/trivy.yaml') }}
	- name: Run Trivy vulnerability scanner in fs mode
	uses: aquasecurity/trivy-action@master
	with:
	format: sarif
	ignore-unfixed: true
	output: trivy-results.sarif
	scan-ref: .
	scan-type: ${{ matrix.scan-type }}
	severity: CRITICAL,HIGH
	trivy-config: trivy.yaml
	token-setup-trivy: ${{ secrets.GH_PAT }}
	- name: Upload Trivy scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@v3
	with:
	sarif_file: trivy-results.sarif

	ansible-lint:
	if: github.event_name == 'push' \|\| github.event_name == 'pull_request'
	runs-on: ubuntu-latest
	steps:
	- name: Checkout code
	uses: actions/checkout@v4
	- name: Run ansible-lint
	uses: ansible/ansible-lint@main

	release-edge:
	needs:
	- checkov
	- ansible-lint
	- trivy
	if: github.event_name == 'push' && github.ref == 'refs/heads/main'
	permissions:
	packages: write
	id-token: write
	runs-on: ubuntu-latest
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	- name: Setup Cosign CLI
	uses: sigstore/cosign-installer@v3
	- name: Setup Notation CLI
	uses: notaryproject/notation-action/setup@v1
	with:
	version: "1.1.0"
	- name: Setup Notation signing keys
	run: \|
	mkdir -p ~/.config/notation/localkeys/
	cp ./.notation/signingkeys.json ~/.config/notation/
	cp ./.notation/notation.crt ~/.config/notation/localkeys/
	echo "$NOTATION_KEY" > ~/.config/notation/localkeys/notation.key
	env:
	NOTATION_KEY: ${{ secrets.NOTATION_SIGNING_KEY }}
	- name: Setup Flux CLI
	uses: fluxcd/flux2/action@main
	- name: Login to GitHub Container Registry
	uses: docker/login-action@v3
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ github.token }}
	- name: Build source
	run: tar cvzf kustomizations.tar.gz $(find . -maxdepth 1 -type d ! -name '.*' \| grep -v -f .buildignore)
	- id: push
	name: Push to ghcr OCI registry
	run: \|
	digest_url=$(flux push artifact oci://ghcr.io/${{ github.repository }}:${{ github.run_id }} \
	--path=kustomizations.tar.gz \
	--source=${{ github.server_url }}/${{ github.repository }} \
	--revision="$(git tag --points-at HEAD)@sha1:$(git rev-parse HEAD)" \
	--annotations="org.opencontainers.image.created=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" \
	--annotations="org.opencontainers.image.description=OCI artifact containing Kustomizations" \
	--annotations="org.opencontainers.image.documentation=${{ github.server_url }}/${{ github.repository }}" \
	--annotations="org.opencontainers.image.licenses=Apache-2.0" \
	--annotations="org.opencontainers.image.revision=$(git rev-parse HEAD)" \
	--annotations="org.opencontainers.image.title=Kustomizations" \
	--annotations="org.opencontainers.image.url=${{ github.server_url }}/${{ github.repository }}" \
	--annotations="org.opencontainers.image.version=$(git tag --points-at HEAD)" \
	--output json \| jq -r '. \| .repository + "@" + .digest')
	flux tag artifact oci://ghcr.io/${{ github.repository }}:${{ github.run_id }} --tag latest
	echo "digest-url=$digest_url" >> $GITHUB_OUTPUT
	- name: Sign artifacts with cosign
	run: \|
	cosign sign --yes ${{ steps.push.outputs.digest-url }}
	- name: Sign artifacts with Notation
	run: \|
	notation sign --signature-format cose ghcr.io/${{ github.repository }}:${{ github.run_id }}
	notation sign --signature-format cose ghcr.io/${{ github.repository }}:latest

	release-please:
	if: github.event_name == 'push' && github.ref == 'refs/heads/main'
	runs-on: ubuntu-latest
	permissions:
	contents: write
	pull-requests: write
	outputs:
	releases_created: ${{ steps.release-please.outputs.releases_created }}
	tag_name: ${{ steps.release-please.outputs.tag_name }}
	steps:
	- id: release-please
	name: Release please
	uses: googleapis/release-please-action@v4
	with:
	release-type: simple

	release-stable:
	needs:
	- release-please
	if: needs.release-please.outputs.releases_created == 'true'
	permissions:
	packages: write
	id-token: write
	runs-on: ubuntu-latest
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	- name: Setup Cosign CLI
	uses: sigstore/cosign-installer@v3
	- name: Setup Notation CLI
	uses: notaryproject/notation-action/setup@v1
	with:
	version: "1.1.0"
	- name: Setup Notation signing keys
	run: \|
	mkdir -p ~/.config/notation/localkeys/
	cp ./.notation/signingkeys.json ~/.config/notation/
	cp ./.notation/notation.crt ~/.config/notation/localkeys/
	echo "$NOTATION_KEY" > ~/.config/notation/localkeys/notation.key
	env:
	NOTATION_KEY: ${{ secrets.NOTATION_SIGNING_KEY }}
	- name: Setup Flux CLI
	uses: fluxcd/flux2/action@main
	- name: Login to GitHub Container Registry
	uses: docker/login-action@v3
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ github.token }}
	- name: Build source
	run: tar cvzf kustomizations.tar.gz $(find . -maxdepth 1 -type d ! -name '.*' \| grep -v -f .buildignore)
	- id: push
	name: Push to ghcr OCI registry
	run: \|
	digest_url=$(flux push artifact oci://ghcr.io/${{ github.repository }}:${{ needs.release-please.outputs.tag_name }} \
	--path=kustomizations.tar.gz \
	--source=${{ github.server_url }}/${{ github.repository }} \
	--revision="$(git tag --points-at HEAD)@sha1:$(git rev-parse HEAD)" \
	--annotations="org.opencontainers.image.created=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" \
	--annotations="org.opencontainers.image.description=OCI artifact containing Kustomizations" \
	--annotations="org.opencontainers.image.documentation=${{ github.server_url }}/${{ github.repository }}" \
	--annotations="org.opencontainers.image.licenses=Apache-2.0" \
	--annotations="org.opencontainers.image.revision=$(git rev-parse HEAD)" \
	--annotations="org.opencontainers.image.title=Kustomizations" \
	--annotations="org.opencontainers.image.url=${{ github.server_url }}/${{ github.repository }}" \
	--annotations="org.opencontainers.image.version=$(git tag --points-at HEAD)" \
	--output json \| jq -r '. \| .repository + "@" + .digest')
	echo "digest-url=$digest_url" >> $GITHUB_OUTPUT
	- name: Sign artifacts with cosign
	run: \|
	cosign sign --yes ${{ steps.push.outputs.digest-url }}
	- name: Sign artifacts with Notation
	run: \|
	notation sign --signature-format cose ghcr.io/${{ github.repository }}:${{ needs.release-please.outputs.tag_name }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(docs): add verify attribute to OCI Repository #106

Workflow file

chore(docs): add verify attribute to OCI Repository #106

Jobs

Run details

Workflow file for this run