-
-
Notifications
You must be signed in to change notification settings - Fork 20
145 lines (128 loc) · 5.86 KB
/
age.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
name: age
on:
push:
branches:
- main
paths:
- age/*
- .github/workflows/age.yml
workflow_dispatch:
schedule:
- cron: "0 8 * * 1"
env:
BUILD_VERSION: "v1.2.1"
DOCKER_CLI_EXPERIMENTAL: enabled
REPOSITORY: ${{ github.actor }}/${{ github.workflow }}
permissions: read-all
jobs:
deploy:
runs-on: ubuntu-24.04
permissions:
packages: write
id-token: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e
with:
disable-sudo: true
egress-policy: block
disable-telemetry: true
allowed-endpoints: >
api.github.com:443
auth.docker.io:443
dl-cdn.alpinelinux.org:443
docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com:443
ghcr.io:443
github.com:443
pkg-containers.githubusercontent.com:443
index.docker.io:443
production.cloudflare.docker.com:443
proxy.golang.org:443
registry-1.docker.io:443
sum.golang.org:443
- name: Source checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.4.2
- name: Setup QEMU
id: qemu
uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v1.2.0
- name: Setup Buildx
id: buildx
uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v1
- name: Set Docker metadata
id: docker_meta
uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v3
with:
images: ${{ env.REPOSITORY }}
tags: |
type=sha,format=long,prefix=sha256:
labels: |
org.opencontainers.image.version=${{ env.BUILD_VERSION }}
org.opencontainers.image.revision=${{ github.sha }}
org.opencontainers.image.title=${{ env.REPOSITORY }}
- name: GitHub login
if: ${{ github.event_name != 'pull_request' }}
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v1.12.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: DockerHub login
if: ${{ github.event_name != 'pull_request' }}
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v1.12.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_PASSWORD }}
- name: Build and push
id: push-step
uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v2.8.0
with:
push: ${{ github.event_name != 'pull_request' }}
context: ${{ github.workflow }}
#platforms: linux/amd64,linux/arm64,linux/arm/v7,linux/arm/v6,linux/ppc64le
platforms: linux/amd64,linux/arm64,linux/arm/v7,linux/arm/v6,linux/ppc64le,linux/s390x
#platforms: linux/amd64,linux/arm64
#platforms: linux/amd64
#platforms: ${{ matrix.arch }}
build-args: |
BUILD_VERSION
sbom: true
provenance: true
cache-from: type=gha, scope=${{ github.workflow }}
cache-to: type=gha, scope=${{ github.workflow }}
labels: ${{ steps.docker_meta.outputs.labels }}
tags: |
docker.io/${{ env.REPOSITORY }}:${{ env.BUILD_VERSION }}
docker.io/${{ env.REPOSITORY }}:latest
ghcr.io/${{ env.REPOSITORY }}:${{ env.BUILD_VERSION }}
ghcr.io/${{ env.REPOSITORY }}:latest
# The following is for testing container signing and generating SBOMs
# Workaround for buildx bug: https://github.com/docker/build-push-action/issues/461
#
# Links
# https://githubhelp.com/chrisns/cosign-keyless-demo
# https://blog.chainguard.dev/zero-friction-keyless-signing-with-github-actions/
# https://github.com/mattmoor/zero-friction-actions/blob/main/.github/workflows/docker-publish.yml
# https://github.com/docker/roadmap/issues/269
# https://github.com/anchore/syft
#- name: Install cosign
# uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v1.4.1
#- name: Install syft
# uses: anchore/sbom-action/download-syft@54e36e45f34bc64728f51adb8044404daca492a6 # v0.6.0
#- name: Sign the image digest and generate SBOM
# run: |
# cosign sign ghcr.io/${{ env.REPOSITORY }}@${{ steps.push-step.outputs.digest }}
# syft ghcr.io/${{ env.REPOSITORY }}@${{ steps.push-step.outputs.digest }} -o json > ghcr_sbom.json
# cosign attest --predicate ghcr_sbom.json ghcr.io/${{ env.REPOSITORY }}@${{ steps.push-step.outputs.digest }}
# cosign sign registry.gitlab.com/${{ github.repository }}/${{ github.workflow }}@${{ steps.push-step.outputs.digest }}
# syft registry.gitlab.com/${{ github.repository }}/${{ github.workflow }}@${{ steps.push-step.outputs.digest }} -o json > gitlab_sbom.json
# cosign attest --predicate gitlab_sbom.json registry.gitlab.com/${{ github.repository }}/${{ github.workflow }}@${{ steps.push-step.outputs.digest }}
# env:
# COSIGN_EXPERIMENTAL: 1
#- name: Verify the image digest and SBOM
# run: |
# cosign verify ghcr.io/${{ env.REPOSITORY }}@${{ steps.push-step.outputs.digest }}
# cosign verify-attestation ghcr.io/${{ env.REPOSITORY }}@${{ steps.push-step.outputs.digest }}
# cosign verify registry.gitlab.com/${{ github.repository }}/${{ github.workflow }}@${{ steps.push-step.outputs.digest }}
# cosign verify-attestation registry.gitlab.com/${{ github.repository }}/${{ github.workflow }}@${{ steps.push-step.outputs.digest }}
# env:
# COSIGN_EXPERIMENTAL: 1