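# Builds the insights-scanner container image for amd64/arm64, pushes it to
# Docker Hub and GHCR, attaches a build-provenance attestation to both copies,
# and on insights-scanner-v* tag builds publishes an SBOM as a release asset.
name: Publish insights-scanner image
on:
  push:
    branches:
      - 'main'
      - 'build-image'
    paths:
      - 'insights-scanner/**'
      - '.github/workflows/insights-scanner-image.yaml'
    tags:
      - 'insights-scanner-v*.*.*'
  pull_request:
    branches:
      - 'main'
    paths:
      - 'insights-scanner/**'
      - '.github/workflows/insights-scanner-image.yaml'
jobs:
  docker:
    # Job-level permissions apply to every step, including pull_request runs.
    # contents: write is only required by the Release step; id-token and
    # attestations only by the two attest steps; packages for the GHCR push.
    permissions:
      attestations: write
      contents: write
      id-token: write
      packages: write
    runs-on: ubuntu-latest
    steps:
      # Full history is fetched so that `git describe` below can find the
      # nearest insights-scanner-* tag.
      - name: Checkout PR
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
        if: ${{ github.event_name == 'pull_request' }}
        with:
          fetch-depth: "0"
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Checkout Branch or Tag
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
        if: ${{ github.event_name != 'pull_request' }}
        with:
          fetch-depth: "0"
      # Derives SERVICE_TAG (e.g. "v1.2.3") from the nearest insights-scanner-*
      # tag. The step fails if no such tag is reachable from HEAD.
      - name: Create SERVICE_TAG variable
        id: service_tag_var
        run: |
          RAW_TAG=$(git describe --abbrev=0 --tags --match 'insights-scanner-*')
          SERVICE_TAG=${RAW_TAG#"insights-scanner-"}
          echo "using insights-scanner tag $SERVICE_TAG"
          echo "SERVICE_TAG=$SERVICE_TAG" >> "$GITHUB_ENV"
      # SERVICE_TAG is already exported through GITHUB_ENV, so it is read as a
      # shell variable instead of interpolating a ${{ }} expression into the
      # script body (the pattern GitHub documents to avoid script injection).
      - name: Set version for non-tag build
        if: "!startsWith(github.ref, 'refs/tags/insights-scanner')"
        id: version_non-tag_build
        run: |
          DOCKER_TAG="${SERVICE_TAG}-$(git rev-parse --short=8 HEAD)"
          echo "DOCKER_TAG=$DOCKER_TAG" >> "$GITHUB_ENV"
          echo "insights-scanner version $DOCKER_TAG"
      - name: Set version for tag build
        if: "startsWith(github.ref, 'refs/tags/insights-scanner')"
        id: version_tag_build
        run: |
          DOCKER_TAG="$SERVICE_TAG"
          echo "DOCKER_TAG=$DOCKER_TAG" >> "$GITHUB_ENV"
          echo "insights-scanner version $DOCKER_TAG"
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5
        with:
          # list of Docker images to use as base name for tags
          images: |
            ${{ github.repository_owner }}/insights-scanner
            ghcr.io/${{ github.repository_owner }}/insights-scanner
          tags: |
            # set edge tag for default branch
            type=edge,enable={{is_default_branch}}
            # set tag+build for default branch
            type=raw,value=${{ env.DOCKER_TAG }},enable={{is_default_branch}}
            # tag event
            type=raw,value=${{ env.DOCKER_TAG }},enable=${{ startsWith(github.ref, 'refs/tags/insights-scanner') }}
            type=raw,value=latest,enable=${{ startsWith(github.ref, 'refs/tags/insights-scanner') }}
            # pull request event
            type=ref,event=pr
            # branch event
            type=ref,event=branch
      - name: Set up QEMU
        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3
      # NOTE(review): both logins also run for pull_request events. Repository
      # secrets are not provided to workflows triggered by fork pull requests,
      # so those runs are expected to fail here — confirm this is intended.
      - name: Login to DockerHub
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Login to GHCR
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      # push: true is unconditional, so pull_request runs also publish a
      # pr-<n> tagged image (type=ref,event=pr above) to both registries.
      - name: Build and push
        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6
        id: build-and-push
        with:
          context: insights-scanner
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
      # One attestation per registry; both refer to the same multi-arch digest
      # produced by the build step and are pushed alongside the image.
      - name: Attest dockerhub image
        uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0
        with:
          subject-digest: ${{ steps.build-and-push.outputs.digest }}
          subject-name: index.docker.io/${{ github.repository_owner }}/insights-scanner
          push-to-registry: true
      - name: Attest ghcr image
        uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0
        with:
          subject-digest: ${{ steps.build-and-push.outputs.digest }}
          subject-name: ghcr.io/${{ github.repository_owner }}/insights-scanner
          push-to-registry: true
      # SBOM is generated from the pushed GHCR image by digest (not by tag) so
      # it describes exactly the artifact that was built; tag builds only.
      - name: Generate SBOM
        uses: anchore/sbom-action@df80a981bc6edbc4e220a492d3cbe9f5547a6e75 # v0.17.9
        if: startsWith(github.ref, 'refs/tags/')
        with:
          image: ghcr.io/${{ github.repository_owner }}/insights-scanner@${{ steps.build-and-push.outputs.digest }}
          output-file: sbom.spdx.json
          upload-artifact: false
          upload-release-assets: false
      # Attaches the SBOM to the GitHub release for the tag (requires
      # contents: write).
      - name: Release
        uses: softprops/action-gh-release@7b4da11513bf3f43f9999e90eabced41ab8bb048 # v2
        if: startsWith(github.ref, 'refs/tags/')
        with:
          files: |
            sbom.spdx.json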