build #735
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# NOTE refs | |
# - https://github.blog/changelog/2020-04-15-github-actions-new-workflow-features/#new-fromjson-method-in-expressions | |
# - https://stackoverflow.com/questions/59977364/github-actions-how-use-strategy-matrix-with-script | |
name: build | |
on: | |
push: | |
paths: | |
- .github/workflows/build.yml | |
- "images/**" | |
- config.yaml | |
schedule: | |
- cron: "0 0 * * MON" | |
workflow_dispatch: {} | |
permissions: | |
id-token: write | |
packages: write | |
contents: write | |
concurrency: | |
group: ${{ github.run_id }} | |
cancel-in-progress: false | |
jobs: | |
prepare: | |
runs-on: ubuntu-latest | |
outputs: | |
matrix-docker: ${{ steps.set.outputs.matrix-docker }} | |
matrix-apko: ${{ steps.set.outputs.matrix-apko }} | |
matrix-arm: ${{ steps.set.outputs.matrix-arm }} | |
steps: | |
- uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3 | |
- id: set | |
env: | |
REF: ${{ github.ref }} | |
run: | | |
echo "matrix-docker=$(jq --arg REF "$REF" -rMc '.build[] | select(.source | contains("Dockerfile")) | select(.buildOnMainOnly == null or $REF == "refs/heads/main") | . as $config | .destination | capture("(?<registry>.*)/(?<imageName>.*):(?<tag>.*)") | . as $imgSplit | $config | .source | capture("(?<context>.*)/Dockerfile") | . as $context | $config + $imgSplit + $context' -r -c <<< "$(yq e . -o json config.yaml)" | jq -rcsM '{"include":.}')" >> $GITHUB_OUTPUT | |
echo "matrix-apko=$(jq -rMc '.build[] | select(.source | contains("image.yaml"))' -r -c <<< "$(yq e . -o json config.yaml)" | jq -rcsM '{"include":.}')" >> $GITHUB_OUTPUT | |
- name: check output | |
run: | | |
jq . <<< '${{ steps.set.outputs.matrix-docker }}' | |
jq . <<< '${{ steps.set.outputs.matrix-apko }}' | |
build-docker: | |
needs: prepare | |
if: fromJSON(needs.prepare.outputs.matrix-docker) != null | |
strategy: | |
fail-fast: false | |
matrix: ${{ fromJSON(needs.prepare.outputs.matrix-docker) }} | |
uses: GeoNet/Actions/.github/workflows/reusable-docker-build.yml@main | |
with: | |
context: ${{ fromJSON(toJSON(matrix)).context }} | |
dockerfile: ${{ fromJSON(toJSON(matrix)).source }} | |
imageName: ${{ fromJSON(toJSON(matrix)).imageName }} | |
tags: ${{ fromJSON(toJSON(matrix)).tag }} | |
platforms: linux/amd64 | |
push: ${{ github.ref == 'refs/heads/main' }} | |
build-apko: | |
needs: prepare | |
if: fromJSON(needs.prepare.outputs.matrix-apko) != null | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: ${{ fromJSON(needs.prepare.outputs.matrix-apko) }} | |
steps: | |
- uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3 | |
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 | |
- uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0 | |
- uses: GeoNet/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c # main | |
- id: apko-options | |
env: | |
DESTINATION: ${{ fromJSON(toJSON(matrix)).destination }} | |
REF: ${{ github.ref }} | |
run: | | |
TAG="$DESTINATION" | |
if [ ! "$REF" = "refs/heads/main" ]; then | |
TAG="${DESTINATION//ghcr.io\/geonet/localhost}" | |
fi | |
echo "tag=$TAG" >> $GITHUB_OUTPUT | |
- uses: GeoNet/chainguard-images-actions/apko-publish@cfc56ba1a26d410474fe453d9c9a865fdd422fa7 # main | |
if: ${{ github.ref == 'refs/heads/main' }} | |
id: build | |
name: apko build | |
with: | |
tag: ${{ fromJSON(toJSON(matrix)).destination }} | |
config: ${{ fromJSON(toJSON(matrix)).source }} | |
source-date-epoch: ${{ steps.snapshot-date.outputs.epoch }} | |
apko-image: "ghcr.io/wolfi-dev/apko@sha256:ed7bbf853ec77fa4b5ad4840fd42c1391a0341b86541063217277b678e324686" | |
- uses: GeoNet/chainguard-images-actions/apko-build@cfc56ba1a26d410474fe453d9c9a865fdd422fa7 # main | |
if: ${{ github.ref != 'refs/heads/main' }} | |
id: build-local | |
name: apko build local | |
with: | |
tag: ${{ steps.apko-options.outputs.tag }} | |
config: ${{ fromJSON(toJSON(matrix)).source }} | |
source-date-epoch: ${{ steps.snapshot-date.outputs.epoch }} | |
apko-image: "ghcr.io/wolfi-dev/apko@sha256:ed7bbf853ec77fa4b5ad4840fd42c1391a0341b86541063217277b678e324686" | |
- name: crane get-digests | |
id: get-digests | |
if: ${{ github.ref == 'refs/heads/main' }} | |
env: | |
DESTINATION: ${{ fromJSON(toJSON(matrix)).destination }} | |
run: | | |
DESTINATION_DIGEST="$(crane digest "${DESTINATION}" || true)" | |
( | |
echo "DESTINATION_DIGEST" | |
echo "${DESTINATION_DIGEST}" | |
) | column -t | |
echo "destination=${DESTINATION_DIGEST}" >> $GITHUB_OUTPUT | |
- name: cosign sign image with a key | |
if: ${{ github.ref == 'refs/heads/main' }} | |
env: | |
COSIGN_YES: "true" | |
run: | | |
cosign sign ${{ fromJSON(toJSON(matrix)).destination }}@${{ steps.get-digests.outputs.destination }} -y | |
- uses: anchore/sbom-action@b6a39da80722a2cb0ef5d197531764a89b5d48c3 # v0.15.8 | |
name: sbom generate | |
if: ${{ steps.determine-type.outputs.typeIsDocker == 'true' && github.ref == 'refs/heads/main' }} | |
with: | |
image: ${{ fromJSON(toJSON(matrix)).destination }}@${{ steps.get-digests.outputs.destination }} | |
artifact-name: sbom-spdx.json | |
output-file: /tmp/sbom-spdx.json | |
- name: cosign download unsigned sbom | |
if: ${{ steps.determine-type.outputs.typeIsDocker != 'true' && github.ref == 'refs/heads/main' }} | |
run: | | |
cosign download sbom ${{ fromJSON(toJSON(matrix)).destination }}@${{ steps.get-digests.outputs.destination }} > /tmp/sbom-spdx.json | |
- name: cosign publish sbom blob as blob | |
if: ${{ github.ref == 'refs/heads/main' }} | |
env: | |
COSIGN_YES: "true" | |
run: | | |
cosign attest --predicate /tmp/sbom-spdx.json ${{ fromJSON(toJSON(matrix)).destination }}@${{ steps.get-digests.outputs.destination }} -y |