build(deps): bump docker/build-push-action from 4.2.1 to 5.0.0 #94
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# NOTE refs | |
# - https://github.blog/changelog/2020-04-15-github-actions-new-workflow-features/#new-fromjson-method-in-expressions | |
# - https://stackoverflow.com/questions/59977364/github-actions-how-use-strategy-matrix-with-script | |
name: sync | |
on: | |
push: | |
branches: | |
- main | |
schedule: | |
- cron: "0 0 * * MON" | |
workflow_dispatch: {} | |
permissions: | |
contents: read | |
id-token: write | |
packages: write | |
security-events: write | |
concurrency: | |
group: ${{ github.run_id }} | |
cancel-in-progress: false | |
jobs: | |
prepare: | |
runs-on: ubuntu-latest | |
outputs: | |
matrix: ${{ steps.set.outputs.matrix }} | |
steps: | |
- uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 | |
- uses: GeoNet/yq@bbe305500687a5fe8498d74883c17f0f06431ac4 # master | |
- id: set | |
run: | | |
echo "matrix=$(jq '.sync | {"include":.}' -r -c <<< "$(yq e . -o json config.yaml)")" >> $GITHUB_OUTPUT | |
- name: check output | |
run: | | |
jq . <<< '${{ steps.set.outputs.matrix }}' | |
sync: | |
if: ${{ fromJSON(needs.prepare.outputs.matrix) != null }} | |
needs: prepare | |
runs-on: ubuntu-latest | |
outputs: | |
source: ${{ steps.get-digests.outputs.source }} | |
destination: ${{ steps.get-digests.outputs.destination }} | |
strategy: | |
matrix: ${{ fromJSON(needs.prepare.outputs.matrix) }} | |
steps: | |
- uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 | |
- uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 | |
- uses: GeoNet/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c # main | |
- uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2 | |
- name: get-digests | |
if: ${{ fromJSON(toJSON(matrix)).always != true }} | |
id: get-digests | |
env: | |
SOURCE: ${{ fromJSON(toJSON(matrix)).source }} | |
DESTINATION: ${{ fromJSON(toJSON(matrix)).destination }} | |
run: | | |
SOURCE_DIGEST="$(crane digest "${SOURCE}" || true)" | |
DESTINATION_DIGEST="$(crane digest "${DESTINATION}" || true)" | |
( | |
echo "SOURCE-DIGEST DESTINATION-DIGEST" | |
echo "${SOURCE_DIGEST} ${DESTINATION_DIGEST}" | |
) | column -t | |
echo "source=${SOURCE_DIGEST}" >> $GITHUB_OUTPUT | |
echo "destination=${DESTINATION_DIGEST}" >> $GITHUB_OUTPUT | |
- name: copy | |
if: ${{ steps.get-digests.outputs.source != steps.get-digests.outputs.destination || steps.get-digests.outputs.destination == null || fromJSON(toJSON(matrix)).always == true }} | |
env: | |
SOURCE: ${{ fromJSON(toJSON(matrix)).source }} | |
DESTINATION: ${{ fromJSON(toJSON(matrix)).destination }} | |
run: | | |
crane cp $SOURCE $DESTINATION | |
- name: add source labels | |
if: ${{ steps.get-digests.outputs.source != steps.get-digests.outputs.destination || steps.get-digests.outputs.destination == null || fromJSON(toJSON(matrix)).always == true }} | |
env: | |
DESTINATION: ${{ fromJSON(toJSON(matrix)).destination }} | |
run: | | |
LABELS=( | |
org.opencontainers.image.revision=${{ github.sha }} | |
org.opencontainers.image.source=${{ github.repositoryUrl }} | |
) | |
for LABEL in "${LABELS[@]}"; do | |
crane mutate $DESTINATION --label "${LABEL}" | |
done | |
- name: get-synced-digests | |
id: get-synced-digests | |
env: | |
DESTINATION: ${{ fromJSON(toJSON(matrix)).destination }} | |
run: | | |
DESTINATION_DIGEST="$(crane digest "${DESTINATION}" || true)" | |
( | |
echo "${SOURCE_DIGEST} ${DESTINATION_DIGEST}" | |
) | column -t | |
HAS_SIGNATURES="$(cosign tree ${DESTINATION}@${DESTINATION_DIGEST} 2>&1 | grep -q 'Signatures for an image tag' && echo true || echo false)" | |
echo "destination=${DESTINATION_DIGEST}" >> $GITHUB_OUTPUT | |
echo "has-signatures=${HAS_SIGNATURES}" >> $GITHUB_OUTPUT | |
- name: Clean signatures | |
if: ${{ fromJSON(toJSON(matrix)).always == true }} | |
run: | | |
cosign clean -f ${{ fromJSON(toJSON(matrix)).destination }}@${{ steps.get-synced-digests.outputs.destination }} | |
- name: Sign image with a key | |
if: ${{ steps.get-digests.outputs.source != steps.get-digests.outputs.destination || steps.get-digests.outputs.destination == null || fromJSON(toJSON(matrix)).always == true || steps.get-synced-digests.outputs.has-signatures != 'true' }} | |
env: | |
COSIGN_EXPERIMENTAL: "true" | |
COSIGN_YES: "true" | |
run: | | |
cosign sign ${{ fromJSON(toJSON(matrix)).destination }}@${{ steps.get-synced-digests.outputs.destination }} -y | |
- uses: anchore/sbom-action@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3 | |
if: ${{ steps.get-digests.outputs.source != steps.get-digests.outputs.destination || steps.get-digests.outputs.destination == null || fromJSON(toJSON(matrix)).always == true || steps.get-synced-digests.outputs.has-signatures != 'true' }} | |
with: | |
image: ${{ fromJSON(toJSON(matrix)).destination }}@${{ steps.get-synced-digests.outputs.destination }} | |
artifact-name: sbom-spdx.json | |
output-file: /tmp/sbom-spdx.json | |
- name: publish sbom blob as blob | |
if: ${{ steps.get-digests.outputs.source != steps.get-digests.outputs.destination || steps.get-digests.outputs.destination == null || fromJSON(toJSON(matrix)).always == true || steps.get-synced-digests.outputs.has-signatures != 'true' }} | |
env: | |
COSIGN_YES: "true" | |
run: | | |
cosign attest --predicate /tmp/sbom-spdx.json ${{ fromJSON(toJSON(matrix)).destination }}@${{ steps.get-synced-digests.outputs.destination }} -y |