fix: update reference to update sync image digests #100
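# NOTE refs
# - https://github.blog/changelog/2020-04-15-github-actions-new-workflow-features/#new-fromjson-method-in-expressions
# - https://stackoverflow.com/questions/59977364/github-actions-how-use-strategy-matrix-with-script
#
# Mirrors the container images listed under `sync` in config.yaml to their
# destination references, labels them with this repo's revision/source, signs
# each synced image keyless (job OIDC token) and attaches an SPDX SBOM
# attestation. Triggers are all trusted (push to main, weekly schedule,
# manual dispatch) — the image list is repo-controlled, not external input.
name: sync
on:
  push:
    branches:
      - main
  schedule:
    - cron: "0 0 * * MON"
  workflow_dispatch: {}
# Least privilege for the default GITHUB_TOKEN. These are workflow-wide, so the
# `prepare` job (which only reads config.yaml) inherits them too.
# NOTE(review): only `sync` needs id-token/packages; they could move under
# jobs.sync.permissions and leave `prepare` with contents: read alone.
permissions:
  contents: read          # checkout
  id-token: write         # OIDC token for keyless cosign sign / attest
  packages: write         # push synced images, signatures and attestations when the destination is GHCR
  security-events: write  # NOTE(review): no step in this workflow uploads SARIF — drop unless another consumer needs it
concurrency:
  # Serialise runs of this workflow. The previous key, github.run_id, is unique
  # per run and therefore never collided, so a push and the weekly schedule
  # could copy/mutate/sign the same destination tag concurrently. Keying on the
  # workflow name queues the later run instead (cancel-in-progress is false).
  group: ${{ github.workflow }}
  cancel-in-progress: false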
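jobs:
  prepare:
    # Reads the `sync` list from config.yaml and exposes it as a matrix of the
    # form `{"include": [...]}` for the sync job below.
    runs-on: ubuntu-latest
    outputs:
      matrix: ${{ steps.set.outputs.matrix }}
    steps:
      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
      - uses: GeoNet/yq@bbe305500687a5fe8498d74883c17f0f06431ac4 # master
      - id: set
        run: |
          echo "matrix=$(jq '.sync | {"include":.}' -r -c <<< "$(yq e . -o json config.yaml)")" >> "$GITHUB_OUTPUT"
      - name: check output
        # Pass the step output through the environment instead of expanding
        # `${{ }}` inside the script: the value is built from config.yaml, and a
        # quote character in it would otherwise break out of the shell literal
        # (standard GitHub Actions script-injection guidance).
        env:
          MATRIX: ${{ steps.set.outputs.matrix }}
        run: |
          jq . <<< "$MATRIX"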
sync: | |
if: ${{ fromJSON(needs.prepare.outputs.matrix) != null }} | |
needs: prepare | |
runs-on: ubuntu-latest | |
outputs: | |
source: ${{ steps.get-digests.outputs.source }} | |
destination: ${{ steps.get-digests.outputs.destination }} | |
strategy: | |
matrix: ${{ fromJSON(needs.prepare.outputs.matrix) }} | |
steps: | |
- uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 | |
- uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 | |
- uses: GeoNet/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c # main | |
- uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2 | |
- name: get-digests | |
if: ${{ fromJSON(toJSON(matrix)).always != true }} | |
id: get-digests | |
env: | |
SOURCE: ${{ fromJSON(toJSON(matrix)).source }} | |
DESTINATION: ${{ fromJSON(toJSON(matrix)).destination }} | |
run: | | |
SOURCE_DIGEST="$(crane digest "${SOURCE}" || true)" | |
DESTINATION_DIGEST="$(crane digest "${DESTINATION}" || true)" | |
( | |
echo "SOURCE-DIGEST DESTINATION-DIGEST" | |
echo "${SOURCE_DIGEST} ${DESTINATION_DIGEST}" | |
) | column -t | |
echo "source=${SOURCE_DIGEST}" >> $GITHUB_OUTPUT | |
echo "destination=${DESTINATION_DIGEST}" >> $GITHUB_OUTPUT | |
- name: copy | |
if: ${{ steps.get-digests.outputs.source != steps.get-digests.outputs.destination || steps.get-digests.outputs.destination == null || fromJSON(toJSON(matrix)).always == true }} | |
env: | |
SOURCE: ${{ fromJSON(toJSON(matrix)).source }} | |
DESTINATION: ${{ fromJSON(toJSON(matrix)).destination }} | |
run: | | |
crane cp $SOURCE $DESTINATION | |
- name: add source labels | |
if: ${{ steps.get-digests.outputs.source != steps.get-digests.outputs.destination || steps.get-digests.outputs.destination == null || fromJSON(toJSON(matrix)).always == true }} | |
env: | |
DESTINATION: ${{ fromJSON(toJSON(matrix)).destination }} | |
run: | | |
LABELS=( | |
org.opencontainers.image.revision=${{ github.sha }} | |
org.opencontainers.image.source=${{ github.repositoryUrl }} | |
) | |
for LABEL in "${LABELS[@]}"; do | |
crane mutate $DESTINATION --label "${LABEL}" | |
done | |
- name: get-synced-digests | |
id: get-synced-digests | |
env: | |
DESTINATION: ${{ fromJSON(toJSON(matrix)).destination }} | |
run: | | |
DESTINATION_DIGEST="$(crane digest "${DESTINATION}" || true)" | |
( | |
echo "${SOURCE_DIGEST} ${DESTINATION_DIGEST}" | |
) | column -t | |
HAS_SIGNATURES="$(cosign tree ${DESTINATION}@${DESTINATION_DIGEST} 2>&1 | grep -q 'Signatures for an image tag' && echo true || echo false)" | |
echo "destination=${DESTINATION_DIGEST}" >> $GITHUB_OUTPUT | |
echo "has-signatures=${HAS_SIGNATURES}" >> $GITHUB_OUTPUT | |
- name: Clean signatures | |
if: ${{ fromJSON(toJSON(matrix)).always == true }} | |
run: | | |
cosign clean -f ${{ fromJSON(toJSON(matrix)).destination }}@${{ steps.get-synced-digests.outputs.destination }} | |
- name: Sign image with a key | |
if: ${{ steps.get-digests.outputs.source != steps.get-digests.outputs.destination || steps.get-digests.outputs.destination == null || fromJSON(toJSON(matrix)).always == true || steps.get-synced-digests.outputs.has-signatures != 'true' }} | |
env: | |
COSIGN_EXPERIMENTAL: "true" | |
COSIGN_YES: "true" | |
run: | | |
cosign sign ${{ fromJSON(toJSON(matrix)).destination }}@${{ steps.get-synced-digests.outputs.destination }} -y | |
- uses: anchore/sbom-action@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3 | |
if: ${{ steps.get-digests.outputs.source != steps.get-digests.outputs.destination || steps.get-digests.outputs.destination == null || fromJSON(toJSON(matrix)).always == true || steps.get-synced-digests.outputs.has-signatures != 'true' }} | |
with: | |
image: ${{ fromJSON(toJSON(matrix)).destination }}@${{ steps.get-synced-digests.outputs.destination }} | |
artifact-name: sbom-spdx.json | |
output-file: /tmp/sbom-spdx.json | |
- name: publish sbom blob as blob | |
if: ${{ steps.get-digests.outputs.source != steps.get-digests.outputs.destination || steps.get-digests.outputs.destination == null || fromJSON(toJSON(matrix)).always == true || steps.get-synced-digests.outputs.has-signatures != 'true' }} | |
env: | |
COSIGN_YES: "true" | |
run: | | |
cosign attest --predicate /tmp/sbom-spdx.json ${{ fromJSON(toJSON(matrix)).destination }}@${{ steps.get-synced-digests.outputs.destination }} -y |