chore: update sync config.yaml images for 2023-10-03-13-19 #114

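# NOTE refs
# - https://github.blog/changelog/2020-04-15-github-actions-new-workflow-features/#new-fromjson-method-in-expressions
# - https://stackoverflow.com/questions/59977364/github-actions-how-use-strategy-matrix-with-script
#
# Mirrors the container images listed under `.sync` in config.yaml from their
# source reference to a destination reference, then labels, signs and attaches
# an SPDX SBOM attestation to the copied image with cosign.
name: sync
on:
  push:
    branches:
      - main
  schedule:
    - cron: "0 0 * * MON"
  workflow_dispatch: {}
permissions:
  contents: read
  id-token: write  # cosign sign/attest run without a key; they use the job's OIDC token
  packages: write  # crane cp / crane mutate push to the destination registry
  # NOTE(review): no step here uploads code-scanning results, so
  # security-events: write looks unused — confirm before dropping it.
  security-events: write
concurrency:
  # NOTE(review): github.run_id is unique per run, so this group never makes two
  # runs of the workflow queue behind each other; if overlapping syncs should be
  # serialised, a stable key (e.g. the workflow name) would be needed — confirm
  # that is the intent.
  group: ${{ github.run_id }}
  cancel-in-progress: false
jobs:
  # Reads `.sync` from config.yaml and exposes it as a matrix `include` list so
  # that `sync` fans out one job per image entry.
  prepare:
    runs-on: ubuntu-latest
    outputs:
      matrix: ${{ steps.set.outputs.matrix }}
    steps:
      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
      - id: set
        run: |
          echo "matrix=$(jq '.sync | {"include":.}' -r -c <<< "$(yq e . -o json config.yaml)")" >> "$GITHUB_OUTPUT"
      - name: check output
        # The matrix is handed to the shell through the environment instead of
        # being interpolated into the script, so quotes or shell metacharacters
        # in config.yaml cannot change the command that runs.
        env:
          MATRIX: ${{ steps.set.outputs.matrix }}
        run: |
          jq . <<< "$MATRIX"
  # One job per matrix entry: compare source and destination digests, copy when
  # they differ (or when the entry sets `always: true`), then label, sign and
  # attest the destination image by digest.
  sync:
    if: ${{ fromJSON(needs.prepare.outputs.matrix) != null }}
    needs: prepare
    runs-on: ubuntu-latest
    outputs:
      source: ${{ steps.get-digests.outputs.source }}
      destination: ${{ steps.get-digests.outputs.destination }}
    strategy:
      fail-fast: false
      matrix: ${{ fromJSON(needs.prepare.outputs.matrix) }}
    steps:
      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
      - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
      - uses: GeoNet/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c # main
      - uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
      - name: get-digests
        # Matrix keys come from config.yaml; the fromJSON(toJSON(matrix)) round
        # trip is kept as the author wrote it (presumably so entries without an
        # `always` key read as null). Skipped for `always: true` entries, which
        # are copied unconditionally.
        if: ${{ fromJSON(toJSON(matrix)).always != true }}
        id: get-digests
        env:
          SOURCE: ${{ fromJSON(toJSON(matrix)).source }}
          DESTINATION: ${{ fromJSON(toJSON(matrix)).destination }}
        run: |
          # An unresolvable source is an error: silently continuing only moves
          # the failure to the `copy` step with a less clear message.
          SOURCE_DIGEST="$(crane digest "${SOURCE}")" || {
            echo "::error::cannot resolve source image ${SOURCE}"
            exit 1
          }
          # The destination may not exist yet (first sync); an empty digest is
          # what makes the `copy` step run through its `destination == null` test.
          DESTINATION_DIGEST="$(crane digest "${DESTINATION}" || true)"
          (
            echo "SOURCE-DIGEST DESTINATION-DIGEST"
            echo "${SOURCE_DIGEST} ${DESTINATION_DIGEST}"
          ) | column -t
          echo "source=${SOURCE_DIGEST}" >> "$GITHUB_OUTPUT"
          echo "destination=${DESTINATION_DIGEST}" >> "$GITHUB_OUTPUT"
      - name: copy
        if: ${{ steps.get-digests.outputs.source != steps.get-digests.outputs.destination || steps.get-digests.outputs.destination == null || fromJSON(toJSON(matrix)).always == true }}
        env:
          SOURCE: ${{ fromJSON(toJSON(matrix)).source }}
          DESTINATION: ${{ fromJSON(toJSON(matrix)).destination }}
        run: |
          crane cp "${SOURCE}" "${DESTINATION}"
      - name: add source labels
        if: ${{ steps.get-digests.outputs.source != steps.get-digests.outputs.destination || steps.get-digests.outputs.destination == null || fromJSON(toJSON(matrix)).always == true }}
        env:
          DESTINATION: ${{ fromJSON(toJSON(matrix)).destination }}
          # Passed via env rather than interpolated into the script, matching the
          # other steps.
          REVISION: ${{ github.sha }}
          SOURCE_URL: ${{ github.repositoryUrl }}
        run: |
          LABELS=(
            "org.opencontainers.image.revision=${REVISION}"
            "org.opencontainers.image.source=${SOURCE_URL}"
          )
          for LABEL in "${LABELS[@]}"; do
            # Each mutate rewrites the destination image, so its digest changes;
            # get-synced-digests re-reads it afterwards and later steps use that.
            crane mutate "${DESTINATION}" --label "${LABEL}"
          done
      - name: get-synced-digests
        id: get-synced-digests
        env:
          DESTINATION: ${{ fromJSON(toJSON(matrix)).destination }}
          # Shell variables do not carry over between steps, so the source
          # digest is taken from the get-digests output (empty when that step
          # was skipped for an `always: true` entry).
          SOURCE_DIGEST: ${{ steps.get-digests.outputs.source }}
        run: |
          DESTINATION_DIGEST="$(crane digest "${DESTINATION}" || true)"
          (
            echo "SOURCE-DIGEST DESTINATION-DIGEST"
            echo "${SOURCE_DIGEST} ${DESTINATION_DIGEST}"
          ) | column -t
          # Detection depends on the wording of `cosign tree` output — TODO
          # confirm the pinned cosign version still prints this phrase.
          HAS_SIGNATURES="$(cosign tree "${DESTINATION}@${DESTINATION_DIGEST}" 2>&1 | grep -q 'Signatures for an image tag' && echo true || echo false)"
          echo "destination=${DESTINATION_DIGEST}" >> "$GITHUB_OUTPUT"
          echo "has-signatures=${HAS_SIGNATURES}" >> "$GITHUB_OUTPUT"
      - name: Clean signatures
        # Destructive: drops the existing signatures/attestations so that
        # `always: true` entries are re-signed from a clean slate.
        if: ${{ fromJSON(toJSON(matrix)).always == true }}
        env:
          IMAGE_REF: ${{ fromJSON(toJSON(matrix)).destination }}@${{ steps.get-synced-digests.outputs.destination }}
        run: |
          cosign clean -f "${IMAGE_REF}"
      - name: Sign image with a key
        # No key is passed: this signs keylessly with the job's OIDC identity
        # (hence id-token: write above). Signs by digest, not by tag.
        if: ${{ steps.get-digests.outputs.source != steps.get-digests.outputs.destination || steps.get-digests.outputs.destination == null || fromJSON(toJSON(matrix)).always == true || steps.get-synced-digests.outputs.has-signatures != 'true' }}
        env:
          COSIGN_EXPERIMENTAL: "true"
          COSIGN_YES: "true"
          IMAGE_REF: ${{ fromJSON(toJSON(matrix)).destination }}@${{ steps.get-synced-digests.outputs.destination }}
        run: |
          cosign sign "${IMAGE_REF}" -y
      - uses: anchore/sbom-action@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3
        if: ${{ steps.get-digests.outputs.source != steps.get-digests.outputs.destination || steps.get-digests.outputs.destination == null || fromJSON(toJSON(matrix)).always == true || steps.get-synced-digests.outputs.has-signatures != 'true' }}
        with:
          image: ${{ fromJSON(toJSON(matrix)).destination }}@${{ steps.get-synced-digests.outputs.destination }}
          artifact-name: sbom-spdx.json
          output-file: /tmp/sbom-spdx.json
      - name: publish sbom blob as blob
        # Attaches the SPDX document produced above as an attestation on the
        # same digest that was signed.
        if: ${{ steps.get-digests.outputs.source != steps.get-digests.outputs.destination || steps.get-digests.outputs.destination == null || fromJSON(toJSON(matrix)).always == true || steps.get-synced-digests.outputs.has-signatures != 'true' }}
        env:
          COSIGN_YES: "true"
          IMAGE_REF: ${{ fromJSON(toJSON(matrix)).destination }}@${{ steps.get-synced-digests.outputs.destination }}
        run: |
          cosign attest --predicate /tmp/sbom-spdx.json "${IMAGE_REF}" -y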