-
Notifications
You must be signed in to change notification settings - Fork 2
128 lines (127 loc) · 5.77 KB
/
build.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
# NOTE refs
# - https://github.blog/changelog/2020-04-15-github-actions-new-workflow-features/#new-fromjson-method-in-expressions
# - https://stackoverflow.com/questions/59977364/github-actions-how-use-strategy-matrix-with-script
name: build
on:
push:
paths:
- .github/workflows/build.yml
- "images/**"
- config.yaml
schedule:
- cron: "0 0 * * MON"
workflow_dispatch: {}
permissions:
id-token: write
packages: write
contents: write
concurrency:
group: ${{ github.run_id }}
cancel-in-progress: false
jobs:
prepare:
runs-on: ubuntu-latest
outputs:
matrix-docker: ${{ steps.set.outputs.matrix-docker }}
matrix-apko: ${{ steps.set.outputs.matrix-apko }}
steps:
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
- uses: GeoNet/yq@bbe305500687a5fe8498d74883c17f0f06431ac4 # master
- id: set
env:
REF: ${{ github.ref }}
run: |
echo "matrix-docker=$(jq --arg REF "$REF" -rMc '.build[] | select(.source | contains("Dockerfile")) | select(.buildOnMainOnly == null or $REF == "refs/heads/main") | . as $config | .destination | capture("(?<registry>.*)/(?<imageName>.*):(?<tag>.*)") | . as $imgSplit | $config | .source | capture("(?<context>.*)/Dockerfile") | . as $context | $config + $imgSplit + $context' -r -c <<< "$(yq e . -o json config.yaml)" | jq -rcsM '{"include":.}')" >> $GITHUB_OUTPUT
echo "matrix-apko=$(jq -rMc '.build[] | select(.source | contains("image.yaml"))' -r -c <<< "$(yq e . -o json config.yaml)" | jq -rcsM '{"include":.}')" >> $GITHUB_OUTPUT
- name: check output
run: |
jq . <<< '${{ steps.set.outputs.matrix-docker }}'
jq . <<< '${{ steps.set.outputs.matrix-apko }}'
build-docker:
needs: prepare
if: fromJSON(needs.prepare.outputs.matrix-docker) != null
strategy:
fail-fast: false
matrix: ${{ fromJSON(needs.prepare.outputs.matrix-docker) }}
uses: GeoNet/Actions/.github/workflows/reusable-docker-build.yml@main
with:
context: ${{ fromJSON(toJSON(matrix)).context }}
dockerfile: ${{ fromJSON(toJSON(matrix)).source }}
imageName: ${{ fromJSON(toJSON(matrix)).imageName }}
tags: ${{ fromJSON(toJSON(matrix)).tag }}
platforms: linux/amd64
push: ${{ github.ref == 'refs/heads/main' }}
build-apko:
needs: prepare
if: fromJSON(needs.prepare.outputs.matrix-apko) != null
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix: ${{ fromJSON(needs.prepare.outputs.matrix-apko) }}
steps:
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
- uses: GeoNet/yq@bbe305500687a5fe8498d74883c17f0f06431ac4 # master
- uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
- uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
- uses: GeoNet/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c # main
- id: apko-options
env:
DESTINATION: ${{ fromJSON(toJSON(matrix)).destination }}
REF: ${{ github.ref }}
run: |
TAG="$DESTINATION"
if [ ! "$REF" = "refs/heads/main" ]; then
TAG="${DESTINATION//ghcr.io\/geonet/localhost}"
fi
echo "tag=$TAG" >> $GITHUB_OUTPUT
- uses: GeoNet/chainguard-images-actions/apko-publish@cfc56ba1a26d410474fe453d9c9a865fdd422fa7 # main
if: ${{ github.ref == 'refs/heads/main' }}
id: build
name: apko build
with:
tag: ${{ fromJSON(toJSON(matrix)).destination }}
config: ${{ fromJSON(toJSON(matrix)).source }}
source-date-epoch: ${{ steps.snapshot-date.outputs.epoch }}
- uses: GeoNet/chainguard-images-actions/apko-build@cfc56ba1a26d410474fe453d9c9a865fdd422fa7 # main
if: ${{ github.ref != 'refs/heads/main' }}
id: build-local
name: apko build local
with:
tag: ${{ steps.apko-options.outputs.tag }}
config: ${{ fromJSON(toJSON(matrix)).source }}
source-date-epoch: ${{ steps.snapshot-date.outputs.epoch }}
- name: crane get-digests
id: get-digests
if: ${{ github.ref == 'refs/heads/main' }}
env:
DESTINATION: ${{ fromJSON(toJSON(matrix)).destination }}
run: |
DESTINATION_DIGEST="$(crane digest "${DESTINATION}" || true)"
(
echo "DESTINATION_DIGEST"
echo "${DESTINATION_DIGEST}"
) | column -t
echo "destination=${DESTINATION_DIGEST}" >> $GITHUB_OUTPUT
- name: cosign sign image with a key
if: ${{ github.ref == 'refs/heads/main' }}
env:
COSIGN_YES: "true"
run: |
cosign sign ${{ fromJSON(toJSON(matrix)).destination }}@${{ steps.get-digests.outputs.destination }} -y
- uses: anchore/sbom-action@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3
name: sbom generate
if: ${{ steps.determine-type.outputs.typeIsDocker == 'true' && github.ref == 'refs/heads/main' }}
with:
image: ${{ fromJSON(toJSON(matrix)).destination }}@${{ steps.get-digests.outputs.destination }}
artifact-name: sbom-spdx.json
output-file: /tmp/sbom-spdx.json
- name: cosign download unsigned sbom
if: ${{ steps.determine-type.outputs.typeIsDocker != 'true' && github.ref == 'refs/heads/main' }}
run: |
cosign download sbom ${{ fromJSON(toJSON(matrix)).destination }}@${{ steps.get-digests.outputs.destination }} > /tmp/sbom-spdx.json
- name: cosign publish sbom blob as blob
if: ${{ github.ref == 'refs/heads/main' }}
env:
COSIGN_YES: "true"
run: |
cosign attest --predicate /tmp/sbom-spdx.json ${{ fromJSON(toJSON(matrix)).destination }}@${{ steps.get-digests.outputs.destination }} -y