Skip to content

publish-dev-assets

publish-dev-assets #39

name: publish-dev-assets
on:
schedule:
- cron: "30 8 * * 0" # early morning (08:30 UTC) every Sunday
workflow_dispatch:
permissions: read-all
jobs:
build:
runs-on: ubuntu-latest
permissions:
packages: write
contents: read
id-token: write
environment: azure-publish
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: Install Notation
uses: notaryproject/notation-action/setup@03242349f62aeddc995e12c6fbcea3b87697873f # v1.2.0
- name: Install cosign
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
- name: Az CLI login
uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- name: Cache AAD tokens
run: |
az version
# Key Vault:
az account get-access-token --scope https://vault.azure.net/.default --output none
- name: prepare
id: prepare
run: |
DATE=$(date +'%Y%m%d')
COMMIT=${{ github.sha }}
REPOSITORY=ghcr.io/${{ github.repository }}
CHART_REPOSITORY=${REPOSITORY}-chart-dev
VERSION=dev.${DATE}.${COMMIT:0:7}
SEM_VERSION=0-${VERSION}
SEM_VERSION_ROLLING=0-dev
REPOSITORY_PLUGINS=${REPOSITORY}-dev
REPOSITORYBASE=${REPOSITORY}-base-dev
REPOSITORYCRD=${REPOSITORY}-crds-dev
echo ::set-output name=version::${VERSION}
echo ::set-output name=semversion::${SEM_VERSION}
echo ::set-output name=semversionrolling::${SEM_VERSION_ROLLING}
echo ::set-output name=chartrepo::${CHART_REPOSITORY}
echo ::set-output name=ref::${REPOSITORY_PLUGINS}
echo ::set-output name=baseref::${REPOSITORYBASE}
echo ::set-output name=crdref::${REPOSITORYCRD}
- name: docker login
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: docker build ratify-crds
run: |
docker buildx create --use
docker buildx build \
--attest type=sbom \
--attest type=provenance,mode=max \
--build-arg KUBE_VERSION="1.29.2" \
-f crd.Dockerfile \
--platform linux/amd64,linux/arm64,linux/arm/v7 \
--label org.opencontainers.image.revision=${{ github.sha }} \
-t ${{ steps.prepare.outputs.crdref }}:${{ steps.prepare.outputs.version }} \
-t ${{ steps.prepare.outputs.crdref }} \
--push ./charts/ratify/crds
- name: docker build ratify base
run: |
docker buildx create --use
docker buildx build -f ./httpserver/Dockerfile \
--attest type=sbom \
--attest type=provenance,mode=max \
--platform linux/amd64,linux/arm64,linux/arm/v7 \
--build-arg LDFLAGS="-X github.com/ratify-project/ratify/internal/version.Version=$(TAG)" \
--label org.opencontainers.image.revision=${{ github.sha }} \
-t ${{ steps.prepare.outputs.baseref }}:${{ steps.prepare.outputs.version }} \
-t ${{ steps.prepare.outputs.baseref }} \
--push .
- name: docker build ratify with plugin
run: |
docker buildx create --use
docker buildx build -f ./httpserver/Dockerfile \
--attest type=sbom \
--attest type=provenance,mode=max \
--platform linux/amd64,linux/arm64,linux/arm/v7 \
--build-arg build_sbom=true \
--build-arg build_licensechecker=true \
--build-arg build_schemavalidator=true \
--build-arg build_vulnerabilityreport=true \
--build-arg LDFLAGS="-X github.com/ratify-project/ratify/internal/version.Version=$(TAG)" \
--label org.opencontainers.image.revision=${{ github.sha }} \
-t ${{ steps.prepare.outputs.ref }}:${{ steps.prepare.outputs.version }} \
-t ${{ steps.prepare.outputs.ref }} \
--push .
- name: replace version
run: |
sed -i '/^ repository:/c\ repository: ghcr.io/ratify-project/ratify-dev' charts/ratify/values.yaml
sed -i '/^ crdRepository:/c\ crdRepository: ghcr.io/ratify-project/ratify-crds-dev' charts/ratify/values.yaml
sed -i '/^ tag:/c\ tag: ${{ steps.prepare.outputs.version }}' charts/ratify/values.yaml
- name: helm package
run: |
helm package ./charts/ratify --version ${{ steps.prepare.outputs.semversion }}
helm package ./charts/ratify --version ${{ steps.prepare.outputs.semversionrolling }}
- name: helm push
run: |
helm push ratify-${{ steps.prepare.outputs.semversion }}.tgz oci://${{ steps.prepare.outputs.chartrepo }}
helm push ratify-${{ steps.prepare.outputs.semversionrolling }}.tgz oci://${{ steps.prepare.outputs.chartrepo }}
- name: Sign with Notation
uses: notaryproject/notation-action/sign@03242349f62aeddc995e12c6fbcea3b87697873f # v1.2.0
with:
plugin_name: azure-kv
plugin_url: ${{ vars.AZURE_KV_PLUGIN_URL }}
plugin_checksum: ${{ vars.AZURE_KV_CHECKSUM }}
key_id: ${{ secrets.AZURE_KV_KEY_ID }}
target_artifact_reference: |-
${{ steps.prepare.outputs.crdref }}:${{ steps.prepare.outputs.version }}
${{ steps.prepare.outputs.baseref }}:${{ steps.prepare.outputs.version }}
${{ steps.prepare.outputs.ref }}:${{ steps.prepare.outputs.version }}
${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversionrolling }}
${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversion }}
signature_format: cose
- name: Sign with Cosign
run: |
cosign sign --yes ${{ steps.prepare.outputs.crdref }}:${{ steps.prepare.outputs.version }}
cosign sign --yes ${{ steps.prepare.outputs.baseref }}:${{ steps.prepare.outputs.version }}
cosign sign --yes ${{ steps.prepare.outputs.ref }}:${{ steps.prepare.outputs.version }}
cosign sign --yes ${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversionrolling }}
cosign sign --yes ${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversion }}
- name: clear
if: always()
run: |
rm -f ${HOME}/.docker/config.json