forked from ratify-project/ratify
-
Notifications
You must be signed in to change notification settings - Fork 1
144 lines (141 loc) · 6.82 KB
/
publish-dev-assets.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
name: publish-dev-assets
on:
schedule:
- cron: '30 8 * * 0' # early morning (08:30 UTC) every Sunday
workflow_dispatch:
permissions: read-all
jobs:
build:
runs-on: ubuntu-latest
permissions:
packages: write
contents: read
id-token: write
environment: azure-publish
steps:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
- name: Install Notation
uses: notaryproject/notation-action/setup@104aa999103172f827373af8ac14dde7aa6d28f1 # v1.1.0
- name: Install cosign
uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
- name: Az CLI login
uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- name: Cache AAD tokens
run: |
az version
# Key Vault:
az account get-access-token --scope https://vault.azure.net/.default --output none
- name: prepare
id: prepare
run: |
DATE=$(date +'%Y%m%d')
COMMIT=${{ github.sha }}
REPOSITORY=ghcr.io/${{ github.repository }}
CHART_REPOSITORY=${REPOSITORY}-chart-dev
VERSION=dev.${DATE}.${COMMIT:0:7}
SEM_VERSION=0-${VERSION}
SEM_VERSION_ROLLING=0-dev
REPOSITORY_PLUGINS=${REPOSITORY}-dev
REPOSITORYBASE=${REPOSITORY}-base-dev
REPOSITORYCRD=${REPOSITORY}-crds-dev
echo ::set-output name=version::${VERSION}
echo ::set-output name=semversion::${SEM_VERSION}
echo ::set-output name=semversionrolling::${SEM_VERSION_ROLLING}
echo ::set-output name=chartrepo::${CHART_REPOSITORY}
echo ::set-output name=ref::${REPOSITORY_PLUGINS}
echo ::set-output name=baseref::${REPOSITORYBASE}
echo ::set-output name=crdref::${REPOSITORYCRD}
- name: docker login
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: docker build ratify-crds
run: |
docker buildx create --use
docker buildx build \
--attest type=sbom \
--attest type=provenance,mode=max \
--build-arg KUBE_VERSION="1.29.2" \
-f crd.Dockerfile \
--platform linux/amd64,linux/arm64,linux/arm/v7 \
--label org.opencontainers.image.revision=${{ github.sha }} \
-t ${{ steps.prepare.outputs.crdref }}:${{ steps.prepare.outputs.version }} \
-t ${{ steps.prepare.outputs.crdref }} \
--push ./charts/ratify/crds
- name: docker build ratify base
run: |
docker buildx create --use
docker buildx build -f ./httpserver/Dockerfile \
--attest type=sbom \
--attest type=provenance,mode=max \
--platform linux/amd64,linux/arm64,linux/arm/v7 \
--build-arg LDFLAGS="-X github.com/ratify-project/ratify/internal/version.Version=$(TAG)" \
--label org.opencontainers.image.revision=${{ github.sha }} \
-t ${{ steps.prepare.outputs.baseref }}:${{ steps.prepare.outputs.version }} \
-t ${{ steps.prepare.outputs.baseref }} \
--push .
- name: docker build ratify with plugin
run: |
docker buildx create --use
docker buildx build -f ./httpserver/Dockerfile \
--attest type=sbom \
--attest type=provenance,mode=max \
--platform linux/amd64,linux/arm64,linux/arm/v7 \
--build-arg build_sbom=true \
--build-arg build_licensechecker=true \
--build-arg build_schemavalidator=true \
--build-arg build_vulnerabilityreport=true \
--build-arg LDFLAGS="-X github.com/ratify-project/ratify/internal/version.Version=$(TAG)" \
--label org.opencontainers.image.revision=${{ github.sha }} \
-t ${{ steps.prepare.outputs.ref }}:${{ steps.prepare.outputs.version }} \
-t ${{ steps.prepare.outputs.ref }} \
--push .
- name: replace version
run: |
sed -i '/^ repository:/c\ repository: ghcr.io/ratify-project/ratify-dev' charts/ratify/values.yaml
sed -i '/^ crdRepository:/c\ crdRepository: ghcr.io/ratify-project/ratify-crds-dev' charts/ratify/values.yaml
sed -i '/^ tag:/c\ tag: ${{ steps.prepare.outputs.version }}' charts/ratify/values.yaml
- name: helm package
run: |
helm package ./charts/ratify --version ${{ steps.prepare.outputs.semversion }}
helm package ./charts/ratify --version ${{ steps.prepare.outputs.semversionrolling }}
- name: helm push
run: |
helm push ratify-${{ steps.prepare.outputs.semversion }}.tgz oci://${{ steps.prepare.outputs.chartrepo }}
helm push ratify-${{ steps.prepare.outputs.semversionrolling }}.tgz oci://${{ steps.prepare.outputs.chartrepo }}
- name: Sign with Notation
uses: notaryproject/notation-action/sign@104aa999103172f827373af8ac14dde7aa6d28f1 # v1.1.0
with:
plugin_name: azure-kv
plugin_url: ${{ vars.AZURE_KV_PLUGIN_URL }}
plugin_checksum: ${{ vars.AZURE_KV_CHECKSUM }}
key_id: ${{ secrets.AZURE_KV_KEY_ID }}
target_artifact_reference: |-
${{ steps.prepare.outputs.crdref }}:${{ steps.prepare.outputs.version }}
${{ steps.prepare.outputs.baseref }}:${{ steps.prepare.outputs.version }}
${{ steps.prepare.outputs.ref }}:${{ steps.prepare.outputs.version }}
${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversionrolling }}
${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversion }}
signature_format: cose
- name: Sign with Cosign
run: |
cosign sign --yes ${{ steps.prepare.outputs.crdref }}:${{ steps.prepare.outputs.version }}
cosign sign --yes ${{ steps.prepare.outputs.baseref }}:${{ steps.prepare.outputs.version }}
cosign sign --yes ${{ steps.prepare.outputs.ref }}:${{ steps.prepare.outputs.version }}
cosign sign --yes ${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversionrolling }}
cosign sign --yes ${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversion }}
- name: clear
if: always()
run: |
rm -f ${HOME}/.docker/config.json