Skip to content

Bump actions/cache from 4.1.2 to 4.2.0 (#2349) #1149

Bump actions/cache from 4.1.2 to 4.2.0 (#2349)

Bump actions/cache from 4.1.2 to 4.2.0 (#2349) #1149

Workflow file for this run

#
# Copyright 2022 The GUAC Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
name: release
on:
workflow_dispatch: # testing only, trigger manually to test it works
push:
branches:
- main
tags:
- "v*"
permissions:
actions: read # for detecting the Github Actions environment.
packages: read # for reading from GHCR
jobs:
goreleaser:
runs-on: ubuntu-latest
outputs:
hashes: ${{ steps.hash.outputs.hashes }}
image: ${{ steps.hash.outputs.image }}
digest: ${{ steps.hash.outputs.digest }}
permissions:
packages: write # To publish container images to GHCR
id-token: write # To use our OIDC token
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
persist-credentials: false
- name: Login to GitHub Container Registry
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set up Go
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version: "1.21"
- name: Install cosign
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # main
- name: Install syft
uses: anchore/sbom-action/download-syft@55dc4ee22412511ee8c3142cbea40418e6cec693 # v0.17.8
- name: Run GoReleaser Snapshot
if: ${{ !startsWith(github.ref, 'refs/tags/') }}
id: run-goreleaser-snapshot
uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf # v6.1.0
with:
distribution: goreleaser
version: latest
args: release --clean --snapshot --skip=sign
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GORELEASER_CURRENT_TAG: v0.0.0-snapshot-tag
DOCKER_CONTEXT: default
- name: Run GoReleaser Release
if: startsWith(github.ref, 'refs/tags/')
id: run-goreleaser-release
uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf # v6.1.0
with:
distribution: goreleaser
version: latest
# use .goreleaser-nightly.yaml for nightly build; otherwise use the default
args: ${{ contains( github.ref, 'nightly' ) && 'release --clean -f .goreleaser-nightly.yaml' || 'release --clean' }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
DOCKER_CONTEXT: default
- name: Generate hashes and extract image digest
id: hash
if: startsWith(github.ref, 'refs/tags/')
env:
ARTIFACTS: "${{ steps.run-goreleaser-release.outputs.artifacts }}"
run: |
set -euo pipefail
hashes=$(echo $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join(" ") | sub("^sha256:";"")' | base64 -w0)
if test "$hashes" = ""; then # goreleaser < v1.13.0
checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
hashes=$(cat $checksum_file | base64 -w0)
fi
echo "hashes=$hashes" >> $GITHUB_OUTPUT
image=$(echo $ARTIFACTS | jq --raw-output '.[] | select( .type =="Docker Manifest" ).name | split(":")[0]')
echo "image=$image" >> $GITHUB_OUTPUT
digest=$(echo $ARTIFACTS | jq --raw-output '.[] | select( .type =="Docker Manifest" ).extra.Digest')
echo "digest=$digest" >> $GITHUB_OUTPUT
build-atlas:
runs-on: ubuntu-latest
if: startsWith(github.ref, 'refs/tags/')
permissions:
packages: write # To publish container images to GHCR
id-token: write # To use our OIDC token
steps:
- name: Check out the code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
- name: Log in to GitHub Container Registry
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push the Docker image
uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
with:
context: ./pkg/assembler/backends/ent/migrate
push: true
tags: ghcr.io/${{ github.repository }}/atlas-migration:${{ github.ref_name }}
- name: Log out of GitHub Container Registry
run: docker logout ghcr.io
sbom-container:
# generate sbom for container as goreleaser can't - https://goreleaser.com/customization/sbom/#limitations
name: generate sbom for container
runs-on: ubuntu-latest
needs: [goreleaser]
if: startsWith(github.ref, 'refs/tags/')
permissions:
id-token: write # needed for signing the images with GitHub OIDC Token
steps:
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=v3
with:
persist-credentials: false
- name: Login to GitHub Container Registry
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Run Trivy in fs mode to generate SBOM
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # master
with:
scan-type: "fs"
format: "spdx-json"
output: "spdx.sbom.json"
- name: Install cosign
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # main
- name: Sign image and sbom
run: |
#!/usr/bin/env bash
set -euo pipefail
cosign attach sbom --sbom spdx.sbom.json ${IMAGE_URI_DIGEST}
cosign sign -a git_sha=$GITHUB_SHA --attachment sbom ${IMAGE_URI_DIGEST} --yes
shell: bash
env:
IMAGE_URI_DIGEST: ${{ needs.goreleaser.outputs.image }}@${{ needs.goreleaser.outputs.digest }}
provenance-bins:
name: generate provenance for binaries
needs: [goreleaser]
if: startsWith(github.ref, 'refs/tags/')
permissions:
id-token: write # To sign the provenance
contents: write # To upload assets to release
actions: read # To read the workflow path
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] # must use semver here
with:
base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
upload-assets: true
provenance-container:
name: generate provenance for container
needs: [goreleaser]
if: startsWith(github.ref, 'refs/tags/')
permissions:
id-token: write # To sign the provenance
contents: write # To upload assets to release
packages: write # To publish container images to GHCR
actions: read # To read the workflow path
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] # must use semver here
with:
image: ${{ needs.goreleaser.outputs.image }}
digest: ${{ needs.goreleaser.outputs.digest }}
registry-username: ${{ github.actor }}
secrets:
registry-password: ${{ secrets.GITHUB_TOKEN }}
compose-tarball:
runs-on: ubuntu-latest
name: generate compose tarball
needs: [goreleaser]
if: startsWith(github.ref, 'refs/tags/')
permissions:
contents: write # To upload assets to release.
packages: write # To publish container images to GHCR
id-token: write # To use our GitHub token
steps:
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=v3
with:
persist-credentials: false
- name: Create and publish compose tarball
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
#!/usr/bin/env bash
set -euo pipefail
mkdir guac-compose
cp .env guac-compose/
cp docker-compose.yml guac-compose/
cp -r container_files guac-compose/
sed -i s/local-organic-guac/ghcr.io\\/${{ github.repository_owner }}\\/guac:${{ github.ref_name }}/ guac-compose/.env
tar -zcvf guac-compose.tar.gz guac-compose/
rm -rf guac-compose/
gh release upload ${{ github.ref_name }} guac-compose.tar.gz
rm guac-compose.tar.gz
shell: bash
- name: Modify and publish demo compose yaml
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
#!/usr/bin/env bash
set -euo pipefail
cp container_files/guac-demo-compose.yaml .
sed -i s/\$GUAC_IMAGE/ghcr.io\\/${{ github.repository_owner }}\\/guac:${{ github.ref_name }}/ guac-demo-compose.yaml
gh release upload ${{ github.ref_name }} guac-demo-compose.yaml
rm guac-demo-compose.yaml
shell: bash
- name: Modify and publish postgres compose yaml
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
#!/usr/bin/env bash
set -euo pipefail
cp container_files/guac-postgres-compose.yaml .
sed -i s/\$GUAC_IMAGE/ghcr.io\\/${{ github.repository_owner }}\\/guac:${{ github.ref_name }}/ guac-postgres-compose.yaml
gh release upload ${{ github.ref_name }} guac-postgres-compose.yaml
rm guac-postgres-compose.yaml
shell: bash