-
-
Notifications
You must be signed in to change notification settings - Fork 4
146 lines (132 loc) · 5.19 KB
/
image.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
name: Create and publish a Docker image
on:
push:
tags:
- '*'
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
VALKEY_VERSION: 8.0.2
RELEASE_VERSION: ${{ github.ref_name }}
jobs:
build-and-push-image:
runs-on: ubuntu-latest
permissions:
contents: read # for trivy scan upload
packages: write
id-token: write
security-events: write
attestations: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Log in to the Container registry
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata (Controller tags, labels) for Docker
id: meta_controller
uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.RELEASE_VERSION }}
- name: Extract metadata (Sidecar tags, labels) for Docker
id: meta_sidecar
uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96
with:
images: ${{ env.REGISTRY }}/hyperspike/valkey-sidecar:${{ env.RELEASE_VERSION }}
- name: Extract metadata (Valkey tags, labels) for Docker
id: meta_valkey
uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96
with:
images: ${{ env.REGISTRY }}/hyperspike/valkey:${{ env.VALKEY_VERSION }}
- name: Setup Go ${{ matrix.go-version }}
uses: actions/setup-go@v5
with:
go-version: 1.23
# You can test your matrix by printing the current Go version
- name: Display Go version
run: go version
- name: Build it
id: go_build
run: make V=1
- name: Build and push Docker image
uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc
id: docker_build_controller
with:
file: Dockerfile.controller
context: .
push: true
visibility: public
tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.RELEASE_VERSION }}
labels: ${{ steps.meta_manager.outputs.labels }}
- name: Build and push Sidecar image
uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc
id: docker_build_sidecar
with:
file: Dockerfile.sidecar
context: .
push: true
visibility: public
tags: ${{ env.REGISTRY }}/hyperspike/valkey-sidecar:${{ env.RELEASE_VERSION }}
labels: ${{ steps.meta_sidecar.outputs.labels }}
- name: Build and push Valkey image
uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc
id: docker_build_valkey
with:
file: Dockerfile.valkey
context: .
push: true
visibility: public
tags: ${{ env.REGISTRY }}/hyperspike/valkey:${{ env.VALKEY_VERSION }}
labels: ${{ steps.meta_valkey.outputs.labels }}
- name: Set up Cosign
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
- name: Sign Controller image with GitHub OIDC Token
run: |
cosign sign --yes ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}${{ env.RELEASE_VERSION }}@${{ steps.docker_build_controller.outputs.digest }}
- name: Sign Sidecar image with GitHub OIDC Token
run: |
cosign sign --yes ${{ env.REGISTRY }}/hyperspike/valkey-sidecar:${{ env.RELEASE_VERSION }}@${{ steps.docker_build_sidecar.outputs.digest }}
- name: Sign Valkey image with GitHub OIDC Token
run: |
cosign sign --yes ${{ env.REGISTRY }}/hyperspike/valkey:${{ env.VALKEY_VERSION }}@${{ steps.docker_build_valkey.outputs.digest }}
- name: Attest the Controller image
uses: actions/attest-build-provenance@v2
id: attest
with:
subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
subject-digest: ${{ steps.docker_build_controller.outputs.digest }}
push-to-registry: true
- name: Attest the Sidecar image
uses: actions/attest-build-provenance@v2
id: attest
with:
subject-name: ${{ env.REGISTRY }}/hyperspike/valkey-sidecar
subject-digest: ${{ steps.docker_build_sidecar.outputs.digest }}
push-to-registry: true
- name: Attest the Valkey image
uses: actions/attest-build-provenance@v2
id: attest
with:
subject-name: ${{ env.REGISTRY }}/hyperspike/valkey
subject-digest: ${{ steps.docker_build_valkey.outputs.digest }}
push-to-registry: true
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}${{ env.RELEASE_VERSION }}'
format: 'sarif'
output: 'trivy-results.sarif'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: 'trivy-results.sarif'
#env:
# GITHUB_TOKEN: ${{ secrets.TOKEN }}