Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

chore: fix #261, use go-jose/go-jose instead of square/go-jose #1003

chore: fix #261, use go-jose/go-jose instead of square/go-jose

chore: fix #261, use go-jose/go-jose instead of square/go-jose #1003

Workflow file for this run

name: Salsa build & release
on:
push:
paths-ignore:
- '**.md'
- 'CODEOWNERS'
- 'LICENSE'
- '.gitignore'
- 'doc/**'
- 'Makefile'
env:
VERSION: v0.12
IMAGE_NAME: ghcr.io/${{ github.repository }}
COSIGN_VERSION: v2.2.2
SYFT_VERSION: v0.44.1
GO_RELEASER_VERSION: v1.11.2
GRADLE_VERSION: 7.5.1
PUSH: false
jobs:
set-version:
runs-on: ubuntu-20.04
outputs:
version: ${{ steps.set-version.outputs.version }}
steps:
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
- name: set version
id: set-version
run: |
echo Faking a Semantic Version
echo "version=${{ env.VERSION }}.$(date "+%Y%m%d%H%M%S")" >> $GITHUB_OUTPUT
test:
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
- uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # ratchet:actions/setup-go@v3
with:
go-version-file: ./go.mod
check-latest: true
cache: true
- name: Test Salsa
run: make test
build:
outputs:
cli-tag: ${{ steps.container-tags.outputs.cli-tag }}
action-tag: ${{ steps.container-tags.outputs.action-tag }}
digest: ${{ steps.docker_build.outputs.digest }}
needs:
- set-version
- test
runs-on: ubuntu-20.04
steps:
- name: Checkout latest code
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
with:
fetch-depth: 0
- name: Set up Go
uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # ratchet:actions/setup-go@v3
with:
go-version-file: ./go.mod
check-latest: true
cache: true
- name: Create tag
run: |
git tag ${{ needs.set-version.outputs.version }}
# - uses: navikt/github-app-token-generator@v1
# id: get-homebrew-token
# with:
# private-key: ${{ secrets.NAIS_APP_PRIVATE_KEY }}
# app-id: ${{ secrets.NAIS_APP_ID }}
# repo: nais/homebrew-tap
- name: Install cosign
uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # ratchet:sigstore/[email protected]
with:
cosign-release: ${{ env.COSIGN_VERSION }}
- name: Install Syft
uses: anchore/sbom-action/download-syft@422cb34a0f8b599678c41b21163ea6088edb2624 # ratchet:anchore/sbom-action/[email protected]
with:
syft-version: ${{ env.SYFT_VERSION }}
- name: Put key on file
run: |
echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key
- name: Run GoReleaser
if: ${{ github.ref == 'refs/heads/main' }}
uses: goreleaser/goreleaser-action@5fdedb94abba051217030cc86d4523cf3f02243d # ratchet:goreleaser/goreleaser-action@v4
with:
distribution: goreleaser
version: ${{ env.GO_RELEASER_VERSION }}
args: release -f .goreleaser.yml --rm-dist --debug
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
PUSH_TOKEN: ${{ steps.get-homebrew-token.outputs.token }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@885d1462b80bc1c1c7f0b00334ad271f09369c55 # ratchet:docker/setup-buildx-action@v2
with:
provenance: false
- name: Login to Docker
uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # ratchet:docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Create tags
id: container-tags
run: |
echo "cli-tag=${{ env.IMAGE_NAME }}:${{ needs.set-version.outputs.version }}" >> $GITHUB_OUTPUT
echo "action-tag=${{ env.IMAGE_NAME }}:${{ env.VERSION }}" >> $GITHUB_OUTPUT
- name: Only push from main
if: ${{ github.ref == 'refs/heads/main' }}
run: |
echo "PUSH=true" >> $GITHUB_ENV
- name: Build and push
uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # ratchet:docker/build-push-action@v4
id: docker_build
with:
push: ${{ env.PUSH }}
tags: ${{ steps.container-tags.outputs.cli-tag }},${{ steps.container-tags.outputs.action-tag }}
labels: version=${{ needs.set-version.outputs.version }},revision=${{ github.sha }}
build-args: |
COSIGN_VERSION=${{ env.COSIGN_VERSION }}
GRADLE_VERSION=${{ env.GRADLE_VERSION }}
- name: Update major/minor version tag
if: ${{ github.ref == 'refs/heads/main' }}
run: "git tag -f ${{ env.VERSION }}\ngit push -f origin ${{ env.VERSION }} \n"
- name: Clean up
if: ${{ always() }}
run: "rm -f cosign.key \n"
sign-attest:
needs:
- build
runs-on: ubuntu-20.04
permissions:
packages: write
contents: read
id-token: write
if: ${{ github.ref == 'refs/heads/main' }}
env:
DIGEST: "${{ needs.build.outputs.digest }}"
steps:
- name: Install cosign
uses: sigstore/cosign-installer@ce50ea946c19e4bdba9127f76ba2fb00d8e95a96 # ratchet:sigstore/[email protected]
with:
cosign-release: ${{ env.COSIGN_VERSION }}
- name: Login to Docker
uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # ratchet:docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Generate SBOM
id: sbom
uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # ratchet:aquasecurity/trivy-action@master
with:
scan-type: 'image'
format: 'cyclonedx'
output: 'sbom.json'
image-ref: ${{ env.IMAGE_NAME }}@${{ env.DIGEST }}
- name: Sign Docker image and and add signed attest
run: |
echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key
cosign sign --yes --key cosign.key ${{ env.IMAGE_NAME }}@${{ env.DIGEST }}
cosign sign --yes --key cosign.key ${{ env.IMAGE_NAME }}@${{ env.DIGEST }}
cosign attest --yes --tlog-upload=false --key cosign.key --predicate sbom.json --type cyclonedx ${{ env.IMAGE_NAME }}@${{ env.DIGEST }}
env:
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
- name: Clean up
if: ${{ always() }}
run: |
rm -f cosign.key