chore: fix #261, use go-jose/go-jose instead of square/go-jose #1003
name: Salsa build & release | |
on: | |
push: | |
paths-ignore: | |
- '**.md' | |
- 'CODEOWNERS' | |
- 'LICENSE' | |
- '.gitignore' | |
- 'doc/**' | |
- 'Makefile' | |
env: | |
VERSION: v0.12 | |
IMAGE_NAME: ghcr.io/${{ github.repository }} | |
COSIGN_VERSION: v2.2.2 | |
SYFT_VERSION: v0.44.1 | |
GO_RELEASER_VERSION: v1.11.2 | |
GRADLE_VERSION: 7.5.1 | |
PUSH: false | |
jobs: | |
set-version: | |
runs-on: ubuntu-20.04 | |
outputs: | |
version: ${{ steps.set-version.outputs.version }} | |
steps: | |
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 | |
- name: set version | |
id: set-version | |
run: | | |
echo Faking a Semantic Version | |
echo "version=${{ env.VERSION }}.$(date "+%Y%m%d%H%M%S")" >> $GITHUB_OUTPUT | |
test: | |
runs-on: ubuntu-20.04 | |
steps: | |
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 | |
- uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # ratchet:actions/setup-go@v3 | |
with: | |
go-version-file: ./go.mod | |
check-latest: true | |
cache: true | |
- name: Test Salsa | |
run: make test | |
build: | |
outputs: | |
cli-tag: ${{ steps.container-tags.outputs.cli-tag }} | |
action-tag: ${{ steps.container-tags.outputs.action-tag }} | |
digest: ${{ steps.docker_build.outputs.digest }} | |
needs: | |
- set-version | |
- test | |
runs-on: ubuntu-20.04 | |
steps: | |
- name: Checkout latest code | |
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 | |
with: | |
fetch-depth: 0 | |
- name: Set up Go | |
uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # ratchet:actions/setup-go@v3 | |
with: | |
go-version-file: ./go.mod | |
check-latest: true | |
cache: true | |
- name: Create tag | |
run: | | |
git tag ${{ needs.set-version.outputs.version }} | |
# - uses: navikt/github-app-token-generator@v1 | |
# id: get-homebrew-token | |
# with: | |
# private-key: ${{ secrets.NAIS_APP_PRIVATE_KEY }} | |
# app-id: ${{ secrets.NAIS_APP_ID }} | |
# repo: nais/homebrew-tap | |
- name: Install cosign | |
uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # ratchet:sigstore/[email protected] | |
with: | |
cosign-release: ${{ env.COSIGN_VERSION }} | |
- name: Install Syft | |
uses: anchore/sbom-action/download-syft@422cb34a0f8b599678c41b21163ea6088edb2624 # ratchet:anchore/sbom-action/[email protected] | |
with: | |
syft-version: ${{ env.SYFT_VERSION }} | |
- name: Put key on file | |
run: | | |
echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key | |
- name: Run GoReleaser | |
if: ${{ github.ref == 'refs/heads/main' }} | |
uses: goreleaser/goreleaser-action@5fdedb94abba051217030cc86d4523cf3f02243d # ratchet:goreleaser/goreleaser-action@v4 | |
with: | |
distribution: goreleaser | |
version: ${{ env.GO_RELEASER_VERSION }} | |
args: release -f .goreleaser.yml --rm-dist --debug | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
PUSH_TOKEN: ${{ steps.get-homebrew-token.outputs.token }} | |
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@885d1462b80bc1c1c7f0b00334ad271f09369c55 # ratchet:docker/setup-buildx-action@v2 | |
with: | |
provenance: false | |
- name: Login to Docker | |
uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # ratchet:docker/login-action@v2 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Create tags | |
id: container-tags | |
run: | | |
echo "cli-tag=${{ env.IMAGE_NAME }}:${{ needs.set-version.outputs.version }}" >> $GITHUB_OUTPUT | |
echo "action-tag=${{ env.IMAGE_NAME }}:${{ env.VERSION }}" >> $GITHUB_OUTPUT | |
- name: Only push from main | |
if: ${{ github.ref == 'refs/heads/main' }} | |
run: | | |
echo "PUSH=true" >> $GITHUB_ENV | |
- name: Build and push | |
uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # ratchet:docker/build-push-action@v4 | |
id: docker_build | |
with: | |
push: ${{ env.PUSH }} | |
tags: ${{ steps.container-tags.outputs.cli-tag }},${{ steps.container-tags.outputs.action-tag }} | |
labels: version=${{ needs.set-version.outputs.version }},revision=${{ github.sha }} | |
build-args: | | |
COSIGN_VERSION=${{ env.COSIGN_VERSION }} | |
GRADLE_VERSION=${{ env.GRADLE_VERSION }} | |
- name: Update major/minor version tag | |
if: ${{ github.ref == 'refs/heads/main' }} | |
run: "git tag -f ${{ env.VERSION }}\ngit push -f origin ${{ env.VERSION }} \n" | |
- name: Clean up | |
if: ${{ always() }} | |
run: "rm -f cosign.key \n" | |
sign-attest: | |
needs: | |
- build | |
runs-on: ubuntu-20.04 | |
permissions: | |
packages: write | |
contents: read | |
id-token: write | |
if: ${{ github.ref == 'refs/heads/main' }} | |
env: | |
DIGEST: "${{ needs.build.outputs.digest }}" | |
steps: | |
- name: Install cosign | |
uses: sigstore/cosign-installer@ce50ea946c19e4bdba9127f76ba2fb00d8e95a96 # ratchet:sigstore/[email protected] | |
with: | |
cosign-release: ${{ env.COSIGN_VERSION }} | |
- name: Login to Docker | |
uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # ratchet:docker/login-action@v2 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Generate SBOM | |
id: sbom | |
uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # ratchet:aquasecurity/trivy-action@master | |
with: | |
scan-type: 'image' | |
format: 'cyclonedx' | |
output: 'sbom.json' | |
image-ref: ${{ env.IMAGE_NAME }}@${{ env.DIGEST }} | |
- name: Sign Docker image and and add signed attest | |
run: | | |
echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key | |
cosign sign --yes --key cosign.key ${{ env.IMAGE_NAME }}@${{ env.DIGEST }} | |
cosign sign --yes --key cosign.key ${{ env.IMAGE_NAME }}@${{ env.DIGEST }} | |
cosign attest --yes --tlog-upload=false --key cosign.key --predicate sbom.json --type cyclonedx ${{ env.IMAGE_NAME }}@${{ env.DIGEST }} | |
env: | |
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | |
- name: Clean up | |
if: ${{ always() }} | |
run: | | |
rm -f cosign.key |
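Review bot: The signing key is materialised on disk by inline secret expansion (`echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key`, in the `Put key on file` step of `build` and again in the `Sign Docker image and and add signed attest` step of `sign-attest`), which embeds the key in the step's generated shell script and depends on the `Clean up` steps running to remove it; in `sign-attest` cosign can read the key from the environment instead, so adding `COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}` next to `COSIGN_PASSWORD` in that step's `env:` and using `--key env://COSIGN_PRIVATE_KEY` on the `cosign sign` and `cosign attest` lines removes the file and the cleanup step entirely (the `build` copy may still be required by `.goreleaser.yml`, which is not on this page). The `cosign sign --yes --key cosign.key ...` line appears twice in a row, producing two identical signature entries per run; one should be dropped. `cosign attest` passes `--tlog-upload=false` while `cosign sign` uses the default, so the attestation is not recorded in the transparency log and verifiers that require a log entry will reject it; either drop the flag or comment why the attestation is excluded. The two `cosign-installer` steps are pinned to different commits and versions within the same file, and the `trivy-action` pin carries a `ratchet:aquasecurity/trivy-action@master` tracker, so a ratchet refresh follows an unreviewed branch head rather than a release tag. The `build` job also declares no `permissions:` block while it pushes tags and images with `GITHUB_TOKEN`, so it runs with the repository's default token scope, which is presumably broader than the explicit `packages: write` / `contents: read` / `id-token: write` set on `sign-attest`.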