Skip to content

Merge pull request #42 from mlbiam/master #46

Merge pull request #42 from mlbiam/master

Merge pull request #42 from mlbiam/master #46

Workflow file for this run

name: build
on:
push:
branches:
- 'master'
permissions:
id-token: write
packages: write
jobs:
docker:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
-
name: Set up QEMU
uses: docker/setup-qemu-action@v1
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1
- uses: actions/checkout@v1
- name: Setup Go
uses: actions/setup-go@v3
with:
go-version: "^1.20.0"
- name: Install Cosign
uses: sigstore/cosign-installer@main
- name: Update go deps
run: go mod tidy
- name: install go mock
run: go install github.com/golang/mock/[email protected]
- name: install go-junit
run: go get -u github.com/jstemmer/go-junit-report
- name: run tests
run: make test
- name: build executable
run: make build; ls; ls bin
-
name: Login to DockerHub
uses: docker/login-action@v1
with:
username: ${{ secrets.OU_REG_USER }}
password: ${{ secrets.OU_REG_PASSWORD }}
- name: Login to container Registry
uses: docker/login-action@v2
with:
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
registry: ghcr.io
- name: downcase REPO
run: |
echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV}
- name: generate tag
run: |-
export PROJ_VERSION="1.0.5"
echo "Project Version: $PROJ_VERSION"
echo "TAG=$PROJ_VERSION-$(echo $GITHUB_SHA | cut -c 1-6)" >> $GITHUB_ENV
echo "SHORT_TAG=$PROJ_VERSION" >> $GITHUB_ENV
-
name: Build and push
id: docker_build
uses: docker/build-push-action@v2
with:
context: "."
push: true
tags: |
${{ secrets.OU_CONTAINER_DEST }}:${{ env.TAG }}
${{ secrets.OU_CONTAINER_DEST }}:${{ env.SHORT_TAG }}
${{ secrets.OU_CONTAINER_DEST }}
ghcr.io/${{ env.REPO }}:${{ env.TAG }}
ghcr.io/${{ env.REPO }}:${{ env.SHORT_TAG }}
ghcr.io/${{ env.REPO }}:latest
- name: sign images
run: |-
cosign sign -y ${{ secrets.OU_CONTAINER_DEST }}:${{ env.TAG }}
cosign sign -y ghcr.io/${{ env.REPO }}:${{ env.TAG }}
- uses: anchore/sbom-action@v0
with:
image: ${{ secrets.OU_CONTAINER_DEST }}:${{ env.TAG }}
format: spdx
output-file: /tmp/spdxd
- uses: anchore/sbom-action@v0
with:
image: ghcr.io/${{ env.REPO }}:${{ env.TAG }}
format: spdx
output-file: /tmp/spdxg
- name: attach sbom to images
run: |-
cosign attach sbom --sbom /tmp/spdxd ${{ secrets.OU_CONTAINER_DEST }}:${{ env.TAG }}
cosign attach sbom --sbom /tmp/spdxg ghcr.io/${{ env.REPO }}:${{ env.TAG }}
DH_SBOM_SHA=$(cosign verify --certificate-oidc-issuer-regexp='.*' --certificate-identity-regexp='.*' ${{ secrets.OU_CONTAINER_DEST }}:${{ env.TAG }} 2>/dev/null | jq -r '.[0].critical.image["docker-manifest-digest"]' | cut -c 8-)
GH_SBOM_SHA=$(cosign verify --certificate-oidc-issuer-regexp='.*' --certificate-identity-regexp='.*' ghcr.io/${{ env.REPO }}:${{ env.TAG }} 2>/dev/null | jq -r '.[0].critical.image["docker-manifest-digest"]' | cut -c 8-)
echo "DH_SBOM_SHA: $DH_SBOM_SHA"
echo "GH_SBOM_SHA: $GH_SBOM_SHA"
cosign sign -y ${{ secrets.OU_CONTAINER_DEST }}:sha256-$DH_SBOM_SHA.sbom
cosign sign -y ghcr.io/${{ env.REPO }}:sha256-$GH_SBOM_SHA.sbom