Add SLSA generator (#35) #24
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release | |
| on: | |
| push: | |
| branches: | |
| - main | |
| jobs: | |
| release-container-images: | |
| name: build and push to ghcr.io | |
| strategy: | |
| matrix: | |
| component: | |
| - informer | |
| - webhook | |
| runs-on: ubuntu-22.04 | |
| permissions: | |
| packages: write | |
| outputs: | |
| informer_image: ${{ steps.release.outputs.informer_image }} | |
| informer_digest: ${{ steps.release.outputs.informer_digest }} | |
| webhook_image: ${{ steps.release.outputs.webhook_image }} | |
| webhook_digest: ${{ steps.release.outputs.webhook_digest }} | |
| steps: | |
| - uses: actions/setup-go@v4 | |
| with: | |
| go-version: 1.21.x | |
| - uses: ko-build/[email protected] | |
| - uses: actions/checkout@v4 | |
| - id: release | |
| name: Build and push | |
| env: | |
| KO_DOCKER_REPO: ghcr.io/norbjd/k8s-pod-cpu-booster | |
| run: | | |
| # something like 202403241909-abcdef01 if we want to use a specific version | |
| UNIQUE_TAG="$(TZ=UTC0 git log -1 --format=%cd --date=format-local:%Y%m%d%H%M)-$(git rev-parse --short HEAD)" | |
| ko build ./cmd/${{ matrix.component }} \ | |
| --base-import-paths \ | |
| --sbom=none \ | |
| --image-refs=.digest \ | |
| --tags=$GITHUB_REF_NAME,$UNIQUE_TAG | |
| image=$(cat .digest | cut -d'@' -f1 | cut -d':' -f1) | |
| digest=$(cat .digest| cut -d'@' -f2) | |
| echo "${{ matrix.component }}_image=$image" >> "$GITHUB_OUTPUT" | |
| echo "${{ matrix.component }}_digest=$digest" >> "$GITHUB_OUTPUT" | |
| # see https://github.com/slsa-framework/slsa-github-generator/blob/v1.10.0/internal/builders/container/README.md#ko | |
| provenance: | |
| needs: | |
| - release-container-images | |
| strategy: | |
| matrix: | |
| component: | |
| - informer | |
| - webhook | |
| permissions: | |
| actions: read | |
| id-token: write | |
| packages: write | |
| uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | |
| with: | |
| image: "${{ needs.release-container-images.outputs[format('{0}_image', matrix.component)] }}" | |
| digest: "${{ needs.release-container-images.outputs[format('{0}_digest', matrix.component)] }}" | |
| registry-username: ${{ github.actor }} | |
| compile-generator: true | |
| secrets: | |
| registry-password: ${{ secrets.GITHUB_TOKEN }} | |
| release-helm-chart: | |
| name: release helm chart | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Configure Git | |
| run: | | |
| git config user.name "$GITHUB_ACTOR" | |
| git config user.email "[email protected]" | |
| - name: Install helm | |
| run: | | |
| curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash | |
| - name: Run chart-releaser | |
| uses: helm/[email protected] | |
| env: | |
| CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" |