Sign SBOM images #27
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release | |
| on: | |
| pull_request: | |
| branches: | |
| - main | |
| push: | |
| branches: | |
| - main | |
| jobs: | |
| release-container-images: | |
| name: build and push to ghcr.io | |
| strategy: | |
| matrix: | |
| component: | |
| - informer | |
| - webhook | |
| runs-on: ubuntu-22.04 | |
| permissions: | |
| packages: write | |
| outputs: | |
| informer_image: ${{ steps.release.outputs.informer_image }} | |
| informer_digest: ${{ steps.release.outputs.informer_digest }} | |
| informer_sbom_image: ${{ steps.release.outputs.informer_sbom_image }} | |
| informer_sbom_digest: ${{ steps.release.outputs.informer_sbom_digest }} | |
| webhook_image: ${{ steps.release.outputs.webhook_image }} | |
| webhook_digest: ${{ steps.release.outputs.webhook_digest }} | |
| webhook_sbom_image: ${{ steps.release.outputs.webhook_sbom_image }} | |
| webhook_sbom_digest: ${{ steps.release.outputs.webhook_sbom_digest }} | |
| steps: | |
| - uses: actions/setup-go@v4 | |
| with: | |
| go-version: 1.21.x | |
| - uses: ko-build/[email protected] | |
| - name: Install crane | |
| run: go install github.com/google/go-containerregistry/cmd/[email protected] | |
| - uses: actions/checkout@v4 | |
| - id: release | |
| name: Build and push | |
| env: | |
| KO_DOCKER_REPO: ghcr.io/norbjd/k8s-pod-cpu-booster | |
| run: | | |
| # something like 202403241909-abcdef01 if we want to use a specific version | |
| UNIQUE_TAG="$(TZ=UTC0 git log -1 --format=%cd --date=format-local:%Y%m%d%H%M)-$(git rev-parse --short HEAD)" | |
| ko build ./cmd/${{ matrix.component }} \ | |
| --base-import-paths \ | |
| --image-refs=.digest \ | |
| --tags=$UNIQUE_TAG # --tags=$GITHUB_REF_NAME,$UNIQUE_TAG | |
| image=$(cat .digest | cut -d'@' -f1 | cut -d':' -f1) | |
| digest=$(cat .digest| cut -d'@' -f2) | |
| echo "${{ matrix.component }}_image=$image" >> "$GITHUB_OUTPUT" | |
| echo "${{ matrix.component }}_digest=$digest" >> "$GITHUB_OUTPUT" | |
| # this is probably not the best way to sign the SBOM: | |
| # - requires crane to get the SBOM image pushed above | |
| # - is vulnerable to TOCTOU attacks if someone updates the sbom between "ko build" and now | |
| # but, it's good enough for now, until I have a better solution | |
| sbom_digest=$(crane digest $image:sha256-$digest.sbom) | |
| echo "${{ matrix.component }}_sbom_image=$image" >> "$GITHUB_OUTPUT" | |
| echo "${{ matrix.component }}_sbom_digest=$sbom_digest" >> "$GITHUB_OUTPUT" | |
| # see https://github.com/slsa-framework/slsa-github-generator/blob/v1.10.0/internal/builders/container/README.md#ko | |
| provenance: | |
| needs: | |
| - release-container-images | |
| strategy: | |
| matrix: | |
| component: | |
| - informer | |
| - informer_sbom | |
| - webhook | |
| - webhook_sbom | |
| permissions: | |
| actions: read | |
| id-token: write | |
| packages: write | |
| uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | |
| with: | |
| image: "${{ needs.release-container-images.outputs[format('{0}_image', matrix.component)] }}" | |
| digest: "${{ needs.release-container-images.outputs[format('{0}_digest', matrix.component)] }}" | |
| registry-username: ${{ github.actor }} | |
| compile-generator: true | |
| secrets: | |
| registry-password: ${{ secrets.GITHUB_TOKEN }} | |
| release-helm-chart: | |
| name: release helm chart | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Configure Git | |
| run: | | |
| git config user.name "$GITHUB_ACTOR" | |
| git config user.email "[email protected]" | |
| - name: Install helm | |
| run: | | |
| curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash | |
| - name: Run chart-releaser | |
| uses: helm/[email protected] | |
| env: | |
| CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" |