Skip to content

🌱 Update Github Actions group to v1.9.3 (#59) #40

🌱 Update Github Actions group to v1.9.3 (#59)

🌱 Update Github Actions group to v1.9.3 (#59) #40

Workflow file for this run

name: Build cspo Image
# yamllint disable rule:line-length
on: # yamllint disable-line rule:truthy
push:
branches:
- main
# If the cache was cleaned we should re-build the cache with the latest commit
workflow_run:
workflows:
- "cspo Image Cache Cleaner"
branches:
- main
types:
- completed
workflow_dispatch:
env:
REGISTRY: ghcr.io/sovereigncloudstack
metadata_flavor: latest=true
metadata_tags: type=sha,prefix=sha-,format=short
permissions:
contents: read
packages: write
# Required to generate OIDC tokens for `sigstore/cosign-installer` authentication
id-token: write
jobs:
manager-image:
name: Build and push manager image
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
with:
fetch-depth: 0
- name: Setup Go
uses: ./.github/actions/setup-go
- name: Set up QEMU
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3
- name: Generate metadata cspo
id: metacspo
uses: ./.github/actions/metadata
env:
IMAGE_NAME: cspo-staging
with:
metadata_flavor: ${{ env.metadata_flavor }}
metadata_tags: ${{ env.metadata_tags }}
- name: Login to ghcr.io for CI
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Install Cosign
uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3.3.0
- name: Install Bom
shell: bash
run: |
curl -L https://github.com/kubernetes-sigs/bom/releases/download/v0.5.1/bom-amd64-linux -o bom
sudo mv ./bom /usr/local/bin/bom
sudo chmod +x /usr/local/bin/bom
- name: Setup Env
run: |
echo 'DOCKER_BUILD_LDFLAGS<<EOF' >> $GITHUB_ENV
echo $DOCKER_BUILD_LDFLAGS >> $GITHUB_ENV
echo 'EOF' >> $GITHUB_ENV
# Load Golang cache build from GitHub
- name: Load cspo Golang cache build from GitHub
uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0
id: cache
with:
path: /tmp/.cache/cspo
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}-cspo-${{ github.sha }}
restore-keys: |
${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}-cspo-
${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}-
${{ runner.os }}-go-
- name: Create cspo cache directory
if: ${{ steps.cache.outputs.cache-hit != 'true' }}
shell: bash
run: |
mkdir -p /tmp/.cache/cspo
# Import GitHub's cache build to docker cache
- name: Copy cspo Golang cache to docker cache
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
with:
provenance: false
context: /tmp/.cache/cspo
file: ./images/cache/Dockerfile
push: false
platforms: linux/amd64
target: import-cache
- name: Build and push cspo image
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5
id: docker_build_release_cspo
with:
provenance: false
context: .
file: ./images/cspo/Dockerfile
push: true
build-args: |
LDFLAGS=${{ env.DOCKER_BUILD_LDFLAGS }}
tags: ${{ steps.metacspo.outputs.tags }}
labels: ${{ steps.metacspo.outputs.labels }}
platforms: linux/amd64
- name: Sign Container Images
env:
COSIGN_EXPERIMENTAL: "true"
run: |
cosign sign --yes ghcr.io/sovereigncloudstack/cspo-staging@${{ steps.docker_build_release_cspo.outputs.digest }}
- name: Generate SBOM
shell: bash
run: |
bom generate -o sbom_ci_main_cspo_${{ steps.metacspo.outputs.version }}.spdx \
--image=ghcr.io/sovereigncloudstack/cspo-staging:${{ steps.metacspo.outputs.version }}
- name: Attach SBOM to Container Images
run: |
cosign attach sbom --sbom sbom_ci_main_cspo_${{ steps.metacspo.outputs.version }}.spdx ghcr.io/sovereigncloudstack/cspo-staging@${{ steps.docker_build_release_cspo.outputs.digest }}
- name: Sign SBOM Images
run: |
docker_build_release_cspo_digest="${{ steps.docker_build_release_cspo.outputs.digest }}"
image_name="ghcr.io/sovereigncloudstack/cspo-staging:${docker_build_release_cspo_digest/:/-}.sbom"
docker_build_release_cspo_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)"
cosign sign --yes "ghcr.io/sovereigncloudstack/cspo-staging@${docker_build_release_cspo_sbom_digest}"
- name: Image Releases digests cspo
shell: bash
run: |
mkdir -p image-digest/
echo "ghcr.io/sovereigncloudstack/cspo-staging:{{ steps.metacspo.outputs.tags }}@${{ steps.docker_build_release_cspo.outputs.digest }}" >> image-digest/cspo.txt
# Upload artifact digests
- name: Upload artifact digests
uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0
with:
name: image-digest
path: image-digest
retention-days: 90
# Store docker's golang's cache build locally only on the main branch
- name: Store cspo Golang cache build locally
if: ${{ steps.cache.outputs.cache-hit != 'true' }}
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
with:
provenance: false
context: .
file: ./images/cache/Dockerfile
push: false
outputs: type=local,dest=/tmp/docker-cache-cspo
platforms: linux/amd64
target: export-cache
# Store docker's golang's cache build locally only on the main branch
- name: Store cspo Golang cache in GitHub cache path
if: ${{ steps.cache.outputs.cache-hit != 'true' }}
shell: bash
run: |
mkdir -p /tmp/.cache/cspo/
if [ -f /tmp/docker-cache-cspo/tmp/go-build-cache.tar.gz ]; then
cp /tmp/docker-cache-cspo/tmp/go-build-cache.tar.gz /tmp/.cache/cspo/
fi
if [ -f /tmp/docker-cache-cspo/tmp/go-pkg-cache.tar.gz ]; then
cp /tmp/docker-cache-cspo/tmp/go-pkg-cache.tar.gz /tmp/.cache/cspo/
fi
- name: Image Digests Output
shell: bash
run: |
cd image-digest/
find -type f | sort | xargs -d '\n' cat