Upgrade kubectl, github actions, add attestation

cash-track · Nov 15, 2024 · 8024709 · 8024709
1 parent d905709
commit 8024709
Show file tree

Hide file tree

Showing 4 changed files with 646 additions and 553 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -6,6 +6,7 @@ on:
     types: [ published ]
 
 env:
+  REGISTRY: docker.io
   REPO: cashtrack/api
 
 jobs:
@@ -14,6 +15,8 @@ jobs:
     permissions:
       contents: read
       packages: write
+      id-token: write
+      attestations: write
 
     steps:
       - name: Checkout repository
@@ -52,7 +55,8 @@ jobs:
       # Build and push Docker image with Build (don't push on PR)
       # https://github.com/docker/build-push-action
       - name: Build and push
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
+        id: push
         with:
           context: .
           push: ${{ github.event_name != 'pull_request' }}
@@ -61,3 +65,11 @@ jobs:
           build-args: |
             GIT_COMMIT=${{ github.sha }}
             GIT_TAG=${{ github.ref_name }}
+
+      - name: Attest
+        uses: actions/attest-build-provenance@v1
+        id: attest
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.REPO }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -13,7 +13,7 @@ env:
   INFRA_REPO_REF: main
   CLUSTER: k8s-cash-track
   NAMESPACE: cash-track
-  KUBECTL_BIN: https://storage.googleapis.com/kubernetes-release/release/v1.27.4/bin/linux/amd64/kubectl
+  KUBECTL_BIN: https://storage.googleapis.com/kubernetes-release/release/v1.31.0/bin/linux/amd64/kubectl
 
 jobs:
   deploy:

diff --git a/.github/workflows/quality.yml b/.github/workflows/quality.yml
@@ -144,7 +144,7 @@ jobs:
 
       - name: Upload Coverage To Codecov
         continue-on-error: true
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@v5
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           files: ./coverage.xml