Merge pull request #1059 from kubereboot/dependabot/github_actions/do… #32
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # when we add a tag to the repo, we should publish the kured image to a public repository | |
| # if it's safe. | |
| # It doesn't mean it's ready for release, but at least it's getting us started. | |
| # The next step is to have a PR with the helm chart, to bump the version of the image used | |
| name: Tag repo | |
| on: | |
| push: | |
| tags: | |
| - "*" | |
| env: | |
| REGISTRY: ghcr.io | |
| IMAGE_NAME: ${{ github.repository }} | |
| permissions: | |
| contents: read | |
| jobs: | |
| tag-scan-and-push-final-image: | |
| name: "Build, scan, and publish tagged image" | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| contents: write | |
| packages: write | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3 | |
| with: | |
| egress-policy: audit | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Ensure go version | |
| uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 | |
| with: | |
| go-version-file: 'go.mod' | |
| check-latest: true | |
| - name: Find current tag version | |
| run: echo "version=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT | |
| id: tags | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0 | |
| - name: Setup GoReleaser | |
| run: make bootstrap-tools | |
| - name: Build binaries | |
| run: make kured-release-tag | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Build single image for scan | |
| uses: docker/build-push-action@67a2d409c0a876cbe6b11854e3e25193efe4e62d # v6.12.0 | |
| with: | |
| context: . | |
| platforms: linux/amd64 | |
| push: false | |
| load: true | |
| tags: | | |
| ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tags.outputs.version }} | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 | |
| with: | |
| image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tags.outputs.version }}' | |
| format: 'table' | |
| exit-code: '1' | |
| ignore-unfixed: true | |
| vuln-type: 'os,library' | |
| severity: 'CRITICAL,HIGH' | |
| - name: Login to ghcr.io | |
| uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Extract metadata (tags, labels) for Docker | |
| id: meta | |
| uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 | |
| with: | |
| images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | |
| - name: Build release images | |
| uses: docker/build-push-action@67a2d409c0a876cbe6b11854e3e25193efe4e62d # v6.12.0 | |
| with: | |
| context: . | |
| platforms: linux/arm64, linux/amd64, linux/arm/v7, linux/arm/v6, linux/386 | |
| push: true | |
| labels: ${{ steps.meta.outputs.labels }} | |
| tags: | | |
| ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tags.outputs.version }} | |
| - name: Generate SBOM | |
| run: | | |
| hack/bin/syft ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tags.outputs.version }} -o spdx > kured.sbom | |
| - name: Sign and attest artifacts | |
| run: | | |
| hack/bin/cosign sign -y -r ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tags.outputs.version }} | |
| hack/bin/cosign sign-blob -y --output-signature kured.sbom.sig kured.sbom | |
| hack/bin/cosign attest -y --type spdx --predicate kured.sbom ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tags.outputs.version }} | |
| hack/bin/cosign attach sbom --type spdx --sbom kured.sbom ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tags.outputs.version }} |