source-bundle-upload.yaml
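---
# Packs the repository's working tree into a single-layer OCI image
# (FROM scratch + COPY . .), pushes it to GHCR as a "source bundle", and
# signs the pushed image with cosign keyless mode. It only runs on pushes
# to main, and not when the push touches only LICENSE, OWNERS or README.md.
name: Source Bundle Upload
on:
  push:
    paths-ignore:
      - 'LICENSE'
      - 'OWNERS'
      - 'README.md'
    branches:
      - main
jobs:
  source-bundle-upload:
    runs-on: ubuntu-latest
    # Declaring `permissions` sets every scope not listed to `none`, so the
    # job token can do exactly these three things and nothing else.
    permissions:
      contents: read  # actions/checkout reads the tree; nothing here writes to it.
      id-token: write # To be able to get OIDC ID token to sign images.
      packages: write # To be able to push images and signatures.
    steps:
      # NOTE(review): every action below is pinned to a mutable tag (v2, v1,
      # v1.3.1). A tag can be re-pointed by the action's maintainer or by
      # whoever compromises their account, and this job holds a token that
      # can publish and sign packages. The supply-chain-safe form is a
      # full-length commit SHA with the version kept as a trailing comment,
      # e.g. `uses: owner/repo@<40-hex-sha> # vX.Y.Z`; take the SHA from the
      # action's own release/tag page rather than from a copied snippet.
      - uses: actions/checkout@v2
      # Installs the `cosign` binary used by the signing step below.
      - uses: sigstore/[email protected]
      - uses: docker/login-action@v1
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Setup temporary Dockerfile for source bundle build
        run: |
          cat <<EOF >Dockerfile
          FROM scratch
          COPY . .
          EOF
          # Keep VCS metadata, the CI config and the two generated files
          # out of the bundle; everything else in the checkout is copied in.
          cat <<EOF >.dockerignore
          .dockerignore
          .git
          .github
          .shpignore
          Dockerfile
          EOF
      - name: Build and push source bundle image
        # `id` exposes the action's outputs (notably `digest`) to later steps.
        id: build
        uses: docker/build-push-action@v2
        with:
          context: .
          push: true
          # `latest` stays as the moving pointer existing consumers use; the
          # commit-sha tag keeps every bundle addressable long after `latest`
          # has moved on.
          tags: |
            ghcr.io/${{ github.repository }}/source-bundle:latest
            ghcr.io/${{ github.repository }}/source-bundle:${{ github.sha }}
      - name: Sign source bundle image
        env:
          # This enables keyless mode
          # (https://github.com/sigstore/cosign/blob/main/KEYLESS.md) which signs
          # images using an ephemeral key tied to the GitHub Actions identity via
          # OIDC.
          COSIGN_EXPERIMENTAL: "true"
        run: |
          # Sign by digest, not by tag. Between the push above and this step
          # the `latest` tag can be re-pointed (e.g. by a concurrent run of
          # this workflow), and signing the tag would then attest to whatever
          # it resolves to at that instant. The digest is exactly the manifest
          # this job built. The -a annotations come from non-attacker-controlled
          # contexts (sha, run_id, run_attempt), so interpolating them into the
          # shell line is safe.
          cosign sign \
            -a sha=${{ github.sha }} \
            -a run_id=${{ github.run_id }} \
            -a run_attempt=${{ github.run_attempt }} \
            ghcr.io/${{ github.repository }}/source-bundle@${{ steps.build.outputs.digest }}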