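name: Publish Image to Quay

# Builds, secret-scans, signs and publishes the trestle-bot image.
# Triggered by every published release and by manual dispatch (GitHub only
# lets users with write access dispatch, so the inputs are collaborator
# controlled rather than public -- they are still validated below before use).
on:
  release:
    types: [published]
  workflow_dispatch:
    inputs:
      tag:
        description: "Name of the tag for the published image"
        type: string
        required: true
      skip_tests:
        description: "Skip end to end tests when publishing an image."
        type: boolean
        required: false
        default: false
      no_cache:
        description: "Skip using cache when building the image."
        type: boolean
        required: false
        default: false

env:
  IMAGE_NAME: trestle-bot
  IMAGE_REGISTRY: quay.io

jobs:
  publish-image:
    runs-on: ubuntu-latest
    # Least privilege: there is no checkout step (docker/build-push-action with
    # no `context:` builds from the repository's Git context, per its docs,
    # which is what `contents: read` covers) and the only write scope is the
    # OIDC token used for keyless cosign signing. Nothing here writes to the
    # repository, packages or releases.
    permissions:
      contents: read
      # kics-scan ignore-line
      id-token: write # needed for signing the images with GitHub OIDC Token
    outputs:
      # Release builds never run the e2e job; dispatch builds skip it only when
      # the skip_tests input was set.
      skip_tests: ${{ github.event_name == 'release' ||
        (github.event_name == 'workflow_dispatch' &&
        github.event.inputs.skip_tests == 'true') }}
      # Digest-pinned reference so the e2e job exercises exactly the image
      # that was pushed, not whatever the mutable tag points at later.
      image: ${{ steps.set_image_repo.outputs.image_repo }}@${{ steps.build-and-push.outputs.digest }}
    steps:
      # NOTE(review): every action below is referenced by a mutable tag
      # (`@v3`, `@v5`, `@v0.x`). This job holds registry credentials and
      # produces signed artifacts, so each `uses:` should be pinned to a
      # full-length commit SHA (with the tag kept in a trailing comment) so a
      # moved or compromised tag cannot substitute different action code.
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Set up cosign
        uses: sigstore/[email protected]
      # NOTE(review): the registry credential is materialised before the image
      # is built and scanned. If the Dockerfile's base images do not need Quay
      # credentials, this step can move to just before "Build and Push" so the
      # token is present for as few steps as possible.
      - name: Login to Quay
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.QUAY_USER }}
          password: ${{ secrets.QUAY_TOKEN }}
          registry: ${{ env.IMAGE_REGISTRY }}
      # Compose the repository path. Values are passed through `env` instead of
      # being interpolated into the shell line, so a quote or metacharacter in
      # the QUAY_ORG repository variable cannot change the command; an unset
      # QUAY_ORG fails here with a clear message instead of producing
      # "quay.io//trestle-bot" and failing at push time.
      - name: Set image repository
        id: set_image_repo
        env:
          REGISTRY: ${{ env.IMAGE_REGISTRY }}
          ORG: ${{ vars.QUAY_ORG }}
          NAME: ${{ env.IMAGE_NAME }}
        run: |
          set -euo pipefail
          if [ -z "$ORG" ]; then
            echo "::error::repository variable QUAY_ORG is not set"
            exit 1
          fi
          echo "image_repo=${REGISTRY}/${ORG}/${NAME}" >> "$GITHUB_OUTPUT"
      # One step resolves the tag and cache policy for both triggers and
      # validates the tag before it is written to GITHUB_ENV. The value comes
      # from a dispatch input or a Git tag name, and GITHUB_ENV is
      # line-oriented, so an unvalidated value containing a newline could
      # define extra variables for every later step. The pattern is the
      # Docker/OCI tag grammar (<= 128 chars), so anything that passes is also
      # a tag buildx can push; a bash regex (not grep) is used because it
      # matches the whole string, including any embedded newline.
      - name: Resolve and validate image tag
        env:
          EVENT_NAME: ${{ github.event_name }}
          RELEASE_VERSION: ${{ github.event.release.tag_name }}
          INPUT_VERSION: ${{ github.event.inputs.tag }}
          INPUT_NO_CACHE: ${{ github.event.inputs.no_cache }}
        run: |
          set -euo pipefail
          if [ "$EVENT_NAME" = "release" ]; then
            tag="$RELEASE_VERSION"
            # A release build never reuses cache (unchanged from the previous
            # per-event steps).
            no_cache="true"
          else
            tag="$INPUT_VERSION"
            no_cache="$INPUT_NO_CACHE"
          fi
          tag_re='^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$'
          if [[ ! "$tag" =~ $tag_re ]]; then
            # Deliberately does not echo the rejected value: log lines are
            # parsed for workflow commands.
            echo "::error::image tag must match ${tag_re}"
            exit 1
          fi
          echo "TAG=${tag}" >> "$GITHUB_ENV"
          echo "NO_CACHE=${no_cache}" >> "$GITHUB_ENV"
      - name: Build and export to Docker
        uses: docker/build-push-action@v5
        id: build-and-export
        with:
          load: true
          no-cache: ${{ env.NO_CACHE == 'true' }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          tags: ${{ steps.set_image_repo.outputs.image_repo }}:${{ env.TAG }}
      # Gate: the image is scanned before anything is pushed and the job fails
      # on findings (`exit-code: 1`). Only the secret scanner is enabled
      # (`scanners: secret`) -- this step does not look for vulnerable packages
      # or misconfigurations.
      - name: Pre-push Image Scan
        uses: aquasecurity/[email protected]
        with:
          image-ref: ${{ steps.set_image_repo.outputs.image_repo }}:${{ env.TAG }}
          exit-code: 1
          skip-files: "**/.venv/lib/**/METADATA"
          scanners: secret
          severity: HIGH,CRITICAL,MEDIUM
      # Does not rebuild. Uses internal cache from previous step.
      # NOTE(review): this is a second build invocation that depends on every
      # layer hitting the builder's cache; if a layer were rebuilt here, the
      # pushed image would not be the one scanned above. Worth confirming the
      # build is fully cacheable, or pushing the already-loaded image instead.
      - name: Build and Push
        uses: docker/build-push-action@v5
        id: build-and-push
        with:
          push: true
          tags: ${{ steps.set_image_repo.outputs.image_repo }}:${{ env.TAG }}
      # Keyless signing: the signature is bound to this workflow's identity via
      # the job's OIDC token (the reason for `id-token: write`). The digest is
      # signed, never the mutable tag.
      - name: Sign the image with GitHub OIDC Token
        run: cosign sign --yes "$IMAGE@$DIGEST"
        env:
          DIGEST: ${{ steps.build-and-push.outputs.digest }}
          IMAGE: ${{ steps.set_image_repo.outputs.image_repo }}
      # Smoke test of the signature just produced, using the identity check
      # consumers should apply. The expected identity is pinned to this
      # workflow file: the previous pattern (`/\.github/.+`) also accepted
      # signatures from any other workflow in the repository.
      - name: Verify image
        run: |
          cosign verify "$IMAGE@$DIGEST" --certificate-identity-regexp="$SUBJECT" \
            --certificate-oidc-issuer=https://token.actions.githubusercontent.com
        env:
          SUBJECT: https://github\.com/${{ github.repository_owner }}/trestle-bot/\.github/workflows/publish\.yml@.+
          IMAGE: ${{ steps.set_image_repo.outputs.image_repo }}
          DIGEST: ${{ steps.build-and-push.outputs.digest }}

  test:
    permissions:
      contents: read
    needs: publish-image
    # Runs the e2e suite against the digest-pinned image. Skipped for release
    # builds and for dispatches that set skip_tests (see the skip_tests output).
    if: ${{ needs.publish-image.outputs.skip_tests != 'true' }}
    uses: ./.github/workflows/e2e.yml
    with:
      image: ${{ needs.publish-image.outputs.image }}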