Release run by found-it #2
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release Artifacts | |
| run-name: 'Release run by ${{ github.actor }}' | |
| on: | |
| # Official stable versioned release | |
| release: | |
| types: | |
| - published | |
| permissions: | |
| contents: read | |
| jobs: | |
| build-push-image: | |
| name: 'Build and publish protect-${{ matrix.component }} images' | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| component: | |
| - webhook | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write # Needed for cosign to use github OIDC token | |
| steps: | |
| - name: 'Harden runner' | |
| uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 | |
| with: | |
| egress-policy: audit | |
| - name: 'Checkout repository' | |
| uses: actions/checkout@cbb722410c2e876e24abbe8de2cc27693e501dcb # v4.2.0 | |
| with: | |
| submodules: recursive | |
| persist-credentials: false | |
| - name: 'Setup docker buildx' | |
| uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 | |
| - name: 'Login to ghcr' | |
| uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
| with: | |
| registry: ghcr.io | |
| username: '${{ github.actor }}' | |
| password: '${{ github.token }}' | |
| - name: Docker meta | |
| uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1 | |
| id: meta | |
| with: | |
| images: | | |
| ghcr.io/edera-dev/protect-${{ matrix.component }} | |
| tags: | | |
| # Tag with branch on push | |
| type=ref,event=branch | |
| # Tag with short sha on all events | |
| type=sha,prefix= | |
| # Tag version and stable on tag push | |
| type=semver,pattern={{raw}} | |
| type=semver,pattern={{version}} | |
| type=semver,pattern={{major}} | |
| type=semver,pattern={{major}}.{{minor}} | |
| type=semver,pattern=stable | |
| # Tag nightly on schedule event | |
| type=schedule,pattern=nightly | |
| - name: 'Docker build and push protect-${{ matrix.component }}' | |
| uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0 | |
| id: push | |
| with: | |
| file: Dockerfile | |
| platforms: linux/amd64 | |
| tags: '${{ steps.meta.outputs.tags }}' | |
| push: true | |
| - name: 'Install cosign' | |
| uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 | |
| - name: 'Cosign sign all images' | |
| shell: bash | |
| run: | | |
| images="" | |
| for tag in ${TAGS}; do | |
| pullstring="${tag}@${DIGEST}" | |
| echo "Signing ${pullstring}" | |
| cosign sign --yes "${pullstring}" | |
| done | |
| env: | |
| TAGS: '${{ steps.meta.outputs.tags }}' | |
| DIGEST: '${{ steps.push.outputs.digest }}' | |
| publish-helm-chart: | |
| needs: build-push-image | |
| name: Publish Helm chart for protect-webhook | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| packages: write | |
| steps: | |
| - name: 'Harden runner' | |
| uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| submodules: recursive | |
| persist-credentials: false | |
| - name: Resolve parameters | |
| id: resolve_parameters | |
| run: | | |
| echo "INFO: Resolving short SHA for ${GITHUB_REF}" | |
| echo "short_sha=$(git rev-parse --short ${GITHUB_REF})" >> $GITHUB_OUTPUT | |
| echo "INFO: Normalizing repository name (lowercase)" | |
| echo "repository_owner=$(echo ${GITHUB_REPOSITORY_OWNER} | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT | |
| env: | |
| GITHUB_REF: '${{ github.ref }}' | |
| GITHUB_REPOSITORY_OWNER: '${{ github.repository_owner }}' | |
| - name: Set up Helm | |
| uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2 | |
| - name: Publish new helm chart for protect-webhook | |
| run: | | |
| echo ${{ secrets.GITHUB_TOKEN }} | helm registry login ghcr.io --username ${GITHUB_ACTOR} --password-stdin | |
| PROTECT_WEBHOOK_CHART_VERSION_TAG=$(cat charts/protect-webhook/Chart.yaml | grep version: | cut -d " " -f 2) | |
| echo "PROTECT_WEBHOOK_CHART_VERSION_TAG=${PROTECT_WEBHOOK_CHART_VERSION_TAG}" >> $GITHUB_ENV | |
| helm package charts/protect-webhook/ --version="${PROTECT_WEBHOOK_CHART_VERSION_TAG}" | |
| helm push protect-webhook-"${PROTECT_WEBHOOK_CHART_VERSION_TAG}".tgz oci://ghcr.io/${{ steps.resolve_parameters.outputs.repository_owner }}/charts | |
| env: | |
| GITHUB_ACTOR: '${{ github.actor }}' | |
| GITHUB_REPOSITORY_OWNER: '${{ github.repository_owner }}' | |
| - name: Job summary | |
| run: | | |
| echo "New helm chart for protect-webhook published successfully!" >> $GITHUB_STEP_SUMMARY | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| echo "**Parameters:**" >> $GITHUB_STEP_SUMMARY | |
| echo "- Ref: ${{ steps.resolve_parameters.outputs.resolved_ref }}" >> $GITHUB_STEP_SUMMARY | |
| echo "- Short SHA: ${{ steps.resolve_parameters.outputs.short_sha }}" >> $GITHUB_STEP_SUMMARY | |
| echo "- protect-webhook Chart version: ${{ env.PROTECT_WEBHOOK_CHART_VERSION_TAG }}" >> $GITHUB_STEP_SUMMARY |