chore: Updated changelog for v2.17.2 release #33

Workflow file for this run

.github/workflows/release.yaml at db2e621

	name: Release

	on:
	push:
	tags:
	- v*

	jobs:
	build:
	name: Build & Push OCI Image
	runs-on: ubuntu-latest
	strategy:
	fail-fast: false
	matrix:
	variant: [musl, glibc]
	permissions: write-all
	defaults:
	run:
	shell: bash
	env:
	PLATFORMS: "linux/amd64,linux/arm64"
	steps:
	- name: Checkout
	uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

	- name: Setup
	id: setup
	run: \|
	set -euo pipefail

	source_date_epoch="$(git log -1 --pretty=%ct)"

	echo "source_date_epoch=${source_date_epoch}" >> "${GITHUB_OUTPUT}"
	echo "SOURCE_DATE_EPOCH=${source_date_epoch}" >> "${GITHUB_ENV}"

	- name: Install Crane
	uses: imjasonh/setup-crane@31b88efe9de28ae0ffa220711af4b60be9435f6e # v0.4

	- name: Install Syft
	uses: anchore/sbom-action/download-syft@61119d458adab75f756bc0b9e4bde25725f86a7a # v0.17.2
	with:
	syft-version: latest

	- name: Install Grype
	uses: anchore/scan-action/download-grype@64a33b277ea7a1215a3c142735a1091341939ff5 # v4.1.2
	with:
	grype-version: latest

	- name: Install Cosign
	uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0

	- name: Set up QEMU
	uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0

	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1

	- name: Install Hadolint
	uses: action-stars/install-tool-from-github-release@ece2623611b240002e0dd73a0d685505733122f6 # v0.2.4
	with:
	github_token: ${{ secrets.GITHUB_TOKEN }}
	owner: hadolint
	repository: hadolint
	arch_amd64: x86_64
	os_linux: Linux
	extract: false
	filename_format: "{name}-{os}-{arch}"
	check_command: hadolint --version
	version: latest

	- name: Run Hadolint
	run: \|
	set -euo pipefail
	hadolint --no-fail --format sarif ./${{ matrix.variant }}.dockerfile > ./hadolint-${{ matrix.variant }}.sarif

	- name: Upload Hadolint SARIF report
	uses: github/codeql-action/upload-sarif@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v3.26.5
	with:
	category: hadolint-${{ matrix.variant }}
	sarif_file: hadolint-${{ matrix.variant }}.sarif

	- name: Generate OCI image metadata
	id: metadata
	uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
	with:
	flavor: \|
	latest=false
	images: \|
	ghcr.io/${{ github.repository }}
	tags: \|
	type=sha
	labels: \|
	org.opencontainers.image.description=Fluentd aggregator OCI image based on the default Fluentd OCI image.
	org.opencontainers.image.authors=Steve Hipwell <[email protected]>
	org.opencontainers.image.version=${{ github.ref_name }}

	- name: Login to GitHub Container Registry
	uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Build OCI image
	id: build
	uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0
	with:
	file: ./${{ matrix.variant }}.dockerfile
	context: .
	provenance: false
	sbom: false
	platforms: ${{ env.PLATFORMS }}
	cache-from: type=gha,scope=buildkit-${{ matrix.variant }}
	cache-to: type=gha,scope=buildkit-${{ matrix.variant }},mode=max
	tags: ${{ steps.metadata.outputs.tags }}
	labels: ${{ steps.metadata.outputs.labels }}
	push: true
	build-args: \|
	SOURCE_DATE_EPOCH=${{ steps.setup.outputs.source_date_epoch }}

	- name: Generate SBOMs
	id: sboms
	run: \|
	set -euo pipefail

	default_image="ghcr.io/${{ github.repository }}"
	sha_tag="${{ steps.metadata.outputs.version }}"
	sbom_paths=""

	for platform in ${PLATFORMS//,/ }
	do
	digest="$(crane digest "${default_image}:${sha_tag}" --platform="${platform}")"

	sbom_path="syft-sbom-${{ matrix.variant }}-${platform#*/}.spdx.json"
	syft --source-name "${{ github.repository }}" --source-version "${digest}" --platform "${platform}" -o "spdx-json=${sbom_path}" "${default_image}@${digest}"
	sbom_paths="${sbom_paths}${sbom_path},"
	done

	sbom_paths="${sbom_paths%,}"

	echo "paths=${sbom_paths}" >> $GITHUB_OUTPUT

	- name: Upload SBOM artifacts
	uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
	with:
	name: ${{ matrix.variant }}-sboms
	retention-days: 28
	if-no-files-found: error
	path: "*.spdx.json"

	- name: Upload SBOMs to Dependency Graph
	uses: advanced-security/spdx-dependency-submission-action@5530bab9ee4bbe66420ce8280624036c77f89746 # v0.1.1
	with:
	token: ${{ secrets.GITHUB_TOKEN }}
	filePath: "."
	filePattern: "*.spdx.json"

	- name: Scan SBOMs with Grype
	id: grype
	run: \|
	set -euo pipefail

	directory_path="grype-results"
	mkdir -p "${directory_path}"

	for platform in ${PLATFORMS//,/ }
	do
	sarif_path="${directory_path}/grype-scan-${{ matrix.variant }}-${platform#*/}.sarif"
	grype --platform "${platform}" -o "sarif=${sarif_path}" "sbom:syft-sbom-${{ matrix.variant }}-${platform#*/}.spdx.json"
	done

	echo "path=${directory_path}" >> $GITHUB_OUTPUT

	- name: Upload Grype SARIF report
	uses: github/codeql-action/upload-sarif@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v3.26.5
	with:
	category: grype-${{ matrix.variant }}
	sarif_file: ${{ steps.grype.outputs.path }}

	- name: Login to DockerHub
	uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
	with:
	username: ${{ vars.DOCKERHUB_USERNAME }}
	password: ${{ secrets.DOCKERHUB_TOKEN }}

	- name: Push OCI image tags
	id: push
	run: \|
	set -euo pipefail

	default_image="ghcr.io/${{ github.repository }}"
	sha_tag="${{ steps.metadata.outputs.version }}"
	digest="${{ steps.build.outputs.digest }}"

	version="$(echo "${{ github.ref_name }}" \| grep -Eo '[0-9]+\.[0-9]+\.[0-9]+')"
	major_minor="$(echo "${version}" \| grep -Eo '^[0-9]+\.[0-9]+')"
	major="$(echo "${major_minor}" \| grep -Eo '^[0-9]+')"

	images="docker.io/${{ github.repository }}"
	tags="${{ matrix.variant }},${{ matrix.variant }}-${version},${{ matrix.variant }}-${major_minor},${{ matrix.variant }}-${major}"

	if [[ "${{ matrix.variant }}" == "musl" ]]
	then
	tags="${tags},latest,${version},${major_minor},${major}"
	fi

	references="${default_image}:${sha_tag}"

	for image in ${images//,/ }
	do
	crane copy --platform all "${default_image}:${sha_tag}@${digest}" "${image}:${sha_tag}"
	references="${references},${image}:${sha_tag}"
	done

	images="${images},${default_image}"

	for image in ${images//,/ }
	do
	for tag in ${tags//,/ }
	do
	crane tag --platform all "${image}:${sha_tag}@${digest}" "${tag}"
	references="${references},${image}:${tag}"
	done
	done

	echo "references=${references}" >> $GITHUB_OUTPUT

	- name: Sign OCI image
	run: \|
	set -euo pipefail

	default_image="ghcr.io/${{ github.repository }}"
	sha_tag="${{ steps.metadata.outputs.version }}"
	references="${{ steps.push.outputs.references }}"

	for reference in ${references//,/ }
	do
	cosign sign --yes=true --recursive "${reference}@${{ steps.build.outputs.digest }}"
	done

	for platform in ${PLATFORMS//,/ }
	do
	digest="$(crane digest "${default_image}:${sha_tag}@${{ steps.build.outputs.digest }}" --platform="${platform}")"

	for reference in ${references//,/ }
	do
	cosign attest --yes --type spdxjson --predicate syft-sbom-${{ matrix.variant }}-${platform#*/}.spdx.json "${reference}@${digest}"
	cosign attach sbom --type spdx --input-format json --sbom syft-sbom-${{ matrix.variant }}-${platform#*/}.spdx.json "${reference}@${digest}"
	sbom_digest="$(crane digest "${reference%:*}:${digest/:/-}.sbom")"
	cosign sign --yes=true "${reference%:*}:${digest/:/-}.sbom@${sbom_digest}"
	done
	done

	publish:
	name: Publish Release
	runs-on: ubuntu-latest
	permissions: write-all
	defaults:
	run:
	shell: bash
	needs: build
	steps:
	- name: Checkout
	uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

	- name: Update Docker repository description
	uses: peter-evans/dockerhub-description@e98e4d1628a5f3be2be7c231e50981aee98723ae # v4.0.0
	with:
	username: ${{ vars.DOCKERHUB_USERNAME }}
	password: ${{ secrets.DOCKERHUB_TOKEN }}
	repository: ${{ github.repository }}

	- name: Get changelog entry
	id: changelog_reader
	uses: mindsers/changelog-reader-action@32aa5b4c155d76c94e4ec883a223c947b2f02656 # v2.2.3
	with:
	path: ./CHANGELOG.md
	version: ${{ github.ref_name }}

	- name: Create release
	uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
	with:
	token: ${{ secrets.GITHUB_TOKEN }}
	makeLatest: true
	body: ${{ steps.changelog_reader.outputs.changes }}
	allowUpdates: true

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore: Updated changelog for v2.17.2 release #33

Workflow file

chore: Updated changelog for v2.17.2 release #33

Jobs

Run details

Workflow file for this run