name: Publish images permissions: {} on: push: tags: - "v*" concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true jobs: publish-images: runs-on: ubuntu-latest permissions: packages: write id-token: write outputs: capsule-digest: ${{ steps.publish-capsule.outputs.digest }} steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Setup caches uses: ./.github/actions/setup-caches timeout-minutes: 5 continue-on-error: true with: build-cache-key: publish-images - name: Run Trivy vulnerability (Repo) uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1 with: scan-type: 'fs' ignore-unfixed: true format: 'sarif' output: 'trivy-results.sarif' severity: 'CRITICAL,HIGH' - name: Install Cosign uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 - name: Publish Capsule id: publish-capsule uses: peak-scale/github-actions/make-ko-publish@a441cca016861c546ab7e065277e40ce41a3eb84 # v0.2.0 with: makefile-target: ko-publish-capsule registry: ghcr.io registry-username: ${{ github.actor }} registry-password: ${{ secrets.GITHUB_TOKEN }} repository: ${{ github.repository_owner }} version: ${{ github.ref_name }} sign-image: true sbom-name: capsule sbom-repository: ghcr.io/${{ github.repository_owner }}/capsule signature-repository: ghcr.io/${{ github.repository_owner }}/capsule main-path: ./cmd/ env: REPOSITORY: ${{ github.repository }} generate-capsule-provenance: needs: publish-images permissions: id-token: write # To sign the provenance. packages: write # To upload assets to release. actions: read # To read the workflow path. uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0 with: image: ghcr.io/${{ github.repository_owner }}/capsule digest: "${{ needs.publish-images.outputs.capsule-digest }}" registry-username: ${{ github.actor }} secrets: registry-password: ${{ secrets.GITHUB_TOKEN }}