github/open-cluster-management
1
0
Fork 0
mirror of https://github.com/open-cluster-management-io/ocm.git synced 2026-05-21 08:33:49 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
11363f918457eaf170d45551c8d0cccef0ef3ce9
open-cluster-management/.github/workflows/releaseimage.yml
Jian Zhu 4da8678f59
Some checks failed
Scorecard supply-chain security / Scorecard analysis (push) Failing after 1m23s
Post / coverage (push) Failing after 38m6s
Post / images (amd64, addon-manager) (push) Failing after 8m30s
Post / images (amd64, placement) (push) Failing after 7m38s
Post / images (amd64, registration) (push) Failing after 7m41s
Post / images (amd64, registration-operator) (push) Failing after 7m48s
Post / images (amd64, work) (push) Failing after 7m48s
Post / images (arm64, addon-manager) (push) Failing after 7m41s
Post / images (arm64, placement) (push) Failing after 7m43s
Post / images (arm64, registration) (push) Failing after 7m51s
Post / images (arm64, registration-operator) (push) Failing after 7m34s
Post / images (arm64, work) (push) Failing after 7m35s
Post / image manifest (addon-manager) (push) Has been skipped
Post / image manifest (placement) (push) Has been skipped
Post / image manifest (registration) (push) Has been skipped
Post / image manifest (registration-operator) (push) Has been skipped
Post / image manifest (work) (push) Has been skipped
Post / trigger clusteradm e2e (push) Has been skipped
🌱 Generate sbom and attestation for release images (#1115) 
* Generate sbom and attestation for release images

Signed-off-by: zhujian <jiazhu@redhat.com>

* Disable uploading SBOM to release assets for images

Signed-off-by: zhujian <jiazhu@redhat.com>

---------

Signed-off-by: zhujian <jiazhu@redhat.com>
2025-08-07 01:47:59 +00:00

142 lines
5.9 KiB
YAML
Raw Blame History

name: ImageRelease
on:
push:
tags:
- 'v*.*.*'
env:
# Common versions
GO_VERSION: '1.24'
GO_REQUIRED_MIN_VERSION: ''
GOPATH: '/home/runner/work/ocm/ocm/go'
GITHUB_REF: ${{ github.ref }}
defaults:
run:
working-directory: go/src/open-cluster-management.io/ocm
permissions:
contents: read
id-token: write
attestations: write
jobs:
env:
name: prepare release env
runs-on: ubuntu-latest
steps:
- name: checkout code
uses: actions/checkout@v4
with:
fetch-depth: 1
path: go/src/open-cluster-management.io/ocm
- name: get release version
run: |
echo "RELEASE_VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
- name: get major release version
run: |
echo "MAJOR_RELEASE_VERSION=${RELEASE_VERSION%.*}" >> $GITHUB_ENV
echo "TRIMMED_RELEASE_VERSION=${RELEASE_VERSION#v}" >> $GITHUB_ENV
outputs:
MAJOR_RELEASE_VERSION: ${{ env.MAJOR_RELEASE_VERSION }}
RELEASE_VERSION: ${{ env.RELEASE_VERSION }}
images:
name: images
runs-on: ubuntu-latest
needs: [ env ]
strategy:
matrix:
arch: [ amd64, arm64 ]
image-name: [ registration-operator, registration, work, placement, addon-manager ]
steps:
- name: checkout code
uses: actions/checkout@v4
with:
fetch-depth: 1
path: go/src/open-cluster-management.io/ocm
- name: install Go
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
- name: install imagebuilder
run: go install github.com/openshift/imagebuilder/cmd/imagebuilder@v1.2.3
- name: pull base image
run: docker pull registry.access.redhat.com/ubi9/ubi-minimal:latest --platform=linux/${{ matrix.arch }}
- name: images
run: |
IMAGE_TAG=${{ needs.env.outputs.RELEASE_VERSION }}-${{ matrix.arch }} \
IMAGE_REGISTRY=quay.io/open-cluster-management \
IMAGE_BUILD_EXTRA_FLAGS="--build-arg OS=linux --build-arg ARCH=${{ matrix.arch }}" \
make image-${{ matrix.image-name }}
- name: push
run: |
echo ${{ secrets.DOCKER_PASSWORD }} | docker login quay.io --username ${{ secrets.DOCKER_USER }} --password-stdin
docker push quay.io/open-cluster-management/${{ matrix.image-name }}:${{ needs.env.outputs.RELEASE_VERSION }}-${{ matrix.arch }}
image_digest=$(docker inspect --format='{{index .RepoDigests 0}}' "quay.io/open-cluster-management/${{ matrix.image-name }}:${{ needs.env.outputs.RELEASE_VERSION }}-${{ matrix.arch }}" | cut -d'@' -f2)
echo "IMAGE_DIGEST=${image_digest}" >> $GITHUB_ENV
- name: Generate SBOM
uses: anchore/sbom-action@v0
with:
image: quay.io/open-cluster-management/${{ matrix.image-name }}:${{ needs.env.outputs.RELEASE_VERSION }}-${{ matrix.arch }}
format: 'spdx-json'
output-file: 'sbom.spdx.json'
upload-release-assets: false # disable uploading SBOM to release assets for images
- name: Attest
uses: actions/attest-sbom@v2
id: attest
with:
subject-name: quay.io/open-cluster-management/${{ matrix.image-name }}
subject-digest: ${{ env.IMAGE_DIGEST }}
sbom-path: 'sbom.spdx.json'
push-to-registry: true
image-manifest:
name: image manifest
runs-on: ubuntu-latest
strategy:
matrix:
image-name: [ registration-operator, registration, work, placement, addon-manager ]
needs: [ env, images ]
steps:
- name: checkout code
uses: actions/checkout@v4
with:
fetch-depth: 1
path: go/src/open-cluster-management.io/ocm
# Step to install Skopeo
- name: Install Skopeo and jq
run: |
sudo apt-get update
sudo apt-get install -y skopeo jq
- name: create
run: |
echo ${{ secrets.DOCKER_PASSWORD }} | docker login quay.io --username ${{ secrets.DOCKER_USER }} --password-stdin
docker manifest create quay.io/open-cluster-management/${{ matrix.image-name }}:${{ needs.env.outputs.RELEASE_VERSION }} \
quay.io/open-cluster-management/${{ matrix.image-name }}:${{ needs.env.outputs.RELEASE_VERSION }}-amd64 \
quay.io/open-cluster-management/${{ matrix.image-name }}:${{ needs.env.outputs.RELEASE_VERSION }}-arm64
- name: annotate
run: |
docker manifest annotate quay.io/open-cluster-management/${{ matrix.image-name }}:${{ needs.env.outputs.RELEASE_VERSION }} \
quay.io/open-cluster-management/${{ matrix.image-name }}:${{ needs.env.outputs.RELEASE_VERSION }}-amd64 --arch amd64
docker manifest annotate quay.io/open-cluster-management/${{ matrix.image-name }}:${{ needs.env.outputs.RELEASE_VERSION }} \
quay.io/open-cluster-management/${{ matrix.image-name }}:${{ needs.env.outputs.RELEASE_VERSION }}-arm64 --arch arm64
- name: push
run: |
docker manifest push quay.io/open-cluster-management/${{ matrix.image-name }}:${{ needs.env.outputs.RELEASE_VERSION }}
image_digest_release=$(skopeo inspect docker://quay.io/open-cluster-management/${{ matrix.image-name }}:${{ needs.env.outputs.RELEASE_VERSION }} | jq -r '.Digest')
echo "IMAGE_DIGEST_RELEASE=${image_digest_release}" >> $GITHUB_ENV
- name: Generate SBOM
uses: anchore/sbom-action@v0
with:
image: quay.io/open-cluster-management/${{ matrix.image-name }}:${{ needs.env.outputs.RELEASE_VERSION }}
format: 'spdx-json'
output-file: 'sbom.spdx.json'
upload-release-assets: false # disable uploading SBOM to release assets for images
- name: Attest
uses: actions/attest-sbom@v2
id: attest
with:
subject-name: quay.io/open-cluster-management/${{ matrix.image-name }}
subject-digest: ${{ env.IMAGE_DIGEST_RELEASE }}
sbom-path: 'sbom.spdx.json'
push-to-registry: true
Reference in New Issue View Git Blame Copy Permalink