mirror of
https://github.com/open-cluster-management-io/ocm.git
synced 2026-05-13 20:58:11 +00:00
c2052861e0
Bumps the github-actions group with 5 updates: | Package | From | To | | --- | --- | --- | | [step-security/harden-runner](https://github.com/step-security/harden-runner) | `2.14.2` | `2.15.0` | | [actions/upload-artifact](https://github.com/actions/upload-artifact) | `6.0.0` | `7.0.0` | | [github/codeql-action](https://github.com/github/codeql-action) | `4.32.4` | `4.32.5` | | [actions/attest-sbom](https://github.com/actions/attest-sbom) | `3` | `4` | | [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) | `3` | `4` | Updates `step-security/harden-runner` from 2.14.2 to 2.15.0 - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](5ef0c079ce...a90bcbc653) Updates `actions/upload-artifact` from 6.0.0 to 7.0.0 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](b7c566a772...bbbca2ddaa) Updates `github/codeql-action` from 4.32.4 to 4.32.5 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](89a39a4e59...c793b717bc) Updates `actions/attest-sbom` from 3 to 4 - [Release notes](https://github.com/actions/attest-sbom/releases) - [Changelog](https://github.com/actions/attest-sbom/blob/main/RELEASE.md) - [Commits](https://github.com/actions/attest-sbom/compare/v3...v4) Updates `actions/attest-build-provenance` from 3 to 4 - [Release notes](https://github.com/actions/attest-build-provenance/releases) - [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md) - [Commits](https://github.com/actions/attest-build-provenance/compare/v3...v4) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-version: 2.15.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: actions/upload-artifact dependency-version: 7.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: github/codeql-action dependency-version: 4.32.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: actions/attest-sbom dependency-version: '4' dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: actions/attest-build-provenance dependency-version: '4' dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
142 lines
5.9 KiB
YAML
142 lines
5.9 KiB
YAML
name: ImageRelease
|
|
|
|
on:
|
|
push:
|
|
tags:
|
|
- 'v*.*.*'
|
|
env:
|
|
# Common versions
|
|
GO_VERSION: '1.25'
|
|
GO_REQUIRED_MIN_VERSION: ''
|
|
GOPATH: '/home/runner/work/ocm/ocm/go'
|
|
GITHUB_REF: ${{ github.ref }}
|
|
|
|
defaults:
|
|
run:
|
|
working-directory: go/src/open-cluster-management.io/ocm
|
|
|
|
permissions:
|
|
contents: read
|
|
id-token: write
|
|
attestations: write
|
|
|
|
jobs:
|
|
env:
|
|
name: prepare release env
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: checkout code
|
|
uses: actions/checkout@v6.0.2
|
|
with:
|
|
fetch-depth: 1
|
|
path: go/src/open-cluster-management.io/ocm
|
|
- name: get release version
|
|
run: |
|
|
echo "RELEASE_VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
|
|
- name: get major release version
|
|
run: |
|
|
echo "MAJOR_RELEASE_VERSION=${RELEASE_VERSION%.*}" >> $GITHUB_ENV
|
|
echo "TRIMMED_RELEASE_VERSION=${RELEASE_VERSION#v}" >> $GITHUB_ENV
|
|
outputs:
|
|
MAJOR_RELEASE_VERSION: ${{ env.MAJOR_RELEASE_VERSION }}
|
|
RELEASE_VERSION: ${{ env.RELEASE_VERSION }}
|
|
images:
|
|
name: images
|
|
runs-on: ubuntu-latest
|
|
needs: [ env ]
|
|
strategy:
|
|
matrix:
|
|
arch: [ amd64, arm64 ]
|
|
image-name: [ registration-operator, registration, work, placement, addon-manager ]
|
|
steps:
|
|
- name: checkout code
|
|
uses: actions/checkout@v6.0.2
|
|
with:
|
|
fetch-depth: 1
|
|
path: go/src/open-cluster-management.io/ocm
|
|
- name: install Go
|
|
uses: actions/setup-go@v6
|
|
with:
|
|
go-version: ${{ env.GO_VERSION }}
|
|
- name: install imagebuilder
|
|
run: go install github.com/openshift/imagebuilder/cmd/imagebuilder@v1.2.3
|
|
- name: pull base image
|
|
run: docker pull registry.access.redhat.com/ubi9/ubi-minimal:latest --platform=linux/${{ matrix.arch }}
|
|
- name: images
|
|
run: |
|
|
IMAGE_TAG=${{ needs.env.outputs.RELEASE_VERSION }}-${{ matrix.arch }} \
|
|
IMAGE_REGISTRY=quay.io/open-cluster-management \
|
|
IMAGE_BUILD_EXTRA_FLAGS="--build-arg OS=linux --build-arg ARCH=${{ matrix.arch }}" \
|
|
make image-${{ matrix.image-name }}
|
|
- name: push
|
|
run: |
|
|
echo ${{ secrets.DOCKER_PASSWORD }} | docker login quay.io --username ${{ secrets.DOCKER_USER }} --password-stdin
|
|
docker push quay.io/open-cluster-management/${{ matrix.image-name }}:${{ needs.env.outputs.RELEASE_VERSION }}-${{ matrix.arch }}
|
|
image_digest=$(docker inspect --format='{{index .RepoDigests 0}}' "quay.io/open-cluster-management/${{ matrix.image-name }}:${{ needs.env.outputs.RELEASE_VERSION }}-${{ matrix.arch }}" | cut -d'@' -f2)
|
|
echo "IMAGE_DIGEST=${image_digest}" >> $GITHUB_ENV
|
|
- name: Generate SBOM
|
|
uses: anchore/sbom-action@v0
|
|
with:
|
|
image: quay.io/open-cluster-management/${{ matrix.image-name }}:${{ needs.env.outputs.RELEASE_VERSION }}-${{ matrix.arch }}
|
|
format: 'spdx-json'
|
|
output-file: 'sbom.spdx.json'
|
|
upload-release-assets: false # disable uploading SBOM to release assets for images
|
|
- name: Attest
|
|
uses: actions/attest-sbom@v4
|
|
id: attest
|
|
with:
|
|
subject-name: quay.io/open-cluster-management/${{ matrix.image-name }}
|
|
subject-digest: ${{ env.IMAGE_DIGEST }}
|
|
sbom-path: 'sbom.spdx.json'
|
|
push-to-registry: true
|
|
image-manifest:
|
|
name: image manifest
|
|
runs-on: ubuntu-latest
|
|
strategy:
|
|
matrix:
|
|
image-name: [ registration-operator, registration, work, placement, addon-manager ]
|
|
needs: [ env, images ]
|
|
steps:
|
|
- name: checkout code
|
|
uses: actions/checkout@v6.0.2
|
|
with:
|
|
fetch-depth: 1
|
|
path: go/src/open-cluster-management.io/ocm
|
|
# Step to install Skopeo
|
|
- name: Install Skopeo and jq
|
|
run: |
|
|
sudo apt-get update
|
|
sudo apt-get install -y skopeo jq
|
|
- name: create
|
|
run: |
|
|
echo ${{ secrets.DOCKER_PASSWORD }} | docker login quay.io --username ${{ secrets.DOCKER_USER }} --password-stdin
|
|
docker manifest create quay.io/open-cluster-management/${{ matrix.image-name }}:${{ needs.env.outputs.RELEASE_VERSION }} \
|
|
quay.io/open-cluster-management/${{ matrix.image-name }}:${{ needs.env.outputs.RELEASE_VERSION }}-amd64 \
|
|
quay.io/open-cluster-management/${{ matrix.image-name }}:${{ needs.env.outputs.RELEASE_VERSION }}-arm64
|
|
- name: annotate
|
|
run: |
|
|
docker manifest annotate quay.io/open-cluster-management/${{ matrix.image-name }}:${{ needs.env.outputs.RELEASE_VERSION }} \
|
|
quay.io/open-cluster-management/${{ matrix.image-name }}:${{ needs.env.outputs.RELEASE_VERSION }}-amd64 --arch amd64
|
|
docker manifest annotate quay.io/open-cluster-management/${{ matrix.image-name }}:${{ needs.env.outputs.RELEASE_VERSION }} \
|
|
quay.io/open-cluster-management/${{ matrix.image-name }}:${{ needs.env.outputs.RELEASE_VERSION }}-arm64 --arch arm64
|
|
- name: push
|
|
run: |
|
|
docker manifest push quay.io/open-cluster-management/${{ matrix.image-name }}:${{ needs.env.outputs.RELEASE_VERSION }}
|
|
image_digest_release=$(skopeo inspect docker://quay.io/open-cluster-management/${{ matrix.image-name }}:${{ needs.env.outputs.RELEASE_VERSION }} | jq -r '.Digest')
|
|
echo "IMAGE_DIGEST_RELEASE=${image_digest_release}" >> $GITHUB_ENV
|
|
- name: Generate SBOM
|
|
uses: anchore/sbom-action@v0
|
|
with:
|
|
image: quay.io/open-cluster-management/${{ matrix.image-name }}:${{ needs.env.outputs.RELEASE_VERSION }}
|
|
format: 'spdx-json'
|
|
output-file: 'sbom.spdx.json'
|
|
upload-release-assets: false # disable uploading SBOM to release assets for images
|
|
- name: Attest
|
|
uses: actions/attest-sbom@v4
|
|
id: attest
|
|
with:
|
|
subject-name: quay.io/open-cluster-management/${{ matrix.image-name }}
|
|
subject-digest: ${{ env.IMAGE_DIGEST_RELEASE }}
|
|
sbom-path: 'sbom.spdx.json'
|
|
push-to-registry: true
|