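---
# CI for wonderwall: run the Go test suite on every push, and on master
# additionally build a multi-arch image, push it to GAR and GHCR, then sign it
# and attach a CycloneDX SBOM attestation (keyless cosign via the job's OIDC token).
name: Build wonderwall

on: [push]  # yamllint disable-line rule:truthy

# Default token scope for any job that does not declare its own `permissions`
# (currently the `test` job). Read-only checkout is all it needs; without this
# the job inherits the repository's default, which may be write-all.
permissions:
  contents: read

env:
  GOOGLE_REGISTRY: europe-north1-docker.pkg.dev/nais-io/nais/images
  GITHUB_REGISTRY: ghcr.io

jobs:
  test:
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout latest code
        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # ratchet:actions/checkout@v3
      - name: Set up Go
        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # ratchet:actions/setup-go@v3
        with:
          go-version: ">=1.20.4"
      - name: Test Go
        run: |
          make test
          make check

  publish-images:
    needs: test
    name: Publish to Google and GitHub registries
    # Only pushes to master publish. This gate also keeps the id-token and
    # packages write scopes declared below away from branch and PR builds.
    if: github.ref == 'refs/heads/master'
    permissions:
      contents: "read"
      id-token: "write"  # OIDC token: Workload Identity Federation auth and keyless cosign
      packages: "write"  # push to GHCR
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # ratchet:actions/checkout@v3
      - name: Install cosign
        uses: sigstore/cosign-installer@dd6b2e2b610a11fd73dd187a43d57cc1394e35f9 # ratchet:sigstore/cosign-installer@main
        with:
          cosign-release: 'v2.0.0'
      # The two verify steps check the upstream signature on a *tag* at workflow
      # time. If the Dockerfile (not in view here) pulls these images by the same
      # tag rather than by digest, a retag between this step and the build would
      # not be caught — NOTE(review): confirm the Dockerfile pins by digest.
      - name: Verify builder image
        run: cosign verify --certificate-identity "https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main" --certificate-oidc-issuer "https://token.actions.githubusercontent.com" cgr.dev/chainguard/go:1.20
      - name: Verify runner image
        run: cosign verify --certificate-oidc-issuer https://accounts.google.com --certificate-identity keyless@distroless.iam.gserviceaccount.com gcr.io/distroless/static-debian11:nonroot
      - id: "auth"
        name: "Authenticate to Google Cloud"
        uses: "google-github-actions/auth@35b0e87d162680511bf346c299f71c9c5c379033" # ratchet:google-github-actions/auth@v1
        with:
          workload_identity_provider: ${{ secrets.NAIS_IO_WORKLOAD_IDENTITY_PROVIDER }}
          service_account: "gh-wonderwall@nais-io.iam.gserviceaccount.com"
          token_format: "access_token"  # short-lived token consumed by the GAR login step below
      - name: Set up QEMU
        uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # ratchet:docker/setup-qemu-action@v2
      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # ratchet:docker/setup-buildx-action@v2
      - name: Login to Google Artifact Registry
        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # ratchet:docker/login-action@v2
        with:
          registry: ${{ env.GOOGLE_REGISTRY }}
          username: "oauth2accesstoken"
          password: "${{ steps.auth.outputs.access_token }}"
      - name: Login to GitHub Container Registry
        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # ratchet:docker/login-action@v2
        with:
          registry: ${{ env.GITHUB_REGISTRY }}
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Docker meta
        id: metadata
        uses: docker/metadata-action@c4ee3adeed93b1fa6a762f209fb01608c1a22f1e # ratchet:docker/metadata-action@v4
        with:
          images: |
            ${{ env.GOOGLE_REGISTRY }}/wonderwall
            ${{ env.GITHUB_REGISTRY }}/${{ github.repository }}
          flavor: |
            latest=true
          # Docker tags based on the following events/attributes
          tags: |
            type=schedule
            type=ref,event=branch
            type=ref,event=pr
            type=semver,pattern=v{{version}}
            type=semver,pattern=v{{major}}.{{minor}}
            type=semver,pattern=v{{major}}
            type=sha,prefix={{date 'YYYY-MM-DD'}}-
      - name: Build and push
        id: build-push
        uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # ratchet:docker/build-push-action@v4
        with:
          context: .
          file: Dockerfile
          platforms: linux/amd64,linux/arm64
          pull: true
          push: true
          tags: ${{ steps.metadata.outputs.tags }}
          labels: ${{ steps.metadata.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
      # Signature and attestation are bound to the pushed digest, not a tag.
      # Only the GAR reference is signed and attested here; the copy pushed to
      # GHCR carries no signature — NOTE(review): confirm that is intended.
      - name: Sign the container image for GAR
        run: cosign sign --yes ${{ env.GOOGLE_REGISTRY }}/wonderwall@${{ steps.build-push.outputs.digest }}
      - name: Create SBOM
        uses: aquasecurity/trivy-action@b43daad0c3c96202fc5800b511dfae8e6ecce864 # ratchet:aquasecurity/trivy-action@master
        with:
          scan-type: 'image'
          format: 'cyclonedx'
          output: 'cyclone.sbom.json'
          image-ref: ${{ env.GOOGLE_REGISTRY }}/wonderwall@${{ steps.build-push.outputs.digest }}
      - name: Attest
        run: cosign attest --yes --predicate cyclone.sbom.json --type cyclonedx ${{ env.GOOGLE_REGISTRY }}/wonderwall@${{ steps.build-push.outputs.digest }}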