github/wonderwall
1
0
Fork 0
mirror of https://github.com/nais/wonderwall.git synced 2026-05-07 08:57:07 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
a8b3f08b975ffc6cae9922bb3c8af9ca736eb091
wonderwall/.github/workflows/deploy.yml
dependabot[bot] a8b3f08b97 build(deps): bump docker/build-push-action from 4.1.0 to 4.1.1 (#125) 
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 4.1.0 to 4.1.1.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](44ea916f6c...2eb1c1961a)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-06-19 20:05:41 +00:00

106 lines
4.8 KiB
YAML
Raw Blame History

name: Build wonderwall
on: [push]
env:
GOOGLE_REGISTRY: europe-north1-docker.pkg.dev/nais-io/nais/images
GITHUB_REGISTRY: ghcr.io
jobs:
test:
runs-on: ubuntu-20.04
steps:
- name: Checkout latest code
uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # ratchet:actions/checkout@v3
- name: Set up Go
uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # ratchet:actions/setup-go@v3
with:
go-version: ">=1.20.5"
- name: Test Go
run: |
make test
make check
publish-images:
needs: test
name: Publish to Google and GitHub registries
if: github.ref == 'refs/heads/master'
permissions:
contents: "read"
id-token: "write"
packages: "write"
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # ratchet:actions/checkout@v3
- name: Install cosign
uses: sigstore/cosign-installer@dd6b2e2b610a11fd73dd187a43d57cc1394e35f9 # ratchet:sigstore/cosign-installer@main
with:
cosign-release: 'v2.0.0'
- name: Verify builder image
run: cosign verify --certificate-identity "https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main" --certificate-oidc-issuer "https://token.actions.githubusercontent.com" cgr.dev/chainguard/go:1.20
- name: Verify runner image
run: cosign verify --certificate-oidc-issuer https://accounts.google.com --certificate-identity keyless@distroless.iam.gserviceaccount.com gcr.io/distroless/static-debian11:nonroot
- id: "auth"
name: "Authenticate to Google Cloud"
uses: "google-github-actions/auth@35b0e87d162680511bf346c299f71c9c5c379033" # ratchet:google-github-actions/auth@v1
with:
workload_identity_provider: ${{ secrets.NAIS_IO_WORKLOAD_IDENTITY_PROVIDER }}
service_account: "gh-wonderwall@nais-io.iam.gserviceaccount.com"
token_format: "access_token"
- name: Set up QEMU
uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # ratchet:docker/setup-qemu-action@v2
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@6a58db7e0d21ca03e6c44877909e80e45217eed2 # ratchet:docker/setup-buildx-action@v2
- name: Login to Google Artifact Registry
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # ratchet:docker/login-action@v2
with:
registry: ${{ env.GOOGLE_REGISTRY }}
username: "oauth2accesstoken"
password: "${{ steps.auth.outputs.access_token }}"
- name: Login to GitHub Container Registry
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # ratchet:docker/login-action@v2
with:
registry: ${{ env.GITHUB_REGISTRY }}
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Docker meta
id: metadata
uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # ratchet:docker/metadata-action@v4
with:
images: |
${{ env.GOOGLE_REGISTRY }}/wonderwall
${{ env.GITHUB_REGISTRY }}/${{ github.repository }}
flavor: |
latest=true
# Docker tags based on the following events/attributes
tags: |
type=schedule
type=ref,event=branch
type=ref,event=pr
type=semver,pattern=v{{version}}
type=semver,pattern=v{{major}}.{{minor}}
type=semver,pattern=v{{major}}
type=sha,prefix={{date 'YYYY-MM-DD'}}-
- name: Build and push
id: build-push
uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # ratchet:docker/build-push-action@v4
with:
context: .
file: Dockerfile
platforms: linux/amd64,linux/arm64
pull: true
push: true
tags: ${{ steps.metadata.outputs.tags }}
labels: ${{ steps.metadata.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Sign the container image for GAR
run: cosign sign --yes ${{ env.GOOGLE_REGISTRY }}/wonderwall@${{ steps.build-push.outputs.digest }}
- name: Create SBOM
uses: aquasecurity/trivy-action@41f05d9ecffa2ed3f1580af306000f734b733e54 # ratchet:aquasecurity/trivy-action@master
with:
scan-type: 'image'
format: 'cyclonedx'
output: 'cyclone.sbom.json'
image-ref: ${{ env.GOOGLE_REGISTRY }}/wonderwall@${{ steps.build-push.outputs.digest }}
- name: Attest
run: cosign attest --yes --predicate cyclone.sbom.json --type cyclonedx ${{ env.GOOGLE_REGISTRY }}/wonderwall@${{ steps.build-push.outputs.digest }}
Reference in New Issue View Git Blame Copy Permalink