This repository has been archived by the owner on Apr 26, 2024. It is now read-only.
build(deps): bump anchore/sbom-action from 0.14.1 to 0.15.10 #1008
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Salsa build & release | |
on: | |
push: | |
paths-ignore: | |
- '**.md' | |
- 'CODEOWNERS' | |
- 'LICENSE' | |
- '.gitignore' | |
- 'doc/**' | |
- 'Makefile' | |
env: | |
VERSION: v0.12 | |
IMAGE_NAME: ghcr.io/${{ github.repository }} | |
COSIGN_VERSION: v2.2.2 | |
SYFT_VERSION: v0.44.1 | |
GO_RELEASER_VERSION: v1.11.2 | |
GRADLE_VERSION: 7.5.1 | |
PUSH: false | |
jobs: | |
set-version: | |
runs-on: ubuntu-20.04 | |
outputs: | |
version: ${{ steps.set-version.outputs.version }} | |
steps: | |
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 | |
- name: set version | |
id: set-version | |
run: | | |
echo Faking a Semantic Version | |
echo "version=${{ env.VERSION }}.$(date "+%Y%m%d%H%M%S")" >> $GITHUB_OUTPUT | |
test: | |
runs-on: ubuntu-20.04 | |
steps: | |
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 | |
- uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # ratchet:actions/setup-go@v3 | |
with: | |
go-version-file: ./go.mod | |
check-latest: true | |
cache: true | |
- name: Test Salsa | |
run: make test | |
build: | |
outputs: | |
cli-tag: ${{ steps.container-tags.outputs.cli-tag }} | |
action-tag: ${{ steps.container-tags.outputs.action-tag }} | |
digest: ${{ steps.docker_build.outputs.digest }} | |
needs: | |
- set-version | |
- test | |
runs-on: ubuntu-20.04 | |
steps: | |
- name: Checkout latest code | |
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 | |
with: | |
fetch-depth: 0 | |
- name: Set up Go | |
uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # ratchet:actions/setup-go@v3 | |
with: | |
go-version-file: ./go.mod | |
check-latest: true | |
cache: true | |
- name: Create tag | |
run: | | |
git tag ${{ needs.set-version.outputs.version }} | |
# - uses: navikt/github-app-token-generator@v1 | |
# id: get-homebrew-token | |
# with: | |
# private-key: ${{ secrets.NAIS_APP_PRIVATE_KEY }} | |
# app-id: ${{ secrets.NAIS_APP_ID }} | |
# repo: nais/homebrew-tap | |
- name: Install cosign | |
uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # ratchet:sigstore/cosign-installer@v3.3.0 | |
with: | |
cosign-release: ${{ env.COSIGN_VERSION }} | |
- name: Install Syft | |
uses: anchore/sbom-action/download-syft@ab5d7b5f48981941c4c5d6bf33aeb98fe3bae38c # ratchet:anchore/sbom-action/download-syft@v0.15.10 | |
with: | |
syft-version: ${{ env.SYFT_VERSION }} | |
- name: Put key on file | |
run: | | |
echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key | |
- name: Run GoReleaser | |
if: ${{ github.ref == 'refs/heads/main' }} | |
uses: goreleaser/goreleaser-action@5fdedb94abba051217030cc86d4523cf3f02243d # ratchet:goreleaser/goreleaser-action@v4 | |
with: | |
distribution: goreleaser | |
version: ${{ env.GO_RELEASER_VERSION }} | |
args: release -f .goreleaser.yml --rm-dist --debug | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
PUSH_TOKEN: ${{ steps.get-homebrew-token.outputs.token }} | |
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@885d1462b80bc1c1c7f0b00334ad271f09369c55 # ratchet:docker/setup-buildx-action@v2 | |
with: | |
provenance: false | |
- name: Login to Docker | |
uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # ratchet:docker/login-action@v2 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Create tags | |
id: container-tags | |
run: | | |
echo "cli-tag=${{ env.IMAGE_NAME }}:${{ needs.set-version.outputs.version }}" >> $GITHUB_OUTPUT | |
echo "action-tag=${{ env.IMAGE_NAME }}:${{ env.VERSION }}" >> $GITHUB_OUTPUT | |
- name: Only push from main | |
if: ${{ github.ref == 'refs/heads/main' }} | |
run: | | |
echo "PUSH=true" >> $GITHUB_ENV | |
- name: Build and push | |
uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # ratchet:docker/build-push-action@v4 | |
id: docker_build | |
with: | |
push: ${{ env.PUSH }} | |
tags: ${{ steps.container-tags.outputs.cli-tag }},${{ steps.container-tags.outputs.action-tag }} | |
labels: version=${{ needs.set-version.outputs.version }},revision=${{ github.sha }} | |
build-args: | | |
COSIGN_VERSION=${{ env.COSIGN_VERSION }} | |
GRADLE_VERSION=${{ env.GRADLE_VERSION }} | |
- name: Update major/minor version tag | |
if: ${{ github.ref == 'refs/heads/main' }} | |
run: "git tag -f ${{ env.VERSION }}\ngit push -f origin ${{ env.VERSION }} \n" | |
- name: Clean up | |
if: ${{ always() }} | |
run: "rm -f cosign.key \n" | |
sign-attest: | |
needs: | |
- build | |
runs-on: ubuntu-20.04 | |
permissions: | |
packages: write | |
contents: read | |
id-token: write | |
if: ${{ github.ref == 'refs/heads/main' }} | |
env: | |
DIGEST: "${{ needs.build.outputs.digest }}" | |
steps: | |
- name: Install cosign | |
uses: sigstore/cosign-installer@ce50ea946c19e4bdba9127f76ba2fb00d8e95a96 # ratchet:sigstore/cosign-installer@v2.5.1 | |
with: | |
cosign-release: ${{ env.COSIGN_VERSION }} | |
- name: Login to Docker | |
uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # ratchet:docker/login-action@v2 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Generate SBOM | |
id: sbom | |
uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # ratchet:aquasecurity/trivy-action@master | |
with: | |
scan-type: 'image' | |
format: 'cyclonedx' | |
output: 'sbom.json' | |
image-ref: ${{ env.IMAGE_NAME }}@${{ env.DIGEST }} | |
- name: Sign Docker image and and add signed attest | |
run: | | |
echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key | |
cosign sign --yes --key cosign.key ${{ env.IMAGE_NAME }}@${{ env.DIGEST }} | |
cosign sign --yes --key cosign.key ${{ env.IMAGE_NAME }}@${{ env.DIGEST }} | |
cosign attest --yes --tlog-upload=false --key cosign.key --predicate sbom.json --type cyclonedx ${{ env.IMAGE_NAME }}@${{ env.DIGEST }} | |
env: | |
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | |
- name: Clean up | |
if: ${{ always() }} | |
run: | | |
rm -f cosign.key |