Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implemented publising SBOM with container image #34

Merged
merged 1 commit into from
Dec 5, 2022
Merged

Implemented publising SBOM with container image #34

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions .github/workflows/e2e.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ jobs:
- 6.0.13
- 6.0.14
steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v3
- uses: engineerd/setup-kind@v0.5.0
with:
version: v0.11.1
Expand All @@ -28,4 +28,4 @@ jobs:
- name: Testing
run: |
export PASSENGER_VERSION=${{ matrix.passenger-version }}
./test/kubernetes/run.sh
./test/kubernetes/run.sh
8 changes: 4 additions & 4 deletions .github/workflows/passenger-app.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,25 +19,25 @@ jobs:
- 6.0.13
steps:
- name: checkout
uses: actions/checkout@v2
uses: actions/checkout@v3
with:
fetch-depth: 0

- name: Set env
run: echo "TAG_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1
uses: docker/setup-buildx-action@v2

- name: Login to GitHub Container Registry
uses: docker/login-action@v1
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ secrets.USERNAME }}
password: ${{ secrets.CR_PAT }}

- name: Build and push
uses: docker/build-push-action@v2
uses: docker/build-push-action@v3
with:
context: ./test/passenger-app
push: true
Expand Down
16 changes: 8 additions & 8 deletions .github/workflows/pull-request.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,11 +9,11 @@ jobs:
name: Test
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: actions/setup-go@v2
- uses: actions/checkout@v3
- uses: actions/setup-go@v3
with:
go-version: '1.19'
- uses: actions/cache@v2
- uses: actions/cache@v3
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
Expand All @@ -28,7 +28,7 @@ jobs:
run: go test -json ./... > test.json
- name: annotate tests
if: always()
uses: guyarb/golang-test-annotations@v0.2.0
uses: guyarb/golang-test-annotations@v0.5.1
with:
test-results: test.json
lint:
Expand All @@ -38,11 +38,11 @@ jobs:
go-version: [1.19]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: actions/setup-go@v2
- uses: actions/checkout@v3
- uses: actions/setup-go@v3
with:
stable: 'true'
go-version: '1.19'
- uses: golangci/golangci-lint-action@v2
- uses: golangci/golangci-lint-action@v3
with:
skip-go-installation: true
skip-go-installation: true
47 changes: 38 additions & 9 deletions .github/workflows/releease.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,27 +11,33 @@ jobs:
build:
name: build
runs-on: ubuntu-latest
env:
COSIGN_EXPERIMENTAL: "1"
steps:
- name: checkout
uses: actions/checkout@v2
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0

- name: Install cosign
uses: sigstore/cosign-installer@v2

- name: Set env
run: echo "TAG_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1
uses: docker/setup-buildx-action@v2

- name: Login to GitHub Container Registry
uses: docker/login-action@v1
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ secrets.USERNAME }}
password: ${{ secrets.CR_PAT }}

- name: Build and push
uses: docker/build-push-action@v2
id: build-and-push
uses: docker/build-push-action@v3
with:
context: .
push: true
Expand All @@ -42,24 +48,47 @@ jobs:
ghcr.io/${{ github.repository }}:latest
ghcr.io/${{ github.repository }}:${{ env.TAG_VERSION }}
- name: Write signing key
run: echo "${{ secrets.COSIGN_PRIVATE_KEY }}" > cosign.key
shell: bash

- name: Generate SBOM
uses: anchore/sbom-action@v0
with:
image: ghcr.io/${{ github.repository }}:${{ env.TAG_VERSION }}
artifact-name: sbom.spdx.json
output-file: sbom.spdx.json

- name: Attach SBOM file in image
run: |
cosign attest --key cosign.key --type spdx --predicate sbom.spdx.json ghcr.io/${{ github.repository }}:${{ env.TAG_VERSION }}@${{ steps.build-and-push.outputs.digest }}
cosign attest --key cosign.key --type spdx --predicate sbom.spdx.json ghcr.io/${{ github.repository }}:latest@${{ steps.build-and-push.outputs.digest }}
shell: bash

- name: Published a signed image
env:
COSIGN_EXPERIMENTAL: "1"
run: |
cosign sign --key cosign.key ghcr.io/${{ github.repository }}:${{ env.TAG_VERSION }}@${{ steps.build-and-push.outputs.digest }}
cosign sign --key cosign.key ghcr.io/${{ github.repository }}:latest@${{ steps.build-and-push.outputs.digest }}
release:
name: release
needs: build
runs-on: ubuntu-latest
steps:
- name: checkout
uses: actions/checkout@v2
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Set up Go
uses: actions/setup-go@v2
uses: actions/setup-go@v3
with:
go-version: 1.19

- name: Run GoReleaser
uses: goreleaser/goreleaser-action@v2
uses: goreleaser/goreleaser-action@v3
with:
version: latest
args: release --rm-dist
env:
GITHUB_TOKEN: ${{ secrets.CR_PAT }}
GITHUB_TOKEN: ${{ secrets.CR_PAT }}