diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index a3ee1458..6a5275c9 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -13,6 +13,12 @@ on: - "go.sum" release: types: [published] + workflow_dispatch: + +permissions: + contents: read + id-token: write + packages: write jobs: build: @@ -21,21 +27,6 @@ jobs: - name: Checkout uses: actions/checkout@v4 - - name: Login to DockerHub - if: github.event_name != 'pull_request' - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - - name: Login to GitHub Container Registry - if: github.event_name != 'pull_request' - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - name: Docker meta id: docker_meta uses: docker/metadata-action@v5 @@ -49,6 +40,12 @@ jobs: type=semver,pattern={{version}} type=semver,pattern={{major}} type=semver,pattern={{major}}.{{minor}} + env: + DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index + + - name: Install Cosign + if: github.event_name != 'pull_request' + uses: sigstore/cosign-installer@v3 - name: Set up QEMU uses: docker/setup-qemu-action@v3 
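Review bot: `id-token: write` and `packages: write` are granted at the workflow level in the new `permissions:` block, so every job in this file — including the `dockerhub` job added later in this commit, which only uses Docker Hub secrets — can mint OIDC tokens and push packages. Keep `contents: read` at the top and move the two write grants to a job-level `permissions:` under `build:` (`permissions:` / `  id-token: write` / `  packages: write`, alongside `contents: read`), which is the job that signs and pushes. The new `workflow_dispatch` trigger also means a manual run on any branch will push and keyless-sign images, since the push and sign steps are gated only on `github.event_name != 'pull_request'`; if that is not intended, gate them on `github.event_name == 'release'` or on the default branch.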
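Review bot: The new `Install Cosign` step pulls `sigstore/cosign-installer@v3`, a mutable major tag, into the path that signs the published images; a moved tag on the action repository would swap the signing tool without any change visible here. Pin it to the full commit SHA of the release you tested and keep the version in a trailing comment, `uses: sigstore/cosign-installer@<full-commit-sha> # v3.x.y`, and consider the same treatment for the other actions in this file, which all float on major tags. Because the installer is skipped on `pull_request`, PR runs never exercise it; a `cosign version` line at the start of the sign step would at least make tool drift visible in the logs.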
@@ -56,33 +53,57 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - - name: Go Build Cache for Docker layers - uses: actions/cache@v4 + - name: Login to DockerHub + if: github.event_name != 'pull_request' + uses: docker/login-action@v3 with: - path: go-build-cache - key: ${{ runner.os }}-go-build-cache-${{ hashFiles('**/go.sum') }} + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Inject go-build-cache into docker - uses: reproducible-containers/buildkit-cache-dance@v2.1.4 + - name: Login to GitHub Container Registry + if: github.event_name != 'pull_request' + uses: docker/login-action@v3 with: - cache-source: go-build-cache + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} - name: Build and push + id: docker_build uses: docker/build-push-action@v5 with: context: . - file: ./Dockerfile platforms: linux/amd64,linux/arm/v7,linux/arm64 push: ${{ github.event_name != 'pull_request' }} - tags: ${{ steps.docker_meta.outputs.tags }} + annotations: ${{ steps.docker_meta.outputs.annotations }} labels: ${{ steps.docker_meta.outputs.labels }} + tags: ${{ steps.docker_meta.outputs.tags }} cache-from: type=gha cache-to: type=gha,mode=max + sbom: true build-args: | TibiaDataBuildBuilder=github TibiaDataBuildRelease=${{ fromJSON(steps.docker_meta.outputs.json).labels['org.opencontainers.image.version'] }} TibiaDataBuildCommit=${{ fromJSON(steps.docker_meta.outputs.json).labels['org.opencontainers.image.revision'] }} + - name: Sign the images (with GitHub OIDC Token) + if: github.event_name != 'pull_request' + run: | + cosign sign --yes --recursive \ + tibiadata/tibiadata-api-go@${{ steps.docker_build.outputs.digest }} + + cosign sign --yes --recursive \ + ghcr.io/tibiadata/tibiadata-api-go@${{ steps.docker_build.outputs.digest }} + + dockerhub: + if: github.event_name == 'release' + runs-on: ubuntu-latest + needs: + - build + steps: + - name: Checkout + uses: 
actions/checkout@v4 + - name: Docker Hub Description uses: peter-evans/dockerhub-description@v4 if: github.event_name == 'release' diff --git a/.github/workflows/codecov.yml b/.github/workflows/codecov.yml index 99c1292a..8bd66054 100644 --- a/.github/workflows/codecov.yml +++ b/.github/workflows/codecov.yml @@ -4,6 +4,9 @@ on: push: pull_request: +permissions: + contents: read + jobs: codecov: runs-on: ubuntu-latest diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 856933da..60975bc5 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -8,6 +8,10 @@ on: schedule: - cron: "44 15 * * 0" +permissions: + contents: read + security-events: write + jobs: analyze: name: Analyze diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml index 2816e1e6..942a43e4 100644 --- a/.github/workflows/documentation.yml +++ b/.github/workflows/documentation.yml @@ -4,6 +4,9 @@ on: release: types: [published] +permissions: + contents: write + jobs: documentation: runs-on: ubuntu-latest diff --git a/README.md b/README.md index d8fa6b6b..72988054 100644 --- a/README.md +++ b/README.md 
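Review bot: The two `cosign sign` targets in the new signing step are hard-coded repository names, while the set of pushed images comes from the metadata step's `images:` list outside this hunk; if that list gains or renames a registry, the extra image is pushed unsigned and nothing in this step fails. Deriving the targets from `steps.docker_meta.outputs.tags` keeps the two in lockstep, and passing the expressions through `env:` instead of interpolating `${{ }}` into the `run:` script is the conventional way to keep template expansion out of the shell, even though these particular values are action outputs rather than user input. A follow-up `cosign verify --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp '<this workflow's ref>'` step would confirm the keyless signature actually landed on both registries and pins the identity consumers must check; neither this workflow nor the README change in this commit documents that identity.

```yaml
      - name: Sign the images (with GitHub OIDC Token)
        if: github.event_name != 'pull_request'
        env:
          DIGEST: ${{ steps.docker_build.outputs.digest }}
          TAGS: ${{ steps.docker_meta.outputs.tags }}
        run: |
          set -euo pipefail
          # Sign each pushed repository once, by digest. Deriving the list from
          # the metadata step's tags means a registry added there cannot go unsigned.
          printf '%s\n' "$TAGS" | sed -E 's/:[^:/]+$//' | sort -u |
            while read -r image; do
              cosign sign --yes --recursive "${image}@${DIGEST}"
            done
      # … unchanged: dockerhub job …
```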
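Review bot: `contents: write` in documentation.yml is set at the workflow level, so every job in that file gets write access to the repository on each release, whereas the other workflows in this commit were tightened to `contents: read`. The job body is outside this hunk, but presumably only the step that publishes the generated documentation needs to write; scope the grant to that job with a job-level `permissions:` block and keep `permissions:` / `  contents: read` at the top, so any future job added to the file does not inherit write access by default.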
@@ -1,10 +1,10 @@ # TibiaData API in Golang -[![GitHub CI](https://github.com/TibiaData/tibiadata-api-go/workflows/build/badge.svg?branch=main)](https://github.com/TibiaData/tibiadata-api-go/actions?query=workflow%3Abuild) +[![GitHub CI](https://img.shields.io/github/actions/workflow/status/tibiadata/tibiadata-api-go/build.yml?branch=main&logo=github)](https://github.com/tibiadata/tibiadata-api-go/actions/workflows/build.yml) [![Codecov](https://codecov.io/gh/TibiaData/tibiadata-api-go/branch/main/graph/badge.svg?token=PSBNLBI10C)](https://codecov.io/gh/TibiaData/tibiadata-api-go) -[![GitHub go.mod version](https://img.shields.io/github/go-mod/go-version/tibiadata/tibiadata-api-go)](https://github.com/tibiadata/tibiadata-api-go/blob/main/go.mod) -[![Docker version](https://img.shields.io/docker/v/tibiadata/tibiadata-api-go/latest)](https://hub.docker.com/r/tibiadata/tibiadata-api-go) -[![Docker size](https://img.shields.io/docker/image-size/tibiadata/tibiadata-api-go/latest)](https://hub.docker.com/r/tibiadata/tibiadata-api-go) +[![GitHub go.mod version](https://img.shields.io/github/go-mod/go-version/tibiadata/tibiadata-api-go?logo=go)](https://github.com/tibiadata/tibiadata-api-go/blob/main/go.mod) +[![GitHub release](https://img.shields.io/github/v/release/tibiadata/tibiadata-api-go?sort=semver&logo=github)](https://github.com/tibiadata/tibiadata-api-go/releases) +[![Docker image size (tag)](https://img.shields.io/docker/image-size/tibiadata/tibiadata-api-go/latest?logo=docker)](https://hub.docker.com/r/tibiadata/tibiadata-api-go) [![GitHub license](https://img.shields.io/github/license/tibiadata/tibiadata-api-go)](https://github.com/tibiadata/tibiadata-api-go/blob/main/LICENSE) TibiaData API written in Golang and deployed in container (version v3 and above).