From 4559ab286ddddb4d06b6c10bbd6355033b6386d7 Mon Sep 17 00:00:00 2001
From: Tobias Lindberg
Date: Tue, 9 Apr 2024 19:59:36 +0200
Subject: [PATCH 1/6] add permission blocks

---
 .github/workflows/build.yml | 5 +++++
 .github/workflows/codecov.yml | 3 +++
 .github/workflows/codeql-analysis.yml | 4 ++++
 .github/workflows/documentation.yml | 3 +++
 4 files changed, 15 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index a3ee1458..6758b14d 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -14,6 +14,11 @@ on:
   release:
     types: [published]
 
+permissions:
+  contents: read
+  id-token: write
+  packages: write
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/codecov.yml b/.github/workflows/codecov.yml
index 99c1292a..8bd66054 100644
--- a/.github/workflows/codecov.yml
+++ b/.github/workflows/codecov.yml
@@ -4,6 +4,9 @@ on:
   push:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   codecov:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 856933da..60975bc5 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -8,6 +8,10 @@ on:
   schedule:
     - cron: "44 15 * * 0"
 
+permissions:
+  contents: read
+  security-events: write
+
 jobs:
   analyze:
     name: Analyze
diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml
index 2816e1e6..942a43e4 100644
--- a/.github/workflows/documentation.yml
+++ b/.github/workflows/documentation.yml
@@ -4,6 +4,9 @@ on:
   release:
     types: [published]
 
+permissions:
+  contents: write
+
 jobs:
   documentation:
     runs-on: ubuntu-latest

From c2067c85aca49754fe073c5fb57af4a36b8565b5 Mon Sep 17 00:00:00 2001
From: Tobias Lindberg
Date: Tue, 9 Apr 2024 20:01:24 +0200
Subject: [PATCH 2/6] removing actions/cache steps

---
 .github/workflows/build.yml | 11 -----------
 1 file changed, 11 deletions(-)
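Review bot: `id-token: write` and `packages: write` are declared at workflow scope in build.yml, so every job that is ever added to this file receives them, and `id-token: write` in particular has no consumer in this patch (nothing here requests an OIDC token yet). Keep the workflow-level block at `contents: read` and move the two write scopes into a `permissions:` block under the `build` job, which is where the registry logins live (visible in later patches of this series), so additional jobs default to read-only. The `on:` block starts above the hunk; if `pull_request` is among the triggers, same-repository PR runs also get these scopes on `GITHUB_TOKEN`, which is another reason to grant them per job rather than per workflow.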
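Review bot: CodeQL's SARIF upload additionally requires `actions: read` on private repositories, on top of the `contents: read` and `security-events: write` granted here; the hunk gives no indication of the repository's visibility, so for a public repository the block as written is complete. If there is any chance the repository becomes private, add `actions: read` now so the scheduled run does not start failing at upload time, and record the reasoning above the block: `# security-events: write lets codeql-action upload SARIF; add actions: read if the repo is private`.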
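Review bot: `contents: write` at workflow scope is the only permission in documentation.yml, so every job in that file gets push rights to the repository on each published release; the `documentation` job body lies outside the hunk, so whether it actually commits (for example to a `gh-pages` branch) or only uploads an artifact cannot be confirmed from this view. If it commits, scope the grant to that job with a job-level `permissions: contents: write`; if it deploys through GitHub Pages instead, `pages: write` plus `id-token: write` on the job with `contents: read` at the top is the narrower grant.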
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 6758b14d..d4db11ac 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -61,17 +61,6 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
-      - name: Go Build Cache for Docker layers
-        uses: actions/cache@v4
-        with:
-          path: go-build-cache
-          key: ${{ runner.os }}-go-build-cache-${{ hashFiles('**/go.sum') }}
-
-      - name: Inject go-build-cache into docker
-        uses: reproducible-containers/buildkit-cache-dance@v2.1.4
-        with:
-          cache-source: go-build-cache
-
       - name: Build and push
         uses: docker/build-push-action@v5
         with:

From a83104b0c63904369c7d240ac0dad39954d5be51 Mon Sep 17 00:00:00 2001
From: Tobias Lindberg
Date: Tue, 9 Apr 2024 20:02:44 +0200
Subject: [PATCH 3/6] add annotations to build step

---
 .github/workflows/build.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index d4db11ac..4f2aca1e 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -54,6 +54,8 @@ jobs:
             type=semver,pattern={{version}}
             type=semver,pattern={{major}}
             type=semver,pattern={{major}}.{{minor}}
+        env:
+          DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
@@ -65,11 +67,11 @@ jobs:
         uses: docker/build-push-action@v5
         with:
           context: .
-          file: ./Dockerfile
           platforms: linux/amd64,linux/arm/v7,linux/arm64
           push: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ steps.docker_meta.outputs.tags }}
+          annotations: ${{ steps.docker_meta.outputs.annotations }}
           labels: ${{ steps.docker_meta.outputs.labels }}
+          tags: ${{ steps.docker_meta.outputs.tags }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
           build-args: |

From 09ea345ef7aa0555dd57496be305ca3274deea93 Mon Sep 17 00:00:00 2001
From: Tobias Lindberg
Date: Tue, 9 Apr 2024 20:03:48 +0200
Subject: [PATCH 4/6] reordering parts in workflow

---
 .github/workflows/build.yml | 40 +++++++++++++++++++++++--------------
 1 file changed, 25 insertions(+), 15 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 4f2aca1e..830c7b19 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -13,6 +13,7 @@ on:
       - "go.sum"
   release:
     types: [published]
+  workflow_dispatch:
 
 permissions:
   contents: read
@@ -26,21 +27,6 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
-      - name: Login to DockerHub
-        if: github.event_name != 'pull_request'
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Login to GitHub Container Registry
-        if: github.event_name != 'pull_request'
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
       - name: Docker meta
         id: docker_meta
         uses: docker/metadata-action@v5
@@ -63,6 +49,21 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
+      - name: Login to DockerHub
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Login to GitHub Container Registry
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Build and push
         uses: docker/build-push-action@v5
         with:
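Review bot: Adding `workflow_dispatch:` turns every manual run into a publishing run, because the build step's guard is `push: ${{ github.event_name != 'pull_request' }}` (a context line elsewhere in this series) and the two login steps re-added in the last hunk of this patch use the same condition; anyone with write access can now dispatch the workflow on any branch and push whatever tags metadata-action derives for that ref to Docker Hub and GHCR. If manual runs are meant for exercising the build, tighten the condition to the events that should publish — e.g. `push: ${{ github.event_name == 'release' || (github.event_name == 'push' && github.ref == 'refs/heads/main') }}` — and apply the same expression to both login steps. The `on:` mapping begins above this hunk, so other triggers and branch filters are not visible here; adjust the expression to match them.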
@@ -79,6 +80,15 @@ jobs:
             TibiaDataBuildRelease=${{ fromJSON(steps.docker_meta.outputs.json).labels['org.opencontainers.image.version'] }}
             TibiaDataBuildCommit=${{ fromJSON(steps.docker_meta.outputs.json).labels['org.opencontainers.image.revision'] }}
 
+  dockerhub:
+    if: github.event_name == 'release'
+    runs-on: ubuntu-latest
+    needs:
+      - build
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
       - name: Docker Hub Description
         uses: peter-evans/dockerhub-description@v4
         if: github.event_name == 'release'

From 8ed5f772f8b1e980121c9fdfff0ff292d4b843e8 Mon Sep 17 00:00:00 2001
From: Tobias Lindberg
Date: Tue, 9 Apr 2024 20:04:19 +0200
Subject: [PATCH 5/6] add sbom and cosign

---
 .github/workflows/build.yml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 830c7b19..6a5275c9 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -43,6 +43,10 @@ jobs:
         env:
           DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
 
+      - name: Install Cosign
+        if: github.event_name != 'pull_request'
+        uses: sigstore/cosign-installer@v3
+
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
 
@@ -65,6 +69,7 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build and push
+        id: docker_build
         uses: docker/build-push-action@v5
         with:
           context: .
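Review bot: The new `dockerhub` job inherits the workflow-level `id-token: write` and `packages: write` granted at the top of this file, although it only needs to read the checkout to hand the README to `peter-evans/dockerhub-description`; add a job-level `permissions:` with `contents: read` under `dockerhub:` so that step runs with a minimal `GITHUB_TOKEN`. The step-level `if: github.event_name == 'release'` retained on the Docker Hub Description step duplicates the identical job-level condition and can be dropped. The action is referenced by the floating tag `@v4`; since it presumably receives the Docker Hub credentials (its `with:` block is outside the hunk), pin it to a full commit SHA with the version in a trailing comment.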
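Review bot: `sigstore/cosign-installer@v3` is pinned only to a mutable major tag, yet it supplies the binary that signs the published images later in this series; pin it to a full commit SHA, `uses: sigstore/cosign-installer@<sha> # v3.x.y`, so a moved or compromised tag cannot swap the signer. The `if: github.event_name != 'pull_request'` guard also means pull-request runs never exercise the install, so a broken installer surfaces only at release time; consider dropping the guard on this step (it installs a binary and needs no secrets) while keeping it on the signing step.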
@@ -75,11 +80,21 @@ jobs:
           tags: ${{ steps.docker_meta.outputs.tags }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
+          sbom: true
           build-args: |
             TibiaDataBuildBuilder=github
             TibiaDataBuildRelease=${{ fromJSON(steps.docker_meta.outputs.json).labels['org.opencontainers.image.version'] }}
             TibiaDataBuildCommit=${{ fromJSON(steps.docker_meta.outputs.json).labels['org.opencontainers.image.revision'] }}
 
+      - name: Sign the images (with GitHub OIDC Token)
+        if: github.event_name != 'pull_request'
+        run: |
+          cosign sign --yes --recursive \
+            tibiadata/tibiadata-api-go@${{ steps.docker_build.outputs.digest }}
+
+          cosign sign --yes --recursive \
+            ghcr.io/tibiadata/tibiadata-api-go@${{ steps.docker_build.outputs.digest }}
+
   dockerhub:
     if: github.event_name == 'release'
     runs-on: ubuntu-latest

From c63c3df9cb06deba8d10b72678fad0cb185122c2 Mon Sep 17 00:00:00 2001
From: Tobias Lindberg
Date: Tue, 9 Apr 2024 20:04:30 +0200
Subject: [PATCH 6/6] update readme badges

---
 README.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index d8fa6b6b..72988054 100644
--- a/README.md
+++ b/README.md
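Review bot: The signing step issues a keyless Sigstore signature under this workflow's OIDC identity for every non-`pull_request` run — `push` and `workflow_dispatch` alike, since its guard mirrors the one on `push:` — so a valid signature alone does not tell a consumer that an image came from a release; document the intended verification so the ref is pinned as well as the workflow, e.g. `cosign verify --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp '^https://github.com/tibiadata/tibiadata-api-go/.github/workflows/build.yml@refs/tags/' ghcr.io/tibiadata/tibiadata-api-go@<digest>` (repository path as registered on GitHub). Signing by digest with `--recursive` is the right shape — the index, the per-platform manifests and the attestation manifests that `sbom: true` attaches should all be covered — but run the verify command once against a published digest to confirm the SBOM manifest is included. Minor: pass the digest through `env:` (`DIGEST: ${{ steps.docker_build.outputs.digest }}`) and use `"$DIGEST"` in the script instead of interpolating the expression into `run:`, and note that the two image names are hardcoded here while the metadata-action `images:` list is outside the hunk — keep them in sync or derive the targets from `steps.docker_meta.outputs.json`.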
@@ -1,10 +1,10 @@
 # TibiaData API in Golang
 
-[![GitHub CI](https://github.com/TibiaData/tibiadata-api-go/workflows/build/badge.svg?branch=main)](https://github.com/TibiaData/tibiadata-api-go/actions?query=workflow%3Abuild)
+[![GitHub CI](https://img.shields.io/github/actions/workflow/status/tibiadata/tibiadata-api-go/build.yml?branch=main&logo=github)](https://github.com/tibiadata/tibiadata-api-go/actions/workflows/build.yml)
 [![Codecov](https://codecov.io/gh/TibiaData/tibiadata-api-go/branch/main/graph/badge.svg?token=PSBNLBI10C)](https://codecov.io/gh/TibiaData/tibiadata-api-go)
-[![GitHub go.mod version](https://img.shields.io/github/go-mod/go-version/tibiadata/tibiadata-api-go)](https://github.com/tibiadata/tibiadata-api-go/blob/main/go.mod)
-[![Docker version](https://img.shields.io/docker/v/tibiadata/tibiadata-api-go/latest)](https://hub.docker.com/r/tibiadata/tibiadata-api-go)
-[![Docker size](https://img.shields.io/docker/image-size/tibiadata/tibiadata-api-go/latest)](https://hub.docker.com/r/tibiadata/tibiadata-api-go)
+[![GitHub go.mod version](https://img.shields.io/github/go-mod/go-version/tibiadata/tibiadata-api-go?logo=go)](https://github.com/tibiadata/tibiadata-api-go/blob/main/go.mod)
+[![GitHub release](https://img.shields.io/github/v/release/tibiadata/tibiadata-api-go?sort=semver&logo=github)](https://github.com/tibiadata/tibiadata-api-go/releases)
+[![Docker image size (tag)](https://img.shields.io/docker/image-size/tibiadata/tibiadata-api-go/latest?logo=docker)](https://hub.docker.com/r/tibiadata/tibiadata-api-go)
 [![GitHub license](https://img.shields.io/github/license/tibiadata/tibiadata-api-go)](https://github.com/tibiadata/tibiadata-api-go/blob/main/LICENSE)
 
 TibiaData API written in Golang and deployed in container (version v3 and above).