Skip to content

release

release #515

Workflow file for this run

name: Release
on:
repository_dispatch:
workflow_dispatch:
push:
branches:
- main
paths-ignore:
- "CONTRIBUTING.md"
- "README.md"
- ".github/**"
- ".gitignore"
- ".pre-commit-config.yaml"
permissions: read-all
env:
PYTHON_VERSION: "3.10"
jobs:
update-checkov:
runs-on: [self-hosted, public, linux, x64]
permissions:
contents: write
outputs:
version: ${{ steps.version.outputs.version }}
major_version: ${{ steps.version.outputs.major_version }}
steps:
- uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3
- uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4
with:
python-version: ${{ env.PYTHON_VERSION }}
cache: "pipenv"
cache-dependency-path: "Pipfile.lock"
- name: Get latest checkov version tag
id: version
run: |
version=$(curl -s curl -s https://api.github.com/repos/bridgecrewio/checkov/tags | jq -r '.[0].name')
echo "version=$version" >> "$GITHUB_OUTPUT"
# grab major version for later image tag usage
major_version=$(echo "${version}" | head -c1)
echo "major_version=$major_version" >> "$GITHUB_OUTPUT"
- name: Update checkov dependency
run: |
# install needed tools
python -m pip install --no-cache-dir --upgrade pipenv
# update Pipfile
pipenv --python ${{ env.PYTHON_VERSION }}
pipenv install checkov==${{ steps.version.outputs.version }}
pipenv lock
- uses: stefanzweifel/git-auto-commit-action@3ea6ae190baf489ba007f7c92608f33ce20ef04a # v4
with:
commit_message: Bump checkov version to ${{ steps.version.outputs.version }} [skip ci]
tagging_message: ${{ steps.version.outputs.version }}
publish-image:
needs: update-checkov
runs-on: [self-hosted, public, linux, x64]
environment: release
permissions:
contents: write
packages: write
id-token: write # Enable OIDC
env:
DH_IMAGE_NAME: bridgecrew/whorf
GHCR_IMAGE_NAME: ghcr.io/${{ github.repository }}
FULL_IMAGE_TAG: ${{ needs.update-checkov.outputs.version }}
SHORT_IMAGE_TAG: ${{ needs.update-checkov.outputs.major_version }}
steps:
- uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3
with:
ref: main
- uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2
- uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2 # needed for self-hosted builds
- name: Login to Docker Hub
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_PASSWORD }}
- name: Login to GitHub Container Registry
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and export image to Docker
# buildx changes the driver to 'docker-container' which doesn't expose the image to the host,
# so it is built and loaded to Docker and in the next step pushed to the registry
uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v3
with:
context: .
no-cache: true
load: true
tags: ${{ env.DH_IMAGE_NAME }}:${{ env.FULL_IMAGE_TAG }}
- name: Push Docker image
id: docker_push
uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v3
with:
context: .
push: true
tags: |
${{ env.DH_IMAGE_NAME }}:latest
${{ env.DH_IMAGE_NAME }}:${{ env.SHORT_IMAGE_TAG }}
${{ env.DH_IMAGE_NAME }}:${{ env.FULL_IMAGE_TAG }}
${{ env.GHCR_IMAGE_NAME }}:latest
${{ env.GHCR_IMAGE_NAME }}:${{ env.SHORT_IMAGE_TAG }}
${{ env.GHCR_IMAGE_NAME }}:${{ env.FULL_IMAGE_TAG }}
- name: Generate SBOM
continue-on-error: true
uses: bridgecrewio/checkov-action@master # use latest and greatest
with:
api-key: ${{ secrets.BC_API_KEY }}
docker_image: ${{ env.DH_IMAGE_NAME }}:${{ env.FULL_IMAGE_TAG }}
dockerfile_path: Dockerfile
output_format: cyclonedx_json
output_file_path: cyclonedx.json,
- name: Sign and attest image
run: |
# sign image
cosign sign ${{ env.DH_IMAGE_NAME }}@${{ steps.docker_push.outputs.digest }}
cosign sign -f ${{ env.GHCR_IMAGE_NAME }}@${{ steps.docker_push.outputs.digest }}
# attest SBOM
cosign attest \
--type cyclonedx \
--predicate cyclonedx.json \
${{ env.DH_IMAGE_NAME }}@${{ steps.docker_push.outputs.digest }}
cosign attest -f \
--type cyclonedx \
--predicate cyclonedx.json \
${{ env.GHCR_IMAGE_NAME }}@${{ steps.docker_push.outputs.digest }}
env:
COSIGN_EXPERIMENTAL: 1 # needed for keyless signing
- name: Update deployment
uses: jacobtomlinson/gha-find-replace@a51bbcd94d000df9ca0fcb54ec8be69aad8374b0 # v3
with:
find: "image: bridgecrew/whorf@sha256:[a-f0-9]{64}"
replace: "image: ${{ env.DH_IMAGE_NAME }}@${{ steps.docker_push.outputs.digest }}"
include: "k8s/deployment.yaml"
- uses: stefanzweifel/git-auto-commit-action@3ea6ae190baf489ba007f7c92608f33ce20ef04a # v4
with:
commit_message: update k8s deployment [skip ci]
file_pattern: k8s/*.yaml