Changes by create-pull-request action #160
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release project | |
| on: | |
| push: | |
| tags: | |
| - "*" | |
| pull_request: | |
| workflow_dispatch: {} | |
| jobs: | |
| validate-and-test: | |
| uses: "./.github/workflows/validate-test.yaml" | |
| release-binary-and-image: | |
| permissions: | |
| contents: write # needed to write releases | |
| id-token: write # needed for keyless signing | |
| packages: write # needed for ghcr access | |
| needs: [validate-and-test] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| with: | |
| fetch-depth: 0 | |
| - name: Checkout - force fetch tags | |
| run: git fetch --force --tags | |
| - name: Install tools | |
| run: sudo apt-get install -y --no-install-recommends python3-semver jq | |
| - name: Tagged build - generate tag | |
| if: startsWith(github.ref, 'refs/tags/') | |
| run: | | |
| echo "CURRENT_TAG=$GITHUB_REF_NAME" >> $GITHUB_ENV | |
| - name: Snapshot build - generate tag | |
| if: ${{ !startsWith(github.ref, 'refs/tags/') }} | |
| run: | | |
| export NEXT_TAG=$(pysemver nextver $(git describe --tags --abbrev=0 2>/dev/null || echo "0.0.0") patch) | |
| echo "CURRENT_TAG=${NEXT_TAG}-$(git describe --tags | awk -F '-' '{print "dev."$2"."$3}')" >> $GITHUB_ENV | |
| - name: Generate tag - print the tag | |
| run: | | |
| echo "CURRENT_TAG=$CURRENT_TAG" | |
| - name: Setup pack | |
| uses: buildpacks/github-actions/[email protected] | |
| - name: Setup Cosign | |
| uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0 | |
| - name: Install oras | |
| uses: jaxxstorm/[email protected] | |
| with: | |
| repo: oras-project/oras | |
| cache: enable | |
| - name: Setup Helm | |
| run: | | |
| curl -L -sS -o helm-v3.16.1-linux-amd64.tar.gz https://get.helm.sh/helm-v3.16.1-linux-amd64.tar.gz | |
| tar xzf helm-v3.16.1-linux-amd64.tar.gz | |
| mv linux-amd64/helm /usr/local/bin/helm | |
| rm -rf helm-v3.16.1-linux-amd64.tar.gz linux-amd64 | |
| helm version | |
| - name: Setup app-build-suite | |
| run: curl -fsSL https://github.com/giantswarm/app-build-suite/releases/latest/download/dabs.sh -o /tmp/dabs.sh && chmod +x /tmp/dabs.sh && sed -i 's/docker run -it --rm/docker run --rm/' /tmp/dabs.sh | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
| with: | |
| registry: ghcr.io | |
| username: build_bot | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Login helm to OCI registry | |
| run: helm registry login ghcr.io -u build_bot -p "${{ secrets.GITHUB_TOKEN }}" | |
| - name: Run build with pack | |
| run: | | |
| pack build ghcr.io/giantswarm/demo-album-catalog-pack:${CURRENT_TAG} \ | |
| --path . \ | |
| --trust-builder \ | |
| --sbom-output-dir sbom/ \ | |
| --publish \ | |
| --cache-image ghcr.io/giantswarm/pack-cache/demo-album-catalog-pack \ | |
| --env BP_GO_BUILD_LDFLAGS="-X main.builtBy=pack -X main.version=${CURRENT_TAG} -X main.commit=$(git rev-parse @) -X main.date=$(date --iso-8601=seconds)" | |
| - name: Attach SBOM to the image | |
| run: oras attach ghcr.io/giantswarm/demo-album-catalog-pack:${CURRENT_TAG} sbom/launch/paketo-buildpacks_go-build/targets/sbom.spdx.json --artifact-type 'application/spdx+json' | |
| - name: Check SBOM | |
| run: | | |
| oras discover ghcr.io/giantswarm/demo-album-catalog-pack:${CURRENT_TAG} --format tree | tee /tmp/oras.log | |
| oras discover ghcr.io/giantswarm/demo-album-catalog-pack:${CURRENT_TAG} --format json | tee /tmp/oras.json | |
| - name: Sign docker image with cosign | |
| run: cosign sign --upload=true -y "$(head -n1 /tmp/oras.log)" | |
| - name: Sign SBOM with cosign | |
| run: cosign sign --upload=true -y "ghcr.io/giantswarm/demo-album-catalog-pack@$(jq -r '.manifests[0].digest' /tmp/oras.json)" | |
| - name: Set helm chart versions | |
| run: | | |
| yq -i "(.version = env(CURRENT_TAG)) | (.appVersion = env(CURRENT_TAG))" helm/Chart.yaml | |
| yq -i "(.replace-chart-version-with-git = false) | (.replace-app-version-with-git = false)" .abs/main.yaml | |
| - name: Run app-build-suite to build the helm chart | |
| run: | | |
| yq -i ".image.tag = env(CURRENT_TAG)" helm/values.yaml | |
| set -o pipefail && /tmp/dabs.sh -c helm 2>&1 | tee /tmp/abs.log | |
| - name: Capture the helm chart name | |
| run: >- | |
| echo "CHART_FILE=$( | |
| awk -F":" '/packaged chart and saved it to/ {gsub(/ /, ""); print $2}' /tmp/abs.log | |
| )" >> "$GITHUB_ENV" | |
| - name: Capture the helm chart version | |
| run: >- | |
| echo "CHART_VERSION=$( | |
| awk -F"[:,]" '/=> \(version/ {gsub(/[ "]/, ""); print $2; exit }' /tmp/abs.log | |
| )" >> "$GITHUB_ENV" | |
| - name: Check detected version | |
| run: '[ -z "${CHART_FILE}" ] && exit 1 || echo "CHART_FILE=${CHART_FILE}"; [ -z "${CHART_VERSION}" ] && exit 1 || echo "CHART_VERSION=${CHART_VERSION}"' | |
| - name: Push the helm chart to registry | |
| run: set -o pipefail && helm push "${CHART_FILE}" "oci://ghcr.io/giantswarm/charts" 2>&1 | tee /tmp/helm-push.log | |
| - name: Capture the helm chart SHA256 | |
| run: >- | |
| echo "CHART_SHA256=$( | |
| awk -F" " '/^Digest:/ {print $2}' /tmp/helm-push.log | |
| )" >> "$GITHUB_ENV" | |
| - name: Sign the helm chart | |
| run: cosign sign --upload=true -y "ghcr.io/giantswarm/charts/demo-album-catalog-pack@${CHART_SHA256}" |