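# Builds the multi-arch container image, pushes it to GHCR on published
# releases and on pushes to main, and publishes SBOM and build-provenance
# attestations for the pushed image. Pull requests build without pushing.
name: Build

# Workflow-level default for any job that does not declare its own
# permissions block. The `main` job below declares its own block, which
# replaces this one entirely, so the default stays minimal and a job added
# later does not silently inherit write access.
permissions:
  contents: read

on: # yamllint disable-line rule:truthy
  pull_request:
    types:
      - edited
      - opened
      - ready_for_review
      - synchronize
    paths:
      - go.mod
      - go.sum
      - "**/*.go"
      - Dockerfile
      - .github/workflows/build.yml
  push:
    branches:
      - main
    paths:
      - go.mod
      - go.sum
      - "**/*.go"
      - Dockerfile
      - .github/workflows/build.yml
  release:
    types:
      - published
  merge_group:

jobs:
  main:
    permissions:
      attestations: write # for submitting SBOM and provenance attestations
      contents: write # for dependency submission API
      id-token: write # needed to sign SBOM and provenance attestations
      packages: write # push the image to GHCR
    runs-on: ubuntu-latest
    env:
      REGISTRY: ghcr.io
      IMAGE: grafana/generate-policy-bot-config
      # `true` when the image is to be pushed (a published release, or a push
      # to main); the empty string otherwise, so `if: env.PUSH_IMAGE` is falsy.
      PUSH_IMAGE: ${{ (github.event_name == 'release' || (github.event_name == 'push' && github.ref == 'refs/heads/main')) || '' }}
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          # No later step pushes to git, so do not leave the token in
          # .git/config where subsequent third-party steps could read it.
          persist-credentials: false

      - name: Set Docker Buildx up
        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1

      - name: Log into GHCR
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ github.token }}

      - name: Calculate image metadata
        id: calculate-metadata
        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE }}
          tags: |
            # tag with branch name for `main`
            type=ref,event=branch,enable={{is_default_branch}}
            # tag with semver, and `latest`
            type=ref,event=tag
            # tag with pr-<number>-<sha>
            type=ref,suffix=-{{sha}},event=pr

      - name: Build and push
        id: build
        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
        with:
          labels: ${{ steps.calculate-metadata.outputs.labels }}
          platforms: linux/amd64,linux/arm64
          provenance: mode=max
          push: ${{ env.PUSH_IMAGE != '' && env.PUSH_IMAGE || 'false' }}
          # Doesn't generate proper SBOMs; using syft directly lower down
          sbom: false
          tags: ${{ steps.calculate-metadata.outputs.tags }}

      - name: Extract platform-specific digests
        if: env.PUSH_IMAGE
        id: platform-digests
        shell: bash
        env:
          # Handed over through the environment instead of being interpolated
          # into the script, so the tag list is data and is never parsed as
          # shell syntax.
          IMAGE_TAGS: ${{ steps.calculate-metadata.outputs.tags }}
        run: |
          set -euo pipefail
          # One tag per line; the first one is used to look up the manifest list
          readarray -t TAGS <<< "${IMAGE_TAGS}"
          REGISTRY_REF="${TAGS[0]}"
          BASE_REF="${REGISTRY_REF%%:*}"
          # Inspect the pushed manifest list once and read every platform digest from it
          MANIFEST_JSON="$(docker buildx imagetools inspect "${REGISTRY_REF}" --format '{{json .}}')"
          # Emit a fully qualified, digest-pinned reference per platform for the SBOM steps
          for arch in amd64 arm64; do
            ARCH_DIGEST="$(jq -r --arg arch "${arch}" '.manifest.manifests[] | select(.platform.architecture == $arch).digest' <<< "${MANIFEST_JSON}")"
            # Fail here with a clear message rather than handing a dangling "ref@" to later steps
            if [[ -z "${ARCH_DIGEST}" ]]; then
              echo "::error::no ${arch} manifest found in ${REGISTRY_REF}"
              exit 1
            fi
            echo "${arch}-ref=${BASE_REF}@${ARCH_DIGEST}" | tee -a "${GITHUB_OUTPUT}"
          done

      # NOTE(review): the two "Generate SBOM" steps have no PUSH_IMAGE guard,
      # so on pull_request runs `image` expands to an empty string because the
      # digest step above was skipped — confirm what the action scans in that
      # case is what is intended.
      - name: Generate SBOM (amd64)
        uses: anchore/sbom-action@fc46e51fd3cb168ffb36c6d1915723c47db58abb # v0.17.7
        with:
          dependency-snapshot: true
          format: spdx-json
          image: ${{ steps.platform-digests.outputs.amd64-ref }}
          output-file: ${{ runner.temp }}/amd64.spdx.json

      - name: Attest SBOM (amd64)
        if: env.PUSH_IMAGE
        uses: actions/attest-sbom@5026d3663739160db546203eeaffa6aa1c51a4d6 # v1.4.1
        with:
          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE }}
          # The build step's digest (the multi-arch index when several
          # platforms are built), not the amd64 manifest digest: both
          # per-platform SBOMs are attached to the same subject.
          subject-digest: ${{ steps.build.outputs.digest }}
          sbom-path: ${{ runner.temp }}/amd64.spdx.json
          push-to-registry: true

      - name: Generate SBOM (arm64)
        uses: anchore/sbom-action@fc46e51fd3cb168ffb36c6d1915723c47db58abb # v0.17.7
        with:
          dependency-snapshot: true
          format: spdx-json
          image: ${{ steps.platform-digests.outputs.arm64-ref }}
          output-file: ${{ runner.temp }}/arm64.spdx.json

      - name: Attest SBOM (arm64)
        if: env.PUSH_IMAGE
        uses: actions/attest-sbom@5026d3663739160db546203eeaffa6aa1c51a4d6 # v1.4.1
        with:
          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE }}
          # Same subject as the amd64 attestation; see the comment there.
          subject-digest: ${{ steps.build.outputs.digest }}
          sbom-path: ${{ runner.temp }}/arm64.spdx.json
          push-to-registry: true

      - name: Generate build provenance attestation
        if: env.PUSH_IMAGE
        uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4
        with:
          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE }}
          subject-digest: ${{ steps.build.outputs.digest }}
          push-to-registry: true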