fix(action): i need token for cosign #6
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build, Tag, and Push Image | |
| on: | |
| push: | |
| branches: | |
| - main | |
| workflow_dispatch: | |
| inputs: | |
| dry_run: | |
| description: "Set to true for a dry run, false for real tagging" | |
| required: false | |
| default: "true" | |
| env: | |
| IMAGE: ttl.sh/attest-sign | |
| jobs: | |
| test: | |
| name: Build container and push to ttl.sh | |
| runs-on: ubuntu-20.04 | |
| permissions: | |
| contents: "write" | |
| id-token: "write" | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Docker meta | |
| id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: ${{ env.IMAGE }} | |
| tags: 2 | |
| - uses: docker/build-push-action@v6 | |
| id: build_push | |
| with: | |
| context: test | |
| # The tag indicates 2 min ttl | |
| tags: ${{ steps.meta.outputs.tags }} | |
| push: true | |
| - name: "Attest and sign test image" | |
| uses: './' | |
| with: | |
| image_ref: ${{ env.IMAGE }}@${{ steps.build_push.outputs.digest }} | |
| - name: Create or Update Tags | |
| if: success() | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| set -e | |
| git config --global user.name "github-actions[bot]" | |
| git config --global user.email "github-actions[bot]@users.noreply.github.com" | |
| git fetch --tags --force | |
| latest_tag=$(git tag -l 'v1.*' | sort -V | tail -n 1) | |
| echo "Latest tag: $latest_tag" | |
| if [ -z "$latest_tag" ]; then | |
| major=1 | |
| minor=0 | |
| patch=0 | |
| else | |
| major=$(echo $latest_tag | cut -d'.' -f1 | sed 's/v//') | |
| minor=$(echo $latest_tag | cut -d'.' -f2) | |
| patch=$(echo $latest_tag | cut -d'.' -f3) | |
| fi | |
| new_patch=$((patch + 1)) | |
| new_tag="v$major.$minor.$new_patch" | |
| echo "New tag: $new_tag" | |
| git tag -a $new_tag -m "Created new tag: $new_tag" | |
| if [ "${{ inputs.dry_run }}" == "false" ]; then | |
| git push origin $new_tag | |
| else | |
| echo "Dry run enabled, skipping tag push." | |
| fi | |
| - name: Update Floating v1 Tag | |
| if: success() && inputs.dry_run == 'false' | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| set -e | |
| git config --global user.name "github-actions[bot]" | |
| git config --global user.email "github-actions[bot]@users.noreply.github.com" | |
| git fetch --tags --force | |
| echo "Updating floating tag v1 to point to $new_tag" | |
| git tag -f v1 | |
| git push origin -f v1 |