Skip to content
Build, push and sign

gradle's own dependency submission is better than the third party one #133

Sign in to view logs

gradle's own dependency submission is better than the third party one

gradle's own dependency submission is better than the third party one #133

Workflow file for this run

.github/workflows/master.yml at cc598c2
name: Build, push and sign
on:
push:
branches:
- master
paths-ignore:
- "*.md"
jobs:
build_push_sign:
permissions:
contents: "read"
id-token: "write"
packages: "write"
outputs:
img_to_deploy: ${{ steps.build-push-sign.outputs.tag }}
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4 # ratchet:actions/checkout@v3
- name: Set up JDK 17
uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 # ratchet:actions/setup-java@v3
with:
java-version: '17'
distribution: 'temurin'
cache: 'gradle'
- name: Setup Gradle
uses: gradle/gradle-build-action@915a66c096a03101667f9df2e56c9efef558b165 # ratchet:gradle/gradle-build-action@v2
with:
dependency-graph: generate-and-submit
- name: Verify Gradle wrapper checksum
uses: gradle/wrapper-validation-action@8d49e559aae34d3e0eb16cde532684bc9702762b # ratchet:gradle/wrapper-validation-action@v1
- name: Build with Gradle
run: ./gradlew build
- uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # ratchet:sigstore/[email protected]
- name: Verify distroless base image
run: |
cosign verify \
--certificate-identity "[email protected]" \
--certificate-oidc-issuer "https://accounts.google.com" \
gcr.io/distroless/java17
- name: Create SBOM
run: ./gradlew cyclonedxBom
- name: "Build and push image"
uses: nais/platform-build-push-sign@main # ratchet:exclude
id: build-push-sign
with:
name: tokendings
google_service_account: gh-tokendings
workload_identity_provider: ${{ secrets.NAIS_IO_WORKLOAD_IDENTITY_PROVIDER }}
push_ghcr: true
sbom: build/reports/bom.json
multi-platform: true