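# Build the multi-arch container image, push it to GHCR and attach
# per-platform SBOM attestations plus a build-provenance attestation.
#
# Every step after "Build and push" inspects the image in the registry, so the
# whole tail of the job is gated on PUSH_IMAGE; when the main-only expression
# kept under PUSH_IMAGE is re-enabled, those steps skip cleanly instead of
# failing against an image that was never pushed.
# NOTE(review): pull requests from forks presumably run with a read-only
# GITHUB_TOKEN, in which case the registry login and push cannot succeed for
# them — confirm that is the intended behaviour for the pull_request trigger.
name: Build
permissions:
  contents: read
  id-token: write
  packages: write
on:
  pull_request:
    types:
      - edited
      - opened
      - ready_for_review
      - synchronize
  push:
    branches:
      - main
    paths:
      - go.mod
      - go.sum
      - "**/*.go"
      - Dockerfile
      - .github/workflows/build.yml
  release:
    types:
      - created
  merge_group:
jobs:
  main:
    permissions:
      attestations: write
      contents: read
      id-token: write
      packages: write
    runs-on: ubuntu-latest
    env:
      REGISTRY: ghcr.io
      IMAGE: grafana/generate-policy-bot-config
      # Always a string once it reaches the env context; the steps below
      # compare it with `== 'true'` because a bare `if: env.PUSH_IMAGE` treats
      # any non-empty string — including "false" — as true.
      PUSH_IMAGE: "true"
      # ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Set Docker Buildx up
        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
      - name: Log into GHCR
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ github.token }}
      - name: Calculate image metadata
        id: calculate-metadata
        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE }}
          tags: |
            # tag with branch name for `main`
            type=ref,event=branch,enable={{is_default_branch}}
            # tag with semver, and `latest`
            type=ref,event=tag
            # tag with pr-<number>-<sha>
            type=ref,suffix=-{{sha}},event=pr
      - name: Build and push
        id: build
        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
        with:
          labels: ${{ steps.calculate-metadata.outputs.labels }}
          platforms: linux/amd64,linux/arm64
          provenance: true
          push: ${{ env.PUSH_IMAGE }}
          sbom: true
          tags: ${{ steps.calculate-metadata.outputs.tags }}
      - name: Extract platform-specific digests
        id: platform-digests
        if: env.PUSH_IMAGE == 'true'
        env:
          # Expressions are passed through env instead of being spliced into
          # the script text, so the shell never evaluates them as code.
          IMAGE_REF: ${{ env.REGISTRY }}/${{ env.IMAGE }}
          INDEX_DIGEST: ${{ steps.build.outputs.digest }}
        run: |
          # Resolve the pushed image index by its immutable digest rather than
          # by tag: the metadata tags output can hold several lines (e.g. a
          # release tag plus `latest`), which would break a tag-based lookup.
          MANIFEST_JSON="$(docker buildx imagetools inspect "${IMAGE_REF}@${INDEX_DIGEST}" --format '{{json .}}')"
          for arch in amd64 arm64; do
            # Attestation manifests in the index carry no real architecture,
            # so filtering on the platform field picks only the image layers.
            ARCH_DIGEST="$(jq -r --arg arch "${arch}" \
              '.manifest.manifests[] | select(.platform.architecture == $arch).digest' <<< "${MANIFEST_JSON}")"
            if [ -z "${ARCH_DIGEST}" ] || [ "${ARCH_DIGEST}" = "null" ]; then
              echo "no ${arch} manifest found in ${IMAGE_REF}@${INDEX_DIGEST}" >&2
              exit 1
            fi
            # Written to GITHUB_OUTPUT (not GITHUB_ENV) so that
            # `steps.platform-digests.outputs.<arch>_ref` / `<arch>_digest`
            # actually resolve in the steps below.
            {
              echo "${arch}_digest=${ARCH_DIGEST}"
              echo "${arch}_ref=${IMAGE_REF}@${ARCH_DIGEST}"
            } | tee -a "${GITHUB_OUTPUT}"
          done
      - name: Extract SBOMs
        if: env.PUSH_IMAGE == 'true'
        env:
          AMD64_REF: ${{ steps.platform-digests.outputs.amd64_ref }}
          ARM64_REF: ${{ steps.platform-digests.outputs.arm64_ref }}
        run: |
          mkdir -p sboms
          # Extract SBOM for AMD64
          docker buildx imagetools inspect "${AMD64_REF}" --format '{{json .SBOM.SPDX}}' > sboms/amd64.spdx.json
          # Extract SBOM for ARM64
          docker buildx imagetools inspect "${ARM64_REF}" --format '{{json .SBOM.SPDX}}' > sboms/arm64.spdx.json
      - name: Attest AMD64 SBOM
        if: env.PUSH_IMAGE == 'true'
        uses: actions/attest-sbom@5026d3663739160db546203eeaffa6aa1c51a4d6 # v1.4.1
        with:
          # Same subject shape as the provenance step below: the image name
          # without tag or digest, and the bare `sha256:...` digest.
          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE }}
          subject-digest: ${{ steps.platform-digests.outputs.amd64_digest }}
          sbom-path: sboms/amd64.spdx.json
          push-to-registry: true
      - name: Attest ARM64 SBOM
        if: env.PUSH_IMAGE == 'true'
        uses: actions/attest-sbom@5026d3663739160db546203eeaffa6aa1c51a4d6 # v1.4.1
        with:
          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE }}
          subject-digest: ${{ steps.platform-digests.outputs.arm64_digest }}
          sbom-path: sboms/arm64.spdx.json
          push-to-registry: true
      - name: Generate build provenance attestation
        if: env.PUSH_IMAGE == 'true'
        uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4
        with:
          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE }}
          subject-digest: ${{ steps.build.outputs.digest }}
          push-to-registry: true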