content-artifacts.yml
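---
# "Process Content" workflow: validates and auto-converts the repository
# content with make, commits converted artifacts back (master of the home
# repository only), then builds, pushes and attests the validation-tools
# container image.
# yamllint disable-line rule:truthy
on:
  push:
    branches:
      - master
      - develop
      - 'feature/**'
    paths:
      - Dockerfile
      - "src/**"
      - "oscal"
  pull_request:
    types: [opened, synchronize, reopened]
  # NOTE(review): `branches` is a push/pull_request filter; confirm it has any
  # effect under workflow_dispatch, which is documented to take `inputs` only.
  workflow_dispatch:
    branches:
      - master
name: Process Content
env:
  HOME_REPO: GSA/fedramp-automation
  IMAGE_NAME: GSA/fedramp-automation/validation-tools
  REGISTRY: ghcr.io
  # Docs: github.com/docker/metadata-action/?tab=readme-ov-file#typesha
  DOCKER_METADATA_PR_HEAD_SHA: true
  # https://github.com/docker/metadata-action?tab=readme-ov-file#annotations
  DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
jobs:
  validate-and-publish-content:
    name: Content Validation Checking, Conversion and Validation
    # NOTE(review): the ubuntu-20.04 hosted image has been retired by GitHub;
    # confirm and move to a currently supported image.
    runs-on: ubuntu-20.04
    # These grants are job-wide, so the make steps below (which also run for
    # pull_request events) execute with the same token as the push and
    # attestation steps. NOTE(review): consider moving image publishing into a
    # separate job so the write scopes are only present where they are used.
    permissions:
      contents: read
      packages: write
      attestations: write
      id-token: write
    steps:
      - uses: actions/checkout@9a9194f87191a7e9055e3e9b95b8cfb13023bb08
        with:
          path: git-content
          submodules: recursive
          # Only update `fetch-depth` for debugging on branches. If not, this
          # action cannot see other branches for names for the PR to push back
          # changes. So, on PR branches without this, you will have errors.
          # fetch-depth: 0
      - name: Build content generator
        run: make init-content
        working-directory: git-content
      - name: Validate Content
        run: make test-content
        working-directory: git-content
      - name: Auto-convert Content
        run: make build-content
        working-directory: git-content
      - name: Setup SSH key
        # Only do this on GSA/master
        if: github.repository == env.HOME_REPO && github.ref == 'refs/heads/master'
        # The key is handed over through the step environment instead of being
        # templated into the script text, so its contents are never parsed as
        # shell source.
        # NOTE(review): the agent is started inside this step's shell and
        # SSH_AUTH_SOCK is not written to $GITHUB_ENV, so it is presumably not
        # visible to the next step; confirm how "Publish Artifacts" actually
        # authenticates its push (the job token is `contents: read`).
        env:
          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
        run: |
          eval "$(ssh-agent -s)"
          ssh-add - <<< "$SSH_PRIVATE_KEY"
      - name: Publish Artifacts
        # Only do this on GSA/master
        if: github.repository == env.HOME_REPO && github.ref == 'refs/heads/master'
        # NOTE(review): the action ref and the e-mail addresses in this step
        # are obscured in this copy of the file (`[email protected]`); restore
        # them from the repository. The ref appears to be a version tag, while
        # every other action in this job is pinned to a full commit SHA; pin
        # this one the same way, since this step is the one that pushes commits.
        uses: stefanzweifel/[email protected]
        with:
          repository: git-content
          commit_message: Publishing auto-converted artifacts
          commit_user_name: OSCAL GitHub Actions Bot
          commit_user_email: [email protected]
          commit_author: OSCAL GitHub Actions Bot <[email protected]>
      - if: github.repository == env.HOME_REPO
        name: Container image QEMU setup for cross-arch builds
        id: image_setup_qemu
        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf
      - if: github.repository == env.HOME_REPO
        name: Container image buildx setup for cross-arch builds
        id: image_setup_buildx
        uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db
        with:
          platforms: linux/amd64,linux/arm64
      - if: github.repository == env.HOME_REPO
        name: Container image login
        id: image_login
        uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - if: github.repository == env.HOME_REPO
        name: Container image metadata and tag generation
        id: image_metadata
        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          tags: |
            type=sha,prefix=,suffix=,format=long
            type=ref,event=branch
            type=ref,event=tag
            type=ref,event=pr
          # For now, do not auto-tag latest, maintainers will decide what is
          # release-worthy.
          # NOTE(review): `latest=true` below does the opposite of the comment
          # above: it asks the action to add the `latest` tag on every run, and
          # the push step also runs for feature branches, so a feature-branch
          # build can move `latest`. Confirm the intent; `latest=false` is the
          # value that matches the comment.
          flavor: |
            latest=true
          # Literal block scalar so that each annotation stays on its own line.
          # Written as a plain multi-line scalar, YAML folds these lines into a
          # single space-separated string and the action receives one entry.
          annotations: |
            maintainers="FedRAMP Automation Team <[email protected]>"
            org.opencontainers.image.authors="FedRAMP Automation Team <[email protected]>"
            org.opencontainers.image.documentation="https://automate.fedramp.gov"
            org.opencontainers.image.source="https://github.com/GSA/fedramp-automation"
            org.opencontainers.image.vendor="GSA Technology Transformation Services"
            org.opencontainers.image.title="FedRAMP Validation Tools"
            org.opencontainers.image.description="FedRAMP's tools for validating OSCAL data"
            org.opencontainers.image.licenses="CC0-1.0"
      # Images are pushed only from master and from refs starting with
      # refs/heads/feature in the home repository; pull_request runs stop
      # before this step.
      - if: github.repository == env.HOME_REPO && (github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/heads/feature'))
        name: Container image registry push
        id: image_registry_push
        uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
        with:
          context: git-content
          push: true
          tags: ${{ steps.image_metadata.outputs.tags }}
          # NOTE(review): this feeds the metadata step's `annotations` output
          # into `labels`. With DOCKER_METADATA_ANNOTATIONS_LEVELS set, those
          # entries presumably carry level prefixes; confirm whether
          # `outputs.labels` was intended here.
          labels: ${{ steps.image_metadata.outputs.annotations }}
          platforms: linux/amd64,linux/arm64
          cache-from: type=gha
          cache-to: type=gha,mode=max
      # Provenance is generated for the digest reported by the push step, so
      # the attestation is bound to the exact image that was published.
      - if: github.repository == env.HOME_REPO && (github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/heads/feature'))
        name: Container image push attestations
        uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c
        with:
          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
          subject-digest: ${{ steps.image_registry_push.outputs.digest }}
          push-to-registry: false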