Skip to content

Commit

Permalink
added release pipeline bits
Browse files Browse the repository at this point in the history
  • Loading branch information
@garethahealy
garethahealy committed Jan 5, 2024
1 parent 8abcab6 commit 4d4b3fb
Show file tree
Hide file tree
Showing 2 changed files with 140 additions and 0 deletions.
126 changes: 126 additions & 0 deletions .github/workflows/build.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,8 @@ permissions: read-all
jobs:
build:
runs-on: ubuntu-latest
permissions:
packages: write
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
Expand Down Expand Up @@ -40,20 +42,51 @@ jobs:
path: target/
if-no-files-found: error

- name: Upload runner binary
uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4
with:
name: runner
path: target/github-stats-*-runner
if-no-files-found: error

- name: Generate hashes
shell: bash
id: hash
run: |
echo "hashes=$(sha256sum target/github-stats-*-runner | base64 -w0)" >> "$GITHUB_OUTPUT"
- name: Get image tags
id: image_tags
uses: redhat-cop/github-actions/get-image-version@main
with:
IMAGE_CONTEXT_DIR: src/main/docker

- name: Build image
id: build_image
uses: redhat-actions/buildah-build@b4dc19b4ba891854660ab1f88a097d45aa158f76 # v2
with:
dockerfiles: src/main/docker/Dockerfile.native-micro
image: github-stats
oci: true
tags: "${{ steps.image_tags.outputs.IMAGE_TAGS }}"

- name: Push to ghcr.io
if: startsWith(github.ref, 'refs/tags/')
uses: redhat-actions/push-to-registry@9986a6552bc4571882a4a67e016b17361412b4df # v2
id: push_image
with:
image: ${{ steps.build_image.outputs.image }}
registry: ghcr.io/${{ github.repository }}
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
tags: ${{ steps.build_image.outputs.tags }}

outputs:
hashes: ${{ steps.hash.outputs.hashes }}
image_repo: "ghcr.io/${{ github.repository }}/${{ steps.build_image.outputs.image }}"
image_digest: "${{ steps.push_image.outputs.digest }}"
image_uri: "ghcr.io/${{ github.repository }}/${{ steps.build_image.outputs.image }}@${{ steps.push_image.outputs.digest }}"

analyze:
needs: [ build ]
runs-on: ubuntu-latest
Expand Down Expand Up @@ -114,3 +147,96 @@ jobs:
GITHUB_LOGIN: ${{ github.repository_owner }}
GITHUB_OAUTH: ${{ secrets.RHUKI_READ_PAT }}
run: ./github-stats-*-runner create-who-are-you-issues --dry-run=true --organization=RedHat-Consulting-UK --issue-repo=helm3 --members-csv=tests/members.csv --fail-if-no-vpn=false

sign-image:
needs: [ build ]
permissions:
id-token: write
packages: write
if: startsWith(github.ref, 'refs/tags/')
env:
image_uri: ${{ needs.build.outputs.image_uri }} # todo
runs-on: ubuntu-latest
steps:
- name: Setup cosign
uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3

- name: Cosign login
run: |
echo "${{ secrets.GITHUB_TOKEN }}" | cosign login --username ${{ github.repository_owner }} --password-stdin ghcr.io
- name: Sign Image
run: |
cosign sign --yes ${image_uri}
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@91713af97dc80187565512baba96e4364e983601 # 0.16.0
env:
TRIVY_USERNAME: ${{ github.repository_owner }}
TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
with:
scan-type: image
image-ref: ${{ env.image_uri }}
format: "cosign-vuln"
output: "cosign-vuln.json"

- name: Run Trivy SBOM generator
uses: aquasecurity/trivy-action@91713af97dc80187565512baba96e4364e983601 # 0.16.0
env:
TRIVY_USERNAME: ${{ github.repository_owner }}
TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
with:
scan-type: image
image-ref: ${{ env.image_uri }}
format: "spdx-json"
output: "spdx-json.json"

- name: Attach attestations
run: |
cosign attest --yes --type vuln --predicate cosign-vuln.json ${image_uri}
cosign attest --yes --type cyclonedx --predicate spdx-json.json ${image_uri}
provenance_binary:
needs: [ build ]
if: startsWith(github.ref, 'refs/tags/')
permissions:
actions: read
id-token: write
contents: write
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
with:
base64-subjects: "${{ needs.build.outputs.hashes }}"
upload-assets: true

provenance_image:
needs: [ build ]
permissions:
actions: read # for detecting the Github Actions environment.
id-token: write # for creating OIDC tokens for signing.
packages: write # for uploading attestations.
if: startsWith(github.ref, 'refs/tags/')
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
with:
image: ${{ needs.build.outputs.image_repo }}
digest: ${{ needs.build.outputs.image_digest }}
registry-username: ${{ github.repository_owner }}
secrets:
registry-password: ${{ secrets.GITHUB_TOKEN }}

release:
needs: [ build ]
runs-on: ubuntu-latest
if: startsWith(github.ref, 'refs/tags/')
permissions:
contents: write
steps:
- name: Download runner
uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110 # v4
with:
name: runner

- name: Upload assets to release
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
with:
files: |
github-stats-*-runner
14 changes: 14 additions & 0 deletions renovate.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,5 +3,19 @@
"extends": [
"config:best-practices",
"schedule:earlyMondays"
],
"packageRules": [
{
"matchDepTypes": [
"action"
],
"matchPackageNames": [
"slsa-framework/slsa-github-generator"
],
"matchUpdateTypes": [
"pinDigest"
],
"enabled": false
}
]
}

0 comments on commit 4d4b3fb

Please sign in to comment.