Skip to content
release-guac-visualizer-image

Fix release build errors (#99) #18

Sign in to view logs

Fix release build errors (#99)

Fix release build errors (#99) #18

Workflow file for this run

.github/workflows/release.yaml at 2d9908b
#
# Copyright 2022 The GUAC Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
name: release-guac-visualizer-image
on:
push:
tags:
- 'v*'
permissions:
actions: read # for detecting the Github Actions environment.
packages: write # To publish container images to GHCR
id-token: write # needed for signing the images with GitHub OIDC Token **not production ready**
jobs:
build-n-release:
name: Build and publish image
runs-on: ubuntu-latest
outputs:
image: ${{ env.IMAGE_URI }}
digest: ${{ steps.build_n_publish_image.outputs.IMAGE_DIGEST }}
env:
IMAGE_URI: ghcr.io/${{ github.repository }}
BUILDER: paketobuildpacks/builder-jammy-full
BUILDPACK: paketo-buildpacks/nodejs
BUILDPACK_SBOM_OUTPUT_DIR: sbom-output-dir
BUILDPACK_SPDX_SBOM: "launch/paketo-buildpacks_yarn-install/launch-modules/sbom.spdx.json"
steps:
- name: Checkout code
uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # tag=v3
- name: Login to GitHub Container Registry
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Setup pack
uses: buildpacks/github-actions/setup-pack@7fc3d673350db0fff960cc94a3b9b80e5b663ae2 # v5.0.0
- name: Install cosign
uses: sigstore/[email protected] # main
with:
cosign-release: 'v2.4.0'
- name: Install crane
uses: imjasonh/setup-crane@5146f708a817ea23476677995bf2133943b9be0b # v0.1
- name: Update version string to match git tag
run: |
#!/usr/bin/env bash
set -euo pipefail
npm version --no-git-tag-version $(git describe --tags --abbrev=0)
- name: Build and publish image
id: build_n_publish_image
run: |
#!/usr/bin/env bash
set -euo pipefail
pack build ${IMAGE_URI}:${{ github.ref_name }} --builder ${BUILDER} --buildpack ${BUILDPACK} --publish --sbom-output-dir ${BUILDPACK_SBOM_OUTPUT_DIR}
echo "IMAGE_DIGEST=$(crane digest ${IMAGE_URI}:${{ github.ref_name }})" >> $GITHUB_OUTPUT
- name: Sign and verify image
run: |
#!/usr/bin/env bash
set -euo pipefail
cosign sign -a git_sha=$GITHUB_SHA ${IMAGE_URI_DIGEST} --yes
cosign attach sbom --sbom ${BUILDPACK_SBOM_OUTPUT_DIR}/${BUILDPACK_SPDX_SBOM} ${IMAGE_URI_DIGEST}
cosign sign -a git_sha=$GITHUB_SHA --attachment sbom ${IMAGE_URI_DIGEST} --yes
cosign verify ${IMAGE_URI_DIGEST} --certificate-oidc-issuer ${GITHUB_ACITONS_OIDC_ISSUER} --certificate-identity ${COSIGN_KEYLESS_SIGNING_CERT_SUBJECT}
shell: bash
env:
IMAGE_URI_DIGEST: ${{ env.IMAGE_URI }}@${{ steps.build_n_publish_image.outputs.IMAGE_DIGEST }}
GITHUB_ACITONS_OIDC_ISSUER: https://token.actions.githubusercontent.com
COSIGN_KEYLESS_SIGNING_CERT_SUBJECT: https://github.com/${{ github.repository }}/.github/workflows/release.yaml@${{ github.ref }}
provenance-container:
name: generate provenance for container
needs: [build-n-release]
if: startsWith(github.ref, 'refs/tags/')
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] # must use semver here
with:
image: ${{ needs.build-n-release.outputs.image }}
digest: ${{ needs.build-n-release.outputs.digest }}
registry-username: ${{ github.actor }}
secrets:
registry-password: ${{ secrets.GITHUB_TOKEN }}