GitHub Universe 24 - Sample NPM Project #7
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: GitHub Universe 24 - Sample Python Project | |
| on: workflow_dispatch | |
| permissions: | |
| actions: read # for detecting the Github Actions environment. | |
| id-token: write # for creating OIDC tokens for signing. | |
| packages: write # for uploading attestations. | |
| contents: read #Ability to read the contents permission | |
| security-events: write # Required for uploading code scanning | |
| jobs: | |
| build-publish-python: | |
| runs-on: ubuntu-latest | |
| env: | |
| DOCKER_REPO: 'docker-prod-local' | |
| IMAGE_NAME: 'python-test-image-gh' | |
| outputs: | |
| image: ${{ vars.JF_URL }}/${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }} | |
| digest: ${{ steps.build.outputs.digest }} | |
| steps: | |
| # Download the JFrog CLI and configure using JFrog Project and OIDC provider | |
| - uses: jfrog/setup-jfrog-cli@v4 | |
| name: Setup JFrog CLI | |
| id: setup-cli | |
| env: | |
| JF_URL: https://${{ vars.JF_URL }}/ | |
| JF_PROJECT: ${{ vars.JF_PROJECT }} | |
| # Required for uploading code scanning. | |
| JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| oidc-provider-name: jfrog-github-oidc | |
| version: latest | |
| - name: Checkout the repository | |
| uses: actions/checkout@v4 | |
| - name: jfrog cli version | |
| run: | | |
| jfrog -v | |
| - name: configure jfrog environment | |
| run: | | |
| jf pip-config --repo-resolve=python-virtual | |
| - name: configure environment | |
| run: | | |
| python3 -m pip install --upgrade pip setuptools wheel sigstore | |
| wheel -h | |
| pip show setuptools | |
| echo $VIRTUAL_ENV | |
| - name: build project | |
| run: | | |
| jf pip install -r requirements.txt --module=jfrog-python-example | |
| python setup.py sdist bdist_wheel | |
| cd dist && echo "hashes=$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT | |
| - name: publish python package | |
| run: | | |
| jf rt u dist/ python-virtual/example-projects/ --module=jfrog-python-example | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Authenticate Docker | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ vars.JF_URL }} | |
| username: ${{ vars.JF_USER }} | |
| password: ${{ secrets.JF_ACCESS_TOKEN }} | |
| - name: Build Docker image | |
| uses: docker/build-push-action@v5 | |
| id: build | |
| with: | |
| push: true | |
| platforms: linux/amd64 #, linux/arm64 | |
| tags: ${{ vars.JF_URL }}/${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }} | |
| - name: docker scan | |
| run: | | |
| jf docker pull ${{ vars.JF_URL }}/${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }} | |
| jf docker scan ${{ vars.JF_URL }}/${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }} | |
| - name: add docker package to build | |
| run: | | |
| echo "${{ vars.JF_URL }}/${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}" > metadata.json | |
| jf rt build-docker-create ${{ env.DOCKER_REPO }} --image-file metadata.json | |
| - name: publish build info | |
| run: | | |
| jf rt bce | |
| jf rt bp | |
| - name: build scan | |
| run: | | |
| jf build-scan --fail=false | |
| provenance: | |
| needs: [build-publish-python] | |
| uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | |
| with: | |
| image: ${{ needs.build-publish-python.outputs.image }} | |
| digest: ${{ needs.build-publish-python.outputs.digest }} | |
| private-repository: true | |
| secrets: | |
| registry-username: ${{ vars.JF_USER }} | |
| registry-password: ${{ secrets.JF_ACCESS_TOKEN }} |