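# Container workflow: builds release binaries with goreleaser, builds the
# ghcr.io/parca-dev/parca-debuginfo image with podman and, for events other
# than pull_request, pushes the image and signs it with cosign.
name: Container

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

env:
  # NOTE(review): no step in this workflow references GORELEASER_VERSION
  # directly; presumably it is read by the Makefile or kept for Renovate.
  # Confirm it is still needed.
  # renovate: datasource=go depName=github.com/goreleaser/goreleaser
  GORELEASER_VERSION: v1.10.2

jobs:
  # Decides whether the build can be skipped because nothing relevant changed.
  skip-check:
    name: Skip check
    # A failure of the skip check must not block the build itself.
    continue-on-error: true
    runs-on: ubuntu-latest
    outputs:
      should_skip: ${{ steps.skip-check.outputs.should_skip }}
    permissions:
      # NOTE(review): presumably required by skip-duplicate-actions to manage
      # workflow runs; confirm against the action's documentation.
      actions: write
      contents: read
    steps:
      - id: skip-check
        uses: fkirc/skip-duplicate-actions@9d116fa7e55f295019cfab7e3ab72b478bcf7fdd # tag=v4.0.0
        with:
          do_not_skip: '["schedule", "workflow_dispatch"]'
          paths: |-
            [
              "**.go",
              ".dockerignore",
              ".github/workflows/container.yml",
              "Dockerfile*",
              "Makefile",
              "go.mod",
              "go.sum"
            ]
          skip_after_successful_duplicate: false

  # Cross-compiles the binaries as a goreleaser snapshot and uploads them as
  # a workflow artifact for the container job.
  build-binaries:
    name: Build binaries using goreleaser
    needs: skip-check
    if: ${{ needs.skip-check.outputs.should_skip != 'true' }}
    runs-on: ubuntu-latest
    # Least privilege: the other jobs scope their token explicitly; this one
    # only checks out code and runs a snapshot build with --skip-publish, so
    # read access to contents is sufficient. Without this block the job
    # inherits the repository's default token permissions.
    permissions:
      contents: read
    container:
      # NOTE(review): pinned by mutable tag, not by digest, while the actions
      # in this file are pinned by commit SHA. Consider an @sha256 digest.
      image: docker.io/goreleaser/goreleaser-cross:v1.18.3
      # NOTE(review): --privileged removes most container isolation from the
      # runner host; confirm the cross-build still needs it.
      options: --privileged
      env:
        # NOTE(review): the run below uses --skip-publish --snapshot; confirm
        # goreleaser needs a token at all here and drop it if not.
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        # NOTE(review): goreleaser_current_tag is not defined in this
        # workflow's env, so this presumably expands to an empty string.
        GORELEASER_CURRENT_TAG: "${{ env.goreleaser_current_tag }}"
    steps:
      - name: Check out the code
        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
      - name: Set up Go
        uses: actions/setup-go@84cbf8094393cdc5fe1fe1671ff2647332956b1a # tag=v3.2.1
        with:
          go-version-file: 'go.mod'
          cache: true
      - name: Run Goreleaser
        run: goreleaser release --rm-dist --skip-validate --skip-publish --snapshot --debug
      - name: Archive generated artifacts
        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # tag=v3.1.0
        with:
          name: parca-debuginfo-dist-container
          if-no-files-found: error
          path: |
            goreleaser/dist
            !goreleaser/dist/*.txt

  # Builds the image from the uploaded binaries; push and signing steps are
  # gated on the event not being a pull request.
  build-and-push-container:
    name: Container build and push (when merged)
    needs: build-binaries
    runs-on: ubuntu-latest
    container:
      # https://github.com/containers/podman/tree/main/contrib/podmanimage
      # Specifying SHA repeatedly fails:
      # @sha256:421ac576cebff98e90c531e7b9ce4482370ecc7cee59abc2341714031bfb5f43
      image: quay.io/containers/podman:v4.1.1
      # NOTE(review): privileged, unlabelled and seccomp-unconfined: this job
      # runs with effectively no container isolation while also holding
      # packages:write and id-token:write. Keep the steps that run here to
      # the minimum needed for podman-in-container.
      options: >-
        --device /dev/fuse:rw
        --privileged
        --security-opt label=disable
        --security-opt seccomp=unconfined
    # NOTE(review): these scopes apply to every step of the job, including
    # `make container` on pull_request runs, although only the gated
    # push/sign steps need write access. Splitting push and sign into a
    # separate job would narrow the exposure.
    permissions:
      id-token: write
      packages: write
      contents: read
    steps:
      - name: Install dependencies
        run: dnf install --assumeyes --repo fedora git make jq
      - name: Check out code into the Go module directory
        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
      - name: Set up Go
        uses: actions/setup-go@84cbf8094393cdc5fe1fe1671ff2647332956b1a # tag=v3.2.1
        with:
          go-version-file: 'go.mod'
          check-latest: true
      # NOTE(review): the only action in this file referenced by a mutable
      # tag; pin it to a full commit SHA like the others, e.g.
      # actions/download-artifact@<full-commit-sha> # tag=v3.x.y
      - uses: actions/download-artifact@v3
        with:
          name: parca-debuginfo-dist-container
          path: goreleaser/dist
      - name: Build container
        run: make container
      - name: Check images are created
        run: podman images | grep 'ghcr.io/parca-dev/parca-debuginfo'
      - name: Install cosign
        if: ${{ github.event_name != 'pull_request' }}
        uses: sigstore/cosign-installer@09a077b27eb1310dcfb21981bee195b30ce09de0 # tag=v2.5.0
      - name: Login to registry
        if: ${{ github.event_name != 'pull_request' }}
        env:
          # Hand the token to the shell through the environment instead of
          # templating it into the script text that the runner writes out.
          REGISTRY_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          echo "${REGISTRY_TOKEN}" | podman login -u parca-dev --password-stdin ghcr.io
      - name: Install crane
        if: ${{ github.event_name != 'pull_request' }}
        uses: imjasonh/setup-crane@e82f1b9a8007d399333baba4d75915558e9fb6a4 # tag=v0.2
      - name: Push and sign container
        if: ${{ github.event_name != 'pull_request' }}
        env:
          # Quoted: environment values are strings, not YAML booleans.
          COSIGN_EXPERIMENTAL: "true"
        run: |
          make push-container
          make sign-container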