fix permissions for merged config #131
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release | |
| on: | |
| push: | |
| # branches: | |
| # - "latest" | |
| jobs: | |
| docker-release: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| contents: write | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| with: | |
| driver: docker-container | |
| - name: Install GitVersion | |
| uses: gittools/actions/gitversion/[email protected] | |
| with: | |
| versionSpec: "6.0.0" | |
| - name: Clear GitVersion Cache | |
| run: rm -rf .git/gitversion_cache | |
| - name: Determine Version | |
| id: gitversion | |
| uses: gittools/actions/gitversion/[email protected] | |
| with: | |
| useConfigFile: true | |
| configFilePath: ci/git-version.yml | |
| - name: Generate changelog | |
| id: changelog | |
| run: | | |
| git log $(git describe --tags --abbrev=0)..HEAD -- . --pretty=format:"- %s" > changelog.txt | |
| CHANGELOG=$(cat changelog.txt | jq -sRr @uri) | |
| echo "CHANGELOG=$CHANGELOG" >> $GITHUB_ENV | |
| - name: Log in to Docker Hub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ vars.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_TOKEN }} | |
| - name: Multi-arch build and push to Docker Hub | |
| id: build-push | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| file: ./Dockerfile | |
| # platforms: linux/amd64,linux/arm64 | |
| platforms: linux/amd64 | |
| push: true | |
| tags: | | |
| usabilitydynamics/udx-worker:${{ steps.gitversion.outputs.semVer }} | |
| usabilitydynamics/udx-worker:latest | |
| - name: Install Trivy | |
| run: | | |
| curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | \ | |
| sudo sh -s -- -b /usr/local/bin | |
| - name: Generate SBOM with Retry Logic | |
| id: generate-sbom | |
| run: | | |
| export TRIVY_DISABLE_VEX_NOTICE=true | |
| set +e # Disable exit on error for the retry logic | |
| # Retry logic for Trivy SBOM generation | |
| max_retries=10 | |
| attempt=1 | |
| success=false | |
| while [ $attempt -le $max_retries ]; do | |
| echo "Generating SBOM, attempt $attempt..." | |
| # Run Trivy SBOM generation and capture the output and exit status | |
| output=$(trivy image --format spdx-json --output sbom.json usabilitydynamics/udx-worker:${{ steps.gitversion.outputs.semVer }} 2>&1) | |
| sbom_exit_code=$? | |
| # Check if SBOM generation was successful | |
| if [ $sbom_exit_code -eq 0 ]; then | |
| echo "SBOM generation successful." | |
| success=true | |
| break | |
| else | |
| echo "SBOM generation encountered an error." | |
| # Extract and remove decimals from retry-after value | |
| retry_after=$(echo "$output" | grep -oP 'retry-after: \K[0-9]+') | |
| # Default sleep time if retry-after is not found | |
| if [ -z "$retry_after" ]; then | |
| retry_after=120 # Default to 2 minutes if retry-after is missing | |
| fi | |
| echo "Retrying in ${retry_after} seconds..." | |
| sleep "$retry_after" | |
| attempt=$((attempt+1)) | |
| fi | |
| done | |
| # Exit if all retries fail without a successful SBOM generation | |
| if [ "$success" = false ]; then | |
| echo "Failed to complete SBOM generation after $max_retries attempts." | |
| exit 1 | |
| fi | |
| - name: Upload SBOM Artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: sbom | |
| path: sbom.json | |
| # - name: Install Cosign | |
| # uses: sigstore/[email protected] | |
| # - name: Sign Docker image with Cosign | |
| # env: | |
| # COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} | |
| # run: | | |
| # cosign sign -y \ | |
| # --key env://COSIGN_PRIVATE_KEY \ | |
| # usabilitydynamics/udx-worker@${{ steps.build-push.outputs.digest }} | |
| # - name: Sign SBOM with Cosign | |
| # env: | |
| # COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} | |
| # run: | | |
| # cosign attest -y \ | |
| # --key env://COSIGN_PRIVATE_KEY \ | |
| # --predicate sbom.json \ | |
| # --type https://spdx.dev/spdx-specification-2-2-pdf \ | |
| # usabilitydynamics/udx-worker@${{ steps.build-push.outputs.digest }} | |
| - name: Log out from Docker Hub | |
| run: docker logout | |
| # github-release: | |
| # runs-on: ubuntu-latest | |
| # needs: docker-release | |
| # permissions: | |
| # contents: write | |
| # steps: | |
| # - name: Checkout code | |
| # uses: actions/checkout@v4 | |
| # with: | |
| # fetch-depth: 0 | |
| # - name: Configure git for pushing | |
| # run: | | |
| # git config --global user.email "[email protected]" | |
| # git config --global user.name "UDX Worker" | |
| # - name: Create GitHub Tag | |
| # env: | |
| # GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} | |
| # run: | | |
| # git tag ${{ needs.docker-release.outputs.semVer }} | |
| # git push origin ${{ needs.docker-release.outputs.semVer }} | |
| # - name: Download SBOM Artifact | |
| # uses: actions/download-artifact@v4 | |
| # with: | |
| # name: sbom | |
| # - name: Create GitHub release | |
| # uses: softprops/action-gh-release@v2 | |
| # with: | |
| # tag_name: ${{ needs.docker-release.outputs.semVer }} | |
| # body: | | |
| # Release version ${{ needs.docker-release.outputs.semVer }}. | |
| # [View on Docker Hub](https://hub.docker.com/r/usabilitydynamics/udx-worker/tags?page=1&ordering=last_updated). | |
| # ${{ needs.docker-release.outputs.changelog }} | |
| # draft: false | |
| # prerelease: false | |
| # files: sbom.json | |
| # env: | |
| # GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} |