
test release

test release #153

Workflow file for this run

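# Release workflow: builds the udx-worker image, pushes it to Docker Hub,
# signs the pushed digest with Cosign, generates an SPDX SBOM with Trivy and
# attaches that SBOM to the image as a Cosign attestation.
name: Release

# NOTE(review): the branch filter is commented out, so this runs on every push
# to any branch, and every run publishes and signs `:latest`. Restore the
# filter before treating the output as a real release.
on:
  push:
    # branches:
    #   - "latest"

jobs:
  docker-release:
    runs-on: ubuntu-latest
    # NOTE(review): no step visible in this job writes to the repository, and
    # signing below is key-based (`--key`), not keyless/OIDC. Confirm whether
    # `contents: write` and `id-token: write` are needed; if not, drop to
    # `contents: read` for least privilege.
    permissions:
      id-token: write
      contents: write
    # NOTE(review): third-party actions are referenced by mutable tags. Pinning
    # each `uses:` to a full commit SHA keeps a re-pointed tag from changing
    # what runs with the Docker Hub and Cosign secrets in scope.
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          # Full history; GitVersion derives the version from tags and commits.
          fetch-depth: 0

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        with:
          driver: docker-container

      - name: Install GitVersion
        # The ref on this line was destroyed by the page's e-mail obfuscation
        # (it read "gitversion/[email protected]"). The action name is presumed
        # from the step name; the version is a placeholder to be restored.
        uses: gittools/actions/gitversion/setup@VERSION_LOST_IN_PAGE_EXTRACTION
        with:
          versionSpec: "6.0.0"

      - name: Clear GitVersion Cache
        run: rm -rf .git/gitversion_cache

      - name: Determine Version
        id: gitversion
        # Same extraction damage as above; name presumed, version placeholder.
        uses: gittools/actions/gitversion/execute@VERSION_LOST_IN_PAGE_EXTRACTION
        with:
          useConfigFile: true
          configFilePath: ci/git-version.yml

      - name: Log in to Docker Hub
        uses: docker/login-action@v3
        with:
          username: "usabilitydynamics"
          password: ${{ secrets.DOCKER_TOKEN }}

      - name: Build and Push Docker Image
        id: docker_push
        uses: docker/build-push-action@v6
        with:
          context: .
          platforms: linux/amd64
          push: true
          tags: |
            usabilitydynamics/udx-worker:${{ steps.gitversion.outputs.semVer }}
            usabilitydynamics/udx-worker:latest

      - name: Retrieve Image Digest from Docker Hub
        id: retrieve_digest
        env:
          DOCKER_USERNAME: "usabilitydynamics"
          DOCKER_PASSWORD: ${{ secrets.DOCKER_TOKEN }}
          # Passed through the environment instead of being expanded into the
          # script text, so the version string is never parsed as shell.
          SEMVER: ${{ steps.gitversion.outputs.semVer }}
        # NOTE(review): docker/build-push-action exposes the pushed digest as a
        # step output (steps.docker_push.outputs.digest). Using it would avoid
        # re-resolving a mutable tag and sending the credentials a second time.
        run: |
          echo "Fetching digest for tag: ${SEMVER}"
          # Query the Docker Registry API
          RESPONSE_HEADERS=$(curl -sI -H "Accept: application/vnd.docker.distribution.manifest.v2+json" \
            -u "${DOCKER_USERNAME}:${DOCKER_PASSWORD}" \
            "https://registry-1.docker.io/v2/usabilitydynamics/udx-worker/manifests/${SEMVER}")
          # Debug headers
          echo "Response headers:"
          echo "${RESPONSE_HEADERS}"
          # Extract the Docker-Content-Digest
          DIGEST=$(echo "${RESPONSE_HEADERS}" | grep -i "Docker-Content-Digest" | awk '{print $2}' | tr -d '\r')
          if [ -z "${DIGEST}" ]; then
            echo "Failed to retrieve digest. Check if the tag exists or if authentication is correct."
            exit 1
          fi
          # Later steps sign and attest this immutable reference, not the tag.
          echo "IMAGE_DIGEST=usabilitydynamics/udx-worker@${DIGEST}" >> "$GITHUB_ENV"
          echo "Image Digest: ${DIGEST}"

      - name: Install Cosign
        # Same extraction damage as the GitVersion steps; name presumed from
        # the step name, version placeholder.
        uses: sigstore/cosign-installer@VERSION_LOST_IN_PAGE_EXTRACTION

      - name: Sign Docker Image with Cosign
        env:
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
        run: |
          cosign sign -y \
            --key env://COSIGN_PRIVATE_KEY \
            "${IMAGE_DIGEST}"

      - name: Verify Cosign Signature
        # NOTE(review): this check is given the private-key secret. Consumers
        # can only verify with the matching public key, so verifying here with
        # that public key would exercise the same path they use and would not
        # need the secret in this step. Confirm and switch if possible.
        env:
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
        run: |
          cosign verify \
            --key env://COSIGN_PRIVATE_KEY \
            "${IMAGE_DIGEST}"

      - name: Install Trivy
        # NOTE(review): the installer is fetched from the moving `main` branch
        # and piped into a root shell with no integrity check. Pin the script
        # and the Trivy release it installs to a known version.
        run: |
          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | \
            sudo sh -s -- -b /usr/local/bin

      - name: Generate SBOM with Retry Logic
        id: generate-sbom
        run: |
          export TRIVY_DISABLE_VEX_NOTICE=true
          # Failures are handled by the retry loop, not by errexit.
          set +e
          max_retries=10
          attempt=1
          success=false
          while [ $attempt -le $max_retries ]; do
            echo "Generating SBOM, attempt $attempt..."
            # Scan the digest that was signed rather than the mutable tag, so
            # the attested SBOM describes exactly the signed image.
            output=$(trivy image --format spdx-json --output sbom.json "${IMAGE_DIGEST}" 2>&1)
            sbom_exit_code=$?
            if [ $sbom_exit_code -eq 0 ]; then
              echo "SBOM generation successful."
              success=true
              break
            else
              # Surface the captured error; it used to be discarded, which
              # left a failed release with no diagnostic in the log.
              echo "SBOM generation failed with exit code ${sbom_exit_code}:"
              echo "${output}"
              echo "Retrying in 120 seconds..."
              sleep 120
              attempt=$((attempt+1))
            fi
          done
          if [ "$success" = false ]; then
            exit 1
          fi

      - name: Upload SBOM Artifact
        uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: sbom.json

      - name: Sign SBOM with Cosign
        env:
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
        # NOTE(review): the predicate is SPDX JSON produced by Trivy. Confirm
        # that this custom type URI is the one verifiers will query for;
        # cosign also has a built-in `spdxjson` predicate type.
        run: |
          cosign attest \
            --key env://COSIGN_PRIVATE_KEY \
            --predicate sbom.json \
            --type https://spdx.dev/spdx-specification-2-2-pdf \
            "${IMAGE_DIGEST}"

      - name: Log out from Docker Hub
        run: docker logout

  # Disabled follow-up job, kept for reference.
  # NOTE(review): it reads needs.docker-release.outputs.semVer and
  # .changelog, but docker-release declares no `outputs:`; those must be added
  # before this job is re-enabled. The version should also reach `git tag`
  # through `env:` rather than being expanded inline in the script.
  # github-release:
  #   runs-on: ubuntu-latest
  #   needs: docker-release
  #   permissions:
  #     contents: write
  #   steps:
  #     - name: Checkout code
  #       uses: actions/checkout@v4
  #       with:
  #         fetch-depth: 0
  #     - name: Configure git for pushing
  #       run: |
  #         git config --global user.email "[email protected]"
  #         git config --global user.name "UDX Worker"
  #     - name: Create GitHub Tag
  #       env:
  #         GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
  #       run: |
  #         git tag ${{ needs.docker-release.outputs.semVer }}
  #         git push origin ${{ needs.docker-release.outputs.semVer }}
  #     - name: Download SBOM Artifact
  #       uses: actions/download-artifact@v4
  #       with:
  #         name: sbom
  #     - name: Create GitHub release
  #       uses: softprops/action-gh-release@v2
  #       with:
  #         tag_name: ${{ needs.docker-release.outputs.semVer }}
  #         body: |
  #           Release version ${{ needs.docker-release.outputs.semVer }}.
  #           [View on Docker Hub](https://hub.docker.com/r/usabilitydynamics/udx-worker/tags?page=1&ordering=last_updated).
  #           ${{ needs.docker-release.outputs.changelog }}
  #         draft: false
  #         prerelease: false
  #         files: sbom.json
  #       env:
  #         GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}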