test release #158
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release | |
| on: | |
| push: | |
| # branches: | |
| # - "latest" | |
| jobs: | |
| docker-release: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| contents: write | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| with: | |
| driver: docker-container | |
| - name: Install GitVersion | |
| uses: gittools/actions/gitversion/[email protected] | |
| with: | |
| versionSpec: "6.0.0" | |
| - name: Clear GitVersion Cache | |
| run: rm -rf .git/gitversion_cache | |
| - name: Determine Version | |
| id: gitversion | |
| uses: gittools/actions/gitversion/[email protected] | |
| with: | |
| useConfigFile: true | |
| configFilePath: ci/git-version.yml | |
| - name: Log in to Docker Hub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: "usabilitydynamics" | |
| password: ${{ secrets.DOCKER_TOKEN }} | |
| - name: Build and Push Docker Image | |
| id: docker_push | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| platforms: linux/amd64 | |
| push: true | |
| tags: | | |
| usabilitydynamics/udx-worker:${{ steps.gitversion.outputs.semVer }} | |
| usabilitydynamics/udx-worker:latest | |
| - name: Extract Full Image Reference | |
| run: | | |
| # Use the digest provided by docker/build-push-action | |
| DIGEST=${{ steps.docker_push.outputs.digest }} | |
| IMAGE_REFERENCE="usabilitydynamics/udx-worker@${DIGEST}" | |
| # Export the simplified reference | |
| echo "IMAGE_REFERENCE=${IMAGE_REFERENCE}" >> $GITHUB_ENV | |
| echo "Image Reference for Signing: ${IMAGE_REFERENCE}" | |
| - name: Install Cosign | |
| uses: sigstore/[email protected] | |
| - name: Sign Docker Image with Cosign | |
| env: | |
| COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} | |
| FULL_REFERENCE: ${{ env.FULL_REFERENCE }} | |
| run: | | |
| cosign sign -y \ | |
| --key env://COSIGN_PRIVATE_KEY \ | |
| "${FULL_REFERENCE}" | |
| - name: Verify Cosign Signature | |
| env: | |
| FULL_REFERENCE: ${{ env.FULL_REFERENCE }} | |
| run: | | |
| cosign verify \ | |
| --key ci/pub.keys/cosign.pub \ | |
| "${FULL_REFERENCE}" | |
| - name: Install Trivy | |
| run: | | |
| curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | \ | |
| sudo sh -s -- -b /usr/local/bin | |
| - name: Generate SBOM with Retry Logic | |
| id: generate-sbom | |
| run: | | |
| export TRIVY_DISABLE_VEX_NOTICE=true | |
| set +e | |
| max_retries=10 | |
| attempt=1 | |
| success=false | |
| while [ $attempt -le $max_retries ]; do | |
| echo "Generating SBOM, attempt $attempt..." | |
| output=$(trivy image --format spdx-json --output sbom.json usabilitydynamics/udx-worker:${{ steps.gitversion.outputs.semVer }} 2>&1) | |
| sbom_exit_code=$? | |
| if [ $sbom_exit_code -eq 0 ]; then | |
| echo "SBOM generation successful." | |
| success=true | |
| break | |
| else | |
| echo "Retrying in 120 seconds..." | |
| sleep 120 | |
| attempt=$((attempt+1)) | |
| fi | |
| done | |
| if [ "$success" = false ]; then | |
| exit 1 | |
| fi | |
| - name: Upload SBOM Artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: sbom | |
| path: sbom.json | |
| - name: Sign SBOM with Cosign | |
| env: | |
| COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} | |
| FULL_REFERENCE: ${{ env.FULL_REFERENCE }} | |
| run: | | |
| cosign attest -y \ | |
| --key env://COSIGN_PRIVATE_KEY \ | |
| --predicate sbom.json \ | |
| --type https://spdx.dev/spdx-specification-2-2-pdf \ | |
| "${FULL_REFERENCE}" | |
| - name: Log out from Docker Hub | |
| run: docker logout | |
| # github-release: | |
| # runs-on: ubuntu-latest | |
| # needs: docker-release | |
| # permissions: | |
| # contents: write | |
| # steps: | |
| # - name: Checkout code | |
| # uses: actions/checkout@v4 | |
| # with: | |
| # fetch-depth: 0 | |
| # - name: Configure git for pushing | |
| # run: | | |
| # git config --global user.email "[email protected]" | |
| # git config --global user.name "UDX Worker" | |
| # - name: Create GitHub Tag | |
| # env: | |
| # GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} | |
| # run: | | |
| # git tag ${{ needs.docker-release.outputs.semVer }} | |
| # git push origin ${{ needs.docker-release.outputs.semVer }} | |
| # - name: Download SBOM Artifact | |
| # uses: actions/download-artifact@v4 | |
| # with: | |
| # name: sbom | |
| # - name: Create GitHub release | |
| # uses: softprops/action-gh-release@v2 | |
| # with: | |
| # tag_name: ${{ needs.docker-release.outputs.semVer }} | |
| # body: | | |
| # Release version ${{ needs.docker-release.outputs.semVer }}. | |
| # [View on Docker Hub](https://hub.docker.com/r/usabilitydynamics/udx-worker/tags?page=1&ordering=last_updated). | |
| # ${{ needs.docker-release.outputs.changelog }} | |
| # draft: false | |
| # prerelease: false | |
| # files: sbom.json | |
| # env: | |
| # GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} |