This repository has been archived by the owner on Nov 13, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 0
148 lines (124 loc) · 4.7 KB
/
release.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
name: Release Operator
on:
push:
branches:
- main
env:
# Use docker.io for Docker Hub if empty
REGISTRY: ghcr.io
# github.repository as <account>/<repo>
IMAGE_NAME: ${{ github.repository }}
jobs:
build:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
# This is used to complete the identity challenge
# with sigstore/fulcio when running outside of PRs.
id-token: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Get app version from chart
uses: mikefarah/yq@v4.35.1
id: app_version
with:
cmd: yq '.appVersion' charts/bitwarden-secret-operator/Chart.yaml
- id: repository
run: echo IMAGE_NAME=$(echo ${{ env.IMAGE_NAME }} | tr '[:upper:]' '[:lower:]') >> $GITHUB_ENV
- name: Log into registry ${{ env.REGISTRY }}
if: github.event_name != 'pull_request'
uses: docker/login-action@v3.0.0
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
# Check if app version was already built (and if so, skip further steps).
- name: Check for existing image
if: github.event_name != 'pull_request'
id: image_exists
continue-on-error: true
run: docker pull ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.app_version.outputs.result }}
- name: Setup Docker buildx
if: ${{ steps.image_exists.outcome != 'success' }}
uses: docker/setup-buildx-action@v2.10.0
- name: Extract Docker metadata
id: meta
if: ${{ steps.image_exists.outcome != 'success' }}
uses: docker/metadata-action@v5.4.0
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
- name: Build and push Docker image
if: ${{ steps.image_exists.outcome != 'success' }}
id: build-and-push
uses: docker/build-push-action@v5.0.0
with:
context: .
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.app_version.outputs.result }},${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Install cosign
if: ${{ steps.image_exists.outcome != 'success' && github.event_name != 'pull_request' }}
uses: sigstore/cosign-installer@v3.1.2
- name: Sign the published Docker image
if: ${{ steps.image_exists.outcome != 'success' && github.event_name != 'pull_request' }}
env:
COSIGN_EXPERIMENTAL: "true"
run: echo "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.app_version.outputs.result }}" | xargs -I {} cosign sign -y {}@${{ steps.build-and-push.outputs.digest }}
release:
needs: build
permissions:
contents: write
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Configure Git
run: |
git config user.name "$GITHUB_ACTOR"
git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
- id: repository
run: echo IMAGE_NAME=$(echo ${{ env.IMAGE_NAME }} | tr '[:upper:]' '[:lower:]') >> $GITHUB_ENV
- name: Install Helm
uses: azure/setup-helm@v3
with:
version: v3.10.0
- name: Run chart-releaser
uses: helm/chart-releaser-action@v1.5.0
with:
charts_dir: charts
env:
CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
- name: Get app version from chart
uses: mikefarah/yq@v4.35.1
id: app_version
with:
cmd: yq '.appVersion' charts/bitwarden-secret-operator/Chart.yaml
- name: Create SBOM
uses: anchore/sbom-action@v0
with:
image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.app_version.outputs.result }}
- name: Publish SBOM
uses: anchore/sbom-action/publish-sbom@v0
with:
sbom-artifact-match: ".*\\.spdx\\.json"
- name: Get Latest Tag
id: previoustag
uses: WyriHaximus/github-action-get-previous-tag@v1
- name: Download SBOM from github action
uses: actions/download-artifact@v3
with:
name: ${{ env.ANCHORE_SBOM_ACTION_PRIOR_ARTIFACT }}
- name: Add SBOM to release
uses: svenstaro/upload-release-action@v2
with:
repo_token: ${{ secrets.GITHUB_TOKEN }}
file_glob: true
file: olympusgg-bitwarden-secret-operator_*.spdx.json
tag: ${{ steps.previoustag.outputs.tag }}
overwrite: true