feat: added gh action to release oci artifact

.github/workflows/ci.yml

@@ -0,0 +1,67 @@
+name: compage-template-go-ci
+on:
+  push:
+    branches:
+      - main
+jobs:
+  build-and-push:
+    permissions:
+      id-token: write  # Required for keyless signing
+      contents: read
+    runs-on: ubuntu-latest
+    env:
+      REGISTRY: ghcr.io
+      GH_URL: https://github.com
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v4
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GH_TOKEN }}
+      - name: Create JSON file
+        run: |
+          cat <<EOF > /tmp/annotations.json
+          {
+          "\$manifest": {
+               "org.opencontainers.image.authors": "${{ github.actor }}",
+               "org.opencontainers.image.url": "${{ env.REGISTRY }}/${{ github.repository }}",
+               "org.opencontainers.image.source": "https://github.com/intelops/compage-template-go",
+               "org.opencontainers.image.version": "${{ github.run_id }}",
+               "org.opencontainers.image.vendor": "Intelops Inc.",
+               "org.opencontainers.image.licenses": "Apache License Version 2.0",
+               "org.opencontainers.image.title": "compage-template-go",
+               "org.opencontainers.image.description": "The compage-template-go template has templates for Go"
+            }
+          }
+          EOF
+      - uses: oras-project/setup-oras@v1
+        with:
+          version: 1.1.0
+      - run: |
+          oras push --annotation-file /tmp/annotations.json ${{ env.REGISTRY }}/${{ github.repository }}:${{ github.run_id }} ./:application/vnd.compage.template.go.layer.v1+tar
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3.3.0
+      - name: Check install!
+        run: cosign version
+      - name: Sign the images
+        run: |
+          cosign sign -y ${{ env.REGISTRY }}/${{ github.repository }}:${{ github.run_id }}
+        env:
+          COSIGN_EXPERIMENTAL: 1
+      - name: Verify the pushed tags
+        run: |
+          cosign verify ${{ env.REGISTRY }}/${{ github.repository }}:${{ github.run_id }} --certificate-identity ${{ env.GH_URL }}/${{ github.repository }}/.github/workflows/ci.yml@refs/heads/main --certificate-oidc-issuer https://token.actions.githubusercontent.com
+        env:
+          COSIGN_EXPERIMENTAL: 1
+      - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          format: 'github'
+          output: 'dependency-results.sbom.json'
+          image-ref: '.'
+          github-pat: ${{ secrets.GH_TOKEN }}

.github/workflows/release.yml

@@ -0,0 +1,81 @@
+name: compage-template-go-release
+on:
+  push:
+    tags:
+      - "v*.*.*"
+permissions:
+  contents: write # needed to write releases
+  id-token: write # needed for keyless signing
+  packages: write # needed for ghcr access
+
+jobs:
+  push_to_registry:
+    name: Build and push oci image to github container registry.
+    runs-on: ubuntu-20.04
+    permissions:
+      packages: write
+      id-token: write
+      contents: read
+      actions: read
+      security-events: write
+    env:
+      REGISTRY: ghcr.io
+      GH_URL: https://github.com
+    steps:
+      - name: Set environment variable
+        run: |
+          echo "RELEASE_VERSION=${GITHUB_REF:10}" >> $GITHUB_ENV
+      - name: Test environment variable
+        run: echo ${{ env.RELEASE_VERSION }}
+      - name: Check out the repo
+        uses: actions/checkout@v4
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GH_TOKEN }}
+      - name: Create JSON file
+        run: |
+          cat <<EOF > /tmp/annotations.json
+          {
+          "\$manifest": {
+               "org.opencontainers.image.authors": "${{ github.actor }}",
+               "org.opencontainers.image.url": "${{ env.REGISTRY }}/${{ github.repository }}",
+               "org.opencontainers.image.source": "https://github.com/intelops/compage-template-go",
+               "org.opencontainers.image.version": "${{ github.run_id }}",
+               "org.opencontainers.image.vendor": "Intelops Inc.",
+               "org.opencontainers.image.licenses": "Apache License Version 2.0",
+               "org.opencontainers.image.title": "compage-template-go",
+               "org.opencontainers.image.description": "The compage-template-go template has templates for Go"
+            }
+          }
+          EOF
+      - uses: oras-project/setup-oras@v1
+        with:
+          version: 1.1.0
+      - run: |
+          oras push --annotation-file /tmp/annotations.json ${{ env.REGISTRY }}/${{ github.repository }}:${{ env.RELEASE_VERSION }} ./:application/vnd.compage.template.go.layer.v1+tar
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3.3.0
+      - name: Check install!
+        run: cosign version
+      - name: Sign the images
+        run: |
+          cosign sign -y ${{ env.REGISTRY }}/${{ github.repository }}:${{ env.RELEASE_VERSION }}
+        env:
+          COSIGN_EXPERIMENTAL: 1
+      - name: Verify the pushed tags
+        run: |
+          cosign verify ${{ env.REGISTRY }}/${{ github.repository }}:${{ env.RELEASE_VERSION }} --certificate-identity ${{ env.GH_URL }}/${{ github.repository }}/.github/workflows/release.yml@refs/tags/${{ env.RELEASE_VERSION }}  --certificate-oidc-issuer https://token.actions.githubusercontent.com
+        env:
+          COSIGN_EXPERIMENTAL: 1
+      - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          format: 'github'
+          output: 'dependency-results.sbom.json'
+          image-ref: '.'
+          github-pat: ${{ secrets.GH_TOKEN }}

.github/workflows/ci.yml.tmpl → code/.github/workflows/ci.yml.tmpl

@@ -33,6 +33,7 @@ jobs:
       - name: Build
         run: |
           cd [[.NodeName]]
+          go get ./...
           go mod tidy
           go build -v ./...
           cd ..

Dockerfile.tmpl → code/Dockerfile.tmpl

@@ -10,7 +10,7 @@ WORKDIR /app
 COPY . .
 
 # Build application
-RUN go mod tidy && go build -ldflags '-s -w' -o main .
+RUN go get ./... && go mod tidy && go build -ldflags '-s -w' -o main .
 
 # Container start command for development
 CMD ["go", "run", "main.go"]