Skip to content

Update cosign configuration (#216) #45

Update cosign configuration (#216)

Update cosign configuration (#216) #45

Workflow file for this run

name: Maven Release
# Deploy the webrepl when a new tag is pushed
on:
push:
tags: [ 'webrepl-*' ]
jobs:
release:
name: Maven PR Builder (JDK ${{ matrix.java }})
runs-on: ubuntu-latest
env:
ARTIFACT_NAME: "jsh4jpv3"
strategy:
matrix:
java: [ "21" ]
maven: [ "3.8.2" ]
jdk: [ "temurin" ]
cosign: [ "v2.4.1" ]
steps:
- name: Check out source code
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3.0.2
- name: Set up QEMU
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
with:
platforms: all
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
- name: Login to Docker repository
uses: docker/login-action@49ed152c8eca782a232dede0303416e8f356c37b # v2.0.0
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Install JDK ${{ matrix.java }}
uses: actions/setup-java@860f60056505705214d223b91ed7a30f173f6142 # v3.3.0
with:
cache: maven
distribution: ${{ matrix.jdk }}
java-version: ${{ matrix.java }}
- name: Set release version
shell: bash
run: |
GITHUB_REF="${{ github.ref }}" &&
TAG_NAME="${GITHUB_REF#refs/tags/}" &&
echo "RELEASE_VERSION=${TAG_NAME#webrepl-}" >> $GITHUB_ENV
- name: Set up Maven if needed
if: ${{ env.ACT }}
uses: stCarolas/setup-maven@07fbbe97d97ef44336b7382563d66743297e442f # v4.5
with:
maven-version: ${{ matrix.maven }}
- name: Build with Maven
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
MAVEN_GPG_PASSPHRASE: ${{ secrets.BUILD_PASSPHRASE }}
MAVEN_GPG_KEY: ${{ secrets.BUILD_KEY }}
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
DOCKER_ACCOUNT: ${{ secrets.DOCKER_ACCOUNT }}
DOCKER_BUILDKIT: 1
run: |
mvn -B -ntp deploy -Prelease -Drevision="${{ env.RELEASE_VERSION }}" -DskipNexusStagingDeployMojo="true"
- name: Install Syft
run: |
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
- name: Generate SBOM
run: |
syft ${{ secrets.DOCKER_ACCOUNT }}/${{ env.ARTIFACT_NAME }}:${{ env.RELEASE_VERSION }} -o json > sbom.json
- name: Install Cosign
env:
COSIGN_URL: "https://github.com/sigstore/cosign/releases/download"
run: |
curl -sSfL ${{ env.COSIGN_URL }}/${{ matrix.cosign }}/cosign-linux-amd64 -o /usr/local/bin/cosign
chmod +x /usr/local/bin/cosign
- name: Write Cosign Private Key to File
run: |
echo "${{ secrets.COSIGN_PRIVATE_KEY }}" > $RUNNER_TEMP/cosign.key
chmod 600 $RUNNER_TEMP/cosign.key
- name: Sign Docker image with Cosign
env:
COSIGN_EXPERIMENTAL: "true"
run: |
cosign sign --key $RUNNER_TEMP/cosign.key \
${{ secrets.DOCKER_ACCOUNT }}/${{ env.ARTIFACT_NAME }}:${{ env.RELEASE_VERSION }}
- name: Attest Docker image with Cosign
env:
COSIGN_EXPERIMENTAL: "true"
run: |
cosign attest --predicate sbom.json --type spdx \
${{ secrets.DOCKER_ACCOUNT }}/${{ env.ARTIFACT_NAME }}:${{ env.RELEASE_VERSION }}