Skip to content

Bump sigstore/cosign-installer from 3.4.0 to 3.6.0 (#488) #38

Bump sigstore/cosign-installer from 3.4.0 to 3.6.0 (#488)

Bump sigstore/cosign-installer from 3.4.0 to 3.6.0 (#488) #38

Workflow file for this run

name: Release
on:
push:
branches:
- main
# Publish `v1.2.3` tags as releases.
tags:
- v*
permissions: read-all
env:
IMAGE_NAME: packagefeeds
jobs:
# Push image to GitHub Packages.
push:
name: Push
runs-on: ubuntu-latest
permissions:
packages: write
id-token: write
contents: read
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3
- name: Install Cosign
uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
with:
cosign-release: 'v2.2.2'
- name: Log into registry
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set container metadata
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5
id: docker-metadata
with:
images: ghcr.io/${{ github.repository }}/${{ env.IMAGE_NAME }}
labels: |
org.opencontainers.image.source=${{ github.repositoryUrl }}
org.opencontainers.image.description="This is a container for the Package Feeds process"
org.opencontainers.image.title="Package Feeds"
org.opencontainers.image.vendor="OpenSSF"
org.opencontainers.image.version=${{ github.sha }}
flavor: |
latest=auto
# Using the {{version}} placeholder to automatically detect the version from the git tag
# without the prefix "v".
# We'll also generate tags for commit sha, main branch changes and semver tags.
tags: |
type=sha
type=ref,event=tag
type=ref,event=branch
type=semver,pattern={{version}}
type=raw,value=latest,enable={{is_default_branch}}
- name: Build image
id: image-build
uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v5
with:
context: .
platforms: linux/amd64,linux/arm64
push: true
file: ./Dockerfile
tags: ${{ steps.docker-metadata.outputs.tags }}
labels: ${{ steps.docker-metadata.outputs.labels }}
provenance: true
sbom: true
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Sign the image
run: |
cosign sign --yes ghcr.io/${{ github.repository }}/${{ env.IMAGE_NAME }}@${{ steps.image-build.outputs.digest }}