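name: Publish

# Triggers: a `v*` tag push produces a full release (image, SBOM, provenance,
# keyless signature, release assets). A manual dispatch builds from the selected
# ref and derives the tag from pyproject.toml; the provenance-extraction and
# release-asset steps are gated on a tag ref and are skipped in that case.
on:
  push:
    tags: ["v*"]
  workflow_dispatch:

# Workflow-wide default is read-only; the job grants only what it needs.
permissions:
  contents: read # Default read-only for checkout

jobs:
  publish:
    name: Publish Alpine with SBOM & Provenance
    runs-on: ubuntu-latest
    permissions:
      contents: write # For uploading release assets
      id-token: write # For signing attestations (keyless Cosign via OIDC)
      # NOTE(review): only Docker Hub is pushed to below; confirm `packages: write`
      # is still needed or drop it to keep the job least-privilege.
      packages: write # For pushing to registries
      attestations: write # For attestations
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      # Determine image tag: use git tag ref if available, else read from pyproject.toml.
      # GITHUB_REF is read from the environment rather than interpolated with ${{ }}
      # into the script, so the ref value is never parsed as shell.
      - name: Determine version tag
        id: version
        run: |
          if [[ "$GITHUB_REF" == refs/tags/v* ]]; then
            echo "tag=${GITHUB_REF#refs/tags/}" >> "$GITHUB_OUTPUT"
          else
            # Match only the bare `version = "..."` line (not e.g. version_scheme),
            # take the first hit so the tag can never become multi-line, and ignore
            # anything after the closing quote (trailing comments).
            VERSION=$(grep -m1 -E '^version *= *"' pyproject.toml | sed 's/^version *= *"\([^"]*\)".*/\1/')
            # Fail loudly instead of pushing an image tagged plain `v`.
            if [[ -z "$VERSION" ]]; then
              echo "::error::Could not read version from pyproject.toml"
              exit 1
            fi
            # NOTE(review): on workflow_dispatch this tag can collide with an already
            # published release image of the same version — confirm that is intended.
            echo "tag=v${VERSION}" >> "$GITHUB_OUTPUT"
          fi

      # Run Dagger checks and tests first
      #- name: Run checks and tests
      #  uses: dagger/dagger-for-github@27b130bf0f79a7f6fbbbe0fbca6760dc9bb40a77 # v8.4.1
      #  with:
      #    verb: call
      #    args: checks
      #    cloud-token: ${{ secrets.DAGGER_CLOUD_TOKEN }}
      #    version: "latest"

      # Set up Docker Buildx (required for attestations)
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0

      # Login to Docker Hub
      - name: Login to Docker Hub
        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_SECRET }}

      # Build and push with native BuildKit attestations.
      # NOTE(review): the job/step names say "Alpine" but BASE_IMAGE is
      # python:3.13-slim (Debian-based) — confirm which is intended.
      - name: Build and push Alpine with attestations
        id: build
        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
        with:
          context: .
          file: .docker/ra-mcp.dockerfile
          push: true
          # Every run, including a manual dispatch from a branch, moves `latest`.
          tags: |
            riksarkivet/ra-mcp:${{ steps.version.outputs.tag }}
            riksarkivet/ra-mcp:latest
          build-args: |
            BASE_IMAGE=python:3.13-slim
          platforms: linux/amd64
          sbom: true # ✅ Generate SBOM attestation
          provenance: mode=max # ✅ Generate SLSA provenance (max detail)
          cache-from: type=gha
          cache-to: type=gha,mode=max

      # Extract real provenance attestation from published image using Dagger.
      # NOTE(review): the image is addressed by mutable tag here; if the Dagger
      # function accepts it, `riksarkivet/ra-mcp@${{ steps.build.outputs.digest }}`
      # would bind the extracted attestation to the exact image just pushed.
      # The Dagger CLI itself is `latest` (unpinned) although the action SHA is pinned.
      - name: Extract provenance from image
        if: startsWith(github.ref, 'refs/tags/v')
        uses: dagger/dagger-for-github@27b130bf0f79a7f6fbbbe0fbca6760dc9bb40a77 # v8.4.1
        with:
          verb: call
          args: "extract-provenance-attestation --image-ref riksarkivet/ra-mcp:${{ steps.version.outputs.tag }} export --path ./provenance.intoto.jsonl"
          cloud-token: ${{ secrets.DAGGER_CLOUD_TOKEN }}
          version: "latest"

      # Upload attestations as release assets (for OpenSSF Scorecard compliance)
      - name: Upload attestations as release assets
        if: startsWith(github.ref, 'refs/tags/v')
        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2
        with:
          files: |
            ./provenance.intoto.jsonl

      # Install Cosign for signing
      - name: Install Cosign
        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1

      # Sign the container images with keyless signing. The digest is passed via
      # env (not interpolated into the script) and the image is addressed by
      # digest, so the signature is bound to the exact bytes just pushed, not to
      # a tag that could later be re-pointed.
      - name: Sign container images
        env:
          DIGEST: ${{ steps.build.outputs.digest }}
        run: |
          # Refuse to proceed with an empty digest rather than signing a malformed ref.
          if [[ -z "$DIGEST" ]]; then
            echo "::error::Build step produced no digest; refusing to sign"
            exit 1
          fi
          echo "Signing riksarkivet/ra-mcp@${DIGEST}"
          cosign sign --yes "riksarkivet/ra-mcp@${DIGEST}"

      # Publish to PyPI
      #- name: Publish to PyPI
      #  uses: dagger/dagger-for-github@27b130bf0f79a7f6fbbbe0fbca6760dc9bb40a77 # v8.4.1
      #  with:
      #    verb: call
      #    args: "publish-pypi --pypi-token env:PYPI_TOKEN --source ."
      #    cloud-token: ${{ secrets.DAGGER_CLOUD_TOKEN }}
      #    version: "latest"
      #  env:
      #    PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}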