apstrahub-container-snowdemopack/.github/workflows/release.yml at c19ac06f360df88e4fee89381526a7b6dc2913d0 · Juniper/apstrahub-container-snowdemopack · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
#  Copyright (c) Juniper Networks, Inc., 2025-2026.
#  All rights reserved.
#  SPDX-License-Identifier: MIT

name: Release

on:
  push:
    tags:
      - 'v*'

env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}

jobs:
  build-sign-release:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      packages: write

    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Install Cosign
        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0

      - name: Login to GitHub Container Registry
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1

      - name: Extract metadata for Docker
        id: meta
        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          tags: |
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=ref,event=tag
          labels: |
            org.opencontainers.image.description=ServiceNow integration for Apstra anomaly ticket creation
            org.opencontainers.image.title=ApstraHub Container - Snow Demo Pack

      - name: Build and Push Container
        id: build
        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          platforms: linux/amd64,linux/arm64

      - name: Sign Container with Cosign (Key-Pair)
        env:
          DIGEST: ${{ steps.build.outputs.digest }}
          # Lowercase the image name for OCI compliance
          IMAGE_REF: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          # COSIGN_PASSWORD defaults to empty if not set
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
        run: |
          if [ -z "${{ secrets.COSIGN_PRIVATE_KEY }}" ]; then
            echo "ERROR: COSIGN_PRIVATE_KEY secret is not set"
            echo "Please add the private key as a repository secret"
            exit 1
          fi
          IMAGE_LOWER=$(echo "${IMAGE_REF}" | tr '[:upper:]' '[:lower:]')
          IMAGE="${IMAGE_LOWER}@${DIGEST}"
          echo "Signing image: $IMAGE"
          echo "${{ secrets.COSIGN_PRIVATE_KEY }}" > cosign.key
          cosign sign --key cosign.key --yes "$IMAGE"
          rm -f cosign.key

      - name: Create container-url.txt
        env:
          DIGEST: ${{ steps.build.outputs.digest }}
          IMAGE_REF: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
        run: |
          # Lowercase and include digest for immutable reference
          IMAGE_LOWER=$(echo "${IMAGE_REF}" | tr '[:upper:]' '[:lower:]')
          echo "${IMAGE_LOWER}@${DIGEST}" > container-url.txt
          echo "Container URL: $(cat container-url.txt)"

      - name: Create GitHub Release
        uses: softprops/action-gh-release@c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda # v2.2.1
        with:
          files: |
            container-url.txt
            README.md
          generate_release_notes: true