Update release.yml #14
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build & publish container to GitHub Container Registry | |
| on: | |
| push: | |
| tags: | |
| - 'v*' | |
| workflow_dispatch: | |
| inputs: | |
| caller: | |
| description: 'The invoker of the workflow' | |
| required: false | |
| default: '' | |
| env: | |
| GHCR_IMAGE_NAME: ghcr.io/bdwyertech/ecr-proxy | |
| # GHCR_IMAGE_NAME: ghcr.io/bdwyertech/${{ github.event.repository.name }} | |
| jobs: | |
| build-and-push-image: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| include: | |
| - prefix: '' | |
| # ansible: false | |
| # - prefix: 'ansible-' | |
| # ansible: true | |
| permissions: | |
| contents: write # needed to write releases | |
| id-token: write # needed for keyless signing | |
| packages: write # needed for ghcr access | |
| security-events: write # For Scan results | |
| steps: | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@v3.8.1 | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Log in to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Set Parameters | |
| id: params | |
| run: | | |
| echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT | |
| echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT | |
| - name: Extract metadata (tags, labels) for Docker | |
| id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: | | |
| ${{ env.GHCR_IMAGE_NAME }} | |
| labels: | | |
| org.opencontainers.image.title=${{ env.GHCR_IMAGE_NAME }} | |
| flavor: | | |
| latest=true | |
| prefix=${{ matrix.prefix }},onlatest=true | |
| tags: | | |
| type=ref,event=tag | |
| type=sha,enable=true,priority=100,prefix=${{ matrix.prefix }}${{ steps.params.outputs.date }}--,suffix=,format=short | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Build and push Docker image | |
| id: build | |
| uses: docker/build-push-action@v6 | |
| with: | |
| platforms: linux/amd64,linux/arm64 | |
| context: . | |
| push: true | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| provenance: true | |
| sbom: true | |
| - name: Setup Helm | |
| uses: ./.github/actions/helm | |
| with: | |
| version: 3.17.3 | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@0.34.2 | |
| with: | |
| image-ref: ${{ env.GHCR_IMAGE_NAME }}:${{ steps.params.outputs.date }}--${{ steps.params.outputs.sha_short }} | |
| format: 'sarif' | |
| output: 'trivy-results.sarif' | |
| severity: 'CRITICAL,HIGH' | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: 'trivy-results.sarif' | |
| category: 'container-security' | |
| - name: Publish Helm chart to GHCR | |
| id: chart | |
| run: | | |
| helm package charts/ecr-proxy --app-version ${GITHUB_REF#refs/tags/} --version ${GITHUB_REF#refs/tags/v} | |
| DIGEST=$(helm push ecr-proxy-*.tgz oci://ghcr.io/bdwyertech/charts 2>&1 | sed -n 's/^Digest: //p') | |
| echo "digest=$DIGEST" >> "$GITHUB_OUTPUT" | |
| rm ecr-proxy-*.tgz | |
| - name: Sign Images | |
| run: | | |
| cosign sign --yes \ | |
| --annotations="repo=${{ github.repository }}" \ | |
| --annotations="workflow=${{ github.workflow }}" \ | |
| --annotations="ref=${{ github.ref }}" \ | |
| $GHCR_IMAGE_NAME@${{ steps.build.outputs.digest }} | |
| cosign sign --yes \ | |
| --annotations="repo=${{ github.repository }}" \ | |
| --annotations="workflow=${{ github.workflow }}" \ | |
| --annotations="ref=${{ github.ref }}" \ | |
| ghcr.io/bdwyertech/charts/ecr-proxy:${GITHUB_REF#refs/tags/v}@${{ steps.chart.outputs.digest }} |