chore(deps): update debian:trixie-slim docker digest to f6e2cfa #211
| name: Continuous Delivery | |
| on: | |
| push: | |
| workflow_dispatch: | |
| defaults: | |
| run: | |
| shell: 'bash -Eeuo pipefail -x {0}' | |
| permissions: {} | |
| jobs: | |
| testbuild: | |
| name: Build and publish | |
| runs-on: ubuntu-24.04 | |
| permissions: | |
| contents: read | |
| packages: write | |
| # Required by the cosign step | |
| id-token: write | |
| outputs: | |
| metadata: ${{ steps.build.outputs.metadata }} | |
| images: ${{ steps.images.outputs.images }} | |
| steps: | |
| - name: Checkout Code | |
| uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 | |
| - name: Log in to the GitHub Container registry | |
| uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3 | |
| with: | |
| platforms: 'arm64' | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3 | |
| - name: Build and push | |
| uses: docker/bake-action@5be5f02ff8819ecd3092ea6b2e6261c31774f2b4 # v6 | |
| id: build | |
| env: | |
| environment: testing | |
| registry: ghcr.io/${{ github.repository_owner }} | |
| revision: ${{ github.sha }} | |
| with: | |
| push: true | |
| # Get a list of the images that were built and pushed. We only care about a single tag for each image. | |
| - name: Generated images | |
| id: images | |
| run: | | |
| echo "images=$(echo '${{ steps.build.outputs.metadata }}' | jq -c '[ .[]."image.name" | sub(",.*";"") ]')" >> "$GITHUB_OUTPUT" | |
| # Even if we're testing we sign the images, so we can push them to production later if that's required | |
| - name: Install cosign | |
| uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3 | |
| # See https://github.blog/security/supply-chain-security/safeguard-container-signing-capability-actions/ | |
| # and https://github.com/actions/starter-workflows/blob/main/ci/docker-publish.yml for more details on | |
| # how to use cosign. | |
| - name: Sign images | |
| run: | | |
| echo '${{ steps.build.outputs.metadata }}' | \ | |
| jq '.[] | (."image.name" | sub(",.*";"" )) + "@" + ."containerimage.digest"' | \ | |
| xargs cosign sign --yes | |
| security: | |
| name: Security checks | |
| runs-on: ubuntu-24.04 | |
| permissions: | |
| contents: read | |
| packages: read | |
| security-events: write | |
| needs: | |
| - testbuild | |
| strategy: | |
| matrix: | |
| image: ${{fromJson(needs.testbuild.outputs.images)}} | |
| steps: | |
| - name: Checkout Code | |
| uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 | |
| - name: Security checks | |
| uses: cloudnative-pg/postgres-containers/.github/actions/security-scans@main | |
| with: | |
| image: "${{ matrix.image }}" | |
| registry_user: ${{ github.actor }} | |
| registry_token: ${{ secrets.GITHUB_TOKEN }} | |
| snyk_token: ${{ secrets.SNYK_TOKEN }} | |
| dockerfile: "./Dockerfile" | |
| copytoproduction: | |
| name: Copy images to production | |
| if: | | |
| github.ref == 'refs/heads/main' || github.event_name == 'schedule' | |
| runs-on: ubuntu-24.04 | |
| needs: | |
| - testbuild | |
| - security | |
| permissions: | |
| contents: read | |
| packages: write | |
| # Required by the cosign step | |
| id-token: write | |
| steps: | |
| - name: Copy to production | |
| uses: cloudnative-pg/postgres-containers/.github/actions/copy-images@main | |
| with: | |
| bake_build_metadata: "${{ needs.testbuild.outputs.metadata }}" | |
| registry_user: ${{ github.actor }} | |
| registry_token: ${{ secrets.GITHUB_TOKEN }} |
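Review bot: The `run:` scripts at lines 52 and 61 interpolate `${{ steps.build.outputs.metadata }}` straight into the shell text, so the JSON is spliced into the script before bash parses it and a single quote anywhere in the metadata would terminate the `'...'` quoting and be executed as shell. Passing the output through the step's `env:` as `BUILD_METADATA: ${{ steps.build.outputs.metadata }}` and then using `echo "$BUILD_METADATA" | jq ...` keeps it as data rather than script text, which is the documented pattern for expressions inside `run:`. The exposure here is presumably limited because the metadata comes from the repository's own bake definition, but the env-var form is also cleaner in the `-x` trace enabled by the `shell:` default on line 10. Separately, the two `cloudnative-pg/postgres-containers/.github/actions/...@main` references at lines 80 and 102 are the only `uses:` entries not pinned to a commit SHA in this workflow; pinning them the same way would make the supply-chain posture consistent.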