|
8 | 8 | types: ['published'] |
9 | 9 |
|
10 | 10 | jobs: |
| 11 | + validate: |
| 12 | + permissions: |
| 13 | + contents: read |
| 14 | + uses: ./.github/workflows/ci.yaml |
| 15 | + |
| 16 | + e2e: |
| 17 | + permissions: |
| 18 | + contents: read |
| 19 | + uses: ./.github/workflows/e2e.yaml |
| 20 | + |
11 | 21 | publish-container-image: |
| 22 | + needs: [validate, e2e] |
12 | 23 | permissions: |
13 | 24 | id-token: write |
14 | 25 | contents: read |
15 | 26 | packages: write |
16 | 27 | attestations: write |
17 | | - uses: datum-cloud/actions/.github/workflows/publish-docker.yaml@v1.16.0 |
| 28 | + uses: datum-cloud/actions/.github/workflows/publish-docker.yaml@605da9a9cc20ab7266d1635ec4ba9cd4f223f68c # v1.16.0 |
18 | 29 | with: |
19 | 30 | image-name: backstage |
20 | 31 | context: . |
21 | 32 | dockerfile-path: packages/backend/Dockerfile |
22 | 33 | platforms: linux/amd64 |
23 | 34 | secrets: inherit |
24 | 35 |
|
| 36 | + sign-and-attest: |
| 37 | + needs: publish-container-image |
| 38 | + runs-on: ubuntu-latest |
| 39 | + permissions: |
| 40 | + id-token: write |
| 41 | + contents: read |
| 42 | + packages: write |
| 43 | + attestations: write |
| 44 | + env: |
| 45 | + IMAGE: ghcr.io/datum-cloud/backstage |
| 46 | + TAG: ${{ needs.publish-container-image.outputs.tag }} |
| 47 | + steps: |
| 48 | + - name: Log in to GitHub Container Registry |
| 49 | + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 |
| 50 | + with: |
| 51 | + registry: ghcr.io |
| 52 | + username: ${{ github.actor }} |
| 53 | + password: ${{ secrets.GITHUB_TOKEN }} |
| 54 | + |
| 55 | + - name: Install Cosign |
| 56 | + uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2 |
| 57 | + |
| 58 | + - name: Resolve image digest |
| 59 | + id: digest |
| 60 | + run: | |
| 61 | + digest=$(docker buildx imagetools inspect "${IMAGE}:${TAG}" --format '{{json .Manifest.Digest}}' | tr -d '"') |
| 62 | + echo "digest=${digest}" >> "$GITHUB_OUTPUT" |
| 63 | +
|
| 64 | + - name: Sign image (keyless) |
| 65 | + run: cosign sign --yes "${IMAGE}@${{ steps.digest.outputs.digest }}" |
| 66 | + |
| 67 | + - name: Generate SBOM |
| 68 | + uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0 |
| 69 | + with: |
| 70 | + image: ${{ env.IMAGE }}@${{ steps.digest.outputs.digest }} |
| 71 | + format: spdx-json |
| 72 | + output-file: sbom.spdx.json |
| 73 | + |
| 74 | + - name: Attest build provenance |
| 75 | + uses: actions/attest-build-provenance@0f67c3f4856b2e3261c31976d6725780e5e4c373 # v4.1.1 |
| 76 | + with: |
| 77 | + subject-name: ${{ env.IMAGE }} |
| 78 | + subject-digest: ${{ steps.digest.outputs.digest }} |
| 79 | + push-to-registry: true |
| 80 | + |
| 81 | + - name: Attest SBOM |
| 82 | + uses: actions/attest-sbom@c604332985a26aa8cf1bdc465b92731239ec6b9e # v4.1.0 |
| 83 | + with: |
| 84 | + subject-name: ${{ env.IMAGE }} |
| 85 | + subject-digest: ${{ steps.digest.outputs.digest }} |
| 86 | + sbom-path: sbom.spdx.json |
| 87 | + push-to-registry: true |
| 88 | + |
25 | 89 | publish-kustomize-bundle: |
26 | 90 | needs: publish-container-image |
27 | 91 | permissions: |
28 | 92 | id-token: write |
29 | 93 | contents: read |
30 | 94 | packages: write |
31 | | - uses: datum-cloud/actions/.github/workflows/publish-kustomize-bundle.yaml@v1.16.0 |
| 95 | + uses: datum-cloud/actions/.github/workflows/publish-kustomize-bundle.yaml@605da9a9cc20ab7266d1635ec4ba9cd4f223f68c # v1.16.0 |
32 | 96 | with: |
33 | 97 | bundle-name: ghcr.io/datum-cloud/backstage-kustomize |
34 | 98 | bundle-path: config |
|
0 commit comments