
chore(deps): update astral-sh/setup-uv action to v7.1.5 #641

chore(deps): update astral-sh/setup-uv action to v7.1.5


Workflow file for this run

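# Build workflow.
#
# The `build` job builds the container image once per runner architecture and,
# on pushes to `main`, pushes each image to GHCR by digest only (no tags),
# generates a CycloneDX SBOM for the per-arch manifest and attaches an SBOM
# attestation to it. The `manifest` job then combines the per-arch digests into
# one multi-arch manifest list, applies the tags computed by
# docker/metadata-action, and attaches a build-provenance attestation to the
# manifest list's digest.
#
# Every third-party action is pinned to a full commit SHA with the release tag
# noted in a trailing comment; keep that convention when bumping versions.
name: Build
on:  # yamllint disable-line rule:truthy
  pull_request:
    types:
      - edited
      - opened
      - ready_for_review
      - synchronize
  push:
    branches:
      - main
    # Only publish when something that can change the image (or this
    # workflow) changes.
    paths:
      - go.mod
      - go.sum
      - "**/*.go"
      - Dockerfile
      - .github/workflows/build.yml
  # No filter: run for every merge-queue check request.
  merge_group:
# Workflow-wide default token scope; jobs that need more declare it
# explicitly below.
permissions:
  contents: read
jobs:
  build:
    permissions:
      attestations: write
      contents: read
      # `id-token` is needed for Sigstore signing of the attestations;
      # `packages` for pushing to GHCR.
      id-token: write
      packages: write
    strategy:
      matrix:
        runner:
          - ubuntu-24.04
          - ubuntu-24.04-arm
    name: Build and push Docker image for ${{ matrix.runner }}
    runs-on: ${{ matrix.runner }}
    outputs:
      digest: ${{ steps.build.outputs.digest }}
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2  # v2.13.3
        with:
          # `audit` records outbound calls for review; it does not block any.
          egress-policy: audit
      - name: Calculate build variables
        id: calculate-build-variables
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd  # v8.0.0
        with:
          script: |
            // Sanitise the ref name to be a valid Docker tag and SemVer
            // pre-release identifier.
            const sanitisedRef = context.ref
              // Remove full ref prefixes. `refs/heads/foo/bar` becomes `foo/bar`.
              .replace(/^refs\/(?:heads|tags|pull)\//, '')
              // Lowercase for consistency.
              .toLowerCase()
              // SemVer pre-release identifiers must start with a letter or number.
              .replace(/[^a-z0-9.-]/g, '-')
              // In SemVer pre-release identifiers, only single hyphens are allowed.
              .replace(/-+/g, '-')
              // Leading and trailing hyphens are not allowed
              .replace(/^-|-$/g, '');
            // TODO: Once https://github.com/actions/github-script/issues/566 is
            // fixed and released, replace `process.env.GITHUB_RUN_ATTEMPT` with
            // `context.runAttempt`.
            const version = `0.0.0-${sanitisedRef}.${context.runNumber}.${process.env.GITHUB_RUN_ATTEMPT}.${context.sha}`;
            console.log(`Generated version: ${version}`);
            core.setOutput('version', version);
            core.setOutput('commit', context.sha);
            core.setOutput('branch', context.ref_type === 'branch' ? context.ref_name : 'unknown');
            return version;
      - name: Checkout
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # v6.0.1
        with:
          # Do not leave the job token in the checkout's git config; nothing
          # later in this job needs authenticated git access.
          persist-credentials: false
      - name: Login to GHCR
        # Only pushes publish, so only pushes need registry credentials.
        if: github.event_name == 'push'
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef  # v3.6.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ github.token }}
      - name: Set Docker Buildx up
        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435  # v3.11.1
      # No tags: the per-arch image is pushed by digest only. Tags are applied
      # to the multi-arch manifest list by the `manifest` job.
      - name: Build and push Docker image
        id: build
        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83  # v6.18.0
        with:
          build-args: |
            VERSION=${{ steps.calculate-build-variables.outputs.version }}
            COMMIT=${{ steps.calculate-build-variables.outputs.commit }}
            BRANCH=${{ steps.calculate-build-variables.outputs.branch }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          outputs: type=image,"name=ghcr.io/grafana/flux-commit-tracker",push-by-digest=true,name-canonical=true
          provenance: true
          push: ${{ github.event_name == 'push' }}
          # The SBOM is generated and attested separately by the
          # `Generate SBOM` / `Generate SBOM attestation` steps below.
          sbom: false
      - name: Export digests
        if: github.event_name == 'push'
        id: export-digests
        env:
          DIGEST: ${{ steps.build.outputs.digest }}
          RUNNER_TEMP: ${{ runner.temp }}
        run: |
          # The digest of the _index_ - this is what we ultimately push, and
          # what we need to refer to in the multi-arch manifest.
          mkdir -pv "${RUNNER_TEMP}"/artifact/digests
          touch "${RUNNER_TEMP}/artifact/digests/${DIGEST#sha256:}"
          # The digest of the _manifest_ referred to by the index. When `docker
          # buildx imagetools create` processes its inputs, it combines these
          # manifest references into a new index. So we should attest this
          # digest, then clients can find it given the multiarch index, by
          # dereferencing to the per-arch manifests and looking at the
          # referrers on them.
          #
          # The `== null` check on `vnd.docker.reference.type` skips manifests
          # that carry a reference annotation (the attached attestation
          # manifests), leaving the image manifest itself.
          docker buildx imagetools inspect "ghcr.io/grafana/flux-commit-tracker@${DIGEST}" --raw | \
            jq \
              --raw-output \
              '.manifests[] |
                select (
                  .mediaType == "application/vnd.oci.image.manifest.v1+json" and .annotations["vnd.docker.reference.type"] == null
                ) |
                .digest' | \
            ( echo -n 'digest=' && cat ) | \
            tee -a "${GITHUB_OUTPUT}"
      - name: Generate SBOM
        if: github.event_name == 'push'
        uses: anchore/sbom-action@fbfd9c6c189226748411491745178e0c2017392d  # v0.20.10
        with:
          format: cyclonedx-json
          image: ghcr.io/grafana/flux-commit-tracker@${{ steps.export-digests.outputs.digest }}
          output-file: ${{ runner.temp }}/sbom-${{ matrix.runner }}.json
      - name: Generate SBOM attestation
        if: github.event_name == 'push'
        uses: actions/attest-sbom@4651f806c01d8637787e274ac3bdf724ef169f34  # v3.0.0
        with:
          push-to-registry: true
          # Attest the per-arch image manifest, not the index (see the
          # comment in `Export digests`).
          subject-digest: ${{ steps.export-digests.outputs.digest }}
          subject-name: ghcr.io/grafana/flux-commit-tracker
          sbom-path: ${{ runner.temp }}/sbom-${{ matrix.runner }}.json
      - name: Upload artifact
        if: github.event_name == 'push'
        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4  # v5.0.0
        with:
          name: artifacts-${{ matrix.runner }}
          # Contains `digests/<sha256 hex>` files, one per arch, consumed by
          # the `manifest` job.
          path: ${{ runner.temp }}/artifact/
          if-no-files-found: error
          retention-days: 1
  manifest:
    if: github.event_name == 'push'
    needs:
      - build
    permissions:
      attestations: write
      id-token: write
      packages: write
    name: Generate multi-arch manifest list and build provenance attestation
    runs-on: ubuntu-24.04
    outputs:
      digest: ${{ steps.inspect.outputs.digest }}
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2  # v2.13.3
        with:
          # `audit` records outbound calls for review; it does not block any.
          egress-policy: audit
      - name: Download artifacts
        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53  # v6.0.0
        with:
          # Merge every `artifacts-<runner>` upload into one `digests/` dir.
          merge-multiple: true
          path: ${{ runner.temp }}/artifacts
          pattern: artifacts-*
      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051  # v5.10.0
        with:
          images: ghcr.io/grafana/flux-commit-tracker
          sep-tags: " "
          tags: |
            # tag with branch name for `main`
            type=ref,event=branch,enable={{is_default_branch}}
            # tag with semver, and `latest`
            type=ref,event=tag
            # for testing
            type=ref,event=branch
      - name: Login to GHCR
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef  # v3.6.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ github.token }}
      - name: Create manifest list and push
        working-directory: ${{ runner.temp }}/artifacts/digests
        # `DOCKER_METADATA_OUTPUT_JSON` is exported to the environment by the
        # metadata-action step above; each file name in the working directory
        # is one per-arch digest (hex, without the `sha256:` prefix).
        run: |
          # We want word splitting here to give separate args to `docker buildx imagetools create`.
          # shellcheck disable=SC2046
          docker buildx imagetools create $(jq --compact-output --raw-output '.tags | map("-t " + .) | join(" ")' <<< "${DOCKER_METADATA_OUTPUT_JSON}") \
            $(printf 'ghcr.io/grafana/flux-commit-tracker@sha256:%s ' *)
      - name: Inspect image
        id: inspect
        env:
          VERSION: ${{ steps.meta.outputs.version }}
        run: |
          docker buildx imagetools inspect "ghcr.io/grafana/flux-commit-tracker:${VERSION}"
          # Output image digest as github output. `xargs` strips the JSON
          # quotes around the digest string.
          docker buildx imagetools inspect "ghcr.io/grafana/flux-commit-tracker:${VERSION}" --format "{{json .Manifest.Digest}}" | \
            xargs | \
            ( echo -n 'digest=' && cat ) | \
            tee -a "${GITHUB_OUTPUT}"
      - name: Generate build provenance attestation
        uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a  # v3.0.0
        with:
          push-to-registry: true
          subject-name: ghcr.io/grafana/flux-commit-tracker
          # The manifest list's digest, i.e. what clients pull by tag.
          subject-digest: ${{ steps.inspect.outputs.digest }}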