build(deps): bump rfc3161-client from 1.0.5 to 1.0.6 in /jobs/async-u… #1906
# Workflow header: trigger, shared environment and the default token scope.
name: Container image build and tag

# Runs on pushes to main and on v* tags; the listed paths are ignored.
on:
  push:
    branches:
      - 'main'
    tags:
      - 'v*'
    paths-ignore:
      - 'LICENSE*'
      - '**.gitignore'
      - '**.md'
      - '**.txt'
      - '.github/ISSUE_TEMPLATE/**'
      - '.github/dependabot.yml'
      - 'docs/**'

env:
  # Image coordinates: <IMG_REGISTRY>/<IMG_ORG>/<IMG_REPO>
  IMG_REGISTRY: ghcr.io
  IMG_ORG: kubeflow
  IMG_REPO: model-registry/server
  PUSH_IMAGE: true
  # Registry credentials read by the login step.
  # NOTE(review): declared at workflow level, so the token is exported into
  # the environment of every step that inherits this env, not only the login
  # step; it could be scoped to that step instead.
  DOCKER_USER: ${{ github.actor }}
  DOCKER_PWD: ${{ secrets.GITHUB_TOKEN }}
  PLATFORMS: linux/arm64,linux/amd64

# Default token scope for all jobs; build-image overrides it with its own
# job-level permissions block.
permissions: read-all
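jobs:
  prepare:
    uses: ./.github/workflows/prepare.yml

  # Builds the multi-arch image, pushes it, signs it by digest with cosign,
  # then generates an SPDX SBOM and attaches it as a cosign attestation.
  build-image:
    permissions:
      actions: read  # anchore/sbom-action for syft
      contents: write  # anchore/sbom-action for syft
      packages: write
      id-token: write  # cosign
    runs-on: ubuntu-latest
    needs: prepare
    steps:
      # Assign context variable for various action contexts (tag, main, CI)
      - name: Assigning tag context
        if: github.head_ref == '' && startsWith(github.ref, 'refs/tags/v')
        run: echo "BUILD_CONTEXT=tag" >> "$GITHUB_ENV"
      - name: Assigning main context
        if: github.head_ref == '' && github.ref == 'refs/heads/main'
        run: echo "BUILD_CONTEXT=main" >> "$GITHUB_ENV"
      # checkout branch
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6
        with:
          # No later step in this job runs an authenticated git command, so
          # the job token is not kept for git after the checkout.
          persist-credentials: false
      # Set up QEMU for multi-architecture builds
      - name: Set up QEMU
        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a  # v4
      # Set up Docker Buildx
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd  # v4
      # set image version
      # Context values are handed to the shell through env rather than being
      # expanded into the script text, so their content is never parsed as
      # shell syntax.
      - name: Set main-branch environment
        if: env.BUILD_CONTEXT == 'main'
        env:
          COMMIT_SHA: ${{ github.event.after }}
        run: |
          echo "VERSION=main-${COMMIT_SHA:0:7}" >> "$GITHUB_ENV"
      - name: Set tag environment
        if: env.BUILD_CONTEXT == 'tag'
        env:
          # The tag name is chosen by whoever pushes the tag.
          REF_NAME: ${{ github.ref_name }}
        run: |
          echo "VERSION=${REF_NAME}" >> "$GITHUB_ENV"
      - name: Log in to the Container registry
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121  # v4
        with:
          registry: ${{ env.IMG_REGISTRY }}
          username: ${{ env.DOCKER_USER }}
          password: ${{ env.DOCKER_PWD }}
      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf  # v6.0.0
        with:
          images: "${{ env.IMG_REGISTRY }}/${{ env.IMG_ORG }}/${{ env.IMG_REPO }}"
          # VERSION is always applied; latest and main only on main builds.
          tags: |
            type=raw,value=${{ env.VERSION }}
            type=raw,value=latest,enable=${{ env.BUILD_CONTEXT == 'main' }}
            type=raw,value=main,enable=${{ env.BUILD_CONTEXT == 'main' }}
      - name: Build and push Docker image
        id: build-push
        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294  # v7
        with:
          context: .
          platforms: ${{ env.PLATFORMS }}
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          provenance: mode=max
      - name: Install Cosign
        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003  # v3
      # Sign the digest returned by the build step, not a mutable tag, so the
      # signature covers exactly the image that was just pushed.
      - name: Sign image with cosign
        env:
          IMAGE_REF: "${{ env.IMG_REGISTRY }}/${{ env.IMG_ORG }}/${{ env.IMG_REPO }}@${{ steps.build-push.outputs.digest }}"
        run: |
          cosign sign --yes "${IMAGE_REF}"
      - name: Generate SBOM
        uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610  # v0
        with:
          image: "${{ env.IMG_REGISTRY }}/${{ env.IMG_ORG }}/${{ env.IMG_REPO }}@${{ steps.build-push.outputs.digest }}"
          format: spdx-json  # default, but making sure of the format
          artifact-name: "model-registry-server-${{ env.VERSION }}-sbom.spdx.json"
          output-file: "model-registry-server-${{ env.VERSION }}-sbom.spdx.json"  # pin the file to use it later below
      # VERSION comes from the tag name on tag builds, so the predicate path
      # is passed through env and quoted instead of being spliced into the
      # command line.
      - name: Attest SBOM to image
        env:
          IMAGE_REF: "${{ env.IMG_REGISTRY }}/${{ env.IMG_ORG }}/${{ env.IMG_REPO }}@${{ steps.build-push.outputs.digest }}"
          SBOM_FILE: "model-registry-server-${{ env.VERSION }}-sbom.spdx.json"
        run: |
          cosign attest --yes --predicate "${SBOM_FILE}" --type spdxjson "${IMAGE_REF}"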