Skip to content

Merge pull request #79 from lawndoc/sbom-uploads #none #44

Merge pull request #79 from lawndoc/sbom-uploads #none

Merge pull request #79 from lawndoc/sbom-uploads #none #44

name: "Build, Tag, and Release"
on:
push:
branches:
- main
paths-ignore:
- .gitignore
- .github/renovate.json
- .github/workflows/
- .pre-commit-config.yaml
- LICENSE
- README.MD
- docs/
workflow_dispatch:
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
jobs:
build-tag-release:
runs-on: ubuntu-latest
if: ${{ github.ref == 'refs/heads/main' && github.event_name == 'push' }}
permissions:
contents: write
packages: write
attestations: write
id-token: write
steps:
- uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
with:
fetch-depth: 0
- name: Get next version
id: version
uses: anothrNick/github-tag-action@4ed44965e0db8dab2b466a16da04aec3cc312fd8 # 1.75.0
env:
WITH_V: true
DEFAULT_BUMP: patch
DRY_RUN: true
- name: Check if version changed
id: changed
continue-on-error: true
run: |
if [[ "${{ steps.version.outputs.new_tag }}" == "${{ steps.version.outputs.old_tag }}" ]]; then
echo "Version not changed"
exit 1
else
echo "Version changed"
fi
- name: Install uv
if: ${{ steps.changed.outcome == 'success' }}
uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0
- name: Bump version in files
if: ${{ steps.changed.outcome == 'success' }}
run: |
version="${{ steps.version.outputs.new_tag }}"
clean_version="${version#v}"
sed -i "s/__version__ = .*/__version__ = \"${clean_version}\"/" src/restic_compose_backup/__init__.py
sed -i "s/version = .*/version = \"${clean_version}\"/" src/pyproject.toml
sed -i "s/release = .*/release = \"${clean_version}\"/" docs/conf.py
uv lock --directory src --upgrade-package restic-compose-backup
- name: Push version tag
if: ${{ steps.changed.outcome == 'success' }}
uses: anothrNick/github-tag-action@4ed44965e0db8dab2b466a16da04aec3cc312fd8 # 1.75.0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
CUSTOM_TAG: ${{ steps.version.outputs.new_tag }}
- name: Log in to the Container registry
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set up QEMU
uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
- name: Generate metadata for published image
id: meta
run: |
TAG=${{ steps.version.outputs.new_tag }}
echo "version=${TAG#v}" >> $GITHUB_OUTPUT
echo "timestamp=$(date -u +'%Y-%m-%dT%H:%M:%S.000Z')" >> $GITHUB_OUTPUT
- name: Build and push Docker image
id: push
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
with:
context: src/
platforms: linux/amd64,linux/arm64
push: true
tags: |
${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }}
${{ steps.changed.outcome == 'success' && format('{0}/{1}:latest', env.REGISTRY, env.IMAGE_NAME) || null }}
${{ steps.changed.outcome == 'success' && format('{0}/{1}:{2}', env.REGISTRY, env.IMAGE_NAME, steps.version.outputs.new_tag) || null }}
labels: |
org.opencontainers.image.title=${{ github.event.repository.name }}
org.opencontainers.image.url=${{ github.repositoryUrl }}
org.opencontainers.image.source=${{ github.repositoryUrl }}
org.opencontainers.image.version=${{ steps.meta.outputs.version }}
org.opencontainers.image.revision=${{ github.sha }}
org.opencontainers.image.created=${{ steps.meta.outputs.timestamp }}
- name: Attest container image build provenance
uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0
with:
subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
subject-digest: ${{ steps.push.outputs.digest }}
push-to-registry: true
- name: Generate SPDX SBOM
uses: anchore/sbom-action@8e94d75ddd33f69f691467e42275782e4bfefe84 # v0.20.9
with:
image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.changed.outcome == 'success' && steps.version.outputs.new_tag || github.ref_name }}
format: spdx-json
output-file: ./sbom.spdx.json
- name: Generate CycloneDX SBOM
uses: anchore/sbom-action@8e94d75ddd33f69f691467e42275782e4bfefe84 # v0.20.9
with:
image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.changed.outcome == 'success' && steps.version.outputs.new_tag || github.ref_name }}
format: cyclonedx-json
output-file: ./sbom.cyclonedx.json
- name: Attest SBOM
uses: actions/attest-sbom@4651f806c01d8637787e274ac3bdf724ef169f34 # v3.0.0
with:
sbom-path: ./sbom.cyclonedx.json
subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
subject-digest: ${{ steps.push.outputs.digest }}
push-to-registry: true
- name: Update release
if: ${{ steps.changed.outcome == 'success' }}
uses: ncipollo/release-action@b7eabc95ff50cbeeedec83973935c8f306dfcd0b # v1.20.0
with:
allowUpdates: true
artifacts: "sbom.spdx.json,sbom.cyclonedx.json"
updateOnlyUnreleased: true
generateReleaseNotes: true
tag: ${{ steps.version.outputs.new_tag }}