Update dependency go to v1.25.1 (#21) #54
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release | |
| on: | |
| push: | |
| branches: | |
| - main | |
| tags: | |
| - 'v*.*.*' | |
| env: | |
| REGISTRY: ghcr.io | |
| IMAGE_NAME: ${{ github.repository }} | |
| GO_VERSION: '1.24' | |
| jobs: | |
| release: | |
| name: Build and Push | |
| runs-on: ubuntu-latest | |
| # Don't run on PRs, only on direct pushes to main or tags | |
| if: github.event_name == 'push' | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write # For cosign signing | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: Cache Go modules | |
| uses: actions/cache@v4 | |
| with: | |
| path: ~/go/pkg/mod | |
| key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} | |
| restore-keys: | | |
| ${{ runner.os }}-go- | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Log in to GHCR | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Extract metadata | |
| id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | |
| tags: | | |
| type=ref,event=branch | |
| type=semver,pattern={{version}} | |
| type=semver,pattern={{major}}.{{minor}} | |
| type=semver,pattern={{major}} | |
| type=raw,value=latest,enable={{is_default_branch}} | |
| type=sha,prefix=sha-,enable={{is_default_branch}} | |
| - name: Build and push Docker image | |
| id: build | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| platforms: ${{ github.ref_type == 'tag' && 'linux/amd64,linux/arm64' || 'linux/amd64' }} | |
| push: true | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| build-args: | | |
| GO_VERSION=${{ env.GO_VERSION }} | |
| - name: Verify build success | |
| run: | | |
| if [[ -z "${{ steps.build.outputs.digest }}" ]]; then | |
| echo "❌ Docker build failed - no digest generated" | |
| exit 1 | |
| fi | |
| echo "✅ Docker build successful with digest: ${{ steps.build.outputs.digest }}" | |
| # Image signing | |
| - name: Install cosign | |
| uses: sigstore/[email protected] | |
| - name: Sign container image | |
| env: | |
| DIGEST: ${{ steps.build.outputs.digest }} | |
| TAGS: ${{ steps.meta.outputs.tags }} | |
| run: | | |
| echo "$TAGS" | while IFS= read -r tag; do | |
| if [[ -n "$tag" ]]; then | |
| echo "Signing: $tag@${DIGEST}" | |
| if ! cosign sign --yes "$tag@${DIGEST}"; then | |
| echo "First attempt failed, retrying in 10 seconds..." | |
| sleep 10 | |
| if ! cosign sign --yes "$tag@${DIGEST}"; then | |
| echo "❌ Failed to sign $tag after retry" | |
| echo "::warning::Failed to sign image $tag - continuing with unsigned image" | |
| else | |
| echo "✅ Successfully signed $tag on retry" | |
| fi | |
| else | |
| echo "✅ Successfully signed $tag" | |
| fi | |
| fi | |
| done | |
| - name: Generate SBOM | |
| uses: anchore/[email protected] | |
| with: | |
| image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }} | |
| format: spdx-json | |
| output-file: sbom.spdx.json | |
| - name: Upload SBOM | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: sbom | |
| path: sbom.spdx.json |