chore(deps): update actions/attest-build-provenance action to v2.3.0 #192
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build all | |
| on: | |
| workflow_dispatch: | |
| push: | |
| branches: | |
| - main | |
| paths-ignore: | |
| - '**/README.md' | |
| schedule: | |
| # Every Saturday at 2AM UTC | |
| - cron: "0 2 * * 6" | |
| pull_request: | |
| branches: | |
| - 'main' | |
| env: | |
| DNF_CACHE_PATH: /var/cache/libdnf5 # F41+ and newer F40 with libdnf5 | |
| HOST_DNF_CACHE_PATH: /tmp/libdnf5 # Any path is okay | |
| DNF_CACHE_PURGE_THRESHOLD_MB: 400 | |
| FEDORA_VERSION: "41" | |
| jobs: | |
| build-and-push: | |
| strategy: | |
| matrix: | |
| job: | |
| - { name: amd64, os: ubuntu-latest, pretty-name: Build and push amd64 image } | |
| - { name: arm64, os: ubuntu-24.04-arm, pretty-name: Build and push arm64 image } | |
| runs-on: ${{ matrix.job.os }} | |
| name: ${{ matrix.job.pretty-name }} | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write # needed for signing the images with GitHub OIDC Token | |
| attestations: write | |
| steps: | |
| - name: Check out the repository | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| persist-credentials: false | |
| - name: Mkdir for DNF Cache | |
| run: mkdir -p ${{ env.HOST_DNF_CACHE_PATH }} | |
| - name: Restore DNF Cache | |
| uses: actions/cache/restore@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 | |
| with: | |
| path: ${{ env.HOST_DNF_CACHE_PATH }} | |
| key: dnf-cache-${{ matrix.job.name }} | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2 | |
| - name: Extract metadata for Docker (main) | |
| id: meta-main | |
| uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 | |
| with: | |
| images: ghcr.io/${{ github.repository }} | |
| flavor: | | |
| latest=false | |
| tags: | | |
| type=raw,value={{date 'YYYYMMDD'}}-${{ matrix.job.name }},enable={{is_default_branch}} | |
| type=raw,value=latest-${{ matrix.job.name }},enable={{is_default_branch}} | |
| type=ref,event=pr,suffix=-${{ matrix.job.name }} | |
| - name: Log in to ghcr.io (Using Action) | |
| uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7 | |
| with: | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| registry: ghcr.io | |
| - name: Buildah Action (main) | |
| id: build-image-main | |
| uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2.13 | |
| with: | |
| context: fe | |
| containerfiles: fe/Dockerfile.${{ env.FEDORA_VERSION }} | |
| tags: ${{ steps.meta-main.outputs.tags }} | |
| oci: true | |
| extra-args: | | |
| --squash | |
| -v ${{ env.HOST_DNF_CACHE_PATH }}:${{ env.DNF_CACHE_PATH }} | |
| - name: Purge dnf5 cache if too big | |
| run: | | |
| # Folder size (KB) | |
| folder_size=$(du -sk ${{ env.HOST_DNF_CACHE_PATH }} | cut -f1) | |
| echo "Folder size: ${folder_size} KB; $(($folder_size /1024)) MB" | |
| # 100MB = 100 * 1024 KB | |
| threshold=$((${{ env.DNF_CACHE_PURGE_THRESHOLD_MB }} * 1024)) | |
| echo "Threshold size: ${threshold} KB; ${{ env.DNF_CACHE_PURGE_THRESHOLD_MB }} MB" | |
| if [ "$folder_size" -gt "$threshold" ]; then | |
| echo "Threshold size exceed, purging." | |
| rm -rf ${{ env.HOST_DNF_CACHE_PATH }}/* | |
| echo '### DNF Cache purging: true' >> $GITHUB_STEP_SUMMARY | |
| else | |
| echo "Threshold size is not exceed." | |
| echo '### DNF Cache purging: false' >> $GITHUB_STEP_SUMMARY | |
| fi | |
| - name: Get Date for creating cache key | |
| id: get-date | |
| shell: bash | |
| run: | | |
| echo "date=$(/bin/date -u "+%Y%m%d")" >> $GITHUB_OUTPUT | |
| - name: Save DNF Cache | |
| uses: actions/cache/save@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 | |
| with: | |
| path: ${{ env.HOST_DNF_CACHE_PATH }} | |
| key: dnf-cache-${{ matrix.job.name }}-${{ steps.get-date.outputs.date }} | |
| - name: Push (main) | |
| id: push-main | |
| uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2.8 | |
| with: | |
| image: ${{ steps.build-image-main.outputs.image }} | |
| tags: ${{ steps.build-image-main.outputs.tags }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| extra-args: | | |
| --compression-format=zstd | |
| - name: Attest (main) | |
| uses: actions/attest-build-provenance@db473fddc028af60658334401dc6fa3ffd8669fd # v2.3.0 | |
| if: github.event_name != 'pull_request' | |
| with: | |
| subject-name: ghcr.io/${{ github.repository }} | |
| subject-digest: ${{ steps.push-main.outputs.digest }} | |
| push-to-registry: true | |
| link-container-tags: | |
| runs-on: ubuntu-24.04-arm | |
| name: Link Container tags | |
| needs: build-and-push | |
| if: github.event_name != 'pull_request' | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write # needed for signing the images with GitHub OIDC Token | |
| attestations: write | |
| steps: | |
| - name: Login ghcr.io | |
| uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Create and push manifest (latest) | |
| id: manifest-latest | |
| uses: Noelware/docker-manifest-action@dbe59e31eb61049f37aa51bfc7f44d899215008e | |
| with: | |
| inputs: ghcr.io/${{ github.repository }}:latest | |
| images: | | |
| ghcr.io/${{ github.repository }}:latest-amd64, | |
| ghcr.io/${{ github.repository }}:latest-arm64 | |
| push: true | |
| - name: Get Date | |
| id: get-date | |
| shell: bash | |
| run: | | |
| echo "date=$(/bin/date -u "+%Y%m%d")" >> $GITHUB_OUTPUT | |
| - name: Create and push manifest (time) | |
| id: manifest-time | |
| uses: Noelware/docker-manifest-action@dbe59e31eb61049f37aa51bfc7f44d899215008e | |
| with: | |
| inputs: ghcr.io/${{ github.repository }}:${{ steps.get-date.outputs.date }} | |
| images: | | |
| ghcr.io/${{ github.repository }}:${{ steps.get-date.outputs.date }}-amd64, | |
| ghcr.io/${{ github.repository }}:${{ steps.get-date.outputs.date }}-arm64 | |
| push: true | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2 | |
| - name: "Image:Digest -> Digest" | |
| id: get-digest-only | |
| shell: bash | |
| run: | | |
| echo "digest-latest=$(echo ${LATEST} | awk -F'@' '{print $2}')" >> $GITHUB_OUTPUT | |
| echo "digest-time=$(echo ${TIME} | awk -F'@' '{print $2}')" >> $GITHUB_OUTPUT | |
| env: | |
| LATEST: ${{ steps.manifest-latest.outputs.images }} | |
| TIME: ${{ steps.manifest-time.outputs.images }} | |
| - name: Attest (Tag resign) (latest) | |
| uses: actions/attest-build-provenance@db473fddc028af60658334401dc6fa3ffd8669fd # v2.3.0 | |
| with: | |
| subject-name: ghcr.io/${{ github.repository }} | |
| subject-digest: ${{ steps.get-digest-only.outputs.digest-latest }} | |
| push-to-registry: true | |
| - name: Sign the images with GitHub OIDC Token (recursive) | |
| env: | |
| IMAGES: ${{ steps.manifest-time.outputs.images }} | |
| run: | | |
| cosign sign --yes --recursive ${IMAGES} | |
| - name: Attest (Tag resign) (time) | |
| uses: actions/attest-build-provenance@db473fddc028af60658334401dc6fa3ffd8669fd # v2.3.0 | |
| with: | |
| subject-name: ghcr.io/${{ github.repository }} | |
| subject-digest: ${{ steps.get-digest-only.outputs.digest-time }} | |
| push-to-registry: true | |
| # For PR Test Only | |
| # https://stackoverflow.com/questions/59077079/how-to-get-pull-request-number-within-github-actions-workflow | |
| link-container-tags-test: | |
| runs-on: ubuntu-24.04-arm | |
| name: Link Container tags (PR Test) | |
| needs: build-and-push | |
| if: github.event_name == 'pull_request' | |
| permissions: | |
| contents: read | |
| packages: write | |
| steps: | |
| - name: Get PR number | |
| id: pr | |
| run: echo "PR_NUMBER=${{ github.event.pull_request.number }}" >> $GITHUB_OUTPUT | |
| - name: Login ghcr.io | |
| uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Create and push manifest (PR) | |
| id: manifest-time | |
| uses: Noelware/docker-manifest-action@dbe59e31eb61049f37aa51bfc7f44d899215008e | |
| with: | |
| inputs: ghcr.io/${{ github.repository }}:pr-${{ steps.pr.outputs.PR_NUMBER }} | |
| images: | | |
| ghcr.io/${{ github.repository }}:pr-${{ steps.pr.outputs.PR_NUMBER }}-amd64, | |
| ghcr.io/${{ github.repository }}:pr-${{ steps.pr.outputs.PR_NUMBER }}-arm64 | |
| push: true |