Skip to content

Update OCI Artifacts #2039

Update OCI Artifacts

Update OCI Artifacts #2039

name: Update OCI Artifacts
on:
workflow_dispatch:
jobs:
publish-oci-artifacts:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
outputs:
matrix: ${{ steps.oci_build.outputs.REGISTRY_UPDATE_STATUS }}
steps:
- name: Checkout Plugins
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Setup Golang
uses: actions/setup-go@v3
with:
go-version: '^1.21'
- name: Build registry artifact tool
working-directory: build/registry
run: make
- name: Upload OCI artifacts to GitHub packages
id: oci_build
env:
REGISTRY: ghcr.io
REGISTRY_USER: ${{ github.repository_owner }}
REGISTRY_TOKEN: ${{ secrets.GITHUB_TOKEN }}
REPO_GITHUB: https://github.com/${{ github.repository_owner }}/plugins.git
working-directory: build/registry
run: |
REGISTRY_UPDATE_STATUS=$(./bin/registry update-oci-registry ../../registry.yaml)
echo "REGISTRY_UPDATE_STATUS=${REGISTRY_UPDATE_STATUS}" >> $GITHUB_OUTPUT
# Create signatures of the plugin artifacts as OCI artifacts
sign-oci-artifacts:
needs: [ publish-oci-artifacts ]
runs-on: ubuntu-latest
if: ${{ needs.publish-oci-artifacts.outputs.matrix != '[]' }}
strategy:
matrix:
value: ${{ fromJson(needs.publish-oci-artifacts.outputs.matrix) }}
permissions:
contents: read
id-token: write
packages: write
steps:
- name: Install Cosign
uses: sigstore/[email protected]
with:
cosign-release: 'v2.1.0'
- run: cosign version
- name: Log into ghcr.io
uses: docker/login-action@master
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Sign the artifacts with GitHub OIDC Token
run: cosign sign --yes ${{ matrix.value.repository.ref }}@${{ matrix.value.artifact.digest }}