-
Notifications
You must be signed in to change notification settings - Fork 30
89 lines (86 loc) · 2.94 KB
/
cd.release.build.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
name: "CD: Release Build"
on:
repository_dispatch:
types: [release-build]
env:
REGISTRY: images.opencadc.org
IMAGE: platform/skaha
TAG: latest
TAG_RELEASE: ${{ github.event.client_payload.tag_name }}
jobs:
release-build:
if: github.repository == 'opencadc/science-platform'
runs-on: ubuntu-latest
permissions:
attestations: write
id-token: write
steps:
-
name: Client Payload
id: client-payload
run: |
echo "Client Payload: ${{ toJson(github.event.client_payload) }}"
-
name: Checkout
uses: actions/checkout@v3
-
name: Setup Docker Buildx
uses: docker/[email protected]
with:
install: true
-
name: Perform Container Registry Login
uses: docker/[email protected]
with:
registry: images.opencadc.org
username: ${{ secrets.SKAHA_REGISTRY_USERNAME }}
password: ${{ secrets.SKAHA_REGISTRY_TOKEN }}
-
name: Build and Push Docker Image
id: build
uses: docker/[email protected]
with:
context: skaha/
target: production
file: skaha/Dockerfile
platforms: linux/amd64
cache-from: type=gha
cache-to: type=gha,mode=max
provenance: mode=max
sbom: true
push: true
tags: |
${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ env.TAG }}
${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ env.TAG_RELEASE }}
labels: |
org.opencontainers.image.title=skaha
org.opencontainers.image.version=${{ env.TAG_RELEASE }}
org.opencontainers.image.description="Science Platform Backend"
org.opencontainers.image.licenses=AGPL-3.0
org.opencontainers.image.url=https://github.com/opencadc/science-platform
-
# See https://github.com/marketplace/actions/attest-build-provenance#container-image
# for more information on the attest-build-provenance action
name: Attest Container Image
id: attest
uses: actions/[email protected]
with:
subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE }}
subject-digest: ${{ steps.build.outputs.digest }}
# Currently not pushing attestations to Harbor Registry
# push-to-registry: true
show-summary: true
-
name: Install Cosign
id: install-cosign
uses: sigstore/[email protected]
with:
cosign-release: 'v2.4.1'
-
name: Cosign Container Image
id: cosign
run: |
cosign version
cosign sign --yes ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ env.TAG }} --upload
cosign sign --yes ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ env.TAG_RELEASE }} --upload
cosign sign --yes ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ steps.build.outputs.digest }} --upload