Skip to content

chore(ci/fix): only sign images when creating release #95

chore(ci/fix): only sign images when creating release

chore(ci/fix): only sign images when creating release #95

Workflow file for this run

---
name: Release
on:
push:
branches:
- main
workflow_call:
secrets:
ADFINISBOT_PAT:
required: true
jobs:
semrel:
permissions:
actions: none
checks: none
contents: none
deployments: none
issues: none
packages: write
pull-requests: none
repository-projects: none
security-events: none
statuses: none
id-token: write # needed for signing the images with GitHub OIDC using cosign
name: Semantic Release
runs-on: ubuntu-latest
steps:
- name: Checkout Repository
uses: actions/checkout@v4
with:
token: ${{ secrets.ADFINISBOT_PAT }}
- name: Semantic Release
uses: go-semantic-release/action@v1
id: semrel
with:
github-token: ${{ secrets.ADFINISBOT_PAT }}
allow-initial-development-versions: true
- name: Adjust Versions
if: steps.semrel.outputs.version != ''
run: |
sed -r 's/"(0.0.0|latest)"/"${{ steps.semrel.outputs.version }}"/g' -i ./ember/package.json ./api/pyproject.toml ./charts/outdated/Chart.yaml
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
if: steps.semrel.outputs.version != ''
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set up Docker Buildx
if: steps.semrel.outputs.version != ''
uses: docker/setup-buildx-action@v3
- name: Build and Push API Docker Image
if: steps.semrel.outputs.version != ''
uses: docker/build-push-action@v5
id: docker-api
with:
context: ./api/
target: prod
push: true
tags: |
ghcr.io/${{ github.repository }}/api:${{ steps.semrel.outputs.version }}
ghcr.io/${{ github.repository }}/api:latest
- name: Build and Push Ember Docker Image
if: steps.semrel.outputs.version != ''
uses: docker/build-push-action@v5
id: docker-ember
with:
context: ./ember/
push: true
tags: |
ghcr.io/${{ github.repository }}/ember:${{ steps.semrel.outputs.version }}
ghcr.io/${{ github.repository }}/ember:latest
- name: Run Trivy vulnerability scanner on api
if: steps.semrel.outputs.version != ''
uses: aquasecurity/[email protected]
with:
image-ref: ghcr.io/${{ github.repository }}/api
format: "cyclonedx"
output: "api.cdx"
- name: Run Trivy vulnerability scanner on ember
if: steps.semrel.outputs.version != ''
uses: aquasecurity/[email protected]
with:
image-ref: ghcr.io/${{ github.repository }}/ember
format: "cyclonedx"
output: "ember.cdx"
- name: Install Cosign
if: steps.semrel.outputs.version != ''
uses: sigstore/[email protected]
- name: Sign the images with GitHub OIDC Token using cosign
if: steps.semrel.outputs.version != ''
run: |
cosign sign --yes ghcr.io/${{ github.repository }}/api@${{ steps.docker-api.outputs.digest }}
cosign sign --yes ghcr.io/${{ github.repository }}/ember@${{ steps.docker-ember.outputs.digest }}
- name: Attach an SBOM attestation to the signed images
if: steps.semrel.outputs.version != ''
run: |
cosign attest --yes --type cyclonedx --predicate api.cdx ghcr.io/${{ github.repository }}/api@${{ steps.docker-api.outputs.digest }}
cosign attest --yes --type cyclonedx --predicate ember.cdx ghcr.io/${{ github.repository }}/ember@${{ steps.docker-ember.outputs.digest }}
- name: Set up Helm
if: steps.semrel.outputs.version != ''
uses: azure/[email protected]
with:
version: v3.14.0
- name: Package Chart
if: steps.semrel.outputs.version != ''
run: |
helm repo add bitnami https://charts.bitnami.com/bitnami
helm dependency build charts/outdated
helm package --destination=dist charts/outdated
- name: Push Chart
if: steps.semrel.outputs.version != ''
run: helm push dist/*.tgz oci://ghcr.io/${{ github.repository }}/helm
trivy-scan-api:
if: always()
needs: semrel
uses: ./.github/workflows/trivy-scan.yaml
with:
image-ref: api
attest: ${{ needs.semrel.result == 'success' }}
trivy-scan-ember:
if: always()
needs: semrel
uses: ./.github/workflows/trivy-scan.yaml
with:
image-ref: ember
attest: ${{ needs.semrel.result == 'success' }}