This repository has been archived by the owner on May 13, 2024. It is now read-only.

fix(semrel): correctly set version tags #440

Workflow file for this run

.github/workflows/release.yaml at 2cd41dc

	---
	name: Release

	on:
	push:
	branches: [main]

	jobs:
	semrel:
	name: Semantic Release
	runs-on: ubuntu-latest
	permissions:
	actions: none
	checks: none
	contents: none
	deployments: none
	issues: none
	packages: write
	pull-requests: none
	repository-projects: none
	security-events: none
	statuses: none
	id-token: write # needed for signing the images with GitHub OIDC using cosign
	steps:
	- name: Checkout
	uses: actions/checkout@v4

	- name: Semantic Release
	uses: go-semantic-release/action@v1
	id: semrel
	with:
	github-token: ${{ secrets.ADFINISBOT_PAT }}

	- name: Bump Version
	if: steps.semrel.outputs.version != ''
	run: \|
	pipx run poetry version "${{ steps.semrel.outputs.version }}"

	- name: Docker meta
	id: meta
	if: steps.semrel.outputs.version != ''
	uses: docker/metadata-action@v5
	with:
	images: ghcr.io/adfinis/timed-backend
	flavor: \|
	latest=auto
	tags: \|
	type=semver,pattern={{version}},value=${{ steps.semrel.outputs.version }}
	type=semver,pattern={{major}}.{{minor}},value=${{ steps.semrel.outputs.version }}
	type=semver,pattern={{major}},value=${{ steps.semrel.outputs.version }}
	labels: \|
	org.opencontainers.image.title=${{ github.event.repository.name }}
	org.opencontainers.image.description=${{ github.event.repository.description }}
	org.opencontainers.image.url=${{ github.event.repository.html_url }}
	org.opencontainers.image.source=${{ github.event.repository.clone_url }}
	org.opencontainers.image.revision=${{ github.sha }}
	org.opencontainers.image.licenses=${{ github.event.repository.license.spdx_id }}

	- name: Login to GHCR
	if: steps.semrel.outputs.version != ''
	uses: docker/login-action@v3
	with:
	registry: ghcr.io
	username: ${{ github.repository_owner }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Build and push
	if: steps.semrel.outputs.version != ''
	id: docker
	uses: docker/build-push-action@v5
	with:
	context: .
	file: ./Dockerfile
	push: true
	tags: ${{ steps.meta.outputs.tags }}
	labels: \|
	${{ steps.meta.outputs.labels }}

	- name: Run Trivy vulnerability scanner on api
	if: steps.semrel.outputs.version != ''
	uses: aquasecurity/[email protected]
	with:
	image-ref: ghcr.io/adfinis/timed-backend
	format: "cyclonedx"
	output: "trivy.cdx"

	- name: Install Cosign
	if: steps.semrel.outputs.version != ''
	uses: sigstore/[email protected]

	- name: Sign the image with GitHub OIDC Token using cosign
	if: steps.semrel.outputs.version != ''
	run: \|
	cosign sign --yes ghcr.io/adfinis/timed-backend@${{ steps.docker.outputs.digest }}

	- name: Attach an SBOM attestation to the signed image
	if: steps.semrel.outputs.version != ''
	run: \|
	cosign attest --yes --type cyclonedx --predicate trivy.cdx ghcr.io/adfinis/timed-backend@${{ steps.docker.outputs.digest }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(semrel): correctly set version tags #440

Workflow file

fix(semrel): correctly set version tags #440

Jobs

Run details

Workflow file for this run