Skip to content

feat: Removed async v2 restriction #389

feat: Removed async v2 restriction

feat: Removed async v2 restriction #389

Workflow file for this run

name: Commit
on:
workflow_dispatch:
push:
branches:
- main
paths-ignore:
- .github/dependabot.yaml
- .github/workflows/pull-request.yaml
- .github/workflows/release.yaml
jobs:
build:
name: Build OCI Image
permissions: write-all
strategy:
fail-fast: false
matrix:
variant: [musl, glibc]
runs-on: ubuntu-latest
defaults:
run:
shell: bash
env:
PLATFORMS: "linux/amd64,linux/arm64"
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Setup
id: setup
run: |
set -euo pipefail
source_date_epoch="$(git log -1 --pretty=%ct)"
echo "source_date_epoch=${source_date_epoch}" >> "${GITHUB_OUTPUT}"
echo "SOURCE_DATE_EPOCH=${source_date_epoch}" >> "${GITHUB_ENV}"
- name: Install Crane
uses: imjasonh/setup-crane@31b88efe9de28ae0ffa220711af4b60be9435f6e # v0.4
- name: Install Syft
uses: action-stars/install-tool-from-github-release@ece2623611b240002e0dd73a0d685505733122f6 # v0.2.4
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
owner: anchore
repository: syft
check_command: syft --version
version: latest
- name: Install Grype
uses: action-stars/install-tool-from-github-release@ece2623611b240002e0dd73a0d685505733122f6 # v0.2.4
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
owner: anchore
repository: grype
check_command: grype --version
version: latest
- name: Install Cosign
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
- name: Set up QEMU
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
- name: Install Hadolint
uses: action-stars/install-tool-from-github-release@ece2623611b240002e0dd73a0d685505733122f6 # v0.2.4
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
owner: hadolint
repository: hadolint
arch_amd64: x86_64
os_linux: Linux
extract: false
filename_format: "{name}-{os}-{arch}"
check_command: hadolint --version
version: latest
- name: Run Hadolint
run: |
set -euo pipefail
hadolint --no-fail --format sarif ./${{ matrix.variant }}.dockerfile > ./hadolint-${{ matrix.variant }}.sarif
- name: Upload Hadolint SARIF report
uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
with:
category: hadolint-${{ matrix.variant }}
sarif_file: hadolint-${{ matrix.variant }}.sarif
- name: Generate OCI image metadata
id: metadata
uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
with:
flavor: |
latest=false
images: |
ghcr.io/${{ github.repository }}
tags: |
type=sha
labels: |
org.opencontainers.image.description=Fluentd aggregator OCI image based on the default Fluentd OCI image.
org.opencontainers.image.authors=Steve Hipwell <[email protected]>
- name: Login to GitHub Container Registry
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build OCI image
id: build
uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
with:
file: ./${{ matrix.variant }}.dockerfile
context: .
provenance: false
sbom: false
platforms: ${{ env.PLATFORMS }}
cache-from: type=gha,scope=buildkit-${{ matrix.variant }}
cache-to: type=gha,scope=buildkit-${{ matrix.variant }},mode=max
tags: ${{ steps.metadata.outputs.tags }}
labels: ${{ steps.metadata.outputs.labels }}
push: true
build-args: |
SOURCE_DATE_EPOCH=${{ steps.setup.outputs.source_date_epoch }}
- name: Generate SBOMs
id: sboms
run: |
set -euo pipefail
default_image="ghcr.io/${{ github.repository }}"
sha_tag="${{ steps.metadata.outputs.version }}"
sbom_paths=""
for platform in ${PLATFORMS//,/ }
do
digest="$(crane digest "${default_image}:${sha_tag}" --platform="${platform}")"
sbom_path="syft-sbom-${{ matrix.variant }}-${platform#*/}.spdx.json"
syft --source-name "${{ github.repository }}" --source-version "${digest}" --platform "${platform}" -o "spdx-json=${sbom_path}" "${default_image}@${digest}"
sbom_paths="${sbom_paths}${sbom_path},"
done
echo "paths=${sbom_paths%,}" >> $GITHUB_OUTPUT
- name: Upload SBOM artifacts
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: ${{ matrix.variant }}-sboms
retention-days: 28
if-no-files-found: error
path: "*.spdx.json"
- name: Upload SBOMs to Dependency Graph
uses: advanced-security/spdx-dependency-submission-action@5530bab9ee4bbe66420ce8280624036c77f89746 # v0.1.1
with:
token: ${{ secrets.GITHUB_TOKEN }}
filePath: "."
filePattern: "*.spdx.json"
- name: Scan SBOMs with Grype
id: grype
run: |
set -euo pipefail
directory_path="grype-results"
mkdir -p "${directory_path}"
for platform in ${PLATFORMS//,/ }
do
sarif_path="${directory_path}/grype-scan-${{ matrix.variant }}-${platform#*/}.sarif"
grype --platform "${platform}" -o "sarif=${sarif_path}" "sbom:syft-sbom-${{ matrix.variant }}-${platform#*/}.spdx.json"
done
echo "path=${directory_path}" >> $GITHUB_OUTPUT
- name: Upload Grype SARIF report
uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
with:
category: grype-${{ matrix.variant }}
sarif_file: ${{ steps.grype.outputs.path }}
- name: Login to DockerHub
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
username: ${{ vars.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Push OCI image tags
id: push
run: |
set -euo pipefail
default_image="ghcr.io/${{ github.repository }}"
sha_tag="${{ steps.metadata.outputs.version }}"
digest="${{ steps.build.outputs.digest }}"
images="docker.io/${{ github.repository }}"
tags="${{ matrix.variant }}-main"
if [[ "${{ matrix.variant }}" == "musl" ]]
then
tags="${tags},main"
fi
references="${default_image}:${sha_tag}"
for image in ${images//,/ }
do
crane copy --platform all "${default_image}:${sha_tag}@${digest}" "${image}:${sha_tag}"
references="${references},${image}:${sha_tag}"
done
images="${images},${default_image}"
for image in ${images//,/ }
do
for tag in ${tags//,/ }
do
crane tag --platform all "${image}:${sha_tag}@${digest}" "${tag}"
references="${references},${image}:${tag}"
done
done
echo "references=${references}" >> $GITHUB_OUTPUT
- name: Sign OCI image
run: |
set -euo pipefail
default_image="ghcr.io/${{ github.repository }}"
sha_tag="${{ steps.metadata.outputs.version }}"
references="${{ steps.push.outputs.references }}"
for reference in ${references//,/ }
do
cosign sign --yes=true --recursive "${reference}@${{ steps.build.outputs.digest }}"
done
for platform in ${PLATFORMS//,/ }
do
digest="$(crane digest "${default_image}:${sha_tag}@${{ steps.build.outputs.digest }}" --platform="${platform}")"
for reference in ${references//,/ }
do
cosign attest --yes --type spdxjson --predicate syft-sbom-${{ matrix.variant }}-${platform#*/}.spdx.json "${reference}@${digest}"
cosign attach sbom --type spdx --input-format json --sbom syft-sbom-${{ matrix.variant }}-${platform#*/}.spdx.json "${reference}@${digest}"
sbom_digest="$(crane digest "${reference%:*}:${digest/:/-}.sbom")"
cosign sign --yes=true "${reference%:*}:${digest/:/-}.sbom@${sbom_digest}"
done
done