feat: Removed async v2 restriction #389
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Commit | |
on: | |
workflow_dispatch: | |
push: | |
branches: | |
- main | |
paths-ignore: | |
- .github/dependabot.yaml | |
- .github/workflows/pull-request.yaml | |
- .github/workflows/release.yaml | |
jobs: | |
build: | |
name: Build OCI Image | |
permissions: write-all | |
strategy: | |
fail-fast: false | |
matrix: | |
variant: [musl, glibc] | |
runs-on: ubuntu-latest | |
defaults: | |
run: | |
shell: bash | |
env: | |
PLATFORMS: "linux/amd64,linux/arm64" | |
steps: | |
- name: Checkout | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Setup | |
id: setup | |
run: | | |
set -euo pipefail | |
source_date_epoch="$(git log -1 --pretty=%ct)" | |
echo "source_date_epoch=${source_date_epoch}" >> "${GITHUB_OUTPUT}" | |
echo "SOURCE_DATE_EPOCH=${source_date_epoch}" >> "${GITHUB_ENV}" | |
- name: Install Crane | |
uses: imjasonh/setup-crane@31b88efe9de28ae0ffa220711af4b60be9435f6e # v0.4 | |
- name: Install Syft | |
uses: action-stars/install-tool-from-github-release@ece2623611b240002e0dd73a0d685505733122f6 # v0.2.4 | |
with: | |
github_token: ${{ secrets.GITHUB_TOKEN }} | |
owner: anchore | |
repository: syft | |
check_command: syft --version | |
version: latest | |
- name: Install Grype | |
uses: action-stars/install-tool-from-github-release@ece2623611b240002e0dd73a0d685505733122f6 # v0.2.4 | |
with: | |
github_token: ${{ secrets.GITHUB_TOKEN }} | |
owner: anchore | |
repository: grype | |
check_command: grype --version | |
version: latest | |
- name: Install Cosign | |
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 | |
- name: Install Hadolint | |
uses: action-stars/install-tool-from-github-release@ece2623611b240002e0dd73a0d685505733122f6 # v0.2.4 | |
with: | |
github_token: ${{ secrets.GITHUB_TOKEN }} | |
owner: hadolint | |
repository: hadolint | |
arch_amd64: x86_64 | |
os_linux: Linux | |
extract: false | |
filename_format: "{name}-{os}-{arch}" | |
check_command: hadolint --version | |
version: latest | |
- name: Run Hadolint | |
run: | | |
set -euo pipefail | |
hadolint --no-fail --format sarif ./${{ matrix.variant }}.dockerfile > ./hadolint-${{ matrix.variant }}.sarif | |
- name: Upload Hadolint SARIF report | |
uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5 | |
with: | |
category: hadolint-${{ matrix.variant }} | |
sarif_file: hadolint-${{ matrix.variant }}.sarif | |
- name: Generate OCI image metadata | |
id: metadata | |
uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1 | |
with: | |
flavor: | | |
latest=false | |
images: | | |
ghcr.io/${{ github.repository }} | |
tags: | | |
type=sha | |
labels: | | |
org.opencontainers.image.description=Fluentd aggregator OCI image based on the default Fluentd OCI image. | |
org.opencontainers.image.authors=Steve Hipwell <[email protected]> | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Build OCI image | |
id: build | |
uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0 | |
with: | |
file: ./${{ matrix.variant }}.dockerfile | |
context: . | |
provenance: false | |
sbom: false | |
platforms: ${{ env.PLATFORMS }} | |
cache-from: type=gha,scope=buildkit-${{ matrix.variant }} | |
cache-to: type=gha,scope=buildkit-${{ matrix.variant }},mode=max | |
tags: ${{ steps.metadata.outputs.tags }} | |
labels: ${{ steps.metadata.outputs.labels }} | |
push: true | |
build-args: | | |
SOURCE_DATE_EPOCH=${{ steps.setup.outputs.source_date_epoch }} | |
- name: Generate SBOMs | |
id: sboms | |
run: | | |
set -euo pipefail | |
default_image="ghcr.io/${{ github.repository }}" | |
sha_tag="${{ steps.metadata.outputs.version }}" | |
sbom_paths="" | |
for platform in ${PLATFORMS//,/ } | |
do | |
digest="$(crane digest "${default_image}:${sha_tag}" --platform="${platform}")" | |
sbom_path="syft-sbom-${{ matrix.variant }}-${platform#*/}.spdx.json" | |
syft --source-name "${{ github.repository }}" --source-version "${digest}" --platform "${platform}" -o "spdx-json=${sbom_path}" "${default_image}@${digest}" | |
sbom_paths="${sbom_paths}${sbom_path}," | |
done | |
echo "paths=${sbom_paths%,}" >> $GITHUB_OUTPUT | |
- name: Upload SBOM artifacts | |
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | |
with: | |
name: ${{ matrix.variant }}-sboms | |
retention-days: 28 | |
if-no-files-found: error | |
path: "*.spdx.json" | |
- name: Upload SBOMs to Dependency Graph | |
uses: advanced-security/spdx-dependency-submission-action@5530bab9ee4bbe66420ce8280624036c77f89746 # v0.1.1 | |
with: | |
token: ${{ secrets.GITHUB_TOKEN }} | |
filePath: "." | |
filePattern: "*.spdx.json" | |
- name: Scan SBOMs with Grype | |
id: grype | |
run: | | |
set -euo pipefail | |
directory_path="grype-results" | |
mkdir -p "${directory_path}" | |
for platform in ${PLATFORMS//,/ } | |
do | |
sarif_path="${directory_path}/grype-scan-${{ matrix.variant }}-${platform#*/}.sarif" | |
grype --platform "${platform}" -o "sarif=${sarif_path}" "sbom:syft-sbom-${{ matrix.variant }}-${platform#*/}.spdx.json" | |
done | |
echo "path=${directory_path}" >> $GITHUB_OUTPUT | |
- name: Upload Grype SARIF report | |
uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5 | |
with: | |
category: grype-${{ matrix.variant }} | |
sarif_file: ${{ steps.grype.outputs.path }} | |
- name: Login to DockerHub | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
with: | |
username: ${{ vars.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
- name: Push OCI image tags | |
id: push | |
run: | | |
set -euo pipefail | |
default_image="ghcr.io/${{ github.repository }}" | |
sha_tag="${{ steps.metadata.outputs.version }}" | |
digest="${{ steps.build.outputs.digest }}" | |
images="docker.io/${{ github.repository }}" | |
tags="${{ matrix.variant }}-main" | |
if [[ "${{ matrix.variant }}" == "musl" ]] | |
then | |
tags="${tags},main" | |
fi | |
references="${default_image}:${sha_tag}" | |
for image in ${images//,/ } | |
do | |
crane copy --platform all "${default_image}:${sha_tag}@${digest}" "${image}:${sha_tag}" | |
references="${references},${image}:${sha_tag}" | |
done | |
images="${images},${default_image}" | |
for image in ${images//,/ } | |
do | |
for tag in ${tags//,/ } | |
do | |
crane tag --platform all "${image}:${sha_tag}@${digest}" "${tag}" | |
references="${references},${image}:${tag}" | |
done | |
done | |
echo "references=${references}" >> $GITHUB_OUTPUT | |
- name: Sign OCI image | |
run: | | |
set -euo pipefail | |
default_image="ghcr.io/${{ github.repository }}" | |
sha_tag="${{ steps.metadata.outputs.version }}" | |
references="${{ steps.push.outputs.references }}" | |
for reference in ${references//,/ } | |
do | |
cosign sign --yes=true --recursive "${reference}@${{ steps.build.outputs.digest }}" | |
done | |
for platform in ${PLATFORMS//,/ } | |
do | |
digest="$(crane digest "${default_image}:${sha_tag}@${{ steps.build.outputs.digest }}" --platform="${platform}")" | |
for reference in ${references//,/ } | |
do | |
cosign attest --yes --type spdxjson --predicate syft-sbom-${{ matrix.variant }}-${platform#*/}.spdx.json "${reference}@${digest}" | |
cosign attach sbom --type spdx --input-format json --sbom syft-sbom-${{ matrix.variant }}-${platform#*/}.spdx.json "${reference}@${digest}" | |
sbom_digest="$(crane digest "${reference%:*}:${digest/:/-}.sbom")" | |
cosign sign --yes=true "${reference%:*}:${digest/:/-}.sbom@${sbom_digest}" | |
done | |
done |