sync #135
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # NOTE refs | |
| # - https://github.blog/changelog/2020-04-15-github-actions-new-workflow-features/#new-fromjson-method-in-expressions | |
| # - https://stackoverflow.com/questions/59977364/github-actions-how-use-strategy-matrix-with-script | |
| name: sync | |
| on: | |
| push: | |
| branches: | |
| - main | |
| schedule: | |
| - cron: "0 0 * * MON" | |
| workflow_dispatch: {} | |
| permissions: | |
| contents: read | |
| id-token: write | |
| packages: write | |
| security-events: write | |
| concurrency: | |
| group: ${{ github.run_id }} | |
| cancel-in-progress: false | |
| jobs: | |
| prepare: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| matrix: ${{ steps.set.outputs.matrix }} | |
| steps: | |
| - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - id: set | |
| run: | | |
| echo "matrix=$(jq '.sync | {"include":.}' -r -c <<< "$(yq e . -o json config.yaml)")" >> $GITHUB_OUTPUT | |
| - name: check output | |
| run: | | |
| jq . <<< '${{ steps.set.outputs.matrix }}' | |
| sync: | |
| if: ${{ fromJSON(needs.prepare.outputs.matrix) != null }} | |
| needs: prepare | |
| runs-on: ubuntu-latest | |
| outputs: | |
| source: ${{ steps.get-digests.outputs.source }} | |
| destination: ${{ steps.get-digests.outputs.destination }} | |
| strategy: | |
| fail-fast: false | |
| matrix: ${{ fromJSON(needs.prepare.outputs.matrix) }} | |
| steps: | |
| - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 | |
| - uses: GeoNet/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c # main | |
| - uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2 | |
| - id: determine-uses-ecr | |
| env: | |
| DESTINATION: ${{ fromJSON(toJSON(matrix)).destination }} | |
| run: | | |
| if echo "$DESTINATION" | grep -q -E '[0-9]{12}.dkr.ecr.ap-southeast-2.amazonaws.com/.*'; then | |
| echo "ecr="$(echo "$DESTINATION" | cut -d'/' -f1)"" >> $GITHUB_OUTPUT | |
| fi | |
| - name: Configure AWS Credentials | |
| if: ${{ steps.determine-uses-ecr.outputs.ecr != '' }} | |
| uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v2.0.0 | |
| with: | |
| aws-region: ap-southeast-2 | |
| role-to-assume: arn:aws:iam::862640294325:role/github-actions-geonet-ecr-push | |
| role-duration-seconds: 3600 | |
| role-session-name: github-actions-GeoNet--base-images | |
| - name: login to ECR | |
| if: ${{ steps.determine-uses-ecr.outputs.ecr != '' }} | |
| env: | |
| ECR: ${{ steps.determine-uses-ecr.outputs.ecr }} | |
| run: | | |
| aws ecr get-login-password --region ap-southeast-2 | crane auth login "$ECR" -u AWS --password-stdin | |
| - name: get-digests | |
| if: ${{ fromJSON(toJSON(matrix)).always != true }} | |
| id: get-digests | |
| env: | |
| SOURCE: ${{ fromJSON(toJSON(matrix)).source }} | |
| DESTINATION: ${{ fromJSON(toJSON(matrix)).destination }} | |
| run: | | |
| SOURCE_DIGEST="$(crane digest "${SOURCE}" || true)" | |
| DESTINATION_DIGEST="$(crane digest "${DESTINATION}" || true)" | |
| ( | |
| echo "SOURCE-DIGEST DESTINATION-DIGEST" | |
| echo "${SOURCE_DIGEST} ${DESTINATION_DIGEST}" | |
| ) | column -t | |
| echo "source=${SOURCE_DIGEST}" >> $GITHUB_OUTPUT | |
| echo "destination=${DESTINATION_DIGEST}" >> $GITHUB_OUTPUT | |
| - name: verify-signature | |
| if: ${{ (steps.get-digests.outputs.source != steps.get-digests.outputs.destination || steps.get-digests.outputs.destination == null || fromJSON(toJSON(matrix)).always == true) && fromJSON(toJSON(matrix)).sourceSignature != null }} | |
| env: | |
| SOURCE: ${{ fromJSON(toJSON(matrix)).source }} | |
| SUBJECT: ${{ fromJSON(toJSON(matrix)).sourceSignature.subjectRegExp }} | |
| ISSUER: ${{ fromJSON(toJSON(matrix)).sourceSignature.issuerRegExp }} | |
| run: | | |
| cosign verify -o text --certificate-identity-regexp "$SUBJECT" --certificate-oidc-issuer-regexp "$ISSUER" "$SOURCE" | |
| - name: copy | |
| if: ${{ steps.get-digests.outputs.source != steps.get-digests.outputs.destination || steps.get-digests.outputs.destination == null || fromJSON(toJSON(matrix)).always == true }} | |
| env: | |
| SOURCE: ${{ fromJSON(toJSON(matrix)).source }} | |
| DESTINATION: ${{ fromJSON(toJSON(matrix)).destination }} | |
| run: | | |
| crane cp $SOURCE $DESTINATION | |
| - name: add source labels | |
| if: ${{ steps.get-digests.outputs.source != steps.get-digests.outputs.destination || steps.get-digests.outputs.destination == null || fromJSON(toJSON(matrix)).always == true }} | |
| env: | |
| DESTINATION: ${{ fromJSON(toJSON(matrix)).destination }} | |
| run: | | |
| LABELS=( | |
| org.opencontainers.image.revision=${{ github.sha }} | |
| org.opencontainers.image.source=${{ github.repositoryUrl }} | |
| ) | |
| for LABEL in "${LABELS[@]}"; do | |
| crane mutate $DESTINATION --label "${LABEL}" | |
| done | |
| - name: get-synced-digests | |
| id: get-synced-digests | |
| env: | |
| DESTINATION: ${{ fromJSON(toJSON(matrix)).destination }} | |
| run: | | |
| DESTINATION_DIGEST="$(crane digest "${DESTINATION}" || true)" | |
| ( | |
| echo "${SOURCE_DIGEST} ${DESTINATION_DIGEST}" | |
| ) | column -t | |
| HAS_SIGNATURES="$(cosign tree ${DESTINATION}@${DESTINATION_DIGEST} 2>&1 | grep -q 'Signatures for an image tag' && echo true || echo false)" | |
| echo "destination=${DESTINATION_DIGEST}" >> $GITHUB_OUTPUT | |
| echo "has-signatures=${HAS_SIGNATURES}" >> $GITHUB_OUTPUT | |
| - name: Clean signatures | |
| if: ${{ fromJSON(toJSON(matrix)).always == true }} | |
| run: | | |
| cosign clean -f ${{ fromJSON(toJSON(matrix)).destination }}@${{ steps.get-synced-digests.outputs.destination }} | |
| - name: Sign image with a key | |
| if: ${{ steps.get-digests.outputs.source != steps.get-digests.outputs.destination || steps.get-digests.outputs.destination == null || fromJSON(toJSON(matrix)).always == true || steps.get-synced-digests.outputs.has-signatures != 'true' }} | |
| env: | |
| COSIGN_EXPERIMENTAL: "true" | |
| COSIGN_YES: "true" | |
| run: | | |
| cosign sign ${{ fromJSON(toJSON(matrix)).destination }}@${{ steps.get-synced-digests.outputs.destination }} -y | |
| - uses: anchore/sbom-action@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3 | |
| if: ${{ steps.get-digests.outputs.source != steps.get-digests.outputs.destination || steps.get-digests.outputs.destination == null || fromJSON(toJSON(matrix)).always == true || steps.get-synced-digests.outputs.has-signatures != 'true' }} | |
| with: | |
| image: ${{ fromJSON(toJSON(matrix)).destination }}@${{ steps.get-synced-digests.outputs.destination }} | |
| artifact-name: sbom-spdx.json | |
| output-file: /tmp/sbom-spdx.json | |
| - name: publish sbom blob as blob | |
| if: ${{ steps.get-digests.outputs.source != steps.get-digests.outputs.destination || steps.get-digests.outputs.destination == null || fromJSON(toJSON(matrix)).always == true || steps.get-synced-digests.outputs.has-signatures != 'true' }} | |
| env: | |
| COSIGN_YES: "true" | |
| run: | | |
| cosign attest --predicate /tmp/sbom-spdx.json ${{ fromJSON(toJSON(matrix)).destination }}@${{ steps.get-synced-digests.outputs.destination }} -y |