Skip to content

add workflow

add workflow #1

Workflow file for this run

name: Build OpenUnison
on:
push:
branches:
- 'main'
permissions:
id-token: write
packages: write
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Install Cosign
uses: sigstore/cosign-installer@main
- name: Set up QEMU
uses: docker/setup-qemu-action@v1
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1
- uses: actions/checkout@v1
- name: generate tag
run: |-
export PROJ_VERSION="1.0.0"
echo "TAG=$PROJ_VERSION-$(echo $GITHUB_SHA | cut -c 1-6)" >> $GITHUB_ENV
echo "SHORT_TAG=$PROJ_VERSION" >> $GITHUB_ENV
- name: Login to container Registry
uses: docker/login-action@v2
with:
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
registry: ghcr.io
- name: downcase REPO
run: |
echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV}
-
name: Build and push
id: docker_build
uses: docker/build-push-action@v2
with:
context: "."
push: true
tags: |
ghcr.io/${{ env.REPO }}:${{ env.TAG }}
ghcr.io/${{ env.REPO }}:${{ env.SHORT_TAG }}
ghcr.io/${{ env.REPO }}:latest
- name: sign images
run: |-
cosign sign -y ghcr.io/${{ env.REPO }}:${{ env.TAG }}
- uses: anchore/sbom-action@v0
with:
image: ghcr.io/${{ env.REPO }}:${{ env.TAG }}
format: spdx
output-file: /tmp/spdxg
- name: attach sbom to images
run: |-
cosign attach sbom --sbom /tmp/spdxg ghcr.io/${{ env.REPO }}:${{ env.TAG }}
GH_SBOM_SHA=$(cosign verify --certificate-oidc-issuer-regexp='.*' --certificate-identity-regexp='.*' ghcr.io/${{ env.REPO }}:${{ env.TAG }} 2>/dev/null | jq -r '.[0].critical.image["docker-manifest-digest"]' | cut -c 8-)
cosign sign -y ghcr.io/${{ env.REPO }}:sha256-$GH_SBOM_SHA.sbom