Skip to content
dockerbuild

trigger downstream builds #6

Sign in to view logs

trigger downstream builds

trigger downstream builds #6

Workflow file for this run

.github/workflows/dockerbuild.yml at 17d8fb3
name: dockerbuild
on:
push:
branches:
- 'main'
permissions:
id-token: write
packages: write
jobs:
docker:
runs-on: ubuntu-latest
steps:
- name: get identity
uses: tremolosecurity/[email protected]
with:
audience: ${{ secrets.WH_AUDIENCE }}
environmentVariableName: "WHPROXY"
-
name: Set up QEMU
uses: docker/setup-qemu-action@v1
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1
- uses: actions/checkout@v1
- name: Install Cosign
uses: sigstore/cosign-installer@main
- name: downcase REPO
run: |
echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV}
- name: generate tag
run: |-
export PROJ_VERSION="3"
echo "Project Version: $PROJ_VERSION"
echo "TAG=$PROJ_VERSION-$(echo $GITHUB_SHA | cut -c 1-6)" >> $GITHUB_ENV
echo "SHORT_TAG=$PROJ_VERSION" >> $GITHUB_ENV
- name: Build and push
id: docker_build
uses: docker/build-push-action@v2
with:
push: true
platforms: linux/amd64,linux/arm64
tags: |
ghcr.io/${{ env.REPO }}:latest
ghcr.io/${{ env.REPO }}:${{ env.TAG }}
ghcr.io/${{ env.REPO }}:${{ env.SHORT_TAG }}
- name: sign images
run: |-
cosign sign -y ghcr.io/${{ env.REPO }}:${{ env.TAG }}
- uses: anchore/sbom-action@v0
with:
image: ghcr.io/${{ env.REPO }}:${{ env.TAG }}
format: spdx
output-file: /tmp/spdxg
- name: attach sbom to images
run: |-
cosign attach sbom --sbom /tmp/spdxg ghcr.io/${{ env.REPO }}:${{ env.TAG }}
GH_SBOM_SHA=$(cosign verify --certificate-oidc-issuer-regexp='.*' --certificate-identity-regexp='.*' ghcr.io/${{ env.REPO }}:${{ env.TAG }} 2>/dev/null | jq -r '.[0].critical.image["docker-manifest-digest"]' | cut -c 8-)
echo "GH_SBOM_SHA: $GH_SBOM_SHA"
cosign sign -y ghcr.io/${{ env.REPO }}:sha256-$GH_SBOM_SHA.sbom
- name: rebuild dependents
run: |-
curl -H "Authorization: Bearer $WHPROXY" ${{ secrets.WH_AUDIENCE }}webhook/openunison-jib-builder3-dependent