Initial setup for repo (#1) #1
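---
# Release workflow: on every pushed v* tag, builds the ECR credential-helper
# image and the AWS Zarf init package, publishes both to ghcr.io, stores a
# CVE report as a run artifact, and creates the GitHub release.
name: Publish Zarf Init Package for AWS on Tag

# Workflow-level default; the release job widens this to write below.
permissions:
  contents: read

on:
  push:
    tags:
      - "v*"

jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      packages: write  # needed for `docker buildx build --push` to ghcr.io
      contents: write  # needed for `gh release create`
    steps:
      # Checkout the repo and setup the tooling for this job
      - name: Checkout
        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
        with:
          fetch-depth: 0  # full history incl. tags; presumably used by the make targets below — confirm
      # NOTE(review): the three defenseunicorns actions below float on @main while
      # every other action in this workflow is pinned to a commit SHA. This job runs
      # with packages/contents write, so whatever lands on that branch executes with
      # release privileges; pin each to a SHA (TODO: resolve the commit to pin) so
      # the pinning is consistent across the file.
      - name: Install latest version of Zarf
        uses: defenseunicorns/setup-zarf@main
      - name: Install tools
        uses: defenseunicorns/zarf/.github/actions/install-tools@main
      - name: Setup Go
        uses: defenseunicorns/zarf/.github/actions/golang@main
      - name: Build ECR credential-helper binary
        run: make build-credential-helper-linux-amd
      - name: "ECR Credential Helper: Login to GHCR"
        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
        with:
          registry: ghcr.io
          # NOTE(review): a placeholder username is used with the job token;
          # confirm GHCR accepts this, otherwise use ${{ github.actor }}.
          username: dummy
          password: ${{ github.token }}
      - name: "ECR Credential Helper: Build and Publish the Image"
        # Image tag is the pushed git tag name (v* from the trigger above).
        run: docker buildx build --push --platform linux/amd64 --tag ghcr.io/defenseunicorns/zarf-init-aws/ecr-credential-helper:$GITHUB_REF_NAME .
      # TODO@jeff-mccoy: Setup cosign signing key secrets in repo
      # - name: "ECR Credential Helper: Sign the Image"
      #   run: cosign sign --key awskms:///${{ secrets.COSIGN_AWS_KMS_KEY }} -a release-engineer=https://github.com/${{ github.actor }} -a version=$GITHUB_REF_NAME ghcr.io/defenseunicorns/zarf-init-aws/ecr-credential-helper:$GITHUB_REF_NAME
      #   env:
      #     COSIGN_EXPERIMENTAL: 1
      #     AWS_REGION: ${{ secrets.COSIGN_AWS_REGION }}
      #     AWS_ACCESS_KEY_ID: ${{ secrets.COSIGN_AWS_KEY_ID }}
      #     AWS_SECRET_ACCESS_KEY: ${{ secrets.COSIGN_AWS_ACCESS_KEY }}
      - name: Build AWS init package for release
        # The package references the credential-helper image pushed above by the same tag.
        run: make release-aws-init-package CREDENTIAL_HELPER_IMAGE_TAG=$GITHUB_REF_NAME
      - name: Publish AWS Init Package as OCI and Skeleton
        run: make publish-aws-init-package ARCH=amd64 REPOSITORY_URL=ghcr.io/defenseunicorns/packages
      # Create a CVE report based on this build
      - name: Create release time CVE report
        run: make cve-report
      - name: Save CVE report
        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
        with:
          name: cve-report
          path: build/zarf-known-cves.csv
      # Create GitHub release and upload the AWS init package as a release artifact
      - name: Create GitHub release and upload AWS init package as release artifact
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        # --verify-tag fails the step if the tag is not present on the remote.
        run: gh release create "$GITHUB_REF_NAME" ./build/zarf-init-*.tar.zst --generate-notes --verify-tag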