Lucas Rodriguez
committed
Oct 18, 2023
1 parent
a8a0aa9
commit 48ea41b
Showing
2 changed files
with
78 additions
and
0 deletions.
@@ -0,0 +1,68 @@ | ||
name: Publish Zarf Init Package for AWS on Tag | ||
|
||
permissions: | ||
contents: read | ||
|
||
on: | ||
push: | ||
tags: | ||
- "v*" | ||
|
||
jobs: | ||
release: | ||
runs-on: ubuntu-latest | ||
permissions: | ||
packages: write | ||
contents: write | ||
steps: | ||
# Checkout the repo and setup the tooling for this job | ||
- name: Checkout | ||
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 | ||
with: | ||
fetch-depth: 0 | ||
|
||
- name: Install latest version of Zarf | ||
uses: defenseunicorns/setup-zarf@main | ||
|
||
- name: Install tools | ||
uses: defenseunicorns/zarf/.github/actions/install-tools@main | ||
|
||
- name: "ECR Credential Helper: Login to GHCR" | ||
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 | ||
with: | ||
registry: ghcr.io | ||
username: dummy | ||
password: ${{ github.token }} | ||
|
||
- name: "ECR Credential Helper: Build and Publish the Image" | ||
run: docker buildx build --push --platform linux/amd64 --tag ghcr.io/defenseunicorns/zarf-init-aws/ecr-credential-helper:$GITHUB_REF_NAME . | ||
|
||
- name: "ECR Credential Helper: Sign the Image" | ||
run: cosign sign --key awskms:///${{ secrets.COSIGN_AWS_KMS_KEY }} -a release-engineer=https://github.com/${{ github.actor }} -a version=$GITHUB_REF_NAME ghcr.io/defenseunicorns/zarf-init-aws/ecr-credential-helper:$GITHUB_REF_NAME | ||
env: | ||
COSIGN_EXPERIMENTAL: 1 | ||
AWS_REGION: ${{ secrets.COSIGN_AWS_REGION }} | ||
AWS_ACCESS_KEY_ID: ${{ secrets.COSIGN_AWS_KEY_ID }} | ||
AWS_SECRET_ACCESS_KEY: ${{ secrets.COSIGN_AWS_ACCESS_KEY }} | ||
|
||
- name: Build AWS init package for release | ||
run: make release-aws-init-package CREDENTIAL_HELPER_IMAGE_TAG=$GITHUB_REF_NAME | ||
|
||
- name: Publish AWS Init Package as OCI and Skeleton | ||
run: make publish-init-package ARCH=amd64 REPOSITORY_URL=ghcr.io/defenseunicorns/packages | ||
|
||
# Create a CVE report based on this build | ||
- name: Create release time CVE report | ||
run: make cve-report | ||
|
||
- name: Save CVE report | ||
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 | ||
with: | ||
name: cve-report | ||
path: build/zarf-known-cves.csv | ||
|
||
# Create GitHub release and upload the AWS init package as a release artifact | ||
- name: Create GitHub release and upload AWS init package as release artifact | ||
env: | ||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN}} | ||
run: gh release create "$GITHUB_REF_NAME" ./build/zarf-init-*.tar.zst --generate-notes --verify-tag |
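Review bot: The two setup steps `uses: defenseunicorns/setup-zarf@main` and `uses: defenseunicorns/zarf/.github/actions/install-tools@main` pull code from a mutable branch into a job that holds `packages: write`, `contents: write` and the Cosign KMS credentials, whereas the other three actions in this file are pinned to a commit SHA with a version comment. Whatever is on those branches at release time runs unreviewed and its output ends up in a signed artifact, so pin them the same way, e.g. `uses: defenseunicorns/setup-zarf@<commit-sha> # vX.Y.Z` (placeholder SHA and version). Separately, the signing step exports long-lived static AWS keys from secrets; granting the job `id-token: write` and assuming a role via OIDC (for instance with aws-actions/configure-aws-credentials) would keep that credential short-lived, and `COSIGN_EXPERIMENTAL: 1` appears to have no effect on a `--key awskms://` signature (it only toggled keyless mode in older cosign), so it can likely be dropped. Minor: `${{ secrets.GITHUB_TOKEN}}` in the last step lacks the space before `}}` that every other expression here uses.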