diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
index 74def61..1cb325c 100755
--- a/.github/workflows/deploy.yaml
+++ b/.github/workflows/deploy.yaml
@@ -160,6 +160,8 @@ jobs:
 permissions:
 contents: read
 packages: write
+ id-token: write
+ attestations: write
 # Build steps
 steps:
@@ -231,11 +233,13 @@ jobs:
 # Set full image name
 full_names="${{ env.REGISTRY }}/${{ github.repository_owner }}/${image_name}:${tag}"
+ attestation_image_name="${{ env.REGISTRY }}/${{ github.repository_owner }}/${image_name}"
+ echo "ATTESTATION_IMAGE_NAME=${attestation_image_name}" >> $GITHUB_OUTPUT
 echo "OUTPUT_IMAGE_NAME=${full_names}" >> $GITHUB_OUTPUT
- if [ "${tag_latest}" == "true" ]
- then
- full_names="$full_names,${{ env.REGISTRY }}/${{ github.repository_owner }}/${image_name}:latest"
- fi
+ # if [ "${tag_latest}" == "true" ]
+ # then
+ # full_names="$full_names,${{ env.REGISTRY }}/${{ github.repository_owner }}/${image_name}:latest"
+ # fi
 if [ "${image_name}" == "rstudio-local_${{ needs.normalize-inputs.outputs.latest_r_version }}_bioc_${{ needs.normalize-inputs.outputs.latest_bioc_version }}" ] \
 || [ "${image_name}" == "rstudio_${{ needs.normalize-inputs.outputs.latest_r_version }}_bioc_${{ needs.normalize-inputs.outputs.latest_bioc_version }}" ]
 then
@@ -256,6 +260,7 @@ jobs:
 echo "SBOM_OUTPUT_FILENAME=$GITHUB_WORKSPACE/sbom.json" >> $GITHUB_OUTPUT
 - name: Build and push image 🏗
+ id: push-image
 uses: docker/build-push-action@v5
 with:
 context: ./
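Review bot: The `tag_latest` branch in the build_vars run block is commented out instead of removed, so the `tag_latest` input is still read but now silently has no effect and no image receives a `:latest` tag; the same applies to the scheduled.yaml hunk that flips `"tag_latest": "false"`, which now toggles nothing. If dropping the `latest` tag is intended, delete the four commented lines and retire the input (git history keeps them); if it is a temporary measure, replace the dead code with one line stating why, e.g. `# latest tag disabled: <reason / tracking issue>`, since the diff gives no reason. The enclosing run block starts and ends outside the hunk.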
@@ -296,6 +301,21 @@ jobs:
 output-file: "${{ steps.build_vars.outputs.SBOM_OUTPUT_FILENAME }}"
 artifact-name: "sbom.spdx"
+ - name: Generate artifact attestation
+ uses: actions/attest-build-provenance@v1
+ with:
+ subject-name: ${{ steps.build_vars.outputs.ATTESTATION_IMAGE_NAME }}
+ subject-digest: ${{ steps.push-image.outputs.digest }}
+ push-to-registry: true
+
+ - name: Generate SBOM attestation
+ uses: actions/attest-sbom@v1
+ with:
+ subject-name: ${{ steps.build_vars.outputs.ATTESTATION_IMAGE_NAME }}
+ subject-digest: ${{ steps.push-image.outputs.digest }}
+ sbom-path: ${{ steps.build_vars.outputs.SBOM_OUTPUT_FILENAME }}
+ push-to-registry: true
+
 - name: Upload image manifest to release 🔼
 uses: svenstaro/upload-release-action@v2
 if: "${{ needs.normalize-inputs.outputs.release_tag }} != ''"
diff --git a/.github/workflows/scheduled.yaml b/.github/workflows/scheduled.yaml
index ad5f86c..adf6624 100644
--- a/.github/workflows/scheduled.yaml
+++ b/.github/workflows/scheduled.yaml
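Review bot: Both new attestation steps run unconditionally, but `steps.push-image.outputs.digest` is only meaningful when the build step actually pushed; the build step's `with:` block (and any `push:` condition on it) lies outside the hunk, so if pushing is conditional these steps would fail or attest nothing on non-push runs — gate them with the same condition, e.g. `if: steps.push-image.outputs.digest != ''`. `push-to-registry: true` also assumes the job is already authenticated to `${{ env.REGISTRY }}`; the login step is not visible here, so confirm it precedes these steps. The file pins actions by major tag, so `@v1` is consistent, though pinning these two provenance-producing actions to a full commit SHA would make the attestation toolchain itself reproducible.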
@@ -36,42 +36,42 @@ jobs:
 strategy:
 matrix:
 image:
- - distro_tag: '4.4.0'
- bioc: '3.19'
- distro: rstudio-local
- origin: rocker
+ # - distro_tag: '4.4.0'
+ # bioc: '3.19'
+ # distro: rstudio-local
+ # origin: rocker
 - distro_tag: '4.4.0'
 bioc: '3.19'
 distro: rstudio
 origin: rocker
- - distro_tag: 'latest'
- bioc: 'devel'
- distro: gcc13
- origin: rhub
- - distro_tag: 'latest'
- bioc: 'devel'
- distro: gcc14
- origin: rhub
- - distro_tag: 'latest'
- bioc: 'devel'
- distro: atlas
- origin: rhub
- - distro_tag: 'latest'
- bioc: 'devel'
- distro: valgrind
- origin: rhub
- - distro_tag: 'latest'
- bioc: 'devel'
- distro: intel
- origin: rhub
- - distro_tag: 'latest'
- bioc: 'devel'
- distro: nosuggests
- origin: rhub
- - distro_tag: 'latest'
- bioc: 'devel'
- distro: mkl
- origin: rhub
+ # - distro_tag: 'latest'
+ # bioc: 'devel'
+ # distro: gcc13
+ # origin: rhub
+ # - distro_tag: 'latest'
+ # bioc: 'devel'
+ # distro: gcc14
+ # origin: rhub
+ # - distro_tag: 'latest'
+ # bioc: 'devel'
+ # distro: atlas
+ # origin: rhub
+ # - distro_tag: 'latest'
+ # bioc: 'devel'
+ # distro: valgrind
+ # origin: rhub
+ # - distro_tag: 'latest'
+ # bioc: 'devel'
+ # distro: intel
+ # origin: rhub
+ # - distro_tag: 'latest'
+ # bioc: 'devel'
+ # distro: nosuggests
+ # origin: rhub
+ # - distro_tag: 'latest'
+ # bioc: 'devel'
+ # distro: mkl
+ # origin: rhub
 # Trigger steps
 steps:
@@ -94,6 +94,6 @@ jobs:
 "latest_r_version": "4.4.0",
 "latest_bioc_version": "3.19",
 "tag": "",
- "tag_latest": "true",
+ "tag_latest": "false",
 "release_tag": "${{ needs.create-release.outputs.release_tag }}"
 }
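Review bot: Eight of the nine matrix entries are commented out with no explanation, so a reader cannot tell whether the rstudio-local and rhub images are retired or only paused, and the commented blocks will drift from the live entry's schema over time. Either delete them (git history keeps them) or keep a single comment above the list stating the reason and when they should return, e.g. `# rhub/rstudio-local images disabled: <reason / tracking issue>`. The matrix itself is otherwise unchanged, so no other behaviour is affected by this hunk.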