mirror of
https://github.com/fosrl/gerbil.git
synced 2026-02-08 05:56:40 +00:00
4576a2e8a7
Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.0 to 6.0.1.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](1af3b93b68...8e8c483db8)
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-version: 6.0.1
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
162 lines
5.6 KiB
YAML
162 lines
5.6 KiB
YAML
name: CI/CD Pipeline
|
|
|
|
# CI/CD workflow for building, publishing, mirroring, signing container images and building release binaries.
|
|
# Actions are pinned to specific SHAs to reduce supply-chain risk. This workflow triggers on tag push events.
|
|
|
|
permissions:
|
|
contents: read
|
|
packages: write # for GHCR push
|
|
id-token: write # for Cosign Keyless (OIDC) Signing
|
|
|
|
# Required secrets:
|
|
# - DOCKER_HUB_USERNAME / DOCKER_HUB_ACCESS_TOKEN: push to Docker Hub
|
|
# - GITHUB_TOKEN: used for GHCR login and OIDC keyless signing
|
|
# - COSIGN_PRIVATE_KEY / COSIGN_PASSWORD / COSIGN_PUBLIC_KEY: for key-based signing
|
|
|
|
on:
|
|
push:
|
|
tags:
|
|
- "[0-9]+.[0-9]+.[0-9]+"
|
|
- "[0-9]+.[0-9]+.[0-9]+.rc.[0-9]+"
|
|
|
|
concurrency:
|
|
group: ${{ github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
jobs:
|
|
release:
|
|
name: Build and Release
|
|
runs-on: amd64-runner
|
|
# Job-level timeout to avoid runaway or stuck runs
|
|
timeout-minutes: 120
|
|
env:
|
|
# Target images
|
|
DOCKERHUB_IMAGE: docker.io/fosrl/${{ github.event.repository.name }}
|
|
GHCR_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
|
|
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
|
|
|
|
- name: Set up QEMU
|
|
uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
|
|
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
|
|
|
|
- name: Log in to Docker Hub
|
|
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
|
|
with:
|
|
registry: docker.io
|
|
username: ${{ secrets.DOCKER_HUB_USERNAME }}
|
|
password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
|
|
|
|
- name: Extract tag name
|
|
id: get-tag
|
|
run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
|
|
shell: bash
|
|
|
|
- name: Install Go
|
|
uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
|
|
with:
|
|
go-version: 1.25
|
|
|
|
- name: Update version in main.go
|
|
run: |
|
|
TAG=${{ env.TAG }}
|
|
if [ -f main.go ]; then
|
|
sed -i 's/version_replaceme/'"$TAG"'/' main.go
|
|
echo "Updated main.go with version $TAG"
|
|
else
|
|
echo "main.go not found"
|
|
fi
|
|
shell: bash
|
|
|
|
- name: Build and push Docker images (Docker Hub)
|
|
run: |
|
|
TAG=${{ env.TAG }}
|
|
make docker-build-release tag=$TAG
|
|
echo "Built & pushed to: ${{ env.DOCKERHUB_IMAGE }}:${TAG}"
|
|
shell: bash
|
|
|
|
- name: Login in to GHCR
|
|
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
|
|
with:
|
|
registry: ghcr.io
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
- name: Install skopeo + jq
|
|
# skopeo: copy/inspect images between registries
|
|
# jq: JSON parsing tool used to extract digest values
|
|
run: |
|
|
sudo apt-get update -y
|
|
sudo apt-get install -y skopeo jq
|
|
skopeo --version
|
|
shell: bash
|
|
|
|
- name: Copy tag from Docker Hub to GHCR
|
|
# Mirror the already-built image (all architectures) to GHCR so we can sign it
|
|
run: |
|
|
set -euo pipefail
|
|
TAG=${{ env.TAG }}
|
|
echo "Copying ${{ env.DOCKERHUB_IMAGE }}:${TAG} -> ${{ env.GHCR_IMAGE }}:${TAG}"
|
|
skopeo copy --all --retry-times 3 \
|
|
docker://$DOCKERHUB_IMAGE:$TAG \
|
|
docker://$GHCR_IMAGE:$TAG
|
|
shell: bash
|
|
|
|
- name: Install cosign
|
|
# cosign is used to sign and verify container images (key and keyless)
|
|
uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
|
|
|
|
- name: Dual-sign and verify (GHCR & Docker Hub)
|
|
# Sign each image by digest using keyless (OIDC) and key-based signing,
|
|
# then verify both the public key signature and the keyless OIDC signature.
|
|
env:
|
|
TAG: ${{ env.TAG }}
|
|
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
|
|
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
|
|
COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
|
|
COSIGN_YES: "true"
|
|
run: |
|
|
set -euo pipefail
|
|
|
|
issuer="https://token.actions.githubusercontent.com"
|
|
id_regex="^https://github.com/${{ github.repository }}/.+" # accept this repo (all workflows/refs)
|
|
|
|
for IMAGE in "${GHCR_IMAGE}" "${DOCKERHUB_IMAGE}"; do
|
|
echo "Processing ${IMAGE}:${TAG}"
|
|
|
|
DIGEST="$(skopeo inspect --retry-times 3 docker://${IMAGE}:${TAG} | jq -r '.Digest')"
|
|
REF="${IMAGE}@${DIGEST}"
|
|
echo "Resolved digest: ${REF}"
|
|
|
|
echo "==> cosign sign (keyless) --recursive ${REF}"
|
|
cosign sign --recursive "${REF}"
|
|
|
|
echo "==> cosign sign (key) --recursive ${REF}"
|
|
cosign sign --key env://COSIGN_PRIVATE_KEY --recursive "${REF}"
|
|
|
|
echo "==> cosign verify (public key) ${REF}"
|
|
cosign verify --key env://COSIGN_PUBLIC_KEY "${REF}" -o text
|
|
|
|
echo "==> cosign verify (keyless policy) ${REF}"
|
|
cosign verify \
|
|
--certificate-oidc-issuer "${issuer}" \
|
|
--certificate-identity-regexp "${id_regex}" \
|
|
"${REF}" -o text
|
|
done
|
|
shell: bash
|
|
|
|
- name: Build binaries
|
|
run: |
|
|
make go-build-release
|
|
shell: bash
|
|
|
|
- name: Upload artifacts from /bin
|
|
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
|
|
with:
|
|
name: binaries
|
|
path: bin/
|