chore(deps): pin dependencies #86

Workflow file for this run

.github/workflows/build-clang-image.yaml at 042ae1b

	name: Build Clang Image

	# we want this action to dry run in case it's triggered from a PR
	# - docker/login-action only logs in to quay on GA 'push' event
	# - docker/build-push-action only pushes to quay on GA 'push' event
	on:
	push:
	branches:
	- main
	- v*
	paths:
	- 'Dockerfile.clang'
	- '.github/workflows/build-clang-image.yaml'
	pull_request_target:
	paths:
	- 'Dockerfile.clang'
	- '.github/workflows/build-clang-image.yaml'

	jobs:
	build-and-push:
	runs-on: ubuntu-20.04
	environment: release-clang
	permissions:
	# To be able to access the repository with `actions/checkout`
	contents: read
	# Required to generate OIDC tokens for `sigstore/cosign-installer` authentication
	id-token: write
	steps:
	# https://github.com/docker/setup-qemu-action
	- name: Set up QEMU
	uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7
	with:
	platforms: amd64,arm64

	# https://github.com/docker/setup-buildx-action
	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@ecf95283f03858871ff00b787d79c419715afc34

	- name: Login to quay.io
	if: github.event_name == 'push'
	uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc
	with:
	registry: quay.io
	username: ${{ secrets.QUAY_CLANG_RELEASE_USERNAME }}
	password: ${{ secrets.QUAY_CLANG_RELEASE_PASSWORD }}

	- name: Getting image tag
	id: tag
	run: \|
	if [ ${{ github.event.pull_request.head.sha }} != "" ]; then
	echo "tag=${{ github.event.pull_request.head.sha }}" >> $GITHUB_OUTPUT
	else
	echo "tag=${{ github.sha }}" >> $GITHUB_OUTPUT
	fi

	- name: Checkout Source Code
	uses: actions/checkout@96f53100ba2a5449eb71d2e6604bbcd94b9449b5
	with:
	persist-credentials: false
	fetch-depth: 0

	- name: Release Build clang
	uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825
	id: docker_build_release
	with:
	provenance: false
	context: .
	file: ./Dockerfile.clang
	platforms: linux/amd64,linux/arm64
	push: ${{ github.event_name == 'push' }}
	tags: \|
	quay.io/${{ github.repository_owner }}/clang:${{ steps.tag.outputs.tag }}

	- name: Install Cosign
	if: github.event_name == 'push'
	uses: sigstore/cosign-installer@ef0e9691595ea19ec990a46b1a591dcafe568f34

	- name: Sign Container Image
	if: github.event_name == 'push' && steps.tag-in-repositories.outputs.exists == 'false'
	env:
	COSIGN_EXPERIMENTAL: "true"
	run: \|
	cosign sign quay.io/${{ github.repository_owner }}/clang@${{ steps.docker_build_release.outputs.digest }}

	- name: Install Bom
	if: github.event_name == 'push'
	shell: bash
	run: \|
	curl -L https://github.com/kubernetes-sigs/bom/releases/download/v0.4.1/bom-linux-amd64 -o bom
	sudo mv ./bom /usr/local/bin/bom
	sudo chmod +x /usr/local/bin/bom

	- name: Generate SBOM
	if: github.event_name == 'push'
	shell: bash
	# To-Do: Format SBOM output to JSON after a new version of cosign is released after v1.13.1. Ref: https://github.com/sigstore/cosign/pull/2479
	run: \|
	bom generate -o sbom_clang_${{ steps.tag.outputs.tag }}.spdx \
	--dirs= . \
	--image=quay.io/${{ github.repository_owner }}/clang:${{ steps.tag.outputs.tag }}

	- name: Attach SBOM to container image
	if: github.event_name == 'push'
	run: \|
	cosign attach sbom --sbom sbom_clang_${{ steps.tag.outputs.tag }}.spdx quay.io/${{ github.repository_owner }}/clang@${{ steps.docker_build_release.outputs.digest }}

	- name: Sign SBOM Image
	if: github.event_name == 'push' && steps.tag-in-repositories.outputs.exists == 'false'
	env:
	COSIGN_EXPERIMENTAL: "true"
	run: \|
	docker_build_release_digest="${{ steps.docker_build_release.outputs.digest }}"
	image_name="quay.io/${{ github.repository_owner }}/clang:${docker_build_release_digest/:/-}.sbom"
	docker_build_release_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} \| sha256sum \| head -c 64)"
	cosign sign "quay.io/${{ github.repository_owner }}/clang@${docker_build_release_sbom_digest}"

	- name: Image Release Digest
	if: github.event_name == 'push'
	shell: bash
	run: \|
	mkdir -p image-digest/
	job_name=clang
	job_name_capital=${job_name^^}
	job_name_underscored=${job_name_capital//-/_}
	echo "${job_name_underscored}_DIGEST := \"${{ steps.docker_build_release.outputs.digest }}\"" > image-digest/makefile-digest.txt
	echo "### clang" > image-digest/clang.txt
	echo "" >> image-digest/clang.txt
	echo "\`quay.io/${{ github.repository_owner }}/clang:${{ steps.tag.outputs.tag }}@${{ steps.docker_build_release.outputs.digest }}\`" >> image-digest/clang.txt
	echo "" >> image-digest/clang.txt

	# Upload artifact digests
	- name: Upload artifact digests
	if: github.event_name == 'push'
	uses: actions/upload-artifact@65d862660abb392b8c4a3d1195a2108db131dd05
	with:
	name: image-digest clang
	path: image-digest
	retention-days: 1

	image-digests:
	if: github.event_name == 'push' && github.repository == 'cilium/tetragon'
	name: Display Digests
	runs-on: ubuntu-20.04
	needs: build-and-push
	steps:
	- name: Downloading Image Digests
	shell: bash
	run: \|
	mkdir -p image-digest/

	- name: Download digests of all images built
	uses: actions/download-artifact@e9ef242655d12993efdcda9058dee2db83a2cb9b
	with:
	path: image-digest/

	- name: Image Digests Output
	shell: bash
	run: \|
	cd image-digest/
	find -type f \| sort \| xargs -d '\n' cat

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): pin dependencies #86

Workflow file

chore(deps): pin dependencies #86

Jobs

Run details

Workflow file for this run