chore(deps): update all github action dependencies #133
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build Clang Image | |
# we want this action to dry run in case it's triggered from a PR | |
# - docker/login-action only logs in to quay on GA 'push' event | |
# - docker/build-push-action only pushes to quay on GA 'push' event | |
on: | |
push: | |
branches: | |
- main | |
- v* | |
paths: | |
- 'Dockerfile.clang' | |
- '.github/workflows/build-clang-image.yaml' | |
pull_request_target: | |
paths: | |
- 'Dockerfile.clang' | |
- '.github/workflows/build-clang-image.yaml' | |
jobs: | |
build-and-push: | |
runs-on: ubuntu-20.04 | |
environment: release-clang | |
permissions: | |
# To be able to access the repository with `actions/checkout` | |
contents: read | |
# Required to generate OIDC tokens for `sigstore/cosign-installer` authentication | |
id-token: write | |
steps: | |
# https://github.com/docker/setup-qemu-action | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0 | |
with: | |
platforms: amd64,arm64 | |
# https://github.com/docker/setup-buildx-action | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@4c0219f9ac95b02789c1075625400b2acbff50b1 # v2.9.1 | |
- name: Login to quay.io | |
if: github.event_name == 'push' | |
uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0 | |
with: | |
registry: quay.io | |
username: ${{ secrets.QUAY_CLANG_RELEASE_USERNAME }} | |
password: ${{ secrets.QUAY_CLANG_RELEASE_PASSWORD }} | |
- name: Getting image tag | |
id: tag | |
run: | | |
if [ ${{ github.event.pull_request.head.sha }} != "" ]; then | |
echo "tag=${{ github.event.pull_request.head.sha }}" >> $GITHUB_OUTPUT | |
else | |
echo "tag=${{ github.sha }}" >> $GITHUB_OUTPUT | |
fi | |
- name: Checkout Source Code | |
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | |
with: | |
persist-credentials: false | |
fetch-depth: 0 | |
- name: Release Build clang | |
uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1 | |
id: docker_build_release | |
with: | |
provenance: false | |
context: . | |
file: ./Dockerfile.clang | |
platforms: linux/amd64,linux/arm64 | |
push: ${{ github.event_name == 'push' }} | |
tags: | | |
quay.io/${{ github.repository_owner }}/clang:${{ steps.tag.outputs.tag }} | |
- name: Install Cosign | |
if: github.event_name == 'push' | |
uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v3.0.5 | |
- name: Sign Container Image | |
if: github.event_name == 'push' && steps.tag-in-repositories.outputs.exists == 'false' | |
env: | |
COSIGN_EXPERIMENTAL: "true" | |
run: | | |
cosign sign quay.io/${{ github.repository_owner }}/clang@${{ steps.docker_build_release.outputs.digest }} | |
- name: Install Bom | |
if: github.event_name == 'push' | |
shell: bash | |
run: | | |
curl -L https://github.com/kubernetes-sigs/bom/releases/download/v0.4.1/bom-linux-amd64 -o bom | |
sudo mv ./bom /usr/local/bin/bom | |
sudo chmod +x /usr/local/bin/bom | |
- name: Generate SBOM | |
if: github.event_name == 'push' | |
shell: bash | |
# To-Do: Format SBOM output to JSON after a new version of cosign is released after v1.13.1. Ref: https://github.com/sigstore/cosign/pull/2479 | |
run: | | |
bom generate -o sbom_clang_${{ steps.tag.outputs.tag }}.spdx \ | |
--dirs= . \ | |
--image=quay.io/${{ github.repository_owner }}/clang:${{ steps.tag.outputs.tag }} | |
- name: Attach SBOM to container image | |
if: github.event_name == 'push' | |
run: | | |
cosign attach sbom --sbom sbom_clang_${{ steps.tag.outputs.tag }}.spdx quay.io/${{ github.repository_owner }}/clang@${{ steps.docker_build_release.outputs.digest }} | |
- name: Sign SBOM Image | |
if: github.event_name == 'push' && steps.tag-in-repositories.outputs.exists == 'false' | |
env: | |
COSIGN_EXPERIMENTAL: "true" | |
run: | | |
docker_build_release_digest="${{ steps.docker_build_release.outputs.digest }}" | |
image_name="quay.io/${{ github.repository_owner }}/clang:${docker_build_release_digest/:/-}.sbom" | |
docker_build_release_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)" | |
cosign sign "quay.io/${{ github.repository_owner }}/clang@${docker_build_release_sbom_digest}" | |
- name: Image Release Digest | |
if: github.event_name == 'push' | |
shell: bash | |
run: | | |
mkdir -p image-digest/ | |
job_name=clang | |
job_name_capital=${job_name^^} | |
job_name_underscored=${job_name_capital//-/_} | |
echo "${job_name_underscored}_DIGEST := \"${{ steps.docker_build_release.outputs.digest }}\"" > image-digest/makefile-digest.txt | |
echo "### clang" > image-digest/clang.txt | |
echo "" >> image-digest/clang.txt | |
echo "\`quay.io/${{ github.repository_owner }}/clang:${{ steps.tag.outputs.tag }}@${{ steps.docker_build_release.outputs.digest }}\`" >> image-digest/clang.txt | |
echo "" >> image-digest/clang.txt | |
# Upload artifact digests | |
- name: Upload artifact digests | |
if: github.event_name == 'push' | |
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 | |
with: | |
name: image-digest clang | |
path: image-digest | |
retention-days: 1 | |
image-digests: | |
if: github.event_name == 'push' && github.repository == 'cilium/tetragon' | |
name: Display Digests | |
runs-on: ubuntu-20.04 | |
needs: build-and-push | |
steps: | |
- name: Downloading Image Digests | |
shell: bash | |
run: | | |
mkdir -p image-digest/ | |
- name: Download digests of all images built | |
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
with: | |
path: image-digest/ | |
- name: Image Digests Output | |
shell: bash | |
run: | | |
cd image-digest/ | |
find -type f | sort | xargs -d '\n' cat | |