Merge pull request #138 from mlbiam/main #197
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build OpenUnison | |
| on: | |
| push: | |
| branches: | |
| - 'main' | |
| permissions: | |
| id-token: write | |
| packages: write | |
| jobs: | |
| build: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v1 | |
| - name: Set up JDK 21 | |
| uses: actions/setup-java@v2 | |
| with: | |
| java-version: "21" | |
| distribution: temurin | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v1 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v1 | |
| - uses: actions/checkout@v1 | |
| - name: Install Skopeo | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y skopeo | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@main | |
| - name: generate tag | |
| run: |- | |
| export PROJ_VERSION=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout) | |
| echo "Project Version: $PROJ_VERSION" | |
| echo "TAG=$PROJ_VERSION-$(echo $GITHUB_SHA | cut -c 1-6)" >> $GITHUB_ENV | |
| echo "SHORT_TAG=$PROJ_VERSION" >> $GITHUB_ENV | |
| - name: Login to container Registry | |
| uses: docker/login-action@v2 | |
| with: | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| registry: ghcr.io | |
| - name: Login to DockerHub | |
| uses: docker/login-action@v1 | |
| with: | |
| username: ${{ secrets.OU_REG_USER }} | |
| password: ${{ secrets.OU_REG_PASSWORD }} | |
| - name: downcase REPO | |
| run: | | |
| echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV} | |
| - name: Build with Maven | |
| run: mvn -B clean package --file pom.xml | |
| - name: deploy with jib | |
| run: | | |
| echo $OU_CONTAINER_DEST | |
| mvn compile jib:build --file pom.xml -Djib.httpTimeout=600000 | |
| env: | |
| OU_CONTAINER_DEST: "ghcr.io/${{ env.REPO }}:${{ env.TAG }}" | |
| OU_REG_USER: "${{ github.repository_owner }}" | |
| OU_REG_PASSWORD: "${{ secrets.GITHUB_TOKEN }}" | |
| - name: tag images to short tag and latest | |
| run: |- | |
| docker pull --platform linux/amd64 ghcr.io/${{ env.REPO }}:${{ env.TAG }} | |
| docker pull --platform linux/arm64 ghcr.io/${{ env.REPO }}:${{ env.TAG }} | |
| skopeo copy --all \ | |
| docker://ghcr.io/${{ env.REPO }}:${{ env.TAG }} \ | |
| docker://ghcr.io/${{ env.REPO }}:latest | |
| skopeo copy --all \ | |
| docker://ghcr.io/${{ env.REPO }}:${{ env.TAG }} \ | |
| docker://ghcr.io/${{ env.REPO }}:${{ env.SHORT_TAG }} | |
| # push images to docker | |
| skopeo copy --all \ | |
| docker://ghcr.io/${{ env.REPO }}:${{ env.TAG }} \ | |
| docker://${{ secrets.OU_CONTAINER_REPO }}:latest | |
| skopeo copy --all \ | |
| docker://ghcr.io/${{ env.REPO }}:${{ env.TAG }} \ | |
| docker://${{ secrets.OU_CONTAINER_REPO }}:${{ env.SHORT_TAG }} | |
| skopeo copy --all \ | |
| docker://ghcr.io/${{ env.REPO }}:${{ env.TAG }} \ | |
| docker://${{ secrets.OU_CONTAINER_REPO }}:${{ env.TAG }} | |
| - name: sign images | |
| run: |- | |
| cosign sign -y ghcr.io/${{ env.REPO }}:${{ env.TAG }} | |
| - uses: anchore/sbom-action@v0 | |
| with: | |
| image: ghcr.io/${{ env.REPO }}:${{ env.TAG }} | |
| format: spdx | |
| output-file: /tmp/spdxg | |
| - name: attach sbom to images | |
| run: |- | |
| cosign attach sbom --sbom /tmp/spdxg ghcr.io/${{ env.REPO }}:${{ env.TAG }} | |
| GH_SBOM_SHA=$(cosign verify --certificate-oidc-issuer-regexp='.*' --certificate-identity-regexp='.*' ghcr.io/${{ env.REPO }}:${{ env.TAG }} 2>/dev/null | jq -r '.[0].critical.image["docker-manifest-digest"]' | cut -c 8-) | |
| cosign sign -y ghcr.io/${{ env.REPO }}:sha256-$GH_SBOM_SHA.sbom | |