-
Notifications
You must be signed in to change notification settings - Fork 0
158 lines (140 loc) · 4.43 KB
/
ubuntu.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
name: ubuntu
on:
push:
branches-ignore:
- "renovate/**"
paths:
- "ubuntu/**"
- "!ubuntu/*/README.md"
- ".github/workflows/ubuntu.yml"
pull_request:
types:
- opened
- synchronize
- labeled
- reopened
paths:
- "ubuntu/**"
- "!ubuntu/*/README.md"
- ".github/workflows/ubuntu.yml"
schedule:
- cron: '0 7 * * *'
workflow_dispatch:
concurrency:
group: ${{ github.workflow }}
cancel-in-progress: true
jobs:
build:
name: docker-build
permissions:
packages: write
id-token: write
runs-on: ubuntu-24.04
env:
REGISTRY: ghcr.io
IMAGE_NAME: ubuntu
strategy:
matrix:
IMAGE_TAG:
- 22.04
- 24.04
- rolling
outputs:
image: ${{ steps.metadata.outputs.image }}
digest2204: ${{ steps.metadata.outputs.digest2204 }}
digest2404: ${{ steps.metadata.outputs.digest2404 }}
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set SOURCE_DATE_EPOCH
id: set-source-date-epoch
run: |
git log -1 ubuntu/Dockerfile
echo "SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct ubuntu/Dockerfile)" >>"${GITHUB_OUTPUT}"
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build
id: build
uses: docker/build-push-action@v6
env:
SOURCE_DATE_EPOCH: ${{ steps.set-source-date-epoch.outputs.SOURCE_DATE_EPOCH }}
with:
context: ubuntu
platforms: linux/amd64,linux/arm64
provenance: true
sbom: true
cache-from: ${{ env.REGISTRY }}/${{ github.repository }}/${{ env.IMAGE_NAME }}:${{ matrix.IMAGE_TAG }}
build-args: |
VERSION=${{ matrix.IMAGE_TAG }}
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ env.REGISTRY }}/${{ github.repository }}/${{ env.IMAGE_NAME }}:${{ matrix.IMAGE_TAG }}
- name: Pass metadata
id: metadata
run: |
echo "image=${{ env.REGISTRY }}/${{ github.repository }}/${{ env.IMAGE_NAME }}" >>"$GITHUB_OUTPUT"
echo "digest${{ matrix.IMAGE_TAG }}=${{ steps.build.outputs.digest }}" | tr -d '.' >>"$GITHUB_OUTPUT"
- name: Install cosign
if: ${{ github.event_name != 'pull_request' }}
uses: sigstore/cosign-installer@v3
- name: Sign
if: ${{ github.event_name != 'pull_request' }}
env:
COSIGN_EXPERIMENTAL: "true"
run: cosign sign -y ${{ env.REGISTRY }}/${{ github.repository }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}
- name: Run Trivy vulnerability scanner
if: ${{ github.event_name != 'pull_request' }}
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.REGISTRY }}/${{ github.repository }}/${{ env.IMAGE_NAME }}:${{ matrix.IMAGE_TAG }}
format: 'table'
exit-code: '1'
ignore-unfixed: true
severity: 'CRITICAL,HIGH'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
transform:
if: ${{ github.event_name != 'pull_request' }}
needs:
- build
runs-on: ubuntu-24.04
outputs:
images: ${{ steps.transform.outputs.images }}
steps:
- name: transform
id: transform
run: |
echo '${{ toJSON(needs.build.outputs) }}' >outputs.json
cat outputs.json
IMAGES_JSON="$(
jq --compact-output --raw-output '. as $everything | [ to_entries[] | select(.key | startswith("digest")) | {"image": $everything.image, "digest": .value}] | "images=\(.)"' outputs.json
)"
echo ${IMAGES_JSON}
echo ${IMAGES_JSON} >>"$GITHUB_OUTPUT"
provenance:
if: ${{ github.event_name != 'pull_request' }}
needs:
- transform
permissions:
actions: read
id-token: write
packages: write
strategy:
matrix:
images: ${{ fromJson(needs.transform.outputs.images) }}
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
with:
image: ${{ matrix.images.image }}
digest: ${{ matrix.images.digest }}
registry-username: ${{ github.actor }}
secrets:
registry-password: ${{ secrets.GITHUB_TOKEN }}