Merge pull request #8708 from jenkins-x/dependabot/github_actions/anc… #672
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Release | |
permissions: | |
contents: read # to fetch code (actions/checkout) | |
jobs: | |
release: | |
if: github.repository_owner == 'jenkins-x' | |
runs-on: ubuntu-latest | |
# Only this job needs id-token: write for cosign to push signatures using keyless signing | |
permissions: | |
id-token: write | |
packages: write | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
with: | |
# Only fetch last 10 commits, before we were fetching everything including v2 commits! | |
fetch-depth: "0" | |
token: ${{ secrets.GIT_BOT_TOKEN }} | |
- uses: fusion-engineering/setup-git-credentials@v2 | |
with: | |
credentials: ${{ format('https://x-access-token:{0}@github.com/', secrets.GIT_BOT_TOKEN) }} | |
- name: Run coverage | |
run: make test-coverage | |
- name: Upload coverage to Codecov | |
uses: codecov/codecov-action@v3 | |
with: | |
files: ./build/reports/cover.txt | |
- id: prep | |
name: next release version | |
uses: jenkins-x-plugins/jx-release-version@v2.7.6 | |
- env: | |
GITHUB_TOKEN: ${{ secrets.GIT_BOT_TOKEN }} | |
REPO_NAME: ${{ github.event.repository.name }} | |
VERSION: ${{ steps.prep.outputs.version }} | |
name: changelog | |
uses: docker://ghcr.io/jenkins-x/jx-boot:latest | |
with: | |
entrypoint: .github/workflows/jenkins-x/changelog.sh | |
- env: | |
VERSION: ${{ steps.prep.outputs.version }} | |
GITHUB_TOKEN: ${{ secrets.GIT_BOT_TOKEN }} | |
REPOSITORY: ${{ github.repository }} | |
COSIGN_EXPERIMENTAL: "true" | |
name: upload-binaries | |
uses: docker://ghcr.io/jenkins-x/jx-goreleaser-image:1.0.0@sha256:35070795367fea9a789c1c3a138b5e32262e4253d38e47406ba9ab7833ff15b2 | |
with: | |
entrypoint: .github/workflows/jenkins-x/upload-binaries.sh | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v2 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v2 | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@v2 | |
with: | |
registry: ghcr.io | |
username: jenkins-x | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: syft-installer | |
uses: anchore/sbom-action/download-syft@v0.17.5 | |
- name: cosign-installer | |
uses: sigstore/cosign-installer@v2.8.1 | |
with: | |
cosign-release: 'v2.2.3' | |
- name: Build and push jx-boot | |
uses: docker/build-push-action@v4 | |
id: push-jx-boot | |
with: | |
context: . | |
file: ./Dockerfile-boot | |
platforms: linux/amd64,linux/arm64 | |
push: true | |
build-args: | | |
VERSION=${{ steps.prep.outputs.version }} | |
tags: | | |
ghcr.io/jenkins-x/jx-boot:latest | |
ghcr.io/jenkins-x/jx-boot:${{ steps.prep.outputs.version }} | |
- name: Sign the published Docker image for jx boot | |
# ToDo(ankitm123): Remove this when this step works, for now we want this to unblock other releases | |
continue-on-error: true | |
env: | |
COSIGN_EXPERIMENTAL: "true" | |
GITHUB_TOKEN: ${{ secrets.GIT_BOT_TOKEN }} | |
# ToDo: We should change this to some other user, a test account pushing images and artifacts for jx org sounds wrong! | |
GIT_USERNAME: jenkins-x-bot-test | |
DOCKER_REGISTRY_ORG: jenkins-x | |
run: | | |
cosign sign ghcr.io/"${DOCKER_REGISTRY_ORG}"/jx-boot@"${{ steps.push-jx-boot.outputs.digest }}" | |
- name: Generate and Push signed SBOM for jx-boot | |
# ToDo(ankitm123): Remove this when this step works, for now we want this to unblock other releases | |
continue-on-error: true | |
env: | |
GITHUB_TOKEN: ${{ secrets.GIT_BOT_TOKEN }} | |
GIT_USERNAME: jenkins-x-bot-test | |
DOCKER_REGISTRY_ORG: jenkins-x | |
VERSION: ${{ steps.prep.outputs.version }} | |
COSIGN_EXPERIMENTAL: "true" | |
run: | | |
syft ghcr.io/$DOCKER_REGISTRY_ORG/jx-boot:$VERSION --scope all-layers -o spdx-json > sbom.json | |
# This uploads the sbom | |
cosign attach sbom --sbom sbom.json ghcr.io/${DOCKER_REGISTRY_ORG}/jx-boot@${{ steps.push-jx-boot.outputs.digest }} | |
# This signs the sbom | |
cosign sign --attachment sbom ghcr.io/${DOCKER_REGISTRY_ORG}/jx-boot@${{ steps.push-jx-boot.outputs.digest }} | |
rm -f sbom.json | |
- name: Build and push jx | |
uses: docker/build-push-action@v4 | |
id: push-jx | |
with: | |
context: . | |
file: ./Dockerfile | |
platforms: linux/amd64 | |
push: true | |
build-args: | | |
VERSION=${{ steps.prep.outputs.version }} | |
tags: | | |
ghcr.io/jenkins-x/jx:latest | |
ghcr.io/jenkins-x/jx:${{ steps.prep.outputs.version }} | |
- name: Sign the published Docker image for jx | |
# ToDo(ankitm123): Remove this when this step works, for now we want this to unblock other releases | |
continue-on-error: true | |
env: | |
COSIGN_EXPERIMENTAL: "true" | |
GITHUB_TOKEN: ${{ secrets.GIT_BOT_TOKEN }} | |
# ToDo: We should change this to some other user, a test account pushing images and artifacts for jx org sounds wrong! | |
GIT_USERNAME: jenkins-x-bot-test | |
DOCKER_REGISTRY_ORG: jenkins-x | |
REPO_NAME: ${{ github.event.repository.name }} | |
run: | | |
cosign sign ghcr.io/$DOCKER_REGISTRY_ORG/$REPO_NAME@${{ steps.push-jx.outputs.digest }} | |
- name: Generate and Push signed SBOM for jx | |
# ToDo(ankitm123): Remove this when this step works, for now we want this to unblock other releases | |
continue-on-error: true | |
env: | |
GITHUB_TOKEN: ${{ secrets.GIT_BOT_TOKEN }} | |
GIT_USERNAME: jenkins-x-bot-test | |
DOCKER_REGISTRY_ORG: jenkins-x | |
VERSION: ${{ steps.prep.outputs.version }} | |
REPO_NAME: ${{ github.event.repository.name }} | |
COSIGN_EXPERIMENTAL: "true" | |
run: | | |
syft ghcr.io/$DOCKER_REGISTRY_ORG/$REPO_NAME:$VERSION --scope all-layers -o spdx-json > sbom.json | |
# This uploads the sbom | |
cosign attach sbom --sbom sbom.json ghcr.io/${DOCKER_REGISTRY_ORG}/${REPO_NAME}@${{ steps.push-jx.outputs.digest }} | |
# This signs the sbom | |
cosign sign --attachment sbom ghcr.io/${DOCKER_REGISTRY_ORG}/${REPO_NAME}@${{ steps.push-jx.outputs.digest }} | |
release2: | |
if: github.repository_owner == 'jenkins-x' | |
permissions: | |
id-token: write | |
packages: write | |
runs-on: ubuntu-latest | |
needs: release | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
with: | |
fetch-depth: "0" | |
token: ${{ secrets.GIT_BOT_TOKEN }} | |
- id: getrelease | |
name: getrelease | |
uses: pozetroninc/github-action-get-latest-release@master | |
with: | |
repository: jenkins-x/jx | |
- id: prep | |
name: prep | |
env: | |
VERSION: ${{ steps.getrelease.outputs.release }} | |
run: | | |
echo "::set-output name=version::${VERSION#v}" | |
- uses: fusion-engineering/setup-git-credentials@v2 | |
with: | |
credentials: ${{ format('https://x-access-token:{0}@github.com/', secrets.GIT_BOT_TOKEN) }} | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v2 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v2 | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@v2 | |
with: | |
registry: ghcr.io | |
username: jenkins-x | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Build and push jx-go | |
uses: docker/build-push-action@v4 | |
with: | |
context: . | |
file: ./Dockerfile-go | |
platforms: linux/amd64 | |
push: true | |
build-args: | | |
VERSION=${{ steps.prep.outputs.version }} | |
tags: | | |
ghcr.io/jenkins-x/jx-go:latest | |
ghcr.io/jenkins-x/jx-go:${{ steps.prep.outputs.version }} | |
- name: Build and push jx-go-maven | |
uses: docker/build-push-action@v4 | |
with: | |
context: . | |
file: ./Dockerfile-go-maven | |
platforms: linux/amd64 | |
push: true | |
build-args: | | |
VERSION=${{ steps.prep.outputs.version }} | |
tags: | | |
ghcr.io/jenkins-x/jx-go-maven:latest | |
ghcr.io/jenkins-x/jx-go-maven:${{ steps.prep.outputs.version }} | |
- env: | |
GIT_USERNAME: jenkins-x-bot-test | |
GITHUB_TOKEN: ${{ secrets.GIT_BOT_TOKEN }} | |
VERSION: ${{ steps.prep.outputs.version}} | |
XDG_CONFIG_HOME: /github/home/.config | |
name: promote-release | |
uses: docker://ghcr.io/jenkins-x/jx-updatebot:0.1.3 | |
with: | |
args: pr --git-credentials | |
"on": | |
push: | |
branches: | |
- main | |
- master |