Skip to content

Merge pull request #8709 from jenkins-x/dependabot/github_actions/doc… #673

Merge pull request #8709 from jenkins-x/dependabot/github_actions/doc…

Merge pull request #8709 from jenkins-x/dependabot/github_actions/doc… #673

name: Release
permissions:
contents: read # to fetch code (actions/checkout)
jobs:
release:
if: github.repository_owner == 'jenkins-x'
runs-on: ubuntu-latest
# Only this job needs id-token: write for cosign to push signatures using keyless signing
permissions:
id-token: write
packages: write
steps:
- name: Checkout
uses: actions/checkout@v3
with:
# Only fetch last 10 commits, before we were fetching everything including v2 commits!
fetch-depth: "0"
token: ${{ secrets.GIT_BOT_TOKEN }}
- uses: fusion-engineering/setup-git-credentials@v2
with:
credentials: ${{ format('https://x-access-token:{0}@github.com/', secrets.GIT_BOT_TOKEN) }}
- name: Run coverage
run: make test-coverage
- name: Upload coverage to Codecov
uses: codecov/codecov-action@v3
with:
files: ./build/reports/cover.txt
- id: prep
name: next release version
uses: jenkins-x-plugins/jx-release-version@v2.7.6
- env:
GITHUB_TOKEN: ${{ secrets.GIT_BOT_TOKEN }}
REPO_NAME: ${{ github.event.repository.name }}
VERSION: ${{ steps.prep.outputs.version }}
name: changelog
uses: docker://ghcr.io/jenkins-x/jx-boot:latest
with:
entrypoint: .github/workflows/jenkins-x/changelog.sh
- env:
VERSION: ${{ steps.prep.outputs.version }}
GITHUB_TOKEN: ${{ secrets.GIT_BOT_TOKEN }}
REPOSITORY: ${{ github.repository }}
COSIGN_EXPERIMENTAL: "true"
name: upload-binaries
uses: docker://ghcr.io/jenkins-x/jx-goreleaser-image:1.0.0@sha256:35070795367fea9a789c1c3a138b5e32262e4253d38e47406ba9ab7833ff15b2
with:
entrypoint: .github/workflows/jenkins-x/upload-binaries.sh
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to GitHub Container Registry
uses: docker/login-action@v2
with:
registry: ghcr.io
username: jenkins-x
password: ${{ secrets.GITHUB_TOKEN }}
- name: syft-installer
uses: anchore/sbom-action/download-syft@v0.17.5
- name: cosign-installer
uses: sigstore/cosign-installer@v2.8.1
with:
cosign-release: 'v2.2.3'
- name: Build and push jx-boot
uses: docker/build-push-action@v4
id: push-jx-boot
with:
context: .
file: ./Dockerfile-boot
platforms: linux/amd64,linux/arm64
push: true
build-args: |
VERSION=${{ steps.prep.outputs.version }}
tags: |
ghcr.io/jenkins-x/jx-boot:latest
ghcr.io/jenkins-x/jx-boot:${{ steps.prep.outputs.version }}
- name: Sign the published Docker image for jx boot
# ToDo(ankitm123): Remove this when this step works, for now we want this to unblock other releases
continue-on-error: true
env:
COSIGN_EXPERIMENTAL: "true"
GITHUB_TOKEN: ${{ secrets.GIT_BOT_TOKEN }}
# ToDo: We should change this to some other user, a test account pushing images and artifacts for jx org sounds wrong!
GIT_USERNAME: jenkins-x-bot-test
DOCKER_REGISTRY_ORG: jenkins-x
run: |
cosign sign ghcr.io/"${DOCKER_REGISTRY_ORG}"/jx-boot@"${{ steps.push-jx-boot.outputs.digest }}"
- name: Generate and Push signed SBOM for jx-boot
# ToDo(ankitm123): Remove this when this step works, for now we want this to unblock other releases
continue-on-error: true
env:
GITHUB_TOKEN: ${{ secrets.GIT_BOT_TOKEN }}
GIT_USERNAME: jenkins-x-bot-test
DOCKER_REGISTRY_ORG: jenkins-x
VERSION: ${{ steps.prep.outputs.version }}
COSIGN_EXPERIMENTAL: "true"
run: |
syft ghcr.io/$DOCKER_REGISTRY_ORG/jx-boot:$VERSION --scope all-layers -o spdx-json > sbom.json
# This uploads the sbom
cosign attach sbom --sbom sbom.json ghcr.io/${DOCKER_REGISTRY_ORG}/jx-boot@${{ steps.push-jx-boot.outputs.digest }}
# This signs the sbom
cosign sign --attachment sbom ghcr.io/${DOCKER_REGISTRY_ORG}/jx-boot@${{ steps.push-jx-boot.outputs.digest }}
rm -f sbom.json
- name: Build and push jx
uses: docker/build-push-action@v4
id: push-jx
with:
context: .
file: ./Dockerfile
platforms: linux/amd64
push: true
build-args: |
VERSION=${{ steps.prep.outputs.version }}
tags: |
ghcr.io/jenkins-x/jx:latest
ghcr.io/jenkins-x/jx:${{ steps.prep.outputs.version }}
- name: Sign the published Docker image for jx
# ToDo(ankitm123): Remove this when this step works, for now we want this to unblock other releases
continue-on-error: true
env:
COSIGN_EXPERIMENTAL: "true"
GITHUB_TOKEN: ${{ secrets.GIT_BOT_TOKEN }}
# ToDo: We should change this to some other user, a test account pushing images and artifacts for jx org sounds wrong!
GIT_USERNAME: jenkins-x-bot-test
DOCKER_REGISTRY_ORG: jenkins-x
REPO_NAME: ${{ github.event.repository.name }}
run: |
cosign sign ghcr.io/$DOCKER_REGISTRY_ORG/$REPO_NAME@${{ steps.push-jx.outputs.digest }}
- name: Generate and Push signed SBOM for jx
# ToDo(ankitm123): Remove this when this step works, for now we want this to unblock other releases
continue-on-error: true
env:
GITHUB_TOKEN: ${{ secrets.GIT_BOT_TOKEN }}
GIT_USERNAME: jenkins-x-bot-test
DOCKER_REGISTRY_ORG: jenkins-x
VERSION: ${{ steps.prep.outputs.version }}
REPO_NAME: ${{ github.event.repository.name }}
COSIGN_EXPERIMENTAL: "true"
run: |
syft ghcr.io/$DOCKER_REGISTRY_ORG/$REPO_NAME:$VERSION --scope all-layers -o spdx-json > sbom.json
# This uploads the sbom
cosign attach sbom --sbom sbom.json ghcr.io/${DOCKER_REGISTRY_ORG}/${REPO_NAME}@${{ steps.push-jx.outputs.digest }}
# This signs the sbom
cosign sign --attachment sbom ghcr.io/${DOCKER_REGISTRY_ORG}/${REPO_NAME}@${{ steps.push-jx.outputs.digest }}
release2:
if: github.repository_owner == 'jenkins-x'
permissions:
id-token: write
packages: write
runs-on: ubuntu-latest
needs: release
steps:
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: "0"
token: ${{ secrets.GIT_BOT_TOKEN }}
- id: getrelease
name: getrelease
uses: pozetroninc/github-action-get-latest-release@master
with:
repository: jenkins-x/jx
- id: prep
name: prep
env:
VERSION: ${{ steps.getrelease.outputs.release }}
run: |
echo "::set-output name=version::${VERSION#v}"
- uses: fusion-engineering/setup-git-credentials@v2
with:
credentials: ${{ format('https://x-access-token:{0}@github.com/', secrets.GIT_BOT_TOKEN) }}
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to GitHub Container Registry
uses: docker/login-action@v2
with:
registry: ghcr.io
username: jenkins-x
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push jx-go
uses: docker/build-push-action@v4
with:
context: .
file: ./Dockerfile-go
platforms: linux/amd64
push: true
build-args: |
VERSION=${{ steps.prep.outputs.version }}
tags: |
ghcr.io/jenkins-x/jx-go:latest
ghcr.io/jenkins-x/jx-go:${{ steps.prep.outputs.version }}
- name: Build and push jx-go-maven
uses: docker/build-push-action@v4
with:
context: .
file: ./Dockerfile-go-maven
platforms: linux/amd64
push: true
build-args: |
VERSION=${{ steps.prep.outputs.version }}
tags: |
ghcr.io/jenkins-x/jx-go-maven:latest
ghcr.io/jenkins-x/jx-go-maven:${{ steps.prep.outputs.version }}
- env:
GIT_USERNAME: jenkins-x-bot-test
GITHUB_TOKEN: ${{ secrets.GIT_BOT_TOKEN }}
VERSION: ${{ steps.prep.outputs.version}}
XDG_CONFIG_HOME: /github/home/.config
name: promote-release
uses: docker://ghcr.io/jenkins-x/jx-updatebot:0.1.3
with:
args: pr --git-credentials
"on":
push:
branches:
- main
- master