Skip to content

Bump docker/login-action from 2.1.0 to 2.2.0 #139

Bump docker/login-action from 2.1.0 to 2.2.0

Bump docker/login-action from 2.1.0 to 2.2.0 #139

Workflow file for this run

name: Create docker image
on:
push:
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
env:
GOOGLE_REGISTRY: europe-north1-docker.pkg.dev
EARTHLY_USE_INLINE_CACHE: true
EARTHLY_SAVE_INLINE_CACHE: true
EARTHLY_VERBOSE: true
EARTHLY_FULL_TARGET: true
EARTHLY_OUTPUT: true
FEATURE: aiven-poke
jobs:
version:
name: Version
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # ratchet:actions/checkout@v3
- name: Generate image environment variable
id: set-image-tag
run: |
version="$(date +%Y%m%d%H%M%S)-$(git describe --always --dirty --exclude '*')"
echo "version=${version}" >> $GITHUB_OUTPUT
outputs:
version: ${{ steps.set-image-tag.outputs.version }}
build:
runs-on: ubuntu-latest
needs:
- version
permissions:
contents: "read"
id-token: "write"
packages: "write"
steps:
- name: Install earthly
uses: earthly/actions-setup@135d686cdc4619918fd1b542d0a08d61dd104518 # ratchet:earthly/actions-setup@v1
with:
version: "latest" # or pin to an specific version, e.g. "v0.6.10"
- name: Install cosign
uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # ratchet:sigstore/cosign-installer@main
with:
cosign-release: 'v2.0.0'
- name: Verify runner image
run: cosign verify --certificate-identity https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main --certificate-oidc-issuer https://token.actions.githubusercontent.com cgr.dev/chainguard/python:3.11
- name: Checkout
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # ratchet:actions/checkout@v3
- id: "auth"
name: "Authenticate to Google Cloud"
if: github.ref == 'refs/heads/main'
uses: "google-github-actions/auth@v1.1.1" # ratchet:google-github-actions/auth@v1.0.0
with:
workload_identity_provider: ${{ secrets.NAIS_IO_WORKLOAD_IDENTITY_PROVIDER }}
service_account: "gh-aiven-poke@nais-io.iam.gserviceaccount.com"
token_format: "access_token"
- name: Login to Google Artifact Registry
if: github.ref == 'refs/heads/main'
uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # ratchet:docker/login-action@v2
with:
registry: ${{ env.GOOGLE_REGISTRY }}
username: "oauth2accesstoken"
password: "${{ steps.auth.outputs.access_token }}"
- name: "Set image tag"
id: set-image-tag
run: |
export IMAGE_TAG="${{ needs.version.outputs.version }}"
echo "IMAGE_TAG=${IMAGE_TAG}" >> ${GITHUB_ENV}
export IMAGE="${GOOGLE_REGISTRY}/nais-io/nais/images/${FEATURE}"
echo "IMAGE=${IMAGE}" >> $GITHUB_ENV
- name: Build and possibly push
env:
EARTHLY_PUSH: "${{ github.ref == 'refs/heads/main' }}"
run: |
earthly --version
earthly --verbose +docker --IMAGE_TAG="${IMAGE_TAG}" --BASEIMAGE="${IMAGE}"
- name: Retrieve image digest
id: imgdigest
if: github.ref == 'refs/heads/main'
run: |
docker pull ${IMAGE}:${IMAGE_TAG}
echo "digest=$(docker inspect ${IMAGE}:${IMAGE_TAG} | jq -r '.[].RepoDigests[0]')" >> $GITHUB_OUTPUT
- name: Sign the container image
if: github.ref == 'refs/heads/main'
run: cosign sign --yes ${{ steps.imgdigest.outputs.digest }}
- name: Create SBOM
if: github.ref == 'refs/heads/main'
run: |
sudo apt-get update && sudo apt-get install -y python3-pip
pip3 install cyclonedx-bom
cyclonedx-py -p --format json -o sbom.json
- name: Attest image
if: github.ref == 'refs/heads/main'
run: cosign attest --yes --predicate sbom.json --type cyclonedx ${{ steps.imgdigest.outputs.digest }}
chart:
permissions:
contents: 'read'
id-token: 'write'
name: Build and push chart
runs-on: ubuntu-latest
needs:
- version
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # ratchet:actions/checkout@v3
- id: 'auth'
name: 'Authenticate to Google Cloud'
uses: 'google-github-actions/auth@35b0e87d162680511bf346c299f71c9c5c379033' # ratchet:google-github-actions/auth@v1.1.1
with:
workload_identity_provider: ${{ secrets.NAIS_IO_WORKLOAD_IDENTITY_PROVIDER }}
service_account: 'gh-aiven-poke@nais-io.iam.gserviceaccount.com'
token_format: 'access_token'
- name: 'Set up Cloud SDK'
uses: 'google-github-actions/setup-gcloud@e30db14379863a8c79331b04a9969f4c1e225e0b' # ratchet:google-github-actions/setup-gcloud@v1
- name: 'Log in to Google Artifact Registry'
run: |-
echo '${{ steps.auth.outputs.access_token }}' | docker login -u oauth2accesstoken --password-stdin https://${{ env.GOOGLE_REGISTRY }}
- uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # ratchet:azure/setup-helm@v3
name: 'Setup Helm'
with:
version: '3.8.0'
- name: Set versions
run: |-
for chart in charts/*; do
yq e '.version = "${{ needs.version.outputs.version }}"' --inplace "${chart}/Chart.yaml"
yq e '.image.tag = "${{ needs.version.outputs.version }}"' --inplace "${chart}/values.yaml"
done
- name: Build Chart
run: |-
for chart in charts/*; do
helm package "$chart"
done
- name: Push Chart
run: |-
for chart in *.tgz; do
helm push "$chart" oci://${{ env.GOOGLE_REGISTRY }}/nais-io/nais/feature
done
rollout:
name: Rollout
if: github.actor != 'dependabot[bot]' && github.ref == 'refs/heads/main'
needs:
- version
- build
- chart
runs-on: fasit-deploy
permissions:
id-token: write
steps:
- uses: nais/fasit-deploy@badff0705af8a57bcf0ab172895273da09ae5959 # ratchet:nais/fasit-deploy@v2
with:
chart: oci://${{ env.GOOGLE_REGISTRY }}/nais-io/nais/feature/${{ env.FEATURE }}
version: ${{ needs.version.outputs.version }}
feature_name: ${{ env.FEATURE }}