Bump actions/checkout from 3 to 4 #157
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Create docker image | |
on: | |
push: | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: true | |
env: | |
GOOGLE_REGISTRY: europe-north1-docker.pkg.dev | |
EARTHLY_USE_INLINE_CACHE: true | |
EARTHLY_SAVE_INLINE_CACHE: true | |
EARTHLY_VERBOSE: true | |
EARTHLY_FULL_TARGET: true | |
EARTHLY_OUTPUT: true | |
FEATURE: aiven-poke | |
jobs: | |
version: | |
name: Version | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 # ratchet:actions/checkout@v3 | |
- name: Generate image environment variable | |
id: set-image-tag | |
run: | | |
version="$(date +%Y%m%d%H%M%S)-$(git describe --always --dirty --exclude '*')" | |
echo "version=${version}" >> $GITHUB_OUTPUT | |
outputs: | |
version: ${{ steps.set-image-tag.outputs.version }} | |
build: | |
runs-on: ubuntu-latest | |
needs: | |
- version | |
permissions: | |
contents: "read" | |
id-token: "write" | |
packages: "write" | |
steps: | |
- name: Install earthly | |
uses: earthly/actions-setup@135d686cdc4619918fd1b542d0a08d61dd104518 # ratchet:earthly/actions-setup@v1 | |
with: | |
version: "latest" # or pin to an specific version, e.g. "v0.6.10" | |
- name: Install cosign | |
uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # ratchet:sigstore/cosign-installer@main | |
with: | |
cosign-release: 'v2.0.0' | |
- name: Checkout | |
uses: actions/checkout@v4 # ratchet:actions/checkout@v3 | |
- id: "auth" | |
name: "Authenticate to Google Cloud" | |
if: github.ref == 'refs/heads/main' | |
uses: "google-github-actions/auth@v1.1.1" # ratchet:google-github-actions/auth@v1.0.0 | |
with: | |
workload_identity_provider: ${{ secrets.NAIS_IO_WORKLOAD_IDENTITY_PROVIDER }} | |
service_account: "gh-aiven-poke@nais-io.iam.gserviceaccount.com" | |
token_format: "access_token" | |
- name: Login to Google Artifact Registry | |
if: github.ref == 'refs/heads/main' | |
uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # ratchet:docker/login-action@v2 | |
with: | |
registry: ${{ env.GOOGLE_REGISTRY }} | |
username: "oauth2accesstoken" | |
password: "${{ steps.auth.outputs.access_token }}" | |
- name: "Set image tag" | |
id: set-image-tag | |
run: | | |
export IMAGE_TAG="${{ needs.version.outputs.version }}" | |
echo "IMAGE_TAG=${IMAGE_TAG}" >> ${GITHUB_ENV} | |
export IMAGE="${GOOGLE_REGISTRY}/nais-io/nais/images/${FEATURE}" | |
echo "IMAGE=${IMAGE}" >> $GITHUB_ENV | |
- name: Build and possibly push | |
env: | |
EARTHLY_PUSH: "${{ github.ref == 'refs/heads/main' }}" | |
run: | | |
earthly --version | |
earthly --verbose +docker --IMAGE_TAG="${IMAGE_TAG}" --BASEIMAGE="${IMAGE}" | |
- name: Retrieve image digest | |
id: imgdigest | |
if: github.ref == 'refs/heads/main' | |
run: | | |
docker pull ${IMAGE}:${IMAGE_TAG} | |
echo "digest=$(docker inspect ${IMAGE}:${IMAGE_TAG} | jq -r '.[].RepoDigests[0]')" >> $GITHUB_OUTPUT | |
- name: Sign the container image | |
if: github.ref == 'refs/heads/main' | |
run: cosign sign --yes ${{ steps.imgdigest.outputs.digest }} | |
- name: Create SBOM | |
if: github.ref == 'refs/heads/main' | |
run: | | |
sudo apt-get update && sudo apt-get install -y python3-pip | |
pip3 install cyclonedx-bom | |
cyclonedx-py -p --format json -o sbom.json | |
- name: Attest image | |
if: github.ref == 'refs/heads/main' | |
run: cosign attest --yes --predicate sbom.json --type cyclonedx ${{ steps.imgdigest.outputs.digest }} | |
chart: | |
permissions: | |
contents: 'read' | |
id-token: 'write' | |
name: Build and push chart | |
runs-on: ubuntu-latest | |
needs: | |
- version | |
steps: | |
- uses: actions/checkout@v4 # ratchet:actions/checkout@v3 | |
- id: 'auth' | |
if: github.ref == 'refs/heads/main' | |
name: 'Authenticate to Google Cloud' | |
uses: 'google-github-actions/auth@35b0e87d162680511bf346c299f71c9c5c379033' # ratchet:google-github-actions/auth@v1.1.1 | |
with: | |
workload_identity_provider: ${{ secrets.NAIS_IO_WORKLOAD_IDENTITY_PROVIDER }} | |
service_account: 'gh-aiven-poke@nais-io.iam.gserviceaccount.com' | |
token_format: 'access_token' | |
- name: 'Set up Cloud SDK' | |
uses: 'google-github-actions/setup-gcloud@e30db14379863a8c79331b04a9969f4c1e225e0b' # ratchet:google-github-actions/setup-gcloud@v1 | |
- name: 'Log in to Google Artifact Registry' | |
if: github.ref == 'refs/heads/main' | |
run: |- | |
echo '${{ steps.auth.outputs.access_token }}' | docker login -u oauth2accesstoken --password-stdin https://${{ env.GOOGLE_REGISTRY }} | |
- uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # ratchet:azure/setup-helm@v3 | |
name: 'Setup Helm' | |
with: | |
version: '3.8.0' | |
- name: Set versions | |
run: |- | |
for chart in charts/*; do | |
yq e '.version = "${{ needs.version.outputs.version }}"' --inplace "${chart}/Chart.yaml" | |
yq e '.image.tag = "${{ needs.version.outputs.version }}"' --inplace "${chart}/values.yaml" | |
done | |
- name: Build Chart | |
run: |- | |
for chart in charts/*; do | |
helm package "$chart" | |
done | |
- name: Push Chart | |
if: github.ref == 'refs/heads/main' | |
run: |- | |
for chart in *.tgz; do | |
helm push "$chart" oci://${{ env.GOOGLE_REGISTRY }}/nais-io/nais/feature | |
done | |
rollout: | |
name: Rollout | |
if: github.actor != 'dependabot[bot]' && github.ref == 'refs/heads/main' | |
needs: | |
- version | |
- build | |
- chart | |
runs-on: fasit-deploy | |
permissions: | |
id-token: write | |
steps: | |
- uses: nais/fasit-deploy@badff0705af8a57bcf0ab172895273da09ae5959 # ratchet:nais/fasit-deploy@v2 | |
with: | |
chart: oci://${{ env.GOOGLE_REGISTRY }}/nais-io/nais/feature/${{ env.FEATURE }} | |
version: ${{ needs.version.outputs.version }} | |
feature_name: ${{ env.FEATURE }} |