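# Build, sign and deploy pipeline for the tokendings image.
#
# Flow: Gradle build -> verify the distroless base image signature ->
# generate a CycloneDX SBOM -> build/push/sign the image -> deploy to dev-gcp
# -> deploy to prod-gcp. Both deploy jobs consume the image reference emitted
# by the build job, so prod deploys exactly the artifact that dev ran.
#
# Third-party actions are pinned to commit SHAs. The trailing `# ratchet:...`
# comments are read by the ratchet pinning tool and must be kept verbatim.
name: Build, push and sign

on: # yamllint disable-line rule:truthy
  push:
    branches:
      - master
    paths-ignore:
      - "*.md"

# Least privilege for GITHUB_TOKEN: jobs that do not declare their own
# `permissions` block (the two deploy jobs) fall back to this read-only default
# instead of the repository-wide default. Checkout only needs contents:read;
# the deploy action is given its own APIKEY secret below. Widen per job only
# if a step demonstrably needs more.
permissions:
  contents: read

jobs:
  build_push_sign:
    permissions:
      contents: "read"
      id-token: "write"   # OIDC token for workload identity federation / keyless signing
      packages: "write"   # needed to push to GHCR (push_ghcr: true below)
    outputs:
      # Image reference produced by the build-push-sign step; consumed by both
      # deploy jobs via needs.build_push_sign.outputs.img_to_deploy.
      img_to_deploy: ${{ steps.build-push-sign.outputs.tag }}
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # ratchet:actions/checkout@v3
      - name: Set up JDK 17
        uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 # ratchet:actions/setup-java@v3
        with:
          java-version: '17'
          distribution: 'temurin'
          cache: 'gradle'
      # Rejects a tampered gradle-wrapper.jar before any Gradle invocation.
      - name: Verify Gradle wrapper checksum
        uses: gradle/wrapper-validation-action@8d49e559aae34d3e0eb16cde532684bc9702762b # ratchet:gradle/wrapper-validation-action@v1
      - name: Build with Gradle
        run: ./gradlew build
      - uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # ratchet:sigstore/cosign-installer@v3.1.1
      # Keyless verification of the distroless base image against its
      # publisher identity and OIDC issuer.
      # NOTE(review): this checks whatever the tag resolves to at this moment;
      # the image build resolves the base image on its own, so the verification
      # only binds to what gets built if the build references the base by
      # digest as well -- confirm in the build definition.
      - name: Verify distroless base image
        run: |
          cosign verify \
            --certificate-identity "keyless@distroless.iam.gserviceaccount.com" \
            --certificate-oidc-issuer "https://accounts.google.com" \
            gcr.io/distroless/java17
      - name: Create SBOM
        run: ./gradlew cyclonedxBom
      # Deliberately unpinned (ratchet:exclude): this org-internal action tracks
      # `main`. Whoever can push to that branch controls code that runs with
      # this job's OIDC token, packages:write and the WIF secret; the risk is
      # governed by that repository's branch protection, not by this file.
      - name: "Build and push image"
        uses: nais/platform-build-push-sign@main # ratchet:exclude
        id: build-push-sign
        with:
          name: tokendings
          google_service_account: gh-tokendings
          workload_identity_provider: ${{ secrets.NAIS_IO_WORKLOAD_IDENTITY_PROVIDER }}
          push_ghcr: true
          sbom: build/reports/bom.json   # expected to be written by the cyclonedxBom task above
          multi-platform: true

  deploy-dev-gcp:
    name: Deploy to dev-gcp
    needs: build_push_sign
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # ratchet:actions/checkout@v3
      - uses: nais/deploy/actions/deploy@913eb0f92e9d132dbe0cbba3390a340675849f30 # ratchet:nais/deploy/actions/deploy@v1
        env:
          APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }}
          CLUSTER: dev-gcp
          RESOURCE: .nais/nais.yml,.nais/alerts.yml,.nais/configmap.yml
          VARS: .nais/dev-gcp-vars.yml
          IMAGE: ${{ needs.build_push_sign.outputs.img_to_deploy }}

  # Gated on the dev deploy succeeding, not only on the build.
  deploy-prod-gcp:
    name: Deploy to prod-gcp
    needs: [build_push_sign, deploy-dev-gcp]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # ratchet:actions/checkout@v3
      - uses: nais/deploy/actions/deploy@913eb0f92e9d132dbe0cbba3390a340675849f30 # ratchet:nais/deploy/actions/deploy@v1
        env:
          APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }}
          CLUSTER: prod-gcp
          # NOTE(review): prod omits .nais/configmap.yml that dev applies -- confirm intentional.
          RESOURCE: .nais/nais.yml,.nais/alerts.yml
          VARS: .nais/prod-gcp-vars.yml
          IMAGE: ${{ needs.build_push_sign.outputs.img_to_deploy }}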