-
Notifications
You must be signed in to change notification settings - Fork 3
125 lines (108 loc) · 3.83 KB
/
release.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
on:
push:
branches:
- main
paths-ignore:
- LICENSE
- README.md
- build-local.sh
- update-versions.sh
schedule:
- cron: "0 0 * * 0"
workflow_dispatch: {}
name: Create Release
concurrency: release
jobs:
build:
name: Release OCI image
runs-on: ubuntu-latest
permissions:
id-token: write
packages: write
contents: read
steps:
- uses: actions/checkout@v3
- uses: sigstore/cosign-installer@main
with:
cosign-release: v1.13.1
- uses: docker/setup-qemu-action@v2.1.0
- uses: imjasonh/setup-crane@v0.3
- uses: chainguard-dev/actions/setup-melange@main
- run: |
echo "$SIGNING_KEY" >${{ github.workspace }}/melange.rsa
echo "$SIGNING_KEY_PUB" >${{ github.workspace }}/melange.rsa.pub
env:
SIGNING_KEY: ${{ secrets.MELANGE_SIGNING_KEY }}
SIGNING_KEY_PUB: ${{ secrets.MELANGE_SIGNING_KEY_PUB }}
- name: Download binaries
run: ./download.sh
- name: Verify sha256 checksums
run: sha256sum -c DIGESTS
- name: Strip binaries
run: |
sudo apt-get update -q
sudo apt-get install -qy binutils-aarch64-linux-gnu
strip *-amd64
aarch64-linux-gnu-strip *-arm64
- name: Compress binaries with UPX
run: |
curl -fsL -o /tmp/upx.txz https://github.com/upx/upx/releases/download/v4.0.1/upx-4.0.1-amd64_linux.tar.xz
echo "3fb999c3ab2b5c169911267768eebed584ce90d16c1baec30dc9c6632db2cc00 /tmp/upx.txz" | sha256sum -c -
tar -C /tmp -xJf /tmp/upx.txz
chmod +x *-amd64 *-arm64
echo *-amd64 *-arm64 | xargs -n1 -P0 /tmp/upx-4.0.1-amd64_linux/upx -q -9
- uses: chainguard-dev/actions/melange-build-pkg@main
with:
config: melange.yaml
archs: x86_64,aarch64
sign-with-key: true
signing-key-path: ${{ github.workspace }}/melange.rsa
keyring-append: ${{ github.workspace }}/melange.rsa.pub
update-index: true
- uses: chainguard-images/actions/apko-build@main
with:
config: apko.yaml
tag: distroless-k8s-test
keyring-append: melange.rsa.pub
archs: x86_64
- name: load image for testing
run: docker load -i output.tar
- name: run structure tests
uses: plexsystems/container-structure-test-action@v0.3.0
with:
image: distroless-k8s-test:latest-amd64
config: tests.yaml
- uses: chainguard-images/actions/apko-publish@main
id: apko
with:
config: apko.yaml
tag: ghcr.io/${{ github.repository }}:latest
image_refs: apko.images
keyring-append: melange.rsa.pub
source-date-epoch: "0"
archs: x86_64,aarch64
- uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ github.token }}
- name: Sign image
shell: bash
env:
COSIGN_EXPERIMENTAL: "true"
run: |
. ./VERSIONS
cosign sign ${{ steps.apko.outputs.digest }} \
-a "sha=${{ github.sha }}" \
-a "run_id=${{ github.run_id }}" \
-a "run_attempt=${{ github.run_attempt }}" \
-a "helm_version=${HELM_VERSION}" \
-a "kapp_version=${KAPP_VERSION}" \
-a "kbld_version=${KBLD_VERSION}" \
-a "kubectl_version=${KUBECTL_VERSION}" \
-a "kustomize_version=${KUSTOMIZE_VERSION}"
- shell: bash
run: |
. ./VERSIONS
crane cp ${{ steps.apko.outputs.digest }} "ghcr.io/${{ github.repository }}:${KUBECTL_SEMVER}"
crane cp ${{ steps.apko.outputs.digest }} "ghcr.io/${{ github.repository }}:${KUBECTL_SEMVER_MINOR}"