Skip to content
build

wip #1132

Sign in to view logs

wip

wip #1132

Workflow file for this run

.github/workflows/build.yml at 9eaf0d9
name: build
on:
push:
pull_request:
workflow_dispatch:
jobs:
# lint:
# runs-on: ubuntu-latest
# permissions:
# contents: read
# steps:
# - uses: actions/checkout@v4
# - name: Shellcheck
# run: make shellcheck
# - name: Update README
# run: make update-readme
# - name: Check if README is up-to date
# run: git diff --exit-code README.md
# snapshot:
# runs-on: ubuntu-latest
# permissions:
# contents: read
# steps:
# - uses: actions/checkout@v4
# with:
# fetch-depth: 0
# persist-credentials: false
# - name: Set up QEMU
# uses: docker/setup-qemu-action@v3
# - name: Set up Docker Buildx
# uses: docker/setup-buildx-action@v3
# - name: GoReleaser
# uses: goreleaser/goreleaser-action@v5
# with:
# version: latest
# args: release --snapshot --clean
build:
if: github.event_name != 'pull_request'
runs-on: ubuntu-latest
permissions:
actions: read
contents: write
packages: write
id-token: write
outputs:
manifest-digest: ${{ steps.get-manifest-digest.outputs.digest }}
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
persist-credentials: false
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Install Cosign
uses: sigstore/cosign-installer@v3.4.0
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build Images
run: task --verbose build-images
- name: Push Images and Create Manifest
id: get-manifest-digest
run: |
set -euo pipefail
digest=$(jq -r --arg img ghcr.io/tprasadtp/protonwire:${{github.sha}} '.[] | select (.name==$img) | .extra.Digest' dist/artifacts.json
if [[ -z $digest ]]; then
echo "failed to get digest"
exit 1
fi
echo "hash=${digest}" >> "$GITHUB_OUTPUT"
provenance:
if: github.event_name != 'pull_request'
needs:
- build
permissions:
contents: read
actions: read
id-token: write
packages: write
strategy:
fail-fast: false
matrix:
image:
- ghcr.io/tprasadtp/protonwire
- ghcr.io/tprasadtp/protonvpn
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.10.0
with:
registry-username: ${{ github.actor }}
digest: ${{ needs.build.outputs.manifest-digest }}
image: ${{ matrix.image }}
secrets:
registry-password: ${{ secrets.GITHUB_TOKEN }}
verification:
if: github.event_name != 'pull_request'
needs:
- build
- provenance
runs-on: ubuntu-latest
permissions:
contents: read
packages: read
strategy:
fail-fast: false
matrix:
image:
- ghcr.io/tprasadtp/protonwire
- ghcr.io/tprasadtp/protonvpn
steps:
- name: Install Cosign
uses: sigstore/cosign-installer@v3
- name: Install SLSA verifier
uses: slsa-framework/slsa-verifier/actions/installer@v2.5.1
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Verify SLSA Provenance
run: |
slsa-verifier \
--source-uri github.com/${{ github.repository }} \
verify-image ${{ matrix.image }}@${{ needs.build.outputs.manifest-digest }}
- name: Verify Cosign Signature
run: |
cosign verify ${{ matrix.image }}@${{ needs.build.outputs.manifest-digest }} \
--certificate-identity-regexp "^https://github.com/${{ github.repository }}" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
--certificate-github-workflow-repository "${{ github.repository }}" \
--certificate-github-workflow-sha ${{ github.sha }}