update README #7
| name: Release | |
| on: | |
| push: | |
| env: | |
| REGISTRY: quay.io | |
| IMAGE_NAME: spentass/fosdem-2026 | |
| jobs: | |
| build-and-attest: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| digest: ${{ steps.push.outputs.digest }} | |
| tags: ${{ steps.meta.outputs.tags }} | |
| permissions: | |
| id-token: write | |
| actions: read | |
| contents: write | |
| attestations: write | |
| packages: write | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: "1.24" | |
| - name: Build binary | |
| run: | | |
| go build -o build-sample main.go | |
| chmod +x build-sample | |
| - name: Log in to Quay | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ secrets.QUAY_USERNAME }} | |
| password: ${{ secrets.QUAY_PASSWORD }} | |
| - name: Extract metadata for container image | |
| id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | |
| tags: | | |
| type=ref,event=branch | |
| type=ref,event=pr | |
| type=sha,prefix={{branch}}- | |
| - name: Build and push container image | |
| id: push | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| file: ./Containerfile | |
| push: true | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@v3 | |
| - name: Generate SBOM for container image | |
| uses: anchore/sbom-action@v0 | |
| with: | |
| image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.push.outputs.digest }} | |
| output-file: build-sample-sbom.spdx.json | |
| artifact-name: "build-sample-sbom.spdx.json" | |
| - name: Sign container image with Cosign | |
| run: | | |
| cosign sign --yes \ | |
| ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.push.outputs.digest }} | |
| - name: Attest SBOM with Cosign | |
| run: | | |
| cosign attest --yes \ | |
| --predicate build-sample-sbom.spdx.json \ | |
| --type spdx \ | |
| ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.push.outputs.digest }} | |
| - name: Generate SLSA provenance with GitHub action | |
| uses: actions/attest-build-provenance/predicate@v3 | |
| id: provenance | |
| - name: Attest SLSA provenance with Cosign | |
| run: | | |
| echo '${{ steps.provenance.outputs.predicate }}' > provenance.json | |
| cosign attest --yes \ | |
| --predicate provenance.json \ | |
| --type slsaprovenance1 \ | |
| ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.push.outputs.digest }} | |
| validate: | |
| runs-on: ubuntu-latest | |
| needs: build-and-attest | |
| permissions: | |
| id-token: write | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Validate image with Conforma | |
| id: validate | |
| continue-on-error: true | |
| uses: docker://quay.io/conforma/cli:snapshot@sha256:867304d48d9af0e583ef7d04fdd8b33f071cfba65ba1b1ab658b39a14080e348 | |
| with: | |
| args: > | |
| validate image | |
| --policy "policy/policy_release.yaml" | |
| --image "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ needs.build-and-attest.outputs.digest }}" | |
| --certificate-identity-regexp "^https://github\.com/${{ github.repository_owner }}/${{ github.event.repository.name }}/" | |
| --certificate-oidc-issuer "https://token.actions.githubusercontent.com" | |
| --ignore-rekor=false | |
| --info | |
| --show-successes | |
| --strict=true | |
| --output text | |
| --output text=log.md | |
| - name: Output summary | |
| run: cat log.md >> $GITHUB_STEP_SUMMARY | |
| shell: bash | |
| - name: Fail if validate failed | |
| if: steps.validate.outcome != 'success' | |
| run: exit 1 | |
| shell: bash | |
| promote: | |
| runs-on: ubuntu-latest | |
| needs: [build-and-attest, validate] | |
| if: github.ref == 'refs/heads/main' | |
| steps: | |
| - name: Log in to Quay | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ secrets.QUAY_USERNAME }} | |
| password: ${{ secrets.QUAY_PASSWORD }} | |
| - name: Tag validated image as latest | |
| run: | | |
| skopeo copy \ | |
| docker://${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ needs.build-and-attest.outputs.digest }} \ | |
| docker://${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest |
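Review bot: The `--certificate-identity-regexp` on the Conforma step (`^https://github\.com/${{ github.repository_owner }}/${{ github.event.repository.name }}/`) is anchored only at the front, so a signature from any workflow in this repository at any ref — including a push to an unreviewed branch, since `on: push:` carries no branch filter — satisfies the policy; anchoring it to this workflow file and the pushed ref, e.g. `--certificate-identity-regexp "^https://github\.com/${{ github.repository }}/\.github/workflows/<WORKFLOW_FILE>\.yaml@${{ github.ref }}$"`, ties the accepted signature to the build this run later promotes. In the SLSA attest step, `echo '${{ steps.provenance.outputs.predicate }}' > provenance.json` interpolates the predicate straight into the shell script, where a single quote inside the JSON would break the quoting; pass it through the step's `env:` as `PREDICATE` and write it with `printf '%s' "$PREDICATE" > provenance.json`. The `validate` job grants only `id-token: write`, which sets `contents` to `none`, so its `actions/checkout@v4` may fail on a private repository — add `contents: read` there, and give `promote` an explicit `permissions: {}` since it uses only the Quay credentials. The third-party actions are pinned by tag (`@v4`, `@v5`, `@v6`, `@v3`, `@v0`) while the Conforma image is pinned by digest; pinning the actions to commit SHAs as well would make the supply-chain posture consistent across the file.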