Skip to content

Commit 4d34e87

Browse files
committed
XXX Test ko
1 parent 52b154e commit 4d34e87

1 file changed

Lines changed: 59 additions & 0 deletions

File tree

.github/workflows/release.yml

Lines changed: 59 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,59 @@
1+
name: Release
2+
3+
on:
4+
workflow_dispatch:
5+
push:
6+
branches:
7+
- 'main'
8+
9+
10+
jobs:
11+
release:
12+
runs-on: ubuntu-latest
13+
permissions:
14+
contents: read
15+
packages: write
16+
attestations: write
17+
id-token: write
18+
steps:
19+
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
20+
- uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
21+
with:
22+
go-version-file: go.mod
23+
- name: Install ko
24+
uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9.0
25+
- name: Install cosign
26+
uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
27+
- name: Install syft
28+
uses: anchore/sbom-action/download-syft@8e94d75ddd33f69f691467e42275782e4bfefe84 # v0.20.9
29+
- name: Login to GHCR
30+
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
31+
with:
32+
registry: ghcr.io
33+
username: ${{ github.actor }}
34+
password: ${{ secrets.GITHUB_TOKEN }}
35+
- name: Build and publish images
36+
id: ko
37+
run: |
38+
images=$(ko publish \
39+
--platform=linux/amd64,linux/arm64 \
40+
--tags=${{ github.sha }} \
41+
--bare \
42+
github.com/transparency-dev/tesseract/cmd/tesseract/posix \
43+
github.com/transparency-dev/tesseract/cmd/tesseract/aws \
44+
github.com/transparency-dev/tesseract/cmd/tesseract/gcp \
45+
github.com/transparency-dev/tesseract/cmd/fsck)
46+
echo "images=$images" >> $GITHUB_OUTPUT
47+
env:
48+
#KO_DOCKER_REPO: ghcr.io/${{ github.repository_owner }}/tesseract
49+
KO_DOCKER_REPO: ghcr.io/alcutter/tesseract
50+
- name: Sign images
51+
run: |
52+
cosign sign --yes ${{ steps.ko.outputs.images }}
53+
- name: Generate SBOM and attest
54+
run: |
55+
for image in ${{ steps.ko.outputs.images }}; do
56+
syft_json_path="sbom-${image//[^a-zA-Z0-9]/-}.json"
57+
syft generate "${image}" -o json > "${syft_json_path}"
58+
cosign attest --yes --predicate "${syft_json_path}" --type "https://spdx.dev/Document" "${image}"
59+
done

0 commit comments

Comments
 (0)