postgres-extensions-containers/.github/workflows/update-catalogs.yml at ce743ae35c450dabe431fcc534538f71c4d2079d · cloudnative-pg/postgres-extensions-containers · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
name: Update Extension Image Catalogs

on:
  schedule:
    # Refresh Catalogs once a week, on Mondays - 1h after postgres-container images
    - cron: 0 9 * * 1
  workflow_dispatch:
  repository_dispatch:
    types: [update-catalogs]

permissions: read-all

defaults:
  run:
    shell: "bash -Eeuo pipefail -x {0}"

jobs:
  update-catalogs:
    name: Updating catalogs
    runs-on: ubuntu-24.04
    permissions:
      id-token: write
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false

      - name: Checkout artifacts
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          path: artifacts
          repository: cloudnative-pg/artifacts
          token: ${{ secrets.REPO_GHA_PAT }}
          ref: main

      - name: Update catalogs
        id: update-extension-catalogs
        uses: dagger/dagger-for-github@27b130bf0f79a7f6fbbbe0fbca6760dc9bb40a77 # v8.4.1
        env:
          # renovate: datasource=github-tags depName=dagger/dagger versioning=semver
          DAGGER_VERSION: 0.20.6
        with:
          version: ${{ env.DAGGER_VERSION }}
          verb: call
          module: ./dagger/maintenance/
          args: generate-catalogs --catalogs-dir artifacts/image-catalogs/ export --path artifacts/image-catalogs-extensions/

      - name: Install cosign
        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1

      - name: Sign catalogs
        run: |
          for file in artifacts/image-catalogs-extensions/*.yaml; do
              echo "Signing $file..."
              cosign sign-blob "$file" --bundle "$file.sigstore.json" --yes
          done

      - name: Diff
        working-directory: artifacts
        run: |
          git add -A .
          git status
          git diff --staged

      - uses: EndBug/add-and-commit@290ea2c423ad77ca9c62ae0f5b224379612c0321 # v10
        if: github.ref == 'refs/heads/main'
        with:
          cwd: 'artifacts'
          add: 'image-catalogs-extensions'
          author_name: CloudNativePG Automated Updates
          author_email: noreply@cnpg.com
          message: 'chore: update extensions imageCatalogs'