Skip to content

nightly

nightly #67

Workflow file for this run

name: nightly
on:
workflow_dispatch:
permissions:
contents: read
packages: write
id-token: write
jobs:
build:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
component:
- squashfs-tools
- mkfs
name: oci build ${{ matrix.component }}
steps:
- uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
with:
egress-policy: audit
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
submodules: recursive
- uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
- uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
- uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1 # v6.2.0
id: push-step
with:
file: ./Dockerfile.${{ matrix.component }}
platforms: linux/amd64,linux/aarch64
tags: ghcr.io/edera-dev/${{ matrix.component }}:nightly
push: true
- name: Sign the image
env:
DIGEST: ${{ steps.push-step.outputs.digest }}
TAGS: ghcr.io/edera-dev/${{ matrix.component }}:nightly
COSIGN_EXPERIMENTAL: "true"
run: cosign sign --yes "${TAGS}@${DIGEST}"
- name: Build `build` stage for SBOM scan
uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1 # v6.2.0
with:
file: ./Dockerfile.${{ matrix.component }}
target: build
platforms: linux/amd64
load: true
tags: sbom-scan-${{ matrix.component }}:latest
- uses: anchore/sbom-action/download-syft@36a5fde73e0fcb1d1e70be9ad66b4724e783bda7 # pinned to match Protect build-and-sign-image
id: syft
- name: Generate and attest CycloneDX SBOM
env:
DIGEST: ${{ steps.push-step.outputs.digest }}
TAGS: ghcr.io/edera-dev/${{ matrix.component }}:nightly
SYFT_CMD: ${{ steps.syft.outputs.cmd }}
COMPONENT: ${{ matrix.component }}
COSIGN_EXPERIMENTAL: "true"
run: |
set -euo pipefail
# scope to the alpine package db only
"${SYFT_CMD}" "docker:sbom-scan-${COMPONENT}:latest" \
--override-default-catalogers apk-db-cataloger \
--select-catalogers "-file" \
--source-name "${COMPONENT}" \
-o "cyclonedx-json=${COMPONENT}.cdx.json"
jq -e '.bomFormat == "CycloneDX" and ((.components // []) | length > 0)' \
"${COMPONENT}.cdx.json" >/dev/null \
|| { echo "::error::SBOM for ${COMPONENT} is empty or invalid"; exit 1; }
jq '{component: env.COMPONENT, components: (.components | length)}' \
"${COMPONENT}.cdx.json"
cosign attest --yes --type cyclonedx \
--predicate "${COMPONENT}.cdx.json" \
"${TAGS}@${DIGEST}"