Skip to content
Artifacts

🚀 Version 0.2.1 #2

Sign in to view logs

🚀 Version 0.2.1

🚀 Version 0.2.1 #2

Workflow file for this run

.github/workflows/artifacts.yml at 611dc8d
---
name: Artifacts
on:
release:
types:
- published
workflow_dispatch:
permissions:
contents: write
packages: write
security-events: write
id-token: write
jobs:
upload_artifacts:
name: Upload Artifacts
runs-on: ubuntu-24.04
steps:
- name: Checkout code
uses: actions/checkout@v4.2.2
with:
ref: ${{ github.ref }}
fetch-depth: 0
- name: Set up Go
uses: actions/setup-go@v5.5.0
with:
go-version: "1.24"
cache: true
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
version: latest
- name: Install GoReleaser
run: |
curl -sSL https://github.com/goreleaser/goreleaser/releases/download/v2.7.0/goreleaser_Linux_x86_64.tar.gz | tar -xzv -C /usr/local/bin goreleaser
- name: Login to GitHub Container Registry
uses: docker/login-action@v3.4.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Run GoReleaser
run: |
goreleaser release --clean
- name: Push container images
env:
TAG: ${{ github.event.release.tag_name }}
run: |
echo "Container images have been built and pushed by GoReleaser with multi-architecture support"
VERSION=${TAG#v}
docker manifest inspect ghcr.io/${{ github.repository }}:${VERSION} || echo "Warning: Manifest not found"
scan_containers:
name: Scan Container Images
needs:
- upload_artifacts
runs-on: ubuntu-24.04
env:
TAG: ${{ github.event.release.tag_name }}
steps:
- name: Checkout repository
uses: actions/checkout@v4.2.2
with:
ref: ${{ github.ref }}
- name: Login to GitHub Container Registry
uses: docker/login-action@v3.4.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set VERSION
run: echo "VERSION=${TAG#v}" >> $GITHUB_ENV
- name: Run Vulnerability Scanning
uses: aquasecurity/trivy-action@0.31.0
with:
image-ref: "ghcr.io/${{ github.repository }}:${{ env.VERSION }}"
exit-code: "0"
format: "sarif"
output: "trivy-results.sarif"
vuln-type: "os,library"
severity: "CRITICAL,HIGH"
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: trivy-results.sarif
category: trivy
sign_containers:
name: Sign Container Images
runs-on: ubuntu-24.04
needs:
- scan_containers
env:
TAG: ${{ github.event.release.tag_name }}
steps:
- name: Install cosign
uses: sigstore/cosign-installer@v3.8.2
with:
cosign-release: "v2.5.0"
- name: Log in to GitHub Container Registry
uses: docker/login-action@v3.4.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set VERSION
run: echo "VERSION=${TAG#v}" >> $GITHUB_ENV
- name: Sign container images
env:
CONTAINER_REGISTRY: ghcr.io
run: |
docker pull ${{ env.CONTAINER_REGISTRY }}/${{ github.repository }}:${{ env.VERSION }}
VERSION_DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' ${{ env.CONTAINER_REGISTRY }}/${{ github.repository }}:${{ env.VERSION }})
cosign sign --yes $VERSION_DIGEST
if [[ ! "$TAG" =~ -rc ]]; then
docker pull ${{ env.CONTAINER_REGISTRY }}/${{ github.repository }}:latest
LATEST_DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' ${{ env.CONTAINER_REGISTRY }}/${{ github.repository }}:latest)
cosign sign --yes $LATEST_DIGEST
fi