Merge pull request #570 from jetstack/remove_juju_errors #188
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # if changing this name, also update promotion.yaml | |
| name: release-master | |
| on: | |
| push: | |
| branches: | |
| - master | |
| tags: | |
| - v* | |
| jobs: | |
| vet: | |
| name: vet | |
| runs-on: ubuntu-22.04 | |
| container: golang:1.22 | |
| steps: | |
| - name: "Add GitHub to the SSH known hosts file" | |
| run: | | |
| mkdir -p -m 0700 /root/.ssh | |
| cat <<EOF >/root/.ssh/known_hosts | |
| github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl | |
| github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg= | |
| github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk= | |
| EOF | |
| chmod 600 /root/.ssh/known_hosts | |
| touch /root/.ssh/config | |
| - uses: webfactory/ssh-agent@v0.9.0 | |
| with: | |
| ssh-private-key: ${{ secrets.DEPLOY_KEY_READ_VENAFI_CONNECTION_LIB }} | |
| - uses: actions/checkout@v4 | |
| - run: make vet | |
| shell: bash | |
| test: | |
| name: go test | |
| runs-on: ubuntu-22.04 | |
| container: golang:1.22 | |
| steps: | |
| - name: "Add GitHub to the SSH known hosts file" | |
| run: | | |
| mkdir -p -m 0700 /root/.ssh | |
| cat <<EOF >/root/.ssh/known_hosts | |
| github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl | |
| github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg= | |
| github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk= | |
| EOF | |
| chmod 600 /root/.ssh/known_hosts | |
| touch /root/.ssh/config | |
| - uses: webfactory/ssh-agent@v0.9.0 | |
| with: | |
| ssh-private-key: ${{ secrets.DEPLOY_KEY_READ_VENAFI_CONNECTION_LIB }} | |
| - uses: actions/checkout@v4 | |
| - name: Adding github workspace as safe directory | |
| # See issue https://github.com/actions/checkout/issues/760 | |
| run: git config --global --add safe.directory $GITHUB_WORKSPACE | |
| - run: make test | |
| docker_build: | |
| name: docker_build | |
| runs-on: ubuntu-22.04 | |
| container: | |
| image: docker:23 | |
| options: -t | |
| # Setting up dind service container | |
| services: | |
| docker: | |
| image: docker:23-dind | |
| env: | |
| DOCKER_DRIVER: overlay | |
| DOCKER_HOST: tcp://localhost:2375 | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| steps: | |
| - name: Install Tools | |
| # Installing 'bash' because it's required by the 'cosign-installer' action | |
| # and 'coreutils' because the 'slsa-provenance-action' requires a version | |
| # of 'base64' that supports the -w flag. | |
| run: apk add --update make git jq rsync curl bash coreutils go | |
| - uses: webfactory/ssh-agent@v0.9.0 | |
| with: | |
| ssh-private-key: ${{ secrets.DEPLOY_KEY_READ_VENAFI_CONNECTION_LIB }} | |
| - name: Adding github workspace as safe directory | |
| # See issue https://github.com/actions/checkout/issues/760 | |
| run: git config --global --add safe.directory $GITHUB_WORKSPACE | |
| - name: Install cosign | |
| uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 | |
| - name: Install Syft | |
| uses: anchore/sbom-action/download-syft@fd74a6fb98a204a1ad35bbfae0122c1a302ff88b | |
| - uses: actions/checkout@v4 | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| with: | |
| driver-opts: image=moby/buildkit:master | |
| - name: Login to quay.io | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: quay.io | |
| username: ${{ secrets.QUAY_USER }} | |
| password: ${{ secrets.QUAY_PASSWORD }} | |
| - name: Login to ghcr.io | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Build and push | |
| run: | | |
| make push-docker-image | |
| make push-docker-image DOCKER_IMAGE=quay.io/jetstack/venafi-agent | |
| - name: Sign | |
| run: | | |
| make sign-docker-image | |
| make sign-docker-image DOCKER_IMAGE=quay.io/jetstack/venafi-agent | |
| - name: SBOM | |
| run: | | |
| make sbom-docker-image | |
| make sbom-docker-image DOCKER_IMAGE=quay.io/jetstack/venafi-agent | |
| # The slsa-provenance-action generates a full attestation from an artifact | |
| # as the subject. However, cosign only expects the predicate portion of | |
| # the attestation and figures out the subject itself from the image. | |
| # | |
| # So, we generate a fake artifact and then strip everything but the | |
| # predicate out from the generated attestation. | |
| - name: Create mock artifact | |
| run: echo "foobar" > mock | |
| - name: Generate provenance | |
| uses: philips-labs/SLSA-Provenance-Action@v0.9.0 | |
| with: | |
| command: generate | |
| subcommand: files | |
| arguments: --artifact-path mock | |
| - name: Extract predicate | |
| run: jq '.predicate' provenance.json > predicate.json | |
| - name: Attest | |
| run: | | |
| make attest-docker-image | |
| make attest-docker-image DOCKER_IMAGE=quay.io/jetstack/venafi-agent |