chore(deps): update actions/setup-go digest to 4dc6199 #552
| name: Build and Push | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| version: | |
| required: false | |
| description: The version to release | |
| prerelease: | |
| type: boolean | |
| default: true | |
| description: If the version is a prerelease | |
| push: | |
| paths-ignore: | |
| - "action.yml" | |
| - "README.md" | |
| - "website/**" | |
| permissions: | |
| packages: write | |
| contents: write | |
| id-token: write | |
| attestations: write | |
| jobs: | |
| generate-version: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| version: ${{ steps.pick-version.outputs.version }} | |
| prerelease: ${{ steps.pick-prerelease.outputs.version }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 | |
| - uses: octokit/request-action@dad4362715b7fb2ddedf9772c8670824af564f0d # v2.4.0 | |
| id: get_latest_release | |
| with: | |
| route: GET /repos/{repo}/releases/latest | |
| repo: ${{ github.repository }} | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Generate trunkver | |
| id: trunkver | |
| uses: crftd-tech/trunkver@d0490489c86c5475a3e271d97c05fa928e3a8cd1 # 1.1.2 | |
| with: | |
| baseVersion: ${{ fromJson(steps.get_latest_release.outputs.data).tag_name }} | |
| prerelease: "true" | |
| increment: "patch" | |
| - name: Workflow Version Trumps Trunkver | |
| id: pick-version | |
| env: | |
| WORKFLOW_VERSION: ${{ github.event.inputs.version }} | |
| WORKFLOW_PRERELEASE: ${{ github.event.inputs.prerelease }} | |
| TRUNKVER_VERSION: ${{ steps.trunkver.outputs.trunkver }} | |
| run: | | |
| set -euxo pipefail | |
| if ! [ -z "$WORKFLOW_VERSION" ]; | |
| then | |
| echo "version=${WORKFLOW_VERSION}" | tee "$GITHUB_OUTPUT" | |
| echo "prereleae=${WORKFLOW_PRERELEASE}" | tee -a "$GITHUB_OUTPUT" | |
| else | |
| echo "version=${TRUNKVER_VERSION}" | tee "$GITHUB_OUTPUT" | |
| echo "prereleae=true" | tee -a "$GITHUB_OUTPUT" | |
| fi | |
| test: | |
| runs-on: ubuntu-latest | |
| needs: [generate-version] | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 | |
| - name: Setup Go | |
| uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6 | |
| with: | |
| go-version: 1.25 | |
| - name: Build trunkver | |
| env: | |
| VERSION: ${{ needs.generate-version.outputs.version }} | |
| run: | | |
| ( | |
| unset GITHUB_SHA | |
| unset GITHUB_RUN_ID | |
| make validate "VERSION=${VERSION}" | |
| ) | |
| release: | |
| runs-on: ubuntu-latest | |
| needs: [generate-version, test] | |
| if: github.ref == 'refs/heads/main' | |
| outputs: | |
| imageid: ${{ steps.docker-build.outputs.imageid }} | |
| digest: ${{ steps.docker-build.outputs.digest }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 | |
| - name: Setup cosign | |
| uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 | |
| with: | |
| cosign-release: "v2.6.0" | |
| - name: Setup syft | |
| run: | | |
| curl -vL \ | |
| -O https://github.com/anchore/syft/releases/download/v1.32.0/syft_1.32.0_checksums.txt.pem \ | |
| -O https://github.com/anchore/syft/releases/download/v1.32.0/syft_1.32.0_checksums.txt.sig \ | |
| -O https://github.com/anchore/syft/releases/download/v1.32.0/syft_1.32.0_checksums.txt \ | |
| -O https://github.com/anchore/syft/releases/download/v1.32.0/syft_1.32.0_linux_amd64.tar.gz | |
| cosign verify-blob \ | |
| --certificate syft_1.32.0_checksums.txt.pem \ | |
| --signature syft_1.32.0_checksums.txt.sig \ | |
| --certificate-identity "https://github.com/anchore/syft/.github/workflows/release.yaml@refs/heads/main" \ | |
| --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ | |
| syft_1.32.0_checksums.txt | |
| grep syft_1.32.0_linux_amd64.tar.gz syft_1.32.0_checksums.txt | sha256sum --check | |
| tar -zxv -C /usr/local/bin/ -f syft_1.32.0_linux_amd64.tar.gz | |
| - name: Setup Go | |
| uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6 | |
| with: | |
| go-version: 1.25 | |
| - name: Build trunkver | |
| env: | |
| VERSION: ${{ needs.generate-version.outputs.version }} | |
| run: | | |
| ( | |
| unset GITHUB_SHA | |
| unset GITHUB_RUN_ID | |
| make build sign "VERSION=${VERSION}" | |
| ) | |
| - name: Create release | |
| uses: softprops/action-gh-release@5be0e66d93ac7ed76da52eca8bb058f665c3a5fe # v2 | |
| with: | |
| name: ${{ needs.generate-version.outputs.version }} | |
| tag_name: ${{ needs.generate-version.outputs.version }} | |
| draft: true | |
| prerelease: ${{ needs.generate-version.outputs.prerelease }} | |
| files: | | |
| dist/* | |
| - name: Finalize release | |
| id: release | |
| uses: softprops/action-gh-release@5be0e66d93ac7ed76da52eca8bb058f665c3a5fe # v2 | |
| with: | |
| name: ${{ needs.generate-version.outputs.version }} | |
| tag_name: ${{ needs.generate-version.outputs.version }} | |
| draft: false | |
| prerelease: ${{ needs.generate-version.outputs.prerelease }} | |
| - name: Log in to the Container registry | |
| uses: docker/login-action@28fdb31ff34708d19615a74d67103ddc2ea9725c | |
| with: | |
| registry: "ghcr.io" | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Generate metadata | |
| id: meta | |
| uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5 | |
| with: | |
| images: ghcr.io/${{ github.repository }} | |
| tags: | | |
| type=raw,value=${{ needs.generate-version.outputs.version }} | |
| type=raw,value=latest | |
| - name: Build and push Docker image | |
| uses: docker/build-push-action@9e436ba9f2d7bcd1d038c8e55d039d37896ddc5d | |
| id: docker-build | |
| with: | |
| context: . | |
| push: true | |
| build-args: | | |
| VERSION=${{ needs.generate-version.outputs.version }} | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| - name: Sign docker image | |
| run: cosign sign --yes ghcr.io/${{ github.repository }}@${{ steps.docker-build.outputs.digest }} | |
| - name: Create SBOM and attest it | |
| run: | | |
| syft ghcr.io/${{ github.repository }}@${{ steps.docker-build.outputs.digest }} -o spdx-json=dist/docker-image.sbom.spdx.json | |
| cosign attest \ | |
| --yes \ | |
| --type spdxjson \ | |
| --predicate dist/docker-image.sbom.spdx.json \ | |
| ghcr.io/${{ github.repository }}@${{ steps.docker-build.outputs.digest }} | |
| - name: Add checksums to build attestations | |
| uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0 | |
| with: | |
| subject-checksums: ./dist/checksums.txt | |
| - name: Add digest to build attestations | |
| uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0 | |
| with: | |
| subject-name: ghcr.io/${{ github.repository }} | |
| subject-digest: ${{ steps.docker-build.outputs.digest }} | |
| push-to-registry: true | |
| update-action: | |
| runs-on: ubuntu-latest | |
| needs: [generate-version, release] | |
| if: github.ref == 'refs/heads/main' | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 | |
| - name: Update the action.yml with the new image tag | |
| run: | | |
| git pull origin --ff-only | |
| yq eval \ | |
| --inplace \ | |
| '.runs.image = "docker://ghcr.io/${{ github.repository }}@${{ needs.release.outputs.digest }}"' \ | |
| action.yml | |
| git config --global user.email "[email protected]" | |
| git config --global user.name "crftd-bot" | |
| git add action.yml | |
| git commit -m "chore: Bump image tag in action.yml" | |
| git pull origin --rebase | |
| git push origin |
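Review bot: The `prerelease` output of the `generate-version` job is never populated, so `needs.generate-version.outputs.prerelease` in both `action-gh-release` steps expands to an empty string and releases are never marked prerelease regardless of the workflow input; the job output reads `steps.pick-prerelease.outputs.version` (no step has id `pick-prerelease`) and the `pick-version` step writes the key as `prereleae=` in both branches. The fix is three lines: `prerelease: ${{ steps.pick-version.outputs.prerelease }}` for the job output, and `echo "prerelease=${WORKFLOW_PRERELEASE}" | tee -a "$GITHUB_OUTPUT"` / `echo "prerelease=true" | tee -a "$GITHUB_OUTPUT"` in the shell. This looks pre-existing rather than introduced by the setup-go digest bump, and the rendered page does not mark which lines changed, so the exact hunk bounds are uncertain. Separately, the workflow-level `permissions` block grants `contents: write`, `packages: write`, `id-token: write` and `attestations: write` to every job, including `test`, which only builds; scoping those grants per job (`contents: read` as the default, write scopes on `release` and `update-action` only) would limit what a compromised dependency in the test job could do with the token.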