From 0ba79be76a208a5ffe8b786a05ac48dcb39a6390 Mon Sep 17 00:00:00 2001
From: Alex Zenla
Date: Fri, 12 Jul 2024 14:26:20 -0700
Subject: [PATCH] chore(workflow): implement oci releases
---
 .github/workflows/nightly.yml | 41 ++++++++++++++++++++++
 .github/workflows/oci-distribution.yml | 48 --------------------------
 .github/workflows/release-binaries.yml | 42 ++++++++++++++++++++++
 3 files changed, 83 insertions(+), 48 deletions(-)
 delete mode 100644 .github/workflows/oci-distribution.yml
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index 9decffa..d723c0d 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -3,6 +3,10 @@ on:
 workflow_dispatch:
 schedule:
 - cron: "0 10 * * *"
+permissions:
+ contents: read
+ packages: write
+ id-token: write
 jobs:
 server:
 runs-on: ubuntu-latest
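Review bot: The new workflow-level `permissions:` block grants `packages: write` and `id-token: write` to every job in nightly.yml, including the existing `server` job visible at the end of this hunk, although only the `oci` job appended later in this patch pushes to ghcr.io or signs with an OIDC token. GitHub honours a job-level block over the workflow-level one, so keep just `contents: read` at the top and attach the write scopes to that one job: `permissions: {contents: read, packages: write, id-token: write}` under `oci:`. As written, a compromised step in any other job of this workflow (a dependency fetched during the server build, for example) could push to the package registry or mint an OIDC token under this workflow's identity.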
@@ -100,3 +104,40 @@ jobs:
 name: kratactl-${{ matrix.platform.os }}-${{ matrix.platform.arch }}
 path: "target/*/release/kratactl.exe"
 if: ${{ matrix.platform.os == 'windows' }}
+ oci:
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ matrix:
+ component:
+ - kratactl
+ - kratad
+ - kratanet
+ - krata-guest-init
+ name: "oci build ${{ matrix.component }}"
+ steps:
+ - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+ with:
+ egress-policy: audit
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ with:
+ submodules: recursive
+ - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
+ - uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0
+ - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+ with:
+ registry: ghcr.io
+ username: "${{ github.actor }}"
+ password: "${{ secrets.GITHUB_TOKEN }}"
+ - uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0
+ id: push
+ with:
+ file: ./images/Dockerfile.${{ matrix.component }}
+ platforms: linux/amd64,linux/aarch64
+ tags: "ghcr.io/edera-dev/${{ matrix.component }}:nightly"
+ push: true
+ - env:
+ DIGEST: "${{ steps.push.outputs.digest }}"
+ TAGS: "ghcr.io/edera-dev/${{ matrix.component }}:nightly"
+ COSIGN_EXPERIMENTAL: "true"
+ run: cosign sign --yes "${TAGS}@${DIGEST}"
diff --git a/.github/workflows/oci-distribution.yml b/.github/workflows/oci-distribution.yml
deleted file mode 100644
index 1165e4f..0000000
--- a/.github/workflows/oci-distribution.yml
+++ /dev/null
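Review bot: The `cosign sign` step at the end of the `oci` job produces a keyless signature, but nothing in the job records the identity consumers must pin when verifying, so anyone running `cosign verify` has to guess the `--certificate-identity-regexp`/`--certificate-oidc-issuer` values; add a comment above the step such as `# Keyless (Fulcio) signature; verify with --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp '^https://github.com/edera-dev/<repo>/\.github/workflows/nightly\.yml@'`, filling in the repository name. `COSIGN_EXPERIMENTAL: "true"` was the cosign v1 switch for keyless mode; cosign v2, which cosign-installer v3.x installs by default as far as I can tell, ignores it, so either drop it or pin an explicit release through the installer's `cosign-release` input so the version in use is visible. The step also dropped the `name: Sign the image` that the deleted oci-distribution.yml carried, and the image reference is now spelled twice (the `tags:` input and the `TAGS` env); a job-level `env: IMAGE: "ghcr.io/edera-dev/${{ matrix.component }}"` used by both would keep them from drifting. Since the image is built and pushed through buildx, consider enabling `provenance: mode=max` and `sbom: true` on build-push-action so the attestations are pushed alongside the signed digest.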
@@ -1,48 +0,0 @@
-name: oci-distribution
-on:
- workflow_dispatch:
- schedule:
- - cron: "0 10 * * *"
-permissions:
- contents: read
- packages: write
- id-token: write
-jobs:
- build:
- runs-on: ubuntu-latest
- strategy:
- fail-fast: false
- matrix:
- component:
- - kratactl
- - kratad
- - kratanet
- - krata-guest-init
- name: oci build ${{ matrix.component }}
- steps:
- - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
- with:
- egress-policy: audit
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- with:
- submodules: recursive
- - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
- - uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0
- - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
- with:
- registry: ghcr.io
- username: ${{ github.actor }}
- password: ${{ secrets.GITHUB_TOKEN }}
- - uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0
- id: push-step
- with:
- file: ./images/Dockerfile.${{ matrix.component }}
- platforms: linux/amd64,linux/aarch64
- tags: ghcr.io/edera-dev/${{ matrix.component }}:nightly
- push: true
- - name: Sign the image
- env:
- DIGEST: ${{ steps.push-step.outputs.digest }}
- TAGS: ghcr.io/edera-dev/${{ matrix.component }}:nightly
- COSIGN_EXPERIMENTAL: "true"
- run: cosign sign --yes "${TAGS}@${DIGEST}"
diff --git a/.github/workflows/release-binaries.yml b/.github/workflows/release-binaries.yml
index a69828e..7f3019a 100644
--- a/.github/workflows/release-binaries.yml
+++ b/.github/workflows/release-binaries.yml
@@ -1,6 +1,8 @@
 name: release-binaries
 permissions:
 contents: write
+ packages: write
+ id-token: write
 on:
 release:
 types:
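Review bot: Adding `packages: write` and `id-token: write` to the workflow-level `permissions:` of release-binaries.yml, which already carries `contents: write`, hands all three write scopes to every job in the workflow, whereas the existing release-asset jobs need only `contents: write` and the new `oci` job appended later in this patch needs only `packages: write` plus `id-token: write` (and `contents: read` for checkout). Leave the top-level block as it was and put `permissions: {contents: read, packages: write, id-token: write}` on the `oci` job; a job-level block overrides the workflow-level one. This matters more here than in a nightly run because the trigger is a `release` event, so an OIDC token minted from any job carries a release ref that downstream verification policy is likely to trust.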
@@ -90,3 +92,43 @@ jobs:
 - run: "./hack/ci/upload-release-assets.sh ${{ github.event.release.tag_name }}"
 env:
 GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+ oci:
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ matrix:
+ component:
+ - kratactl
+ - kratad
+ - kratanet
+ - krata-guest-init
+ name: "release-binaries oci ${{ matrix.component }}"
+ steps:
+ - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+ with:
+ egress-policy: audit
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ with:
+ submodules: recursive
+ - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
+ - uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0
+ - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+ with:
+ registry: ghcr.io
+ username: "${{ github.actor }}"
+ password: "${{ secrets.GITHUB_TOKEN }}"
+ - id: version
+ run: |
+ echo "KRATA_VERSION=$(./hack/dist/version.sh)" >> "${GITHUB_OUTPUT}"
+ - uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0
+ id: push
+ with:
+ file: ./images/Dockerfile.${{ matrix.component }}
+ platforms: linux/amd64,linux/aarch64
+ tags: "ghcr.io/edera-dev/${{ matrix.component }}:${{ steps.version.outputs.KRATA_VERSION }}"
+ push: true
+ - env:
+ DIGEST: "${{ steps.push.outputs.digest }}"
+ TAGS: "ghcr.io/edera-dev/${{ matrix.component }}:${{ steps.version.outputs.KRATA_VERSION }}"
+ COSIGN_EXPERIMENTAL: "true"
+ run: cosign sign --yes "${TAGS}@${DIGEST}"
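Review bot: The `version` step feeds the output of `./hack/dist/version.sh` straight into the image tag without checking it, so an empty result produces `ghcr.io/edera-dev/<component>:` and fails only at build time with an unhelpful error, and a value that disagrees with `github.event.release.tag_name` (which the context line above uses for the release assets) yields a signed image whose tag does not match the GitHub release it was cut from. Fail the job in that step when the version is empty or differs from the release tag; the comparison below assumes release tags are the version with an optional `v` prefix — confirm against the repository's tagging convention. Pass the tag name in through `env:` rather than interpolating `${{ }}` into the script so the shell never sees the raw expression. The image reference is also spelled twice in this job (the `tags:` input and the `TAGS` env); a job-level `env: IMAGE: "ghcr.io/edera-dev/${{ matrix.component }}"` used by both would keep them in step.
```yaml
- id: version
  env:
    RELEASE_TAG: "${{ github.event.release.tag_name }}"
  run: |
    KRATA_VERSION="$(./hack/dist/version.sh)"
    if [ -z "${KRATA_VERSION}" ]; then
      echo "hack/dist/version.sh printed no version" >&2
      exit 1
    fi
    # NOTE(review): assumes release tags are "<version>" or "v<version>" — confirm
    if [ "${KRATA_VERSION}" != "${RELEASE_TAG#v}" ]; then
      echo "version ${KRATA_VERSION} does not match release tag ${RELEASE_TAG}" >&2
      exit 1
    fi
    echo "KRATA_VERSION=${KRATA_VERSION}" >> "${GITHUB_OUTPUT}"
# … unchanged: build-push-action and cosign sign steps …
```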