
Commit f5fc0a7

committed
chore: use commit sha as a tag
1 parent 26dbc8d commit f5fc0a7


2 files changed

+43
-12
lines changed


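--- a/.github/actions/publish-container/action.yml
+++ b/.github/actions/publish-container/action.yml
@@ -81,3 +81,34 @@ runs:
 subject-name: ${{ steps.image.outputs.name }}
 subject-digest: ${{ steps.image.outputs.digest }}
 push-to-registry: true
+
+- name: Derive safe filename
+id: name
+shell: bash
+run: |
+IMAGE="${{ steps.image.outputs.name }}"
+SAFE="$(basename "${IMAGE%%:*}")" # strip tag if present, then basename
+echo "safe=$SAFE" >> "$GITHUB_OUTPUT"
+
+- name: Generate SBOM
+uses: anchore/sbom-action@8e94d75ddd33f69f691467e42275782e4bfefe84 # v0.20.9
+with:
+image: ${{ steps.image.outputs.name }}@${{ steps.image.outputs.digest }}
+format: cyclonedx-json
+output-file: sbom-${{ steps.name.outputs.safe }}.cdx.json
+upload-artifact: true # also uploads to the workflow run
+upload-release-assets: auto # 'auto' == assets on tags
+
+- name: Install Cosign
+uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+
+- name: Cosign SBOM attestation
+shell: bash
+env:
+COSIGN_EXPERIMENTAL: "1"
+run: |
+cosign attest \
+--yes \
+--predicate sbom-${{ steps.name.outputs.safe }}.cdx.json \
+--type cyclonedx \
+${{ steps.image.outputs.name }}@${{ steps.image.outputs.digest }}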
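Review bot: The `Derive safe filename` and `Cosign SBOM attestation` steps paste `${{ steps.image.outputs.name }}`, the digest and `steps.name.outputs.safe` directly into the `run:` text, so the values become shell source before bash parses them; if the image name can be influenced by an action input (not visible here), that is a script-injection path in a step that signs an attestation. Passing them through `env:` (`IMAGE: ${{ steps.image.outputs.name }}`, `DIGEST: ${{ steps.image.outputs.digest }}`) and referencing them quoted, `"${IMAGE}@${DIGEST}"`, keeps them as data. Separately, `${IMAGE%%:*}` cuts at the first colon, so a name carrying a registry port such as `registry.example:5000/org/app` (constructed example) collapses to `registry.example`; taking the last path segment first, `SAFE="${IMAGE##*/}"` then `SAFE="${SAFE%%:*}"`, avoids that. `COSIGN_EXPERIMENTAL: "1"` is probably unnecessary, since keyless signing has been the default since Cosign 2.0; confirm against the version the pinned installer provides and drop it if so.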

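--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -71,7 +71,7 @@ jobs:
 echo "value=${{ github.ref_name }}" >> $GITHUB_OUTPUT
 else
 SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-7)
-echo "value=${{ github.ref_name }}-${SHORT_SHA}" >> $GITHUB_OUTPUT
+echo "value=${SHORT_SHA}" >> $GITHUB_OUTPUT
 fi
 
 - name: Build image list
@@ -90,7 +90,7 @@ jobs:
 path: versions.txt
 retention-days: 90
 
-container-publish:
+build-images-docker:
 runs-on: linux-amd64-cpu32
 timeout-minutes: 60
 strategy:
@@ -130,7 +130,7 @@ jobs:
 echo "value=${{ github.ref_name }}" >> $GITHUB_OUTPUT
 else
 SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-7)
-echo "value=${{ github.ref_name }}-${SHORT_SHA}" >> $GITHUB_OUTPUT
+echo "value=${SHORT_SHA}" >> $GITHUB_OUTPUT
 fi
 
 - name: Publish container for ${{ matrix.component }}
@@ -144,7 +144,7 @@ jobs:
 tag_suffix: ${{ matrix.tag_suffix }}
 
 # Build images using ko and attest provenance
-build-images:
+build-images-ko:
 runs-on: linux-amd64-cpu32
 timeout-minutes: 60
 permissions:
@@ -175,7 +175,7 @@ jobs:
 echo "value=${{ github.ref_name }}" >> $GITHUB_OUTPUT
 else
 SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-7)
-echo "value=${{ github.ref_name }}-${SHORT_SHA}" >> $GITHUB_OUTPUT
+echo "value=${SHORT_SHA}" >> $GITHUB_OUTPUT
 fi
 
 # ko is already installed in the setup-ci-env action
@@ -190,15 +190,15 @@ jobs:
 run: scripts/buildko.sh
 
 attest:
-needs: build-images
+needs: build-images-ko
 runs-on: linux-amd64-cpu32
 permissions:
 packages: write
 id-token: write
 attestations: write
 strategy:
 matrix:
-image: ${{ fromJson(needs.build-images.outputs.images) }}
+image: ${{ fromJson(needs.build-images-ko.outputs.images) }}
 steps:
 - name: Authenticate to GHCR
 uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
@@ -216,7 +216,7 @@ jobs:
 push-to-registry: true
 
 sbom-ko:
-needs: build-images
+needs: build-images-ko
 runs-on: linux-amd64-cpu32
 permissions:
 contents: read
@@ -225,7 +225,7 @@ jobs:
 security-events: write # only needed if you also upload SARIF somewhere
 strategy:
 matrix:
-image: ${{ fromJson(needs.build-images.outputs.images) }}
+image: ${{ fromJson(needs.build-images-ko.outputs.images) }}
 steps:
 - name: Authenticate to GHCR
 uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
@@ -269,8 +269,8 @@ jobs:
 runs-on: linux-amd64-cpu32
 timeout-minutes: 60
 needs:
-- container-publish
-- build-images
+- build-images-docker
+- build-images-ko
 - attest
 - sbom-ko
 env:
@@ -311,7 +311,7 @@ jobs:
 echo "value=${{ github.ref_name }}" >> $GITHUB_OUTPUT
 else
 SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-7)
-echo "value=${{ github.ref_name }}-${SHORT_SHA}" >> $GITHUB_OUTPUT
+echo "value=${SHORT_SHA}" >> $GITHUB_OUTPUT
 fi
 
 - name: Prep system for multi-node Kind cluster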
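Review bot: The non-release tag written at new line 74 (and identically at 133, 178 and 314) is now only the first seven hex characters of the commit, so every ref that builds that commit and every re-run writes the same mutable tag, and a seven-character prefix is not guaranteed to stay unique as the repository grows. A comment such as `# tag is a mutable convenience label; verify and deploy by digest` next to the `echo`, or a longer prefix, would make the intended trust anchor explicit, given that the attestations in this workflow are bound to digests. The surrounding script, which starts outside each hunk, still expands `${{ github.ref_name }}` and `${{ github.sha }}` into the shell text and leaves `$GITHUB_OUTPUT` unquoted; reading the runner's own variables, `SHORT_SHA="${GITHUB_SHA::7}"` and `echo "value=${GITHUB_REF_NAME}" >> "$GITHUB_OUTPUT"`, keeps a crafted ref name from being parsed as shell. Since the same step appears four times, moving it into one composite action or a job output would keep the copies from drifting.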
