8
8
value : ${{ jobs.build.outputs.digest }}
9
9
10
10
jobs :
11
- cross-build :
12
- name : Cross compile policy-server binary
13
- runs-on : ubuntu-latest
14
-
15
- strategy :
16
- matrix :
17
- targetarch :
18
- - aarch64
19
- - x86_64
20
-
21
- steps :
22
- - name : Checkout code
23
- uses : actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
24
-
25
- - name : Setup rust toolchain
26
- uses : actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7
27
- with :
28
- toolchain : stable
29
- target : ${{matrix.targetarch}}-unknown-linux-musl
30
- override : true
31
-
32
- - uses : actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3
33
- with :
34
- use-cross : true
35
- command : build
36
- args : --release --target ${{matrix.targetarch}}-unknown-linux-musl
37
-
38
- - name : Upload policy-server binary
39
- uses : actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
40
- with :
41
- name : policy-server-${{ matrix.targetarch }}
42
- path : |
43
- target/${{ matrix.targetarch }}-unknown-linux-musl/release/policy-server
44
-
45
11
build :
46
12
name : Build container image
47
13
permissions :
48
14
packages : write
49
- needs :
50
- - cross-build
15
+ id-token : write
51
16
runs-on : ubuntu-latest
52
17
outputs :
53
18
repository : ${{ steps.setoutput.outputs.repository }}
@@ -57,55 +22,60 @@ jobs:
57
22
steps :
58
23
- name : Checkout code
59
24
uses : actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
25
+
26
+ - name : Install cosign
27
+ uses : sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
28
+
60
29
- name : Set up QEMU
61
30
uses : docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
31
+
62
32
- name : Set up Docker Buildx
63
33
uses : docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
34
+
64
35
- name : Login to GitHub Container Registry
65
36
uses : docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
66
37
with :
67
38
registry : ghcr.io
68
39
username : ${{ github.repository_owner }}
69
40
password : ${{ secrets.GITHUB_TOKEN }}
70
41
71
- # Download the policy-server artifacts we've built inside of the previous job
72
- - name : Download policy-server-x86_64 artifact
73
- uses : actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
74
- with :
75
- name : policy-server-x86_64
76
- path : artifacts-x86_64
77
- - name : Download policy-server-aarch64 artifact
78
- uses : actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
79
- with :
80
- name : policy-server-aarch64
81
- path : artifacts-aarch64
82
- - name : Move binaries to project root
83
- run : |
84
- mv artifacts-x86_64/policy-server policy-server-x86_64
85
- mv artifacts-aarch64/policy-server policy-server-aarch64
86
-
87
42
- name : Retrieve tag name (main branch)
88
43
if : ${{ startsWith(github.ref, 'refs/heads/main') }}
89
44
run : |
90
45
echo TAG_NAME=latest >> $GITHUB_ENV
46
+
91
47
- name : Retrieve tag name (feat branch)
92
48
if : ${{ startsWith(github.ref, 'refs/heads/feat') }}
93
49
run : |
94
50
echo "TAG_NAME=latest-$(echo ${GITHUB_REF#refs/heads/})" >> $GITHUB_ENV
51
+
95
52
- name : Retrieve tag name (tag)
96
53
if : ${{ startsWith(github.ref, 'refs/tags/') }}
97
54
run : |
98
55
echo TAG_NAME=$(echo $GITHUB_REF | sed -e "s|refs/tags/||") >> $GITHUB_ENV
56
+
99
57
- name : Push and push container image
100
58
id : build-image
101
59
uses : docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
102
60
with :
103
61
context : .
104
- file : ./Dockerfile.github
62
+ file : ./Dockerfile
105
63
platforms : linux/amd64, linux/arm64
106
64
push : true
65
+ sbom : true
66
+ provenance : mode=max
107
67
tags : |
108
68
ghcr.io/${{github.repository_owner}}/policy-server:${{ env.TAG_NAME }}
69
+
70
+ - name : Sign container image
71
+ run : |
72
+ cosign sign --yes ghcr.io/${{github.repository_owner}}/policy-server@${{ steps.build-image.outputs.digest }}
73
+
74
+ cosign verify \
75
+ --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
76
+ --certificate-identity-regexp="https://github.com/${{github.repository_owner}}/policy-server/.github/workflows/container-image.yml@${{ github.ref }}" \
77
+ ghcr.io/${{github.repository_owner}}/policy-server@${{ steps.build-image.outputs.digest }}
78
+
109
79
- id : setoutput
110
80
name : Set output parameters
111
81
run : |
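Review bot: The post-sign `cosign verify` in the "Sign container image" step pins the signer with `--certificate-identity-regexp`, but the identity is fully known here, and the unanchored Go regexp with unescaped `.` in `.github` and `.yml` matches more certificate SANs than intended; switch to an exact match, `--certificate-identity="https://github.com/${{github.repository_owner}}/policy-server/.github/workflows/container-image.yml@$GITHUB_REF"`. Using `$GITHUB_REF` (already relied on by the tag-name steps above) instead of `${{ github.ref }}` also avoids splicing a ref name into the shell script, where a branch name containing `$(`, backticks or `;` would be evaluated — ref names permit those characters, so this is a real if low-likelihood injection path when branch pushes trigger the workflow. Keep in mind this verify only self-checks the image signed moments earlier with the job's own OIDC token; consumers of `ghcr.io/.../policy-server` still need to pin the same issuer and identity at pull time, and a short comment above the step saying so, e.g. `# Sanity-check the keyless signature; consumers must verify with the same issuer/identity`, would make that clear. The `permissions` change adding `id-token: write` is the minimum needed for keyless `cosign sign --yes` and looks correct.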