71 lines
1.9 KiB
YAML
71 lines
1.9 KiB
YAML
name: Release
|
|
|
|
on:
|
|
push:
|
|
tags:
|
|
- '*'
|
|
workflow_dispatch:
|
|
|
|
env:
|
|
REGISTRY_USER: ${{ github.actor }}
|
|
REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
jobs:
|
|
verify-image:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Install dependencies
|
|
run: sudo apt-get install -y libfyaml-utils
|
|
|
|
- name: Read base image name from recipe
|
|
id: read_base_recipe
|
|
run: |
|
|
BASE_IMAGE="$(fy-filter -f recipe.yml /stages/-1/base)"
|
|
echo The base image is $BASE_IMAGE
|
|
if [ -z $BASE_IMAGE ]; then exit 1; fi
|
|
echo "base_image=$BASE_IMAGE" >> "$GITHUB_OUTPUT"
|
|
echo "BASE_IMAGE=$BASE_IMAGE" >> "$GITHUB_ENV"
|
|
|
|
- name: Verify Base Image Integrity
|
|
run: |
|
|
gh attestation verify oci://ghcr.io/${{ env.BASE_IMAGE }} --owner Vanilla-OS
|
|
env:
|
|
GH_TOKEN: ${{ github.token }}
|
|
|
|
release:
|
|
runs-on: ubuntu-latest
|
|
needs: verify-image
|
|
permissions:
|
|
contents: write # Allow actions to create release
|
|
attestations: write # To create and write attestations
|
|
id-token: write # Additional permissions for the persistence of the attestations
|
|
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
- uses: vanilla-os/vib-gh-action@v0.7.4
|
|
with:
|
|
recipe: 'recipe.yml'
|
|
plugins: 'Vanilla-OS/vib-fsguard:v1.5.3'
|
|
|
|
- uses: actions/upload-artifact@v4
|
|
with:
|
|
name: Containerfile
|
|
path: Containerfile
|
|
|
|
- name: Create Release
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
run: gh release create "${{ github.ref_name }}" --generate-notes Containerfile
|
|
|
|
- name: Attest Release Files
|
|
id: attest
|
|
uses: actions/attest-build-provenance@v1
|
|
with:
|
|
subject-path: 'Containerfile'
|