Merge pull request #582 from ericcornelissen/release-patch-ucu1hfp #16
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Publish | |
| on: | |
| push: | |
| tags: | |
| - v* | |
| permissions: read-all | |
| jobs: | |
| branch: | |
| name: Branch | |
| runs-on: ubuntu-22.04 | |
| permissions: | |
| contents: write # To push a branch | |
| needs: | |
| - validate | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 | |
| with: | |
| disable-sudo: true | |
| egress-policy: block | |
| allowed-endpoints: > | |
| github.com:443 | |
| - name: Checkout repository | |
| uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 | |
| with: | |
| fetch-depth: 0 | |
| - name: Get major version | |
| uses: actions/github-script@e69ef5462fd455e02edcaf4dd7708eda96b9eda0 # v7.0.0 | |
| id: version | |
| with: | |
| result-encoding: string | |
| script: | | |
| const ref = context.ref | |
| const tag = ref.replace(/^refs\/tags\//, "") | |
| const major = tag.replace(/\.\d+\.\d+$/, "") | |
| return major | |
| - name: Update release branch | |
| env: | |
| MAJOR_VERSION: ${{ steps.version.outputs.result }} | |
| run: git push origin "HEAD:$MAJOR_VERSION" | |
| docker-hub: | |
| name: Docker Hub | |
| runs-on: ubuntu-22.04 | |
| permissions: | |
| id-token: write # To perform keyless signing with cosign | |
| environment: | |
| name: docker | |
| url: https://hub.docker.com/r/ericornelissen/js-re-scan | |
| needs: | |
| - validate | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 | |
| with: | |
| egress-policy: block | |
| allowed-endpoints: > | |
| api.github.com:443 | |
| auth.docker.io:443 | |
| fulcio.sigstore.dev:443 | |
| github.com:443 | |
| index.docker.io:443 | |
| nodejs.org:443 | |
| objects.githubusercontent.com:443 | |
| production.cloudflare.docker.com:443 | |
| raw.githubusercontent.com:443 | |
| registry-1.docker.io:443 | |
| registry.npmjs.org:443 | |
| rekor.sigstore.dev:443 | |
| sigstore-tuf-root.storage.googleapis.com:443 | |
| storage.googleapis.com:443 | |
| tuf-repo-cdn.sigstore.dev:443 | |
| - name: Checkout repository | |
| uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 | |
| - name: Get version | |
| uses: actions/github-script@e69ef5462fd455e02edcaf4dd7708eda96b9eda0 # v7.0.0 | |
| id: version | |
| with: | |
| result-encoding: string | |
| script: | | |
| const ref = context.ref | |
| const tag = ref.replace(/^refs\/tags\//, "") | |
| return tag | |
| - name: Get cosign version | |
| id: versions | |
| run: | | |
| COSIGN_VERSION="$(grep cosign < .tool-versions | awk '{print $2}')" | |
| echo "cosign=$COSIGN_VERSION" >> "$GITHUB_OUTPUT" | |
| - name: Install cosign | |
| uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0 | |
| with: | |
| cosign-release: v${{ steps.versions.outputs.cosign }} | |
| - name: Log in to Docker Hub | |
| uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 | |
| with: | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_PASSWORD }} | |
| - name: Build and push to Docker Hub | |
| id: docker_hub | |
| uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 | |
| with: | |
| context: . | |
| file: Containerfile | |
| push: true | |
| tags: >- | |
| ericornelissen/js-re-scan:latest, | |
| ericornelissen/js-re-scan:${{ steps.version.outputs.result }} | |
| - name: Sign container image | |
| env: | |
| IMAGE_DIGEST: ${{ steps.docker_hub.outputs.digest }} | |
| REF: ${{ github.sha }} | |
| REPO: ${{ github.repository }} | |
| WORKFLOW: ${{ github.workflow }} | |
| run: | | |
| cosign sign --yes \ | |
| -a "repo=$REPO" \ | |
| -a "workflow=$WORKFLOW" \ | |
| -a "ref=$REF" \ | |
| "docker.io/ericornelissen/js-re-scan@$IMAGE_DIGEST" | |
| validate: | |
| name: Validate | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 | |
| with: | |
| disable-sudo: true | |
| egress-policy: block | |
| allowed-endpoints: > | |
| api.github.com:443 | |
| auth.docker.io:443 | |
| artifactcache.actions.githubusercontent.com:443 | |
| files.pythonhosted.org:443 | |
| fulcio.sigstore.dev:443 | |
| github.com:443 | |
| gitlab.com:443 | |
| nodejs.org:443 | |
| objects.githubusercontent.com:443 | |
| production.cloudflare.docker.com:443 | |
| pypi.org:443 | |
| registry-1.docker.io:443 | |
| registry.npmjs.org:443 | |
| rekor.sigstore.dev:443 | |
| sigstore-tuf-root.storage.googleapis.com:443 | |
| toolbox-data.anchore.io:443 | |
| tuf-repo-cdn.sigstore.dev:443 | |
| - name: Checkout repository | |
| uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 | |
| with: | |
| submodules: true | |
| - name: Install Node.js | |
| uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0 | |
| with: | |
| cache: npm | |
| node-version-file: .nvmrc | |
| - name: Install tooling | |
| uses: asdf-vm/actions/install@4f8f7939dd917fc656bb7c3575969a5988c28364 # v3.0.0 | |
| - name: Verify project validity | |
| run: make verify |