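# Publish workflow: runs when a tag matching v* is pushed, validates the
# project, then (in parallel) updates the major-version release branch and
# builds, pushes and signs the container image.
name: Publish

on:
  push:
    tags:
      - "v*"

# Workflow-wide default. The `branch` and `docker-hub` jobs replace it with
# their own job-level grants, so only `validate` runs with read-all.
# NOTE(review): `validate` only checks out the repo and runs `make verify`;
# `contents: read` is probably sufficient for it — confirm before tightening.
permissions: read-all

jobs:
  branch:
    name: Branch
    runs-on: ubuntu-22.04
    # Job-level permissions replace the workflow default: this token can
    # write repository contents and nothing else.
    permissions:
      contents: write # To push a branch
    needs:
      - validate
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
        with:
          disable-sudo: true
          egress-policy: block
          # Only the git push below needs network access.
          allowed-endpoints: >
            github.com:443
      - name: Checkout repository
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
        with:
          # Full history so the existing release branch can be updated.
          fetch-depth: 0
      - name: Get major version
        uses: actions/github-script@e69ef5462fd455e02edcaf4dd7708eda96b9eda0 # v7.0.0
        id: version
        with:
          result-encoding: string
          # Derive the release branch name (e.g. "v1") from the tag
          # (e.g. "v1.2.3"). The trigger accepts any v* tag, so reject
          # anything that is not vMAJOR.MINOR.PATCH here; otherwise an
          # unexpected tag name would be pushed verbatim as a new branch.
          script: |
            const ref = context.ref
            const tag = ref.replace(/^refs\/tags\//, "")
            if (!/^v\d+\.\d+\.\d+$/.test(tag)) {
              core.setFailed("Tag '" + tag + "' is not of the form vMAJOR.MINOR.PATCH")
              return ""
            }
            const major = tag.replace(/\.\d+\.\d+$/, "")
            return major
      - name: Update release branch
        env:
          MAJOR_VERSION: ${{ steps.version.outputs.result }}
        run: git push origin "HEAD:$MAJOR_VERSION"

  docker-hub:
    name: Docker Hub
    runs-on: ubuntu-22.04
    # Job-level permissions replace the workflow default: this token gets an
    # OIDC identity token for cosign and no repository scopes.
    permissions:
      id-token: write # To perform keyless signing with cosign
    environment:
      name: docker
      url: https://hub.docker.com/r/ericornelissen/js-re-scan
    needs:
      - validate
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
        with:
          egress-policy: block
          # Build inputs (GitHub, npm, Node.js), Docker Hub and the Sigstore
          # services used for keyless signing.
          allowed-endpoints: >
            api.github.com:443
            auth.docker.io:443
            fulcio.sigstore.dev:443
            github.com:443
            index.docker.io:443
            nodejs.org:443
            objects.githubusercontent.com:443
            production.cloudflare.docker.com:443
            raw.githubusercontent.com:443
            registry-1.docker.io:443
            registry.npmjs.org:443
            rekor.sigstore.dev:443
            sigstore-tuf-root.storage.googleapis.com:443
            storage.googleapis.com:443
            tuf-repo-cdn.sigstore.dev:443
      - name: Checkout repository
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
      - name: Get version
        uses: actions/github-script@e69ef5462fd455e02edcaf4dd7708eda96b9eda0 # v7.0.0
        id: version
        with:
          result-encoding: string
          # The full tag name (e.g. "v1.2.3") becomes the image tag.
          script: |
            const ref = context.ref
            const tag = ref.replace(/^refs\/tags\//, "")
            return tag
      - name: Get cosign version
        id: versions
        # Read the pinned cosign version from .tool-versions so the installer
        # and the repo's tooling cannot drift apart.
        run: |
          COSIGN_VERSION="$(grep cosign < .tool-versions | awk '{print $2}')"
          echo "cosign=$COSIGN_VERSION" >> "$GITHUB_OUTPUT"
      - name: Install cosign
        uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0
        with:
          cosign-release: v${{ steps.versions.outputs.cosign }}
      - name: Log in to Docker Hub
        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: Build and push to Docker Hub
        id: docker_hub
        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
        with:
          context: .
          file: Containerfile
          push: true
          tags: >-
            ericornelissen/js-re-scan:latest,
            ericornelissen/js-re-scan:${{ steps.version.outputs.result }}
      - name: Sign container image
        env:
          IMAGE_DIGEST: ${{ steps.docker_hub.outputs.digest }}
          # Despite the name, REF carries the commit SHA, not the tag ref.
          REF: ${{ github.sha }}
          REPO: ${{ github.repository }}
          WORKFLOW: ${{ github.workflow }}
        # Sign by digest (not by tag) so the signature is bound to the exact
        # image that was pushed.
        run: |
          cosign sign --yes \
            -a "repo=$REPO" \
            -a "workflow=$WORKFLOW" \
            -a "ref=$REF" \
            "docker.io/ericornelissen/js-re-scan@$IMAGE_DIGEST"

  validate:
    name: Validate
    runs-on: ubuntu-22.04
    # Runs with the workflow-level `permissions: read-all` default.
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            auth.docker.io:443
            artifactcache.actions.githubusercontent.com:443
            files.pythonhosted.org:443
            fulcio.sigstore.dev:443
            github.com:443
            gitlab.com:443
            nodejs.org:443
            objects.githubusercontent.com:443
            production.cloudflare.docker.com:443
            pypi.org:443
            registry-1.docker.io:443
            registry.npmjs.org:443
            rekor.sigstore.dev:443
            sigstore-tuf-root.storage.googleapis.com:443
            toolbox-data.anchore.io:443
            tuf-repo-cdn.sigstore.dev:443
      - name: Checkout repository
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
        with:
          submodules: true
      - name: Install Node.js
        uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
        with:
          cache: npm
          node-version-file: .nvmrc
      - name: Install tooling
        uses: asdf-vm/actions/install@4f8f7939dd917fc656bb7c3575969a5988c28364 # v3.0.0
      - name: Verify project validity
        run: make verify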