values.schema.json: enhanced readability (#1224) #51
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: snapshot | |
| on: | |
| push: | |
| # Releases are tags named 'v<version>', and must have the "major.minor.micro", for example: "0.1.0". | |
| # Release candidates are tagged as `v<version>-rc<num>`, for example: "0.1.0-rc1". | |
| branches: | |
| - main | |
| concurrency: snapshot | |
| permissions: | |
| contents: write # for creating a release | |
| packages: write # for publishing containers | |
| id-token: write # for using OIDC tokens | |
| env: | |
| SYFT_VERSION: "0.68.1" | |
| jobs: | |
| init: | |
| runs-on: ubuntu-22.04 | |
| outputs: | |
| version: ${{steps.version.outputs.version}} | |
| steps: | |
| - name: Set version | |
| id: version | |
| env: | |
| COMMIT: ${{github.sha}} | |
| run: | | |
| echo "version=$COMMIT" >> $GITHUB_OUTPUT | |
| # check that our CI would pass | |
| ci: | |
| uses: ./.github/workflows/ci.yaml | |
| publish: | |
| needs: [ init, ci ] | |
| permissions: | |
| contents: write | |
| packages: write | |
| id-token: write # for using OIDC tokens | |
| runs-on: ubuntu-22.04 | |
| env: | |
| CONTAINERS: "trust trust-docs trust-tests" | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Install cosign | |
| uses: sigstore/cosign-installer@v2 | |
| - name: Check cosign | |
| run: cosign version | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| path: ~/download | |
| - name: Display downloaded content | |
| run: ls -R ~/download | |
| - name: Load container | |
| run: | | |
| for container in $CONTAINERS; do | |
| podman load --input ~/download/${container}-container/${container}-image.tar | |
| done | |
| - name: Log in to ghcr.io | |
| uses: redhat-actions/podman-login@v1 | |
| with: | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| registry: "ghcr.io" | |
| - name: Push to ghcr.io | |
| id: push-images | |
| run: | | |
| for container in $CONTAINERS; do | |
| IMAGE="ghcr.io/${{ github.repository_owner }}/${container}:${{ needs.init.outputs.version }}" | |
| podman push \ | |
| "${container}:ci" \ | |
| "${IMAGE}" \ | |
| --digestfile "${RUNNER_TEMP}/push.${container}.digest" | |
| done | |
| - name: Push to ghcr.io (as latest) | |
| id: push-images-latest | |
| run: | | |
| for container in $CONTAINERS; do | |
| IMAGE="ghcr.io/${{ github.repository_owner }}/${container}:latest" | |
| podman push \ | |
| "${container}:ci" \ | |
| "${IMAGE}" | |
| done | |
| - name: Sign the images with GitHub OIDC Token | |
| env: | |
| COSIGN_EXPERIMENTAL: true | |
| run: | | |
| for container in $CONTAINERS; do | |
| imageDigest="$(cat ${RUNNER_TEMP}/push.${container}.digest)" | |
| echo "Image Digest: ${imageDigest}" | |
| # and then construct the full (pushed) name | |
| cosign sign --yes --recursive "ghcr.io/${{ github.repository_owner }}/${container}@${imageDigest}" | |
| done | |
| staging: | |
| needs: [ init, publish ] | |
| uses: ./.github/workflows/staging.yaml | |
| secrets: inherit | |
| with: | |
| releaseTag: ${{ needs.init.outputs.version }} |