fix: Justfile build command on Windows (#207) #166
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release | |
| on: | |
| push: | |
| branches: | |
| - main | |
| workflow_dispatch: | |
| env: | |
| REGISTRY: ghcr.io | |
| IMAGE_PREFIX: ghcr.io/${{ github.repository_owner }} | |
| jobs: | |
| release-please: | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 15 | |
| environment: release | |
| permissions: | |
| contents: write | |
| issues: write | |
| pull-requests: write | |
| outputs: | |
| new-release-created: ${{ steps.release-please-action.outputs.releases_created }} | |
| tag-name: ${{ steps.release-please-action.outputs.tag_name }} | |
| steps: | |
| - name: Generate GitHub App token | |
| id: app-token | |
| uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 | |
| with: | |
| client-id: ${{ secrets.APP_ID }} | |
| private-key: ${{ secrets.APP_PRIVATE_KEY }} | |
| permission-contents: write | |
| permission-pull-requests: write | |
| - uses: googleapis/release-please-action@45996ed1f6d02564a971a2fa1b5860e934307cf7 # v5.0.0 | |
| id: release-please-action | |
| with: | |
| release-type: go | |
| release-as: 0.1.0 # TODO: Remove this once the first release is cut | |
| token: ${{ steps.app-token.outputs.token }} | |
| build: | |
| name: Build ${{ matrix.name }} Image | |
| needs: release-please | |
| if: needs.release-please.outputs.new-release-created == 'true' || github.event_name == 'workflow_dispatch' | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 40 | |
| permissions: | |
| contents: read | |
| packages: write | |
| attestations: write | |
| id-token: write | |
| artifact-metadata: write | |
| strategy: | |
| matrix: | |
| include: | |
| - name: hub | |
| base_image: gcr.io/distroless/base-nossl-debian13:nonroot | |
| - name: agent | |
| base_image: gcr.io/distroless/base-nossl-debian13:latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| with: | |
| persist-credentials: false | |
| - name: Install cosign | |
| uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2 | |
| - name: Verify distroless base image signature | |
| run: | | |
| cosign verify \ | |
| ${{ matrix.base_image }} \ | |
| --certificate-oidc-issuer https://accounts.google.com \ | |
| --certificate-identity keyless@distroless.iam.gserviceaccount.com | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 | |
| - name: Log in to GHCR | |
| uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Extract metadata for ${{ matrix.name }} | |
| id: meta | |
| uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0 | |
| with: | |
| images: ${{ env.IMAGE_PREFIX }}/${{ matrix.name }} | |
| tags: | | |
| type=semver,pattern={{version}},value=${{ needs.release-please.outputs.tag-name }},enable=${{ github.event_name != 'workflow_dispatch' }} | |
| type=semver,pattern={{major}}.{{minor}}.{{patch}},value=${{ needs.release-please.outputs.tag-name }},enable=${{ github.event_name != 'workflow_dispatch' }} | |
| type=semver,pattern={{major}}.{{minor}},value=${{ needs.release-please.outputs.tag-name }},enable=${{ github.event_name != 'workflow_dispatch' }} | |
| type=semver,pattern={{major}},value=${{ needs.release-please.outputs.tag-name }},enable=${{ github.event_name != 'workflow_dispatch' }} | |
| type=raw,value=latest,enable=${{ github.event_name != 'workflow_dispatch' }} | |
| type=raw,value=main,enable=${{ github.event_name == 'workflow_dispatch' }} | |
| - name: Build and push ${{ matrix.name }} image | |
| id: build | |
| uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0 | |
| with: | |
| context: . | |
| file: ${{ matrix.name }}.Dockerfile | |
| push: true | |
| platforms: linux/amd64,linux/arm64 | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| annotations: ${{ steps.meta.outputs.annotations }} | |
| build-args: | | |
| VERSION=${{ github.event_name == 'workflow_dispatch' && 'main' || needs.release-please.outputs.tag-name }} | |
| COMMIT=${{ github.sha }} | |
| BUILD_DATE=${{ github.event.head_commit.timestamp }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| provenance: mode=max | |
| sbom: true | |
| - name: Attest ${{ matrix.name }} image | |
| uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0 | |
| with: | |
| subject-name: ${{ env.IMAGE_PREFIX }}/${{ matrix.name }} | |
| subject-digest: ${{ steps.build.outputs.digest }} | |
| push-to-registry: true | |
| - name: Sign ${{ matrix.name }} image | |
| env: | |
| DIGEST: ${{ steps.build.outputs.digest }} | |
| run: | | |
| LOWERCASE_IMAGE_PREFIX=$(echo "$IMAGE_PREFIX" | tr '[:upper:]' '[:lower:]') | |
| cosign sign --yes \ | |
| "$LOWERCASE_IMAGE_PREFIX/${{ matrix.name }}@$DIGEST" |