policy: fix ResolveAttestations via policy callback #7405
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: frontend | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions | |
| permissions: | |
| contents: read | |
| on: | |
| workflow_dispatch: | |
| push: | |
| branches: | |
| - 'master' | |
| - 'v[0-9]+.[0-9]+' | |
| tags: | |
| - 'dockerfile/*' | |
| pull_request: | |
| paths-ignore: | |
| - 'README.md' | |
| - 'docs/**' | |
| - 'frontend/dockerfile/docs/**' | |
| env: | |
| GO_VERSION: "1.25" | |
| SETUP_BUILDX_VERSION: "edge" | |
| SETUP_BUILDKIT_TAG: "moby/buildkit:latest" | |
| SCOUT_VERSION: "1.13.0" | |
| IMAGE_NAME: "docker/dockerfile-upstream" | |
| jobs: | |
| test: | |
| uses: ./.github/workflows/.test.yml | |
| secrets: inherit | |
| with: | |
| cache_scope: frontend-integration-tests | |
| pkgs: ./frontend/dockerfile | |
| kinds: | | |
| integration | |
| dockerfile | |
| codecov_flags: dockerfile-frontend | |
| prepare: | |
| runs-on: ubuntu-24.04 | |
| outputs: | |
| includes: ${{ steps.set.outputs.includes }} | |
| tag: ${{ steps.set.outputs.tag }} | |
| steps: | |
| - | |
| name: Set outputs | |
| id: set | |
| uses: actions/github-script@v8 | |
| env: | |
| INPUT_REF: ${{ github.ref }} | |
| INPUT_CHANNELS: | | |
| mainline | |
| labs | |
| INPUT_IMAGE-NAME: ${{ env.IMAGE_NAME }} | |
| with: | |
| script: | | |
| const ref = core.getInput('ref'); | |
| const channels = core.getMultilineInput('channels'); | |
| const imageName = core.getInput('image-name'); | |
| function getTags(channel) { | |
| let tagSuffix = ''; | |
| if (channel !== 'mainline') { | |
| tagSuffix = `-${channel}`; | |
| } | |
| let tagLatest = ''; | |
| let tagVersion = ''; | |
| if (ref.startsWith('refs/tags/dockerfile/')) { | |
| const version = ref.replace('refs/tags/dockerfile/', '').replace(new RegExp(`-${channel}$`), ''); | |
| if (/^[0-9]+\.[0-9]+\.[0-9]+$/.test(version)) { | |
| tagLatest = channel === 'mainline' ? 'latest' : channel; | |
| } | |
| tagVersion = version; | |
| } | |
| return { tagSuffix, tagLatest, tagVersion }; | |
| } | |
| const matrix = []; | |
| if (ref.startsWith('refs/tags/dockerfile/')) { | |
| const version = ref.replace('refs/tags/dockerfile/', ''); | |
| for (const channel of channels) { | |
| if (version.endsWith(`-${channel}`)) { | |
| const { tagSuffix, tagLatest, tagVersion } = getTags(channel); | |
| matrix.push({ | |
| channel: channel, | |
| imageName: imageName, | |
| tagSuffix: tagSuffix, | |
| tagLatest: tagLatest, | |
| tagVersion: tagVersion | |
| }); | |
| break; | |
| } | |
| } | |
| if (matrix.length === 0) { | |
| // default to mainline if no channel suffix | |
| const { tagSuffix, tagLatest, tagVersion } = getTags('mainline'); | |
| matrix.push({ | |
| channel: 'mainline', | |
| imageName: imageName, | |
| tagSuffix: tagSuffix, | |
| tagLatest: tagLatest, | |
| tagVersion: tagVersion | |
| }); | |
| } | |
| core.setOutput('tag', ref.replace('refs/tags/', '')); | |
| } else { | |
| for (const channel of channels) { | |
| const { tagSuffix, tagLatest, tagVersion } = getTags(channel); | |
| matrix.push({ | |
| channel: channel, | |
| imageName: imageName, | |
| tagSuffix: tagSuffix, | |
| tagLatest: tagLatest, | |
| tagVersion: tagVersion | |
| }); | |
| } | |
| } | |
| core.info(JSON.stringify(matrix, null, 2)); | |
| core.setOutput('includes', JSON.stringify(matrix)); | |
| image: | |
| uses: docker/github-builder/.github/workflows/bake.yml@v1 | |
| needs: | |
| - prepare | |
| - test | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: ${{ fromJson(needs.prepare.outputs.includes) }} | |
| permissions: | |
| contents: read # same as global permission | |
| id-token: write # for signing attestation(s) with GitHub OIDC Token | |
| with: | |
| runner: amd64 | |
| setup-qemu: true | |
| target: frontend-image-cross | |
| cache: true | |
| cache-scope: frontend-${{ matrix.channel }} | |
| output: image | |
| push: ${{ github.repository == 'moby/buildkit' && (github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/dockerfile/')) }} | |
| sbom: true | |
| vars: | | |
| FRONTEND_CHANNEL=${{ matrix.channel }} | |
| set-meta-annotations: true | |
| meta-images: | | |
| ${{ matrix.imageName }} | |
| # versioning strategy | |
| ## push tag dockerfile/1.17.0 | |
| ### docker/dockerfile-upstream:1.17.0 | |
| ### docker/dockerfile-upstream:1.17 | |
| ### docker/dockerfile-upstream:1 | |
| ### docker/dockerfile-upstream:latest | |
| ## push tag dockerfile/1.17.0-labs | |
| ### docker/dockerfile-upstream:1.17.0-labs | |
| ### docker/dockerfile-upstream:1.17-labs | |
| ### docker/dockerfile-upstream:1-labs | |
| ### docker/dockerfile-upstream:labs | |
| ## push prerelease tag dockerfile/1.17.0-rc1 | |
| ### docker/dockerfile-upstream:1.17.0-rc1 | |
| ## push prerelease tag dockerfile/1.17.0-rc1-labs | |
| ### docker/dockerfile-upstream:1.17.0-rc1-labs | |
| ## push on master | |
| ### docker/dockerfile-upstream:master | |
| ### docker/dockerfile-upstream:master-labs | |
| meta-tags: | | |
| type=ref,event=branch,suffix=${{ matrix.tagSuffix }} | |
| type=ref,event=pr,suffix=${{ matrix.tagSuffix }} | |
| type=semver,pattern={{version}},value=${{ matrix.tagVersion }},suffix=${{ matrix.tagSuffix }} | |
| type=semver,pattern={{major}}.{{minor}},value=${{ matrix.tagVersion }},suffix=${{ matrix.tagSuffix }} | |
| type=semver,pattern={{major}},value=${{ matrix.tagVersion }},suffix=${{ matrix.tagSuffix }} | |
| type=raw,value=${{ matrix.tagLatest }} | |
| meta-flavor: | | |
| latest=false | |
| meta-annotations: | | |
| org.opencontainers.image.title=Dockerfile Frontend | |
| org.opencontainers.image.vendor=Moby | |
| meta-bake-target: frontend-meta-helper | |
| secrets: | |
| registry-auths: | | |
| - registry: docker.io | |
| username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| scout: | |
| runs-on: ubuntu-24.04 | |
| if: ${{ github.repository == 'moby/buildkit' && github.ref == 'refs/heads/master' }} | |
| permissions: | |
| # same as global permission | |
| contents: read | |
| # required to write sarif report | |
| security-events: write | |
| needs: | |
| - image | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| tag: | |
| - master | |
| - master-labs | |
| steps: | |
| - | |
| name: Checkout | |
| uses: actions/checkout@v6 | |
| - | |
| name: Login to DockerHub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| - | |
| name: Scout | |
| id: scout | |
| uses: crazy-max/.github/.github/actions/docker-scout@ccae1c98f1237b5c19e4ef77ace44fa68b3bc7e4 | |
| with: | |
| version: ${{ env.SCOUT_VERSION }} | |
| format: sarif | |
| image: registry://${{ env.IMAGE_NAME }}:${{ matrix.tag }} | |
| - | |
| name: Result output | |
| run: | | |
| jq . ${{ steps.scout.outputs.result-file }} | |
| - | |
| name: Upload SARIF report | |
| uses: github/codeql-action/upload-sarif@v4 | |
| with: | |
| sarif_file: ${{ steps.scout.outputs.result-file }} | |
| release: | |
| runs-on: ubuntu-24.04 | |
| if: startsWith(github.ref, 'refs/tags/dockerfile') | |
| permissions: | |
| # required to create GitHub release | |
| contents: write | |
| needs: | |
| - prepare | |
| - test | |
| - image | |
| steps: | |
| - | |
| name: GitHub Release | |
| uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| draft: true | |
| name: ${{ needs.prepare.outputs.tag }} |