feat: initial release actions (#1)

* feat: initial actions

Author: oliverbaehler

README.md

@@ -1,2 +1,3 @@
 # github-actions
+
 Github Reusable Actions

exists/action.yaml

@@ -0,0 +1,21 @@
+name: Checks if an input is defined
+
+description: Checks if an input is defined and outputs 'true' or 'false'.
+
+inputs:
+  value:
+    description: value to test
+    required: true
+
+outputs:
+  result:
+    description: outputs 'true' or 'false' if input value is defined or not
+    value: ${{ steps.check.outputs.result }}
+
+runs:
+  using: composite
+  steps:
+    - shell: bash
+      id: check
+      run: |
+        echo "result=${{ inputs.value != '' }}" >> $GITHUB_OUTPUT

helm-oci-chart/action.yaml

@@ -0,0 +1,104 @@
+name: Helm OCI Chart Releaser
+description: Push Helm charts to OCI-based (Docker) registries
+inputs:
+  name:
+    required: true
+    description: Chart name
+  repository:
+    required: true
+    description: Chart repository name
+  app-version:
+    description: "Chart Application Version"
+    required: false
+  version:
+    required: false
+    description: Chart version
+  path:
+    required: false
+    description: Chart path (Default 'charts/{name}')
+  registry:
+    required: true
+    description: OCI registry
+  registry-username:
+    required: true
+    description: OCI registry username
+  registry-password:
+    required: true
+    description: OCI registry password
+  update-dependencies:
+    required: false
+    default: 'false'
+    description: Update chart dependencies before packaging (Default 'false')
+  sign-image:
+    required: false
+    default: 'false'
+    description: Sign chart package with Cosign
+  signature-repository:
+    required: true
+    description: signature repository
+
+outputs:
+  digest:
+    value: ${{ steps.helm-push.outputs.digest }}
+    description: "Chart digest"
+  image:
+    value: ${{ steps.helm-push.outputs.image }}
+    description: Chart image (Default '{registry}/{repository}/{image}:{version}')
+runs:
+  using: composite
+  steps:
+
+    - name: Helm | Login
+      shell: bash
+      run: echo ${{ inputs.registry-password }} | helm registry login -u ${{ inputs.registry-username }} --password-stdin ${{ inputs.registry }}
+      env:
+        HELM_EXPERIMENTAL_OCI: '1'
+
+    - name: Cosign | Login
+      if: inputs.sign-image == 'true'
+      shell: bash
+      run: cosign login --username ${{ inputs.registry-username }} --password ${{ inputs.registry-password }} ${{ inputs.registry }}
+    
+    - name: Helm | Dependency
+      if: inputs.update-dependencies == 'true'
+      shell: bash
+      run: helm dependency update ${{ inputs.path == null && format('{0}/{1}', 'charts', inputs.name) || inputs.path }}
+      env:
+        HELM_EXPERIMENTAL_OCI: '1'
+
+    - name: Helm | Package
+      shell: bash
+      run: helm package --destination ./chart-build/ ${{ inputs.path == null && format('{0}/{1}', 'charts', inputs.name) || inputs.path }} ${{ inputs.version != '' && format('--version={0}', inputs.version) || '' }} ${{ inputs.app-version != '' && format('--app-version={0}', inputs.app-version) || '' }}
+      env:
+        HELM_EXPERIMENTAL_OCI: '1'
+
+    - name: Helm | Push
+      shell: bash
+      id: helm-push
+      run: |
+        CHART_FILE=$(find ./chart-build -name "*.tgz" -print -quit)
+        helm push $CHART_FILE oci://${{ inputs.registry }}/${{ inputs.repository }} |& tee digest
+        DIGEST=$(sed -n '/Digest:/s/Digest: //p' digest)
+        echo "image=${{ inputs.registry }}/${{ inputs.repository }}/${{ inputs.name }}:${{ inputs.version }}" >> $GITHUB_OUTPUT
+        echo "digest=$DIGEST" >> $GITHUB_OUTPUT
+      env:
+        HELM_EXPERIMENTAL_OCI: '1'
+
+    - name: Cosign | Sign
+      shell: bash
+      if: inputs.sign-image == 'true'
+      env:
+        COSIGN_REPOSITORY: ${{ inputs.signature-repository }}
+      run: |
+        set -e
+        cosign sign --yes \
+          -a "repo=${{ github.repository }}" \
+          -a "workflow=${{ github.workflow }}" \
+          -a "ref=${{ github.sha }}" \
+          ${{ steps.helm-push.outputs.image }}@${{ steps.helm-push.outputs.digest }}
+
+    - name: Helm | Logout
+      shell: bash
+      run: helm registry logout ${{ inputs.registry }}
+      env:
+        HELM_EXPERIMENTAL_OCI: '1'

ko-publish-image/action.yaml

@@ -0,0 +1,88 @@
+name: Publish image
+
+description: Publishes a docker image, SBOM, scans vulns, and signs the image.
+
+inputs:
+  makefile-target:
+    required: true
+    description: makefile target to invoke for publishing image with ko
+  registry:
+    required: true
+    description: registry to publish image to
+  registry-username:
+    required: true
+    description: registry credentials username
+  registry-password:
+    required: true
+    description: registry credentials password
+  repository:
+    required: true
+    description: repository to publish image to
+  version:
+    required: true
+    description: published image version
+  sign-image:
+    required: true
+    description: sign image
+  sbom-name:
+    required: true
+    description: name of the cyclonedx sbom
+  sbom-repository:
+    required: true
+    description: sbom repository
+  signature-repository:
+    required: true
+    description: signature repository
+  main-path:
+    required: true
+    description: path to main go entry point
+
+outputs:
+  digest:
+    value: ${{ steps.digest.outputs.digest }}
+    description: published image digest
+
+runs:
+  using: composite
+  steps:
+    - shell: bash
+      id: ko-publish
+      env:
+        REGISTRY: ${{ inputs.registry }}
+        REPO: ${{ inputs.repository }}
+        REGISTRY_PASSWORD: ${{ inputs.registry-password }}
+        COSIGN_REPOSITORY: ${{ inputs.sbom-repository }}
+      run: |
+        set -e
+        echo "digest=$(VERSION=${{ inputs.version }} make ${{ inputs.makefile-target }})" >> $GITHUB_OUTPUT
+    - uses: CycloneDX/gh-gomod-generate-sbom@d4aee0cf5133055dbd98899978246c10c18c440f # v1.1.0
+      with:
+        version: v1
+        args: app -licenses -json -output ${{ inputs.sbom-name }}-bom.cdx.json -main ${{ inputs.main-path }}
+    - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+      with:
+        name: ${{ inputs.sbom-name }}-bom-cdx
+        path: ${{ inputs.sbom-name }}-bom.cdx.json
+    - shell: bash
+      if: ${{ inputs.sign-image == 'true' }}
+      env:
+        COSIGN_REPOSITORY: ${{ inputs.signature-repository }}
+      run: |
+        set -e
+        cosign sign --yes \
+          -a "repo=${{ github.repository }}" \
+          -a "workflow=${{ github.workflow }}" \
+          -a "ref=${{ github.sha }}" \
+          ${{ steps.ko-publish.outputs.digest }}
+    - shell: bash
+      env:
+        COSIGN_REPOSITORY: ${{ inputs.sbom-repository }}
+      run: |
+        cosign attach sbom --sbom ./${{ inputs.sbom-name }}-bom.cdx.json --type cyclonedx ${{ steps.ko-publish.outputs.digest }}
+    - shell: bash
+      id: digest
+      run: |
+        echo "The image generated is: ${{ steps.ko-publish.outputs.digest }}"
+        DIGEST=$(echo ${{ steps.ko-publish.outputs.digest }} | cut -d '@' -f2)
+        echo "Digest from image is: $DIGEST"
+        echo "digest=$DIGEST" >> $GITHUB_OUTPUT