add tag to cosign target #4
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Docker Image CI | |
| on: | |
| push: | |
| branches: [ main, kwasm-lifecycle-manager ] | |
| tags: [ '*' ] | |
| pull_request: | |
| branches: [ main ] | |
| env: | |
| REGISTRY: ghcr.io | |
| IMAGE_NAME: ${{ github.repository }} | |
| jobs: | |
| buildx: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| # cosign uses the GitHub OIDC token | |
| id-token: write | |
| # needed to upload artifacts to a GH release | |
| contents: write | |
| packages: write | |
| repository-projects: write | |
| steps: | |
| - | |
| name: Checkout | |
| uses: actions/checkout@v2 | |
| with: | |
| fetch-depth: 0 | |
| - | |
| name: Set up QEMU | |
| uses: docker/setup-qemu-action@v1 | |
| - | |
| name: Set up Docker Buildx | |
| id: buildx | |
| uses: docker/setup-buildx-action@v1 | |
| - | |
| name: Log in to the Container registry | |
| uses: docker/login-action@v1 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - | |
| name: Extract metadata (tags, labels) for Docker | |
| id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | |
| - | |
| name: Build and push Docker image | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: . | |
| push: true | |
| platforms: linux/amd64,linux/arm64 | |
| tags: ${{ steps.meta.outputs.tags }} | |
| file: Dockerfile | |
| labels: ${{ steps.meta.outputs.labels }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| - | |
| name: Install Cosign for signing Spin binary | |
| uses: sigstore/[email protected] | |
| with: | |
| cosign-release: v2.0.0 | |
| - | |
| name: Sign the binary with GitHub OIDC token | |
| shell: bash | |
| run: | | |
| cosign sign \ | |
| --yes \ | |
| --output-certificate crt.pem \ | |
| --output-signature kwasm-image.sig \ | |
| ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.tags }} | |
| - | |
| name: package release assets | |
| if: runner.os != 'Windows' | |
| shell: bash | |
| run: | | |
| echo "+++ debug +++" | |
| cat crt.pem | |
| cat kwasm-image.sig | |
| # - | |
| # name: package release assets | |
| # if: runner.os != 'Windows' | |
| # shell: bash | |
| # run: | | |
| # mkdir _dist | |
| # cp crt.pem spin.sig README.md _dist/ | |
| # cd _dist | |
| # tar czf \ | |
| # kwasm-${{ steps.meta.outputs.tags }}-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.tar.gz \ | |
| # crt.pem spin.sig README.md | |
| # - | |
| # name: upload binary as GitHub artifact | |
| # if: runner.os != 'Windows' | |
| # uses: actions/upload-artifact@v3 | |
| # with: | |
| # name: spin | |
| # path: _dist/kwasm-${{ steps.meta.outputs.tags }}-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.tar.gz | |
| - | |
| name: Configure Git | |
| run: | | |
| git config user.name "$GITHUB_ACTOR" | |
| git config user.email "[email protected]" | |
| - | |
| name: Install Helm | |
| uses: azure/setup-helm@v3 | |
| with: | |
| version: v3.10.0 | |
| - | |
| name: Run chart-releaser | |
| if: github.ref == 'refs/heads/main' | |
| uses: helm/[email protected] | |
| env: | |
| CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" |