name: Docker build and push on master on: push: branches: - main env: OPERATOR_REPO: quay.io/costoolkit/elemental-operator-ci REGISTER_REPO: quay.io/costoolkit/elemental-register-ci jobs: docker: runs-on: ubuntu-latest permissions: id-token: write # OIDC support. contents: write steps: - name: Checkout code uses: actions/checkout@v3 with: fetch-depth: 0 - name: cosign-installer uses: sigstore/cosign-installer@v2.8.0 - name: Install the bom command shell: bash run: | curl -L https://github.com/kubernetes-sigs/bom/releases/download/v0.3.0/bom-linux-amd64.tar.gz | tar xvz sudo mv ./bom /usr/bin/bom - name: Export tag id: export_tag run: | git describe --abbrev=0 --tags TAG=`git describe --abbrev=0 --tags 2>/dev/null || echo "v0.0.0"` COMMITDATE=`date -d @$(git log -n1 --format="%at") "+%FT%TZ"` echo "operator_tag=$TAG" >> $GITHUB_OUTPUT echo "commit_date=$COMMITDATE" >> $GITHUB_OUTPUT - name: Docker meta for operator master id: meta-operator uses: docker/metadata-action@v4.1.1 with: images: | ${{ env.OPERATOR_REPO }} tags: | type=sha,format=short,prefix=${{ steps.export_tag.outputs.operator_tag }}- type=raw,value=latest - name: Docker meta for register master id: meta-register uses: docker/metadata-action@v4.1.1 with: images: | ${{ env.REGISTER_REPO }} tags: | type=sha,format=short,prefix=${{ steps.export_tag.outputs.operator_tag }}- type=raw,value=latest - name: Set up Docker Buildx id: buildx uses: docker/setup-buildx-action@v2.2.1 - name: Login to Quay uses: docker/login-action@v2.1.0 with: registry: quay.io username: ${{ secrets.QUAY_USERNAME }} password: ${{ secrets.QUAY_TOKEN }} - name: Build operator image uses: docker/build-push-action@v3.2.0 with: context: . tags: ${{ steps.meta-operator.outputs.tags }} labels: ${{ steps.meta-operator.outputs.labels }} cache-from: type=gha cache-to: type=gha,mode=max target: elemental-operator push: true build-args: | TAG=${{ steps.export_tag.outputs.operator_tag }} COMMITDATE=${{ steps.export_tag.outputs.commit_date }} COMMIT=${{ github.sha }} - name: Build register image uses: docker/build-push-action@v3.2.0 with: context: . tags: ${{ steps.meta-register.outputs.tags }} labels: ${{ steps.meta-register.outputs.labels }} cache-from: type=gha cache-to: type=gha,mode=max target: elemental-register push: true build-args: | TAG=${{ steps.export_tag.outputs.operator_tag }} COMMITDATE=${{ steps.export_tag.outputs.commit_date }} COMMIT=${{ github.sha }} - name: Create SBOM file shell: bash run: | bom generate -o elemental-operator.spdx . bom generate -o elemental-register.spdx . - name: Attach SBOM file in the container image shell: bash run: | set -e cosign attach sbom --sbom elemental-operator.spdx "${{ env.OPERATOR_REPO }}:${{ steps.export_tag.outputs.operator_tag }}-${GITHUB_SHA::7}" cosign attach sbom --sbom elemental-operator.spdx "${{ env.OPERATOR_REPO }}:latest" cosign attach sbom --sbom elemental-register.spdx "${{ env.REGISTER_REPO }}:${{ steps.export_tag.outputs.operator_tag }}-${GITHUB_SHA::7}" cosign attach sbom --sbom elemental-register.spdx "${{ env.REGISTER_REPO }}:latest" - name: Sign images env: COSIGN_EXPERIMENTAL: 1 run: | cosign sign ${{ env.OPERATOR_REPO }}:${{ steps.export_tag.outputs.operator_tag }}-${GITHUB_SHA::7} cosign sign ${{ env.OPERATOR_REPO }}:latest cosign sign ${{ env.REGISTER_REPO }}:${{ steps.export_tag.outputs.operator_tag }}-${GITHUB_SHA::7} cosign sign ${{ env.REGISTER_REPO }}:latest