|
8 | 8 | - 'master' |
9 | 9 |
|
10 | 10 | jobs: |
11 | | - goreleaser: |
| 11 | + # goreleaser: |
| 12 | + # runs-on: 'ubuntu-latest' |
| 13 | + # permissions: |
| 14 | + # contents: 'write' # Needs write access for upload-artifact. |
| 15 | + # outputs: |
| 16 | + # hashes: '${{ steps.outputs.outputs.hashes }}' |
| 17 | + # steps: |
| 18 | + # - name: 'checkout' |
| 19 | + # uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5 |
| 20 | + # with: |
| 21 | + # fetch-depth: 0 # So that goreleaser can determine the base version. |
| 22 | + # - name: 'build' |
| 23 | + # id: 'goreleaser' |
| 24 | + # uses: 'goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a' # ratchet:goreleaser/goreleaser-action@v6 |
| 25 | + # with: |
| 26 | + # args: 'release --snapshot --clean --skip docker --skip publish' |
| 27 | + # version: '~> v1' |
| 28 | + # - name: 'get version' |
| 29 | + # id: 'version' |
| 30 | + # shell: 'bash' |
| 31 | + # run: | |
| 32 | + # echo "version=$(jq -r .version dist/metadata.json)" >> "$GITHUB_OUTPUT" |
| 33 | + # - name: 'upload' |
| 34 | + # uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/upload-artifact@v4 |
| 35 | + # with: |
| 36 | + # name: 'conftest_${{ steps.version.outputs.version }}' |
| 37 | + # path: 'dist/*.*' |
| 38 | + # retention-days: 30 |
| 39 | + # - name: 'generate outputs' |
| 40 | + # id: 'outputs' |
| 41 | + # env: |
| 42 | + # GORELEASER_ARTIFACTS: '${{ steps.goreleaser.outputs.artifacts }}' |
| 43 | + # shell: 'bash' |
| 44 | + # run: | |
| 45 | + # set -euo pipefail |
| 46 | + |
| 47 | + # checksum_file=$(echo "${GORELEASER_ARTIFACTS}" | jq -r '.[] | select (.type == "Checksum") | .path' | tr -d '\n') |
| 48 | + # echo "hashes=$(cat ${checksum_file} | base64 -w0)" >> "$GITHUB_OUTPUT" |
| 49 | + |
| 50 | + # binary-provenance: |
| 51 | + # needs: ['goreleaser'] |
| 52 | + # permissions: |
| 53 | + # contents: 'write' # Needs write access for upload-artifact even when upload-assets is false. |
| 54 | + # actions: 'read' # To read the workflow path. |
| 55 | + # id-token: 'write' # To sign the provenance. |
| 56 | + # uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0 # ratchet:exclude |
| 57 | + # with: |
| 58 | + # base64-subjects: '${{ needs.goreleaser.outputs.hashes }}' |
| 59 | + # upload-assets: false |
| 60 | + |
| 61 | + docker: |
12 | 62 | runs-on: 'ubuntu-latest' |
13 | 63 | permissions: |
14 | | - contents: 'write' # Needs write access for upload-artifact. |
| 64 | + contents: 'read' |
15 | 65 | outputs: |
16 | | - hashes: '${{ steps.outputs.outputs.hashes }}' |
| 66 | + digest: '${{ steps.build.outputs.digest }}' |
| 67 | + env: |
| 68 | + CONFTEST_IMAGE: 'openpolicyagent/conftest' |
| 69 | + strategy: |
| 70 | + matrix: |
| 71 | + target: |
| 72 | + - '' # Conftest |
| 73 | + # - 'examples' # Examples |
| 74 | + platform: |
| 75 | + - 'linux/amd64' |
| 76 | + # - 'linux/arm64' |
17 | 77 | steps: |
18 | | - - name: 'checkout' |
19 | | - uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5 |
20 | | - with: |
21 | | - fetch-depth: 0 # So that goreleaser can determine the base version. |
| 78 | + - name: 'setup docker buildx' |
| 79 | + run: 'docker buildx create --name conftestbuild --use' |
22 | 80 | - name: 'build' |
23 | | - id: 'goreleaser' |
24 | | - uses: 'goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a' # ratchet:goreleaser/goreleaser-action@v6 |
| 81 | + id: 'build' |
| 82 | + uses: 'docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83' # ratchet:docker/build-push-action@v6 |
25 | 83 | with: |
26 | | - args: 'release --snapshot --clean --skip docker --skip publish' |
27 | | - version: '~> v1' |
28 | | - - name: 'get version' |
29 | | - id: 'version' |
30 | | - shell: 'bash' |
31 | | - run: | |
32 | | - echo "version=$(jq -r .version dist/metadata.json)" >> "$GITHUB_OUTPUT" |
33 | | - - name: 'upload' |
34 | | - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/upload-artifact@v4 |
35 | | - with: |
36 | | - name: 'conftest_${{ steps.version.outputs.version }}' |
37 | | - path: 'dist/*.*' |
38 | | - retention-days: 30 |
39 | | - - name: 'generate outputs' |
40 | | - id: 'outputs' |
41 | | - env: |
42 | | - GORELEASER_ARTIFACTS: '${{ steps.goreleaser.outputs.artifacts }}' |
43 | | - shell: 'bash' |
44 | | - run: | |
45 | | - set -euo pipefail |
46 | | -
|
47 | | - checksum_file=$(echo "${GORELEASER_ARTIFACTS}" | jq -r '.[] | select (.type == "Checksum") | .path' | tr -d '\n') |
48 | | - echo "hashes=$(cat ${checksum_file} | base64 -w0)" >> "$GITHUB_OUTPUT" |
49 | | -
|
50 | | - provenance: |
51 | | - needs: ['goreleaser'] |
52 | | - permissions: |
53 | | - contents: 'write' # Needs write access for upload-artifact even when upload-assets is false. |
54 | | - actions: 'read' # To read the workflow path. |
55 | | - id-token: 'write' # To sign the provenance. |
56 | | - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0 # ratchet:exclude |
57 | | - with: |
58 | | - base64-subjects: '${{ needs.goreleaser.outputs.hashes }}' |
59 | | - upload-assets: false |
| 84 | + push: false |
| 85 | + # target: '${{ matrix.target }}' |
| 86 | + tags: '${{ env.CONFTEST_IMAGE }}:latest' |
| 87 | + # platforms: '${{ matrix.platform }}' |
0 commit comments