docs: Add sbomified badge #4909
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: at_server | |
# Runs the workflow on the below events: | |
# 1. on pull request raised to trunk branch. | |
# 2. on push event to trunk branch. | |
# 3. on tagging a release | |
on: | |
push: | |
tags: | |
- 'v*.*.*' | |
- 'c*.*.*' | |
branches: | |
- trunk | |
pull_request: | |
branches: | |
- trunk | |
env: | |
proot-working-directory: ./packages/at_persistence_root_server | |
root-working-directory: ./packages/at_root_server | |
psecondary-working-directory: ./packages/at_persistence_secondary_server | |
secondary-working-directory: ./packages/at_secondary_server | |
ftest-working-directory: ./tests/at_functional_test | |
e2etest-working-directory: ./tests/at_end2end_test | |
install-pkam-working-directory: ./tools/build_virtual_environment/install_PKAM_Keys | |
permissions: # added using https://github.com/step-security/secure-workflows | |
contents: read | |
jobs: | |
unit_tests: | |
runs-on: ubuntu-latest | |
outputs: | |
hashes: ${{ steps.hash.outputs.hashes }} | |
permissions: | |
contents: write # IMPORTANT: mandatory for making GitHub Releases | |
id-token: write # IMPORTANT: mandatory for sigstore | |
attestations: write | |
strategy: | |
fail-fast: false | |
matrix: | |
dart-channel: [stable,beta] | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- uses: dart-lang/setup-dart@0a8a0fc875eb934c15d08629302413c671d3f672 # v1.6.5 | |
with: | |
sdk: ${{ matrix.dart-channel}} | |
- uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 | |
with: | |
go-version: 'stable' | |
cache-dependency-path: tools/osv-scanner/go.sum | |
# Runs dart lint rules and unit tests on at_persistence_root_server | |
- name: Install dependencies in at_persistence_root_server | |
working-directory: ${{ env.proot-working-directory }} | |
run: dart pub get | |
- name: Run dart analyzer in at_persistence_root_server | |
working-directory: ${{ env.proot-working-directory }} | |
run: dart analyze | |
- name: Run tests in at_persistence_root_server | |
working-directory: ${{ env.proot-working-directory }} | |
run: dart test --concurrency=1 | |
# Runs dart lint rules and unit tests on at_root_server | |
- name: Install dependencies in at_root_server | |
working-directory: ${{ env.root-working-directory }} | |
run: dart pub get | |
- name: Run dart analyzer in at_root_server | |
working-directory: ${{ env.root-working-directory }} | |
run: dart analyze | |
- name: Run tests in at_root_server | |
working-directory: ${{ env.root-working-directory }} | |
run: dart test --concurrency=1 | |
- name: Install dependencies in at_persistence_secondary_server | |
working-directory: ${{ env.psecondary-working-directory }} | |
run: dart pub get | |
- name: Run dart analyzer in at_persistence_secondary_server | |
working-directory: ${{ env.psecondary-working-directory }} | |
run: dart analyze | |
- name: Run tests in at_persistence_secondary_server | |
working-directory: ${{ env.psecondary-working-directory }} | |
run: dart test --concurrency=1 | |
# Runs dart lint rules and unit tests on at_secondary_server | |
- name: Install dependencies in at_secondary_server | |
working-directory: ${{ env.secondary-working-directory }} | |
run: dart pub get | |
- name: Run dart analyzer in at_secondary_server | |
working-directory: ${{ env.secondary-working-directory }} | |
run: dart analyze | |
- name: Run tests in at_secondary_server, with coverage | |
working-directory: ${{ env.secondary-working-directory }} | |
run: dart test --concurrency=1 --coverage="coverage" | |
# Runs osv-scanner to find any vulnerable Dart dependencies | |
# It needs to look at pubspec.lock files, which is why it's | |
# placed here, as the `dart pub get` above will create them | |
- name: Run osv-scanner | |
run: | | |
go install github.com/google/osv-scanner/cmd/osv-scanner@6316373e47d7e3e4b4fd3630c4bbc10987738de6 # v1.4.3 | |
osv-scanner --lockfile=${{ env.proot-working-directory }}/pubspec.lock | |
osv-scanner --lockfile=${{ env.root-working-directory }}/pubspec.lock | |
osv-scanner --lockfile=${{ env.psecondary-working-directory }}/pubspec.lock | |
osv-scanner --lockfile=${{ env.secondary-working-directory }}/pubspec.lock | |
# Generating SBOMs also needs pubspec.lock | |
# Only run on stable channel | |
- if: ${{ matrix.dart-channel == 'stable' && github.event_name == 'push' }} | |
name: Create sbom folder | |
run: mkdir sboms | |
- if: ${{ matrix.dart-channel == 'stable' && github.event_name == 'push' }} | |
name: Generate atDirectory SBOM | |
uses: sbomify/github-action@a04e82ca42a0d9e6bdb57a2cb1a8978e96b4f45c # v0.3.0 | |
env: | |
TOKEN: ${{ secrets.SBOMIFY_TOKEN }} | |
COMPONENT_ID: '3hQHrn8mwK' | |
LOCK_FILE: ${{ env.root-working-directory }}/pubspec.lock | |
SBOM_VERSION: ${{github.ref_name}} | |
OUTPUT_FILE: 'sboms/atdirectory-gha${{github.run_number}}-sbom.cdx.json' | |
AUGMENT: true | |
ENRICH: true | |
UPLOAD: true | |
- if: ${{ matrix.dart-channel == 'stable' && github.event_name == 'push' }} | |
name: Generate atServer SBOM | |
uses: sbomify/github-action@a04e82ca42a0d9e6bdb57a2cb1a8978e96b4f45c # v0.3.0 | |
env: | |
TOKEN: ${{ secrets.SBOMIFY_TOKEN }} | |
COMPONENT_ID: 'wF66pn8rHZ' | |
LOCK_FILE: ${{ env.secondary-working-directory }}/pubspec.lock | |
SBOM_VERSION: ${{github.ref_name}} | |
OUTPUT_FILE: 'sboms/atserver-gha${{github.run_number}}-sbom.cdx.json' | |
AUGMENT: true | |
ENRICH: true | |
UPLOAD: true | |
- if: ${{ matrix.dart-channel == 'stable' && startsWith(github.ref, 'refs/tags/') }} | |
name: Rename SBOMs to use release tag | |
run: | | |
cd sboms | |
mv atdirectory-gha${{github.run_number}}-sbom.cdx.json \ | |
atdirectory-${{github.ref_name}}-sbom.cdx.json | |
mv atserver-gha${{github.run_number}}-sbom.cdx.json \ | |
atserver-${{github.ref_name}}-sbom.cdx.json | |
- if: ${{ matrix.dart-channel == 'stable' && github.event_name == 'push' }} | |
name: Generate SHA256 checksums | |
working-directory: sboms | |
run: sha256sum * > checksums.txt | |
- if: ${{ matrix.dart-channel == 'stable' && github.event_name == 'push' }} | |
name: Upload SBOMs | |
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | |
with: | |
name: SBOMs | |
path: sboms/** | |
- if: ${{ matrix.dart-channel == 'stable' && startsWith(github.ref, 'refs/tags/') }} | |
name: Upload artifacts to GitHub Release | |
env: | |
GITHUB_TOKEN: ${{ github.token }} | |
# Upload to GitHub Release using the `gh` CLI. | |
# `dist/` contains the built packages, and the | |
# sigstore-produced signatures and certificates. | |
run: >- | |
gh release upload | |
'${{ github.ref_name }}' sboms/** | |
--repo '${{ github.repository }}' | |
- if: ${{ matrix.dart-channel == 'stable' && startsWith(github.ref, 'refs/tags/') }} | |
id: hash | |
name: Pass artifact hashes for SLSA provenance | |
working-directory: sboms | |
run: | | |
echo "hashes=$(cat checksums.txt | base64 -w0)" >> "$GITHUB_OUTPUT" | |
- if: ${{ matrix.dart-channel == 'stable' && startsWith(github.ref, 'refs/tags/') }} | |
uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4 | |
with: | |
subject-path: 'sboms/**' | |
# Commenting out for now, need to investigate and fix but there are hotter fires burning right now | |
# - name: Convert coverage to LCOV format | |
# working-directory: ${{ env.secondary-working-directory }} | |
# run: dart pub run coverage:format_coverage --lcov --in=coverage --out=coverage.lcov --packages=.packages --report-on=lib | |
# | |
# - name: Upload coverage to Codecov | |
# uses: codecov/[email protected] | |
# with: | |
# token: ${{secrets.CODECOV_TOKEN_AT_SERVER}} | |
# file: ${{ env.secondary-working-directory }}/coverage.lcov | |
sbom_provenance: | |
if: ${{ startsWith(github.ref, 'refs/tags/') }} | |
needs: [unit_tests] | |
permissions: | |
actions: read # Needed for detection of GitHub Actions environment. | |
id-token: write # Needed for provenance signing and ID | |
contents: write # Needed for release uploads | |
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] # 5a775b367a56d5bd118a224a811bba288150a563 | |
with: | |
base64-subjects: "${{ needs.unit_tests.outputs.hashes }}" | |
upload-assets: true | |
# Runs functional tests on at_secondary. | |
# If tests are successful, uploads root server and secondary server binaries for subsequent jobs | |
functional_tests: | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
dart-channel: [stable,beta] | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- uses: dart-lang/setup-dart@0a8a0fc875eb934c15d08629302413c671d3f672 # v1.6.5 | |
with: | |
sdk: ${{ matrix.dart-channel}} | |
- name: Install dependencies | |
working-directory: ${{ env.ftest-working-directory }} | |
run: dart pub get | |
- name: Run dart analyzer | |
working-directory: ${{ env.ftest-working-directory }} | |
run: dart analyze | |
- name: Add entry to hosts file | |
run: echo "127.0.0.1 vip.ve.atsign.zone" | sudo tee -a /etc/hosts | |
- name: Generate secondary server binary | |
working-directory: ${{ env.secondary-working-directory }} | |
run: dart pub get && dart compile exe bin/main.dart -o secondary | |
- name: copy secondary to tools/build_virtual_environment/ve | |
run: | | |
cp packages/at_secondary_server/secondary tools/build_virtual_environment/ve/contents/atsign/secondary/ | |
cp packages/at_secondary_server/pubspec.yaml tools/build_virtual_environment/ve/contents/atsign/secondary/ | |
chmod 755 tools/build_virtual_environment/ve/contents/atsign/secondary/secondary | |
ls -laR tools/build_virtual_environment/ve/* | |
- name: Build docker image | |
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 | |
with: | |
file: tools/build_virtual_environment/ve/Dockerfile | |
context: tools/build_virtual_environment/ve | |
tags: at_virtual_env:trunk | |
- name: Run docker container | |
# -d: run container in detached mode. --rm: remove container on stop -p: bind ports to host | |
run: docker run -d --rm --name at_virtual_env_cont -e testingMode="true" -p 6379:6379 -p 25000-25019:25000-25019 -p 64:64 at_virtual_env:trunk | |
- name: Check docker readiness to load PKAM keys | |
working-directory: ${{ env.ftest-working-directory }} | |
run: dart run test/check_docker_readiness.dart | |
- name: Check root server readiness to load PKAM keys | |
working-directory: ${{ env.ftest-working-directory }} | |
run: dart run test/check_root_server_readiness.dart | |
# Set PKAM keys to the atsign's | |
- name: Load PKAM Keys | |
working-directory: ${{ env.install-pkam-working-directory }} | |
run: | | |
dart pub get | |
dart bin/install_PKAM_Keys.dart | |
# could save around 4s here using a compiled binary | |
- name: Check test environment readiness | |
working-directory: ${{ env.ftest-working-directory }} | |
run: dart run test/check_test_env.dart | |
- name: Run tests | |
working-directory: ${{ env.ftest-working-directory }} | |
run: dart run test --concurrency=1 | |
# On push event, upload secondary server binary | |
- name: upload secondary server | |
if: ${{ github.event_name == 'push' && matrix.dart-channel == 'stable' }} | |
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | |
with: | |
name: secondary-server | |
path: packages/at_secondary_server/secondary | |
- name: Stop docker container | |
run: docker container stop at_virtual_env_cont | |
# Remove image created for at_virtual_env:trunk for running functional tests in pipeline. | |
- name: Remove docker image | |
run: docker rmi at_virtual_env:trunk | |
end2end_test_prep: | |
# Don't run on PRs from a fork or Dependabot as the secrets aren't available | |
if: ${{ github.event.pull_request.head.repo.fork == false && github.actor != 'dependabot[bot]'}} | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Place run number into version within pubspec.yaml | |
working-directory: ${{ env.secondary-working-directory }} | |
run: | | |
sed -i "0,/version/ s/version\:.*/&+gha${{ github.run_number }}/" pubspec.yaml | |
grep version pubspec.yaml | head -1 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 | |
- name: Login to DockerHub | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
# Builds and pushes the secondary server image to docker hub. | |
- name: Build and push secondary image for x64 | |
id: docker_build_secondary | |
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 | |
with: | |
push: true | |
provenance: false | |
file: tools/build_secondary/Dockerfile | |
context: . | |
tags: | | |
atsigncompany/secondary:dess_cicd | |
atsigncompany/secondary:cicd-${{ env.BRANCH }}-gha${{ github.run_number }} | |
platforms: | | |
linux/amd64 | |
# Logs into CICD VMs and runs script to update to just pushed image | |
- name: update image on cicd VMs | |
uses: appleboy/ssh-action@7eaf76671a0d7eec5d98ee897acda4f968735a17 # v1.2.0 | |
with: | |
host: "cicd1.atsign.wtf,cicd2.atsign.wtf" | |
username: ubuntu | |
key: ${{ secrets.CICD_SSH_KEY }} | |
script: | | |
scriptURL="https://raw.githubusercontent.com/atsign-foundation/at_server/trunk/tools/${HOSTNAME}/update_image.sh" | |
echo "$scriptURL" | |
wget -q -O update_image.sh "$scriptURL" | |
./update_image.sh | |
# The job runs end-to-end tests between the @cicd1[trunk] and @cicd2[trunk] secondaries | |
end2end_test_12: | |
needs: [ end2end_test_prep ] | |
concurrency: cicd12 | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- uses: dart-lang/setup-dart@0a8a0fc875eb934c15d08629302413c671d3f672 # v 1.6.5 | |
with: | |
sdk: stable | |
- name: Install dependencies | |
working-directory: ${{ env.e2etest-working-directory }} | |
run: dart pub get | |
# Create demo_data.dart from CICD_DATA_DART secret | |
- name: Get CICD keys into place | |
run: echo "${{secrets.CICD_DATA_DART}}" > tests/at_end2end_test/test/at_demo_data.dart | |
# Put config file in place | |
- name: Config for @cicd1/2 | |
run: mv tests/at_end2end_test/config/config12.yaml tests/at_end2end_test/config/config.yaml | |
# Run end-to-end test | |
- name: end-to-end test | |
working-directory: ${{ env.e2etest-working-directory }} | |
run: dart test --concurrency=1 | |
# The job runs end-to-end tests between the @cicd3[trunk] and @cicd4[prod] secondaries | |
end2end_test_34: | |
needs: [ end2end_test_prep ] | |
concurrency: cicd34 | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- uses: dart-lang/setup-dart@0a8a0fc875eb934c15d08629302413c671d3f672 # v1.6.5 | |
with: | |
sdk: stable | |
- name: Install dependencies | |
working-directory: ${{ env.e2etest-working-directory }} | |
run: dart pub get | |
# Create demo_data.dart from CICD_DATA_DART secret | |
- name: Get CICD keys into place | |
run: echo "${{secrets.CICD_DATA_DART}}" > tests/at_end2end_test/test/at_demo_data.dart | |
# Put config file in place | |
- name: Config for @cicd3/4 | |
run: mv tests/at_end2end_test/config/config34.yaml tests/at_end2end_test/config/config.yaml | |
# Run end-to-end test | |
- name: end-to-end test | |
working-directory: ${{ env.e2etest-working-directory }} | |
run: dart test --concurrency=1 | |
# The job runs end-to-end tests between the @cicd5[prod] and @cicd6[trunk] secondaries | |
end2end_test_56: | |
needs: [ end2end_test_prep ] | |
concurrency: cicd56 | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- uses: dart-lang/setup-dart@0a8a0fc875eb934c15d08629302413c671d3f672 # v1.6.5 | |
with: | |
sdk: stable | |
- name: Install dependencies | |
working-directory: ${{ env.e2etest-working-directory }} | |
run: dart pub get | |
# Create demo_data.dart from CICD_DATA_DART secret | |
- name: Get CICD keys into place | |
run: echo "${{secrets.CICD_DATA_DART}}" > tests/at_end2end_test/test/at_demo_data.dart | |
# Put config file in place | |
- name: Config for @cicd5/6 | |
run: mv tests/at_end2end_test/config/config56.yaml tests/at_end2end_test/config/config.yaml | |
# Run end-to-end test | |
- name: end-to-end test | |
working-directory: ${{ env.e2etest-working-directory }} | |
run: dart test --concurrency=1 | |
# The job runs end-to-end tests between the staging run time secondaries | |
end2end_test_staging: | |
needs: [ end2end_test_prep ] | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout at_server repo | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Create atSigns | |
id: atsign_names | |
run: | | |
AT_SIGN_1_RESP=$(curl -s --location --request POST 'https://my.atsign.wtf/api/app/v3/get-atsign/' --header 'Authorization: ${{secrets.NODE_API_CREATE}}' --header 'Content-Type: application/json' -w '%{http_code}' -o at_sign_1_resp.json) | |
AT_SIGN_2_RESP=$(curl -s --location --request POST 'https://my.atsign.wtf/api/app/v3/get-atsign/' --header 'Authorization: ${{secrets.NODE_API_CREATE}}' --header 'Content-Type: application/json' -w '%{http_code}' -o at_sign_2_resp.json) | |
if [ $AT_SIGN_1_RESP -eq 200 ] && [ $AT_SIGN_2_RESP -eq 200 ]; then | |
AT_SIGN_1=$(cat at_sign_1_resp.json | jq -r '.value.atSign') | |
AT_SIGN_1_KEY=$(cat at_sign_1_resp.json | jq -r '.value.ActivationKey') | |
AT_SIGN_2=$(cat at_sign_2_resp.json | jq -r '.value.atSign') | |
AT_SIGN_2_KEY=$(cat at_sign_2_resp.json | jq -r '.value.ActivationKey') | |
echo "AT_SIGN_1: $AT_SIGN_1" | |
echo "AT_SIGN_1_KEY: $AT_SIGN_1_KEY" | |
echo "AT_SIGN_2: $AT_SIGN_2" | |
echo "AT_SIGN_2_KEY: $AT_SIGN_2_KEY" | |
echo "AT_SIGN_1=$(echo $AT_SIGN_1)" >> $GITHUB_OUTPUT | |
echo "AT_SIGN_1_KEY=$(echo $AT_SIGN_1_KEY)" >> $GITHUB_OUTPUT | |
echo "AT_SIGN_2=$(echo $AT_SIGN_2)" >> $GITHUB_OUTPUT | |
echo "AT_SIGN_2_KEY=$(echo $AT_SIGN_2_KEY)" >> $GITHUB_OUTPUT | |
else | |
echo "Error fetching atsign name" | |
exit 1 | |
fi | |
- name: Install Dart | |
uses: dart-lang/setup-dart@0a8a0fc875eb934c15d08629302413c671d3f672 # v1.6.5 | |
with: | |
sdk: stable | |
- name: Install dependencies | |
working-directory: ${{ env.e2etest-working-directory }} | |
run: dart pub get | |
- name: Cloning at_libraries | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
repository: atsign-foundation/at_libraries | |
path: at_libraries | |
ref: trunk | |
- name: Cloning at_tools | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
repository: atsign-foundation/at_tools | |
path: at_tools | |
ref: trunk | |
- name: Fetch Cram Keys | |
id: cram_keys | |
env: | |
AT_SIGN_1: ${{ steps.atsign_names.outputs.AT_SIGN_1 }} | |
AT_SIGN_2: ${{ steps.atsign_names.outputs.AT_SIGN_2 }} | |
AT_SIGN_1_KEY: ${{ steps.atsign_names.outputs.AT_SIGN_1_KEY }} | |
AT_SIGN_2_KEY: ${{ steps.atsign_names.outputs.AT_SIGN_2_KEY }} | |
run: | | |
for try in {1..5}; do | |
CRAM_1_RESP=$(curl -s --location --request POST 'https://my.atsign.wtf/api/app/v3/activate-atsign' --header 'Authorization: ${{secrets.NODE_API_CREATE}}' --header 'Content-Type: application/json' --data-raw "{\"atSign\":\"$AT_SIGN_1\",\"ActivationKey\":\"$AT_SIGN_1_KEY\"}" -w '%{http_code}' -o cram_1_resp.json) | |
CRAM_2_RESP=$(curl -s --location --request POST 'https://my.atsign.wtf/api/app/v3/activate-atsign' --header 'Authorization: ${{secrets.NODE_API_CREATE}}' --header 'Content-Type: application/json' --data-raw "{\"atSign\":\"$AT_SIGN_2\",\"ActivationKey\":\"$AT_SIGN_2_KEY\"}" -w '%{http_code}' -o cram_2_resp.json) | |
if [ $CRAM_1_RESP -eq 200 ] && [ $CRAM_2_RESP -eq 200 ]; then | |
CRAM_KEY_1=$(cat cram_1_resp.json | jq -r '.cramkey' | sed 's/^[ \t]*//;s/[ \t]*$//' | cut -d':' -f2) | |
CRAM_KEY_2=$(cat cram_2_resp.json | jq -r '.cramkey' | sed 's/^[ \t]*//;s/[ \t]*$//' | cut -d':' -f2) | |
echo "CRAM_KEY_1: $CRAM_KEY_1" | |
echo "CRAM_KEY_2: $CRAM_KEY_2" | |
echo "CRAM_KEY_1=$(echo $CRAM_KEY_1)" >> $GITHUB_OUTPUT | |
echo "CRAM_KEY_2=$(echo $CRAM_KEY_2)" >> $GITHUB_OUTPUT | |
break | |
else | |
echo "Error fetching Cram Keys on attempt ${try}" | |
if [ $try -eq 5 ]; then | |
echo "Tried 5 times. Quitting." | |
exit 1 | |
fi | |
fi | |
sleep 20 | |
done | |
- name: Fetch atSign Hostname | |
id: atsign_hosts | |
env: | |
AT_SIGN_1: ${{ steps.atsign_names.outputs.AT_SIGN_1 }} | |
AT_SIGN_2: ${{ steps.atsign_names.outputs.AT_SIGN_2 }} | |
run: | | |
for try in {1..5}; do | |
AT_SIGN_1_HOST_RESP=$(./tools/scripts/staging_root_lookup.sh $AT_SIGN_1) | |
AT_SIGN_2_HOST_RESP=$(./tools/scripts/staging_root_lookup.sh $AT_SIGN_2) | |
if [ ! -z "$AT_SIGN_1_HOST_RESP" ] && [ ! -z "$AT_SIGN_2_HOST_RESP" ]; then | |
AT_SIGN_1_HOST=$(echo $AT_SIGN_1_HOST_RESP | cut -d':' -f1) | |
AT_SIGN_1_PORT=$(echo $AT_SIGN_1_HOST_RESP | cut -d':' -f2 | sed 's/\s*$//') | |
AT_SIGN_2_HOST=$(echo $AT_SIGN_2_HOST_RESP | cut -d':' -f1) | |
AT_SIGN_2_PORT=$(echo $AT_SIGN_2_HOST_RESP | cut -d':' -f2 | sed 's/\s*$//') | |
echo "AT_SIGN_1_HOST: $AT_SIGN_1_HOST" | |
echo "AT_SIGN_1_PORT: $AT_SIGN_1_PORT" | |
echo "AT_SIGN_2_HOST: $AT_SIGN_2_HOST" | |
echo "AT_SIGN_2_PORT: $AT_SIGN_2_PORT" | |
echo "AT_SIGN_1_HOST=$(echo $AT_SIGN_1_HOST)" >> $GITHUB_OUTPUT | |
echo "AT_SIGN_1_PORT=$(echo $AT_SIGN_1_PORT)" >> $GITHUB_OUTPUT | |
echo "AT_SIGN_2_HOST=$(echo $AT_SIGN_2_HOST)" >> $GITHUB_OUTPUT | |
echo "AT_SIGN_2_PORT=$(echo $AT_SIGN_2_PORT)" >> $GITHUB_OUTPUT | |
break | |
else | |
echo "Error fetching atSigns Hostname and Port on attempt ${try}" | |
if [ $try -eq 5 ]; then | |
echo "Tried 5 times. Quitting." | |
exit 1 | |
fi | |
fi | |
sleep 20 | |
done | |
- name: Check Connection | |
env: | |
AT_SIGN_1: ${{ steps.atsign_names.outputs.AT_SIGN_1 }} | |
AT_SIGN_2: ${{ steps.atsign_names.outputs.AT_SIGN_2 }} | |
AT_SIGN_1_HOST: ${{ steps.atsign_hosts.outputs.AT_SIGN_1_HOST }} | |
AT_SIGN_1_PORT: ${{ steps.atsign_hosts.outputs.AT_SIGN_1_PORT }} | |
AT_SIGN_2_HOST: ${{ steps.atsign_hosts.outputs.AT_SIGN_2_HOST }} | |
AT_SIGN_2_PORT: ${{ steps.atsign_hosts.outputs.AT_SIGN_2_PORT }} | |
run: | | |
for try in {1..5}; do | |
HOST_1_STATUS=$(./tools/scripts/staging_atsign_info.sh $AT_SIGN_1_HOST:$AT_SIGN_1_PORT) | |
HOST_2_STATUS=$(./tools/scripts/staging_atsign_info.sh $AT_SIGN_2_HOST:$AT_SIGN_2_PORT) | |
echo "atSign1 status : $HOST_1_STATUS" | |
echo "atsign2 status : $HOST_2_STATUS" | |
if [ ! -z "$HOST_1_STATUS" ] && [ ! -z "$HOST_2_STATUS" ]; then | |
sed -i "s/ATSIGN_1_NAME/@$AT_SIGN_1/g" tests/at_end2end_test/config/config-e2e_test_runtime.yaml | |
sed -i "s/ATSIGN_1_PORT/$AT_SIGN_1_PORT/g" tests/at_end2end_test/config/config-e2e_test_runtime.yaml | |
sed -i "s/ATSIGN_1_HOST/$AT_SIGN_1_HOST/g" tests/at_end2end_test/config/config-e2e_test_runtime.yaml | |
sed -i "s/ATSIGN_2_NAME/@$AT_SIGN_2/g" tests/at_end2end_test/config/config-e2e_test_runtime.yaml | |
sed -i "s/ATSIGN_2_PORT/$AT_SIGN_2_PORT/g" tests/at_end2end_test/config/config-e2e_test_runtime.yaml | |
sed -i "s/ATSIGN_2_HOST/$AT_SIGN_2_HOST/g" tests/at_end2end_test/config/config-e2e_test_runtime.yaml | |
mv tests/at_end2end_test/config/config-e2e_test_runtime.yaml tests/at_end2end_test/config/config.yaml | |
cat tests/at_end2end_test/config/config.yaml | |
echo "Connection successfull" | |
break | |
else | |
echo "Connection error on attempt ${try}" | |
if [ $try -eq 5 ]; then | |
echo "Tried 5 times. Quitting." | |
exit 1 | |
fi | |
fi | |
sleep $((try * 20)) | |
done | |
- name: Activating atsign | |
env: | |
AT_SIGN_1: ${{ steps.atsign_names.outputs.AT_SIGN_1 }} | |
AT_SIGN_2: ${{ steps.atsign_names.outputs.AT_SIGN_2 }} | |
CRAM_KEY_1: ${{ steps.cram_keys.outputs.CRAM_KEY_1 }} | |
CRAM_KEY_2: ${{ steps.cram_keys.outputs.CRAM_KEY_2 }} | |
run: | | |
mkdir -p /home/runner/.atsign/keys | |
ls -lrth at_libraries | |
cd at_libraries/packages/at_onboarding_cli/ | |
dart pub get | |
dart run bin/activate_cli.dart -a @$AT_SIGN_1 -c $CRAM_KEY_1 -r root.atsign.wtf | |
dart run bin/activate_cli.dart -a @$AT_SIGN_2 -c $CRAM_KEY_2 -r root.atsign.wtf | |
- name: Generate the at_demo_data.dart | |
run: | | |
cd at_tools/packages/at_dump_atKeys/ | |
dart pub get | |
dart bin/generate_at_demo_data.dart -d /home/runner/.atsign/keys/ -p pkam | |
cp at_demo_data.dart ../../../${{ env.e2etest-working-directory }}/test | |
- name: End-to-end test | |
working-directory: ${{ env.e2etest-working-directory }} | |
run: dart test --concurrency=1 | |
- name: Delete atSigns | |
if: always() # Always try to clear up atSigns even if an earlier step has failed. | |
env: | |
AT_SIGN_1: ${{ steps.atsign_names.outputs.AT_SIGN_1 }} | |
AT_SIGN_2: ${{ steps.atsign_names.outputs.AT_SIGN_2 }} | |
run: | | |
delete_atSign() { | |
curl -s --location --request POST 'https://infrastructure-api-b.dev.atsign.cloud/api/infrastructure/delete' \ | |
--header 'Authorization: ${{secrets.NODE_API_DELETE}}' \ | |
--header 'Content-Type: application/json' \ | |
--data-raw '{ | |
"atsign" : "'$1'" | |
}' | |
} | |
delete_atSign "$AT_SIGN_1" | |
delete_atSign "$AT_SIGN_2" | |
- name: Check that atSigns have been deleted | |
env: | |
AT_SIGN_1: ${{ steps.atsign_names.outputs.AT_SIGN_1 }} | |
AT_SIGN_2: ${{ steps.atsign_names.outputs.AT_SIGN_2 }} | |
# TODO if this step fails then it should do a gChat notification rather than exit 1 | |
# TODO this only checks that entry has been removed from root | |
run: | | |
sleep 20 | |
AT_SIGN_1_HOST_RESP=$((echo $AT_SIGN_1; sleep 1) | openssl s_client -connect root.atsign.wtf:64 2>/dev/null | grep --color=none "^@.*:" | cut -d'@' -f2) | |
AT_SIGN_2_HOST_RESP=$((echo $AT_SIGN_2; sleep 1) | openssl s_client -connect root.atsign.wtf:64 2>/dev/null | grep --color=none "^@.*:" | cut -d'@' -f2) | |
if [ -z "$AT_SIGN_1_HOST_RESP" ] && [ -z "$AT_SIGN_2_HOST_RESP" ]; then | |
echo "atSigns deleted successfully" | |
else | |
echo "atSigns still exist" | |
exit 1 | |
fi | |
# This job runs on trigger event 'push' to trunk branch. | |
# The job builds the staging version of at_virtual_env and pushes the image to docker hub. | |
push_staging_virtual_env_images: | |
# Runs only after functional tests are completed. | |
needs: [ unit_tests, functional_tests, end2end_test_12, end2end_test_34, end2end_test_56, end2end_test_staging ] | |
if: ${{ github.repository == 'atsign-foundation/at_server' && github.event_name == 'push' && contains(github.ref, 'trunk') }} | |
environment: staging | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Place run number into version within pubspec.yaml | |
working-directory: ${{ env.secondary-working-directory }} | |
run: | | |
sed -i "0,/version/ s/version\:.*/&+gha${{ github.run_number }}/" pubspec.yaml | |
grep version pubspec.yaml | head -1 | |
# Extract branch for docker tag | |
- name: Get branch name | |
run: echo "BRANCH=${GITHUB_REF##*/}" >> $GITHUB_ENV | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 | |
- name: Login to DockerHub | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
# Builds and pushes the at_virtual_env to docker hub. | |
- name: Build and push | |
id: docker_build | |
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 | |
with: | |
file: tools/build_virtual_environment/ve/Dockerfile.vip | |
context: . | |
push: true | |
provenance: false | |
tags: | | |
atsigncompany/virtualenv:dev_env | |
atsigncompany/virtualenv:${{ env.BRANCH }}-gha${{ github.run_number }} | |
platforms: | | |
linux/amd64 | |
linux/arm64/v8 | |
- name: Image digest of at_virtual_env | |
run: echo ${{ steps.docker_build_trunk.outputs.digest }} | |
# This job run's on trigger event 'push' to trunk branch. | |
# The job builds the staging version of secondary server image and pushes to docker hub. | |
# The job runs on completion of 'run_end2end_tests' job. | |
push_staging_secondary_image: | |
# Runs only after full test suite has completed. | |
needs: [ unit_tests, functional_tests, end2end_test_12, end2end_test_34, end2end_test_56, end2end_test_staging ] | |
if: ${{ github.repository == 'atsign-foundation/at_server' && github.event_name == 'push' && contains(github.ref, 'trunk') }} | |
environment: staging | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Place run number into version within pubspec.yaml | |
working-directory: ${{ env.secondary-working-directory }} | |
run: | | |
sed -i "0,/version/ s/version\:.*/&+gha${{ github.run_number }}/" pubspec.yaml | |
grep version pubspec.yaml | head -1 | |
# Extract branch for docker tag | |
- name: Get branch name | |
run: echo "BRANCH=${GITHUB_REF##*/}" >> $GITHUB_ENV | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 | |
- name: Login to DockerHub | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
# Builds and pushes the secondary server image to docker hub. | |
- name: Build and push secondary image for amd64 and arm64 | |
id: docker_build_secondary | |
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 | |
with: | |
push: true | |
provenance: false | |
file: tools/build_secondary/Dockerfile | |
context: . | |
tags: | | |
atsigncompany/secondary:dev_env | |
atsigncompany/secondary:dess_wtf | |
atsigncompany/secondary:dev_env-${{ env.BRANCH }}-gha${{ github.run_number }} | |
platforms: | | |
linux/amd64 | |
linux/arm64/v8 | |
- name: Image digest of secondary server | |
run: echo ${{ steps.docker_build_secondary.outputs.digest }} | |
# This job run's on trigger event 'push' to trunk branch. | |
# The job builds the staging version of observable secondary server image and pushes to docker hub. | |
# The job runs on completion of 'run_end2end_tests' job. | |
push_staging_observable_secondary_image: | |
# Runs only after full test suite has completed. | |
needs: [ unit_tests, functional_tests, end2end_test_12, end2end_test_34, end2end_test_56, end2end_test_staging ] | |
if: ${{ github.repository == 'atsign-foundation/at_server' && github.event_name == 'push' && contains(github.ref, 'trunk') }} | |
environment: staging | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Place run number into version within pubspec.yaml | |
working-directory: ${{ env.secondary-working-directory }} | |
run: | | |
sed -i "0,/version/ s/version\:.*/&+gha${{ github.run_number }}/" pubspec.yaml | |
grep version pubspec.yaml | head -1 | |
# Extract branch for docker tag | |
- name: Get branch name | |
run: echo "BRANCH=${GITHUB_REF##*/}" >> $GITHUB_ENV | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 | |
- name: Login to DockerHub | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
# Builds and pushes the secondary server image to docker hub. | |
- name: Build and push secondary image for amd64 and arm64 | |
id: docker_build_observable_secondary | |
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 | |
with: | |
push: true | |
provenance: false | |
file: tools/build_secondary/Dockerfile.observe | |
context: . | |
tags: | | |
atsigncompany/secondary:dev_obs | |
atsigncompany/secondary:dev_obs-${{ env.BRANCH }}-gha${{ github.run_number }} | |
platforms: | | |
linux/amd64 | |
linux/arm64/v8 | |
- name: Image digest of secondary server | |
run: echo ${{ steps.docker_build_observable_secondary.outputs.digest }} | |
# The below jobs run's on completion of 'run_end2end_tests' job. | |
# This job run's on trigger event 'push' and when a canary release is tagged. | |
# The job builds the canary version of secondary server docker image and pushes to docker hub. | |
push_canary_secondary_image: | |
# Runs only after all tests are completed. | |
needs: [ unit_tests, functional_tests, end2end_test_12, end2end_test_34, end2end_test_56 ] | |
if: ${{ github.repository == 'atsign-foundation/at_server' && github.event_name == 'push' && contains(github.ref, 'refs/tags/c') }} | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
packages: write | |
outputs: | |
digest: ${{ steps.docker_build_secondary.outputs.digest }} | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
# Extract version for docker tag | |
- name: Get version | |
run: echo "VERSION=${GITHUB_REF##*/}" >> $GITHUB_ENV | |
- name: Place canary version into pubspec.yaml | |
working-directory: ${{ env.secondary-working-directory }} | |
run: | | |
sed -i "0,/version/ s/version\:.*/&+${GITHUB_REF#refs/tags/}/" pubspec.yaml | |
grep version pubspec.yaml | head -1 | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 | |
- name: Login to DockerHub | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
# Builds and pushes the secondary server image to docker hub. | |
- name: Build and push secondary image for amd64 and arm64 | |
id: docker_build_secondary | |
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 | |
with: | |
push: true | |
provenance: false | |
file: tools/build_secondary/Dockerfile | |
context: . | |
tags: | | |
atsigncompany/secondary:canary | |
atsigncompany/secondary:canary-${{ env.VERSION }} | |
platforms: | | |
linux/amd64 | |
linux/arm64/v8 | |
linux/arm/v7 | |
provenance_canary_secondary_image: | |
needs: [push_canary_secondary_image] | |
permissions: | |
actions: read # for detecting the Github Actions environment. | |
id-token: write # for creating OIDC tokens for signing. | |
packages: write # for uploading attestations. | |
if: startsWith(github.ref, 'refs/tags/') | |
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | |
with: | |
image: "atsigncompany/secondary" | |
digest: ${{ needs.push_canary_secondary_image.outputs.digest }} | |
secrets: | |
registry-username: ${{ secrets.DOCKERHUB_USERNAME }} | |
registry-password: ${{ secrets.DOCKERHUB_TOKEN }} | |
push_canary_virtualenv_image: | |
needs: [ unit_tests, functional_tests, end2end_test_12, end2end_test_34, end2end_test_56 ] | |
if: ${{ github.repository == 'atsign-foundation/at_server' && github.event_name == 'push' && contains(github.ref, 'refs/tags/c') }} | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
packages: write | |
outputs: | |
digest: ${{ steps.docker_build.outputs.digest }} | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Get version | |
run: echo "VERSION=${GITHUB_REF##*/}" >> $GITHUB_ENV | |
- name: Place canary version into pubspec.yaml | |
working-directory: ${{ env.secondary-working-directory }} | |
run: | | |
sed -i "0,/version/ s/version\:.*/&+${GITHUB_REF#refs/tags/}/" pubspec.yaml | |
grep version pubspec.yaml | head -1 | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 | |
- name: Login to DockerHub | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
- name: Build and push | |
id: docker_build | |
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 | |
with: | |
file: tools/build_virtual_environment/ve/Dockerfile.vip | |
context: . | |
push: true | |
provenance: false | |
tags: | | |
atsigncompany/virtualenv:canary | |
atsigncompany/virtualenv:canary-${{ env.VERSION }} | |
platforms: | | |
linux/amd64 | |
linux/arm64/v8 | |
- name: Image digest | |
run: echo ${{ steps.docker_build.outputs.digest }} | |
provenance_canary_virtualenv_image: | |
needs: [push_canary_virtualenv_image] | |
permissions: | |
actions: read # for detecting the Github Actions environment. | |
id-token: write # for creating OIDC tokens for signing. | |
packages: write # for uploading attestations. | |
if: startsWith(github.ref, 'refs/tags/') | |
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | |
with: | |
image: "atsigncompany/virtualenv" | |
digest: ${{ needs.push_canary_virtualenv_image.outputs.digest }} | |
secrets: | |
registry-username: ${{ secrets.DOCKERHUB_USERNAME }} | |
registry-password: ${{ secrets.DOCKERHUB_TOKEN }} | |
# The below jobs run's on completion of 'run_end2end_tests' job. | |
# This job run's on trigger event 'push' and when a release is tagged. | |
# The job builds the production version of secondary server docker image and pushes to docker hub. | |
push_prod_secondary_image: | |
# Runs only after all tests are completed. | |
needs: [ unit_tests, functional_tests, end2end_test_12, end2end_test_34, end2end_test_56 ] | |
if: ${{ github.repository == 'atsign-foundation/at_server' && github.event_name == 'push' && contains(github.ref, 'refs/tags/v') }} | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
packages: write | |
outputs: | |
digest: ${{ steps.docker_build_secondary.outputs.digest }} | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
# Extract version for docker tag | |
- name: Get version | |
run: echo "VERSION=${GITHUB_REF##*/}" >> $GITHUB_ENV | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 | |
- name: Login to DockerHub | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
# Builds and pushes the secondary server image to docker hub. | |
- name: Build and push secondary image for amd64 and arm64 | |
id: docker_build_secondary | |
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 | |
with: | |
push: true | |
provenance: false | |
file: tools/build_secondary/Dockerfile | |
context: . | |
tags: | | |
atsigncompany/secondary:prod | |
atsigncompany/secondary:prod-${{ env.VERSION }} | |
atsigncompany/secondary:dess | |
platforms: | | |
linux/amd64 | |
linux/arm64/v8 | |
linux/arm/v7 | |
provenance_prod_secondary_image: | |
needs: [push_prod_secondary_image] | |
permissions: | |
actions: read # for detecting the Github Actions environment. | |
id-token: write # for creating OIDC tokens for signing. | |
packages: write # for uploading attestations. | |
if: startsWith(github.ref, 'refs/tags/') | |
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | |
with: | |
image: "atsigncompany/secondary" | |
digest: ${{ needs.push_prod_secondary_image.outputs.digest }} | |
secrets: | |
registry-username: ${{ secrets.DOCKERHUB_USERNAME }} | |
registry-password: ${{ secrets.DOCKERHUB_TOKEN }} | |
push_prod_virtualenv_image: | |
needs: [ unit_tests, functional_tests, end2end_test_12, end2end_test_34, end2end_test_56 ] | |
if: ${{ github.repository == 'atsign-foundation/at_server' && github.event_name == 'push' && contains(github.ref, 'refs/tags/v') }} | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
packages: write | |
outputs: | |
digest: ${{ steps.docker_build.outputs.digest }} | |
steps: | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 | |
- name: Login to DockerHub | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
- name: Build and push | |
id: docker_build | |
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 | |
with: | |
file: tools/build_virtual_environment/ve/Dockerfile.vip | |
context: . | |
push: true | |
provenance: false | |
tags: | | |
atsigncompany/virtualenv:vip | |
atsigncompany/virtualenv:at_server-gha${{ github.run_number }} | |
platforms: | | |
linux/amd64 | |
linux/arm64/v8 | |
- name: Image digest | |
run: echo ${{ steps.docker_build.outputs.digest }} | |
- name: Google Chat Notification | |
uses: Co-qn/google-chat-notification@3691ccf4763537d6e544bc6cdcccc1965799d056 # v1 | |
with: | |
name: New Docker image for atsigncompany/virtualenv:vip | |
url: ${{ secrets.GOOGLE_CHAT_WEBHOOK }} | |
status: ${{ job.status }} | |
provenance_prod_virtualenv_image: | |
needs: [push_prod_virtualenv_image] | |
permissions: | |
actions: read # for detecting the Github Actions environment. | |
id-token: write # for creating OIDC tokens for signing. | |
packages: write # for uploading attestations. | |
if: startsWith(github.ref, 'refs/tags/') | |
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | |
with: | |
image: "atsigncompany/virtualenv" | |
digest: ${{ needs.push_prod_virtualenv_image.outputs.digest }} | |
secrets: | |
registry-username: ${{ secrets.DOCKERHUB_USERNAME }} | |
registry-password: ${{ secrets.DOCKERHUB_TOKEN }} |