
Fix incorrect usage of env variable in workflow #138

Fix incorrect usage of env variable in workflow


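name: Create docker image
on:
  push:

concurrency:
  # One run per ref; a newer push cancels the one still in flight.
  # NOTE(review): on main this can also cancel a run that has already pushed
  # an image but not yet rolled it out — confirm that is intended.
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Default token scope for every job. A job that declares its own
# `permissions:` block replaces (does not extend) this default.
permissions:
  contents: read

env:
  GOOGLE_REGISTRY: europe-north1-docker.pkg.dev
  # Environment values are always strings at runtime; quoted so a YAML
  # loader never retypes them as booleans.
  EARTHLY_USE_INLINE_CACHE: "true"
  EARTHLY_SAVE_INLINE_CACHE: "true"
  EARTHLY_VERBOSE: "true"
  EARTHLY_FULL_TARGET: "true"
  EARTHLY_OUTPUT: "true"
  FEATURE: aiven-poke

jobs:
  # Computes the single version string that every other job consumes.
  version:
    name: Version
    runs-on: ubuntu-latest
    steps:
      # All checkouts in this file pin the same v3 commit.
      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # ratchet:actions/checkout@v3
      - name: Generate image environment variable
        id: set-image-tag
        # <timestamp>-<commit id>: `--exclude '*'` ignores every tag, so
        # `git describe --always` falls back to the abbreviated commit hash.
        run: |
          version="$(date +%Y%m%d%H%M%S)-$(git describe --always --dirty --exclude '*')"
          echo "version=${version}" >> "$GITHUB_OUTPUT"
    outputs:
      version: ${{ steps.set-image-tag.outputs.version }}

  # Builds the image with earthly; pushes, signs and attests it only on main.
  build:
    runs-on: ubuntu-latest
    needs:
      - version
    permissions:
      contents: "read"
      id-token: "write" # OIDC token for Workload Identity Federation and keyless cosign
      packages: "write"
    steps:
      - name: Install earthly
        uses: earthly/actions-setup@135d686cdc4619918fd1b542d0a08d61dd104518 # ratchet:earthly/actions-setup@v1
        with:
          version: "latest" # or pin to a specific version, e.g. "v0.6.10"
      - name: Install cosign
        uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # ratchet:sigstore/cosign-installer@main
        with:
          cosign-release: 'v2.0.0'
      - name: Verify runner image
        # Checks the signature on the python:3.11 tag. NOTE(review): a tag is
        # mutable, so this does not pin what a later pull of that tag resolves
        # to; verifying and consuming a digest would close that gap.
        run: cosign verify --certificate-identity https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main --certificate-oidc-issuer https://token.actions.githubusercontent.com cgr.dev/chainguard/python:3.11
      - name: Checkout
        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # ratchet:actions/checkout@v3
      - id: "auth"
        name: "Authenticate to Google Cloud"
        if: github.ref == 'refs/heads/main'
        # Same pinned commit as the chart job below.
        uses: "google-github-actions/auth@35b0e87d162680511bf346c299f71c9c5c379033" # ratchet:google-github-actions/auth@<tag garbled in source>
        with:
          workload_identity_provider: ${{ secrets.NAIS_IO_WORKLOAD_IDENTITY_PROVIDER }}
          service_account: "<service-account-email: garbled in source>"
          token_format: "access_token"
      - name: Login to Google Artifact Registry
        if: github.ref == 'refs/heads/main'
        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # ratchet:docker/login-action@v2
        with:
          registry: ${{ env.GOOGLE_REGISTRY }}
          username: "oauth2accesstoken"
          password: "${{ steps.auth.outputs.access_token }}"
      - name: "Set image tag"
        id: set-image-tag
        # Workflow values reach the shell through `env:` rather than being
        # spliced into the script by `${{ }}` expansion.
        env:
          VERSION: ${{ needs.version.outputs.version }}
        run: |
          echo "IMAGE_TAG=${VERSION}" >> "$GITHUB_ENV"
          echo "IMAGE=${GOOGLE_REGISTRY}/nais-io/nais/images/${FEATURE}" >> "$GITHUB_ENV"
      - name: Build and possibly push
        env:
          EARTHLY_PUSH: "${{ github.ref == 'refs/heads/main' }}"
        run: |
          earthly --version
          earthly --verbose +docker --IMAGE_TAG="${IMAGE_TAG}" --BASEIMAGE="${IMAGE}"
      - name: Retrieve image digest
        id: imgdigest
        if: github.ref == 'refs/heads/main'
        run: |
          docker pull "${IMAGE}:${IMAGE_TAG}"
          digest="$(docker inspect "${IMAGE}:${IMAGE_TAG}" | jq -r '.[].RepoDigests[0]')"
          # jq prints the literal "null" when RepoDigests is empty; fail here
          # instead of handing that string to cosign in the next steps.
          if [ -z "${digest}" ] || [ "${digest}" = "null" ]; then
            echo "no repo digest found for ${IMAGE}:${IMAGE_TAG}" >&2
            exit 1
          fi
          echo "digest=${digest}" >> "$GITHUB_OUTPUT"
      - name: Sign the container image
        if: github.ref == 'refs/heads/main'
        env:
          DIGEST: ${{ steps.imgdigest.outputs.digest }}
        run: cosign sign --yes "${DIGEST}"
      - name: Create SBOM
        if: github.ref == 'refs/heads/main'
        # NOTE(review): `cyclonedx-py -p` presumably inventories the runner's
        # pip environment rather than the earthly-built image — confirm the
        # attested SBOM describes the intended artifact.
        run: |
          sudo apt-get update && sudo apt-get install -y python3-pip
          pip3 install cyclonedx-bom
          cyclonedx-py -p --format json -o sbom.json
      - name: Attest image
        if: github.ref == 'refs/heads/main'
        env:
          DIGEST: ${{ steps.imgdigest.outputs.digest }}
        run: cosign attest --yes --predicate sbom.json --type cyclonedx "${DIGEST}"

  # Packages and pushes every chart under charts/.
  # NOTE(review): unlike build, this job pushes on every ref, not only main —
  # confirm that asymmetry is intended.
  chart:
    permissions:
      contents: 'read'
      id-token: 'write'
    name: Build and push chart
    runs-on: ubuntu-latest
    needs:
      - version
    steps:
      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # ratchet:actions/checkout@v3
      - id: 'auth'
        name: 'Authenticate to Google Cloud'
        uses: 'google-github-actions/auth@35b0e87d162680511bf346c299f71c9c5c379033' # ratchet:google-github-actions/auth@<tag garbled in source>
        with:
          workload_identity_provider: ${{ secrets.NAIS_IO_WORKLOAD_IDENTITY_PROVIDER }}
          service_account: '<service-account-email: garbled in source>'
          token_format: 'access_token'
      - name: 'Set up Cloud SDK'
        # NOTE(review): no later step in this job invokes gcloud — confirm
        # this install is still needed.
        uses: 'google-github-actions/setup-gcloud@e30db14379863a8c79331b04a9969f4c1e225e0b' # ratchet:google-github-actions/setup-gcloud@v1
      - name: 'Log in to Google Artifact Registry'
        # The token is passed through the environment so it is never part of
        # the script text itself.
        env:
          ACCESS_TOKEN: ${{ steps.auth.outputs.access_token }}
        run: |-
          echo "${ACCESS_TOKEN}" | docker login -u oauth2accesstoken --password-stdin "https://${GOOGLE_REGISTRY}"
      - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # ratchet:azure/setup-helm@v3
        name: 'Setup Helm'
        with:
          version: '3.8.0'
      - name: Set versions
        env:
          VERSION: ${{ needs.version.outputs.version }}
        run: |-
          for chart in charts/*; do
            yq e ".version = \"${VERSION}\"" --inplace "${chart}/Chart.yaml"
            yq e ".image.tag = \"${VERSION}\"" --inplace "${chart}/values.yaml"
          done
      - name: Build Chart
        run: |-
          for chart in charts/*; do
            helm package "$chart"
          done
      - name: Push Chart
        run: |-
          for chart in *.tgz; do
            helm push "$chart" "oci://${GOOGLE_REGISTRY}/nais-io/nais/feature"
          done

  # Deploys the pushed chart; runs only for main and never for dependabot.
  rollout:
    name: Rollout
    if: github.actor != 'dependabot[bot]' && github.ref == 'refs/heads/main'
    needs:
      - version
      - build
      - chart
    runs-on: fasit-deploy
    permissions:
      id-token: write
    steps:
      - uses: nais/fasit-deploy@badff0705af8a57bcf0ab172895273da09ae5959 # ratchet:nais/fasit-deploy@v2
        with:
          chart: oci://${{ env.GOOGLE_REGISTRY }}/nais-io/nais/feature/${{ env.FEATURE }}
          version: ${{ needs.version.outputs.version }}
          feature_name: ${{ env.FEATURE }}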