🍜 Build/publish all runners #39
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: 🍜 Build/publish all runners | |
| on: | |
| workflow_dispatch: # build on demand | |
| schedule: | |
| - cron: "43 6 * * 0" # build every Sunday at 6:43 AM UTC | |
| jobs: | |
| build-all: | |
| runs-on: ubuntu-latest # use the GitHub-hosted runner to build the image | |
| permissions: | |
| contents: write # for uploading the SBOM to the release | |
| packages: write # for uploading the finished container | |
| security-events: write # for github/codeql-action/upload-sarif to upload SARIF results | |
| id-token: write # to complete the identity challenge with sigstore/fulcio when running outside of PRs | |
| strategy: | |
| matrix: | |
| os: [rootless-ubuntu-jammy, rootless-ubuntu-numbat, ubi8, ubi9, wolfi] | |
| arch: [amd64, arm64] | |
| continue-on-error: true | |
| steps: | |
| - name: Checkout the repo | |
| uses: actions/checkout@v4 | |
| - name: Set version | |
| run: echo "VERSION=$(cat ${GITHUB_EVENT_PATH} | jq -r '.release.tag_name')" >> $GITHUB_ENV | |
| if: github.event_name == 'release' | |
| - name: Set short SHA | |
| run: echo "SHA_SHORT=${GITHUB_SHA::7}" >> $GITHUB_ENV | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Build the container | |
| uses: docker/build-push-action@v6 | |
| with: | |
| file: ./images/${{ matrix.os }}.Dockerfile | |
| push: false | |
| load: true | |
| platforms: linux/${{ matrix.arch }} | |
| tags: | | |
| ghcr.io/${{ github.repository }}/${{ matrix.os }}:latest | |
| ghcr.io/${{ github.repository }}/${{ matrix.os }}:${{ env.SHA_SHORT }} | |
| - name: Scan it | |
| uses: anchore/scan-action@v5 | |
| id: scan | |
| with: | |
| image: "ghcr.io/${{ github.repository }}/${{ matrix.os }}:${{ env.SHA_SHORT }}" | |
| fail-build: false | |
| - name: Upload the container scan report | |
| id: upload | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: ${{ steps.scan.outputs.sarif }} | |
| wait-for-processing: true | |
| - name: Dismiss alerts on other architectures | |
| if: matrix.arch != 'amd64' | |
| uses: advanced-security/dismiss-alerts@v1 | |
| with: | |
| sarif-id: ${{ steps.upload.outputs.sarif-id }} | |
| sarif-file: ${{ steps.scan.outputs.sarif }} | |
| env: | |
| GITHUB_TOKEN: ${{ github.token }} | |
| - name: Generate that SBOM | |
| uses: anchore/sbom-action@v0 | |
| with: | |
| image: "ghcr.io/${{ github.repository }}/${{ matrix.os }}:${{ env.SHA_SHORT }}" | |
| artifact-name: "${{ matrix.os }}-${{ matrix.arch }}-${{ env.SHA_SHORT }}.sbom" | |
| - name: Get image digest | |
| run: | | |
| echo "IMAGE_DIGEST=$(docker inspect \ | |
| ghcr.io/${{ github.repository }}/${{ matrix.os }}:${{ env.SHA_SHORT }} | \ | |
| jq -r '.[0].Id')" >> $GITHUB_ENV | |
| - name: Install cosign | |
| uses: sigstore/cosign-installer@main | |
| - name: Log in to GHCR | |
| run: echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io -u ${{ github.actor }} --password-stdin | |
| - name: Sign the published Docker image | |
| env: | |
| COSIGN_EXPERIMENTAL: "true" | |
| run: cosign sign -y ghcr.io/${{ github.repository }}/${{ matrix.os }}@${{ env.IMAGE_DIGEST }} | |
| - name: Push the container | |
| uses: docker/build-push-action@v6 | |
| with: | |
| file: ./images/${{ matrix.os }}.Dockerfile | |
| platforms: ${{ matrix.arch }} | |
| push: true | |
| tags: | | |
| ghcr.io/${{ github.repository }}/${{ matrix.os }}:${{ env.SHA_SHORT }} | |
| ghcr.io/${{ github.repository }}/${{ matrix.os }}:latest |