
Commit 5734df8

committed
Verify base & sign commits/tags
1 parent 0a9d304 commit 5734df8

1 file changed

+27
-8
lines changed


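--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -53,8 +53,15 @@ jobs:
 - name: Build action image
 id: image_build
 env:
-RELEASE_TAG: "test"
+RELEASE_TAG: "test.0.0"
 run: |
+BASE_TAG=$(docker buildx imagetools inspect danielflook/terraform-github-actions-base:latest --format '{{json .}}' | jq -r '.manifest.annotations."ref.tag"')
+BASE_DIGEST=$(docker buildx imagetools inspect danielflook/terraform-github-actions-base:$BASE_TAG --format '{{json .}}' | jq -r '.manifest.digest')
+
+gh attestation verify --repo dflook/terraform-github-actions "oci://index.docker.io/danielflook/terraform-github-actions-base@$BASE_DIGEST"
+
+sed -i "s|FROM danielflook/terraform-github-actions-base:latest|FROM danielflook/terraform-github-actions-base@$BASE_DIGEST|" "image/Dockerfile"
+
 docker buildx build \
 --build-arg FETCH_CHECKSUMS=yes \
 --build-arg VERSION="${RELEASE_TAG:1}" \
@@ -72,6 +79,7 @@ jobs:
 --annotation "index,manifest:builder-id=$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" \
 --annotation "index,manifest:ref.tag=$RELEASE_TAG" \
 --annotation "index,manifest:org.opencontainers.image.base.name=docker.io/danielflook/terraform-github-actions-base" \
+--annotation "index:org.opencontainers.image.base.ref=$BASE_TAG" \
 --push \
 --iidfile manifest-list-digest.txt \
 image
@@ -97,26 +105,34 @@ jobs:
 - image
 environment:
 name: release
-url: https://github.com/dflook/terraform-github-actions/releases/tag/${{ github.event.release.tag_name }}${{ github.event.inputs.tag_name }}"
+url: https://github.com/dflook/terraform-github-actions/releases/tag/test.0.0"
 steps:
 - name: Checkout
 uses: actions/checkout@v4
 with:
-persist-credentials: true
+fetch-depth: 0
+persist-credentials: false
+
+- name: Configure git
+env:
+GPG_KEY: ${{ secrets.RELEASE_GPG_KEY }}
+run: |
+echo "$GPG_KEY" | gpg --import
+git config --global user.name "Daniel Flook"
+git config --global user.email "daniel@flook.org"
+git config --global user.signingkey "26AAA6B35318E5B7CF0823170FDD1CF4BEE12274"
+git config --global commit.gpgSign true
+git config --global tag.gpgSign true
 
 - name: Release actions
 env:
 GITHUB_TOKEN: ${{ secrets.RELEASE_GITHUB_TOKEN }}
-RELEASE_TAG: "${{ github.event.release.tag_name }}${{ github.event.inputs.tag_name }}"
+RELEASE_TAG: "test.0.0"
 IMAGE_DIGEST: ${{ needs.image.outputs.digest }}
 run: |
-exit 0
 export major=$(echo "$RELEASE_TAG" | cut -d. -f1)
 export minor=$(echo "$RELEASE_TAG" | cut -d. -f2)
 
-git config --global user.name "Daniel Flook"
-git config --global user.email "daniel@flook.org"
-
 function prepare_release() {
 rsync -r "$GITHUB_WORKSPACE/$action/" "$HOME/$action"
 rm -rf "$HOME/$action/.github"
@@ -138,6 +154,9 @@ jobs:
 git -C "$HOME/$action" tag --force -a -m"$RELEASE_TAG" "$RELEASE_TAG"
 git -C "$HOME/$action" tag --force -a -m"$RELEASE_TAG" "$major"
 git -C "$HOME/$action" tag --force -a -m"$RELEASE_TAG" "$major.$minor"
+git -C "$HOME/$action" tag --force -a -m"$RELEASE_TAG" "$RELEASE_TAG-dockerhub"
+git -C "$HOME/$action" tag --force -a -m"$RELEASE_TAG" "$major-dockerhub"
+git -C "$HOME/$action" tag --force -a -m"$RELEASE_TAG" "$major.$minor-dockerhub"
 git -C "$HOME/$action" push --force
 git -C "$HOME/$action" push --force --tags
 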
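Review bot: The base-image pinning at new lines 58–63 of the first hunk resolves `BASE_TAG` and `BASE_DIGEST` through `docker buildx imagetools inspect | jq` pipelines, and unless this step sets `shell: bash` (not visible in the hunk) a `run:` block executes under `bash -e` without `pipefail`, so a failed `inspect` leaves `jq` reading empty input and exiting 0, and a missing annotation makes `jq -r` print the string `null` — either way `BASE_DIGEST` can be empty or `null` when `gh attestation verify` is reached. The verify call would presumably reject a malformed `oci://...@` reference and stop the step, but the failure would be far less clear than a direct check, and nothing else guards the `sed` at line 63 from rewriting the Dockerfile to a dangling `@` reference. I would start the block with `set -o pipefail` and add `[ -n "$BASE_DIGEST" ] && [ "$BASE_DIGEST" != null ] || { echo "could not resolve base image digest" >&2; exit 1; }` immediately before the `gh attestation verify` line. The `run:` block of this step continues past the end of the hunk. Separately, the literal `test.0.0` values at new lines 56, 108 and 130 read as a test run of the release path rather than the final release configuration, but I cannot tell from this page whether that is intended.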
