refactor!: Configuration of signer moved into jwt finalizer (#1534)
#3779
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches: | |
| - main | |
| - release | |
| pull_request: | |
| branches: | |
| - main | |
| - release | |
| env: | |
| GO_VERSION: "1.22.4" | |
| GOLANGCI_LINT_VERSION: "v1.59.0" | |
| HELM_VERSION: "3.14.1" | |
| KUBECONFORM_VERSION: "0.6.4" | |
| KUBERNETES_API_VERSION: "1.27.0" | |
| NODE_VERSION: "18.16" | |
| COSIGN_VERSION: "v2.2.3" | |
| CYCLONEDX_GOMOD_VERSION: "v1.4.1" | |
| DOCUMENTATION_URL: "https://dadrus.github.io/heimdall/" | |
| permissions: read-all | |
| jobs: | |
| check-changes: | |
| runs-on: ubuntu-22.04 | |
| outputs: | |
| code_changed: ${{steps.code-changes.outputs.count > 0}} | |
| test_data_changed: ${{steps.test-data-changes.outputs.count > 0}} | |
| image_config_changed: ${{steps.image-config-changes.outputs.count > 0}} | |
| helm_chart_changed: ${{steps.helm-chart-changes.outputs.count > 0}} | |
| docs_changed: ${{steps.docs-changes.outputs.count > 0}} | |
| ci_config_changed: ${{steps.ci-changes.outputs.count > 0}} | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout repository | |
| uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 | |
| - name: Check code changes | |
| id: code-changes | |
| uses: technote-space/get-diff-action@f27caffdd0fb9b13f4fc191c016bb4e0632844af # v6.1.2 | |
| with: | |
| PATTERNS: | | |
| *.go | |
| **/*.go | |
| schema/*.json | |
| FILES: | | |
| go.mod | |
| go.sum | |
| - name: Check test data changes | |
| id: test-data-changes | |
| uses: technote-space/get-diff-action@f27caffdd0fb9b13f4fc191c016bb4e0632844af # v6.1.2 | |
| with: | |
| PATTERNS: | | |
| cmd/**/*.yaml | |
| internal/**/*.yaml | |
| - name: Check container image config changes | |
| id: image-config-changes | |
| uses: technote-space/get-diff-action@f27caffdd0fb9b13f4fc191c016bb4e0632844af # v6.1.2 | |
| with: | |
| PATTERNS: | | |
| docker/Dockerfile | |
| - name: Check helm chart changes | |
| id: helm-chart-changes | |
| uses: technote-space/get-diff-action@f27caffdd0fb9b13f4fc191c016bb4e0632844af # v6.1.2 | |
| with: | |
| PATTERNS: | | |
| charts/** | |
| - name: Check documentation changes | |
| id: docs-changes | |
| uses: technote-space/get-diff-action@f27caffdd0fb9b13f4fc191c016bb4e0632844af # v6.1.2 | |
| with: | |
| PATTERNS: | | |
| docs/** | |
| - name: Check CI settings changes | |
| id: ci-changes | |
| uses: technote-space/get-diff-action@f27caffdd0fb9b13f4fc191c016bb4e0632844af # v6.1.2 | |
| with: | |
| PATTERNS: | | |
| .github/workflows/*.yaml | |
| check-licenses: | |
| runs-on: ubuntu-22.04 | |
| needs: | |
| - check-changes | |
| if: > | |
| needs.check-changes.outputs.code_changed == 'true' || | |
| needs.check-changes.outputs.ci_config_changed == 'true' | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout repository | |
| uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 | |
| - name: Set up Go | |
| uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 | |
| with: | |
| go-version: "${{ env.GO_VERSION }}" | |
| - name: Get google/go-licenses package | |
| run: go install github.com/google/[email protected] | |
| - name: Check the licenses | |
| run: go-licenses check --disallowed_types=forbidden,restricted,reciprocal,permissive,unknown . | |
| lint-code: | |
| runs-on: ubuntu-22.04 | |
| permissions: | |
| pull-requests: write | |
| needs: | |
| - check-changes | |
| if: > | |
| needs.check-changes.outputs.code_changed == 'true' || | |
| needs.check-changes.outputs.ci_config_changed == 'true' | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout repository | |
| uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Review code | |
| uses: reviewdog/action-golangci-lint@00311c26a97213f93f2fd3a3524d66762e956ae0 # v2.6.1 | |
| with: | |
| go_version: "${{ env.GO_VERSION }}" | |
| golangci_lint_version: "${{ env.GOLANGCI_LINT_VERSION }}" | |
| reporter: github-pr-review | |
| fail_on_error: true | |
| lint-api: | |
| runs-on: ubuntu-22.04 | |
| needs: | |
| - check-changes | |
| if: > | |
| needs.check-changes.outputs.docs_changed == 'true' || | |
| needs.check-changes.outputs.ci_config_changed == 'true' | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout repository | |
| uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 | |
| - name: Setup Node | |
| uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 | |
| with: | |
| node-version: ${{ env.NODE_VERSION }} | |
| - name: Install Redocly CLI | |
| run: npm i -g @redocly/[email protected] | |
| - name: Run Redocly Lint | |
| run: redocly lint | |
| lint-dockerfiles: | |
| runs-on: ubuntu-22.04 | |
| needs: | |
| - check-changes | |
| if: > | |
| needs.check-changes.outputs.image_config_changed == 'true' || | |
| needs.check-changes.outputs.ci_config_changed == 'true' | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout repository | |
| uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 | |
| - name: Run hadolint | |
| uses: reviewdog/action-hadolint@66dae8a08183f1075386da9fff19a32512ddd31f # v1.42.0 | |
| with: | |
| reporter: github-pr-review | |
| fail_on_error: true | |
| lint-helm-chart: | |
| runs-on: ubuntu-22.04 | |
| needs: | |
| - check-changes | |
| if: > | |
| needs.check-changes.outputs.helm_chart_changed == 'true' || | |
| needs.check-changes.outputs.ci_config_changed == 'true' | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout repository | |
| uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 | |
| - name: Setup k8s tools | |
| uses: yokawasa/action-setup-kube-tools@5fe385031665158529decddddb51d6224422836e # v0.11.1 | |
| with: | |
| setup-tools: | | |
| helm | |
| kubeconform | |
| helm: '${{ env.HELM_VERSION }}' | |
| kubeconform: '${{ env.KUBECONFORM_VERSION }}' | |
| - name: Helm Lint | |
| run: helm lint ./charts/heimdall | |
| - name: Kubeconform decision mode deployment | |
| run: | | |
| helm template ./charts/heimdall > decision-config.yaml | |
| kubeconform --skip RuleSet -kubernetes-version ${{ env.KUBERNETES_API_VERSION }} decision-config.yaml | |
| - name: Kubeconform proxy mode deployment | |
| run: | | |
| helm template --set operationMode=proxy ./charts/heimdall > proxy-config.yaml | |
| kubeconform --skip RuleSet -kubernetes-version ${{ env.KUBERNETES_API_VERSION }} proxy-config.yaml | |
| test: | |
| runs-on: ubuntu-22.04 | |
| needs: | |
| - check-changes | |
| if: > | |
| needs.check-changes.outputs.code_changed == 'true' || | |
| needs.check-changes.outputs.test_data_changed == 'true' || | |
| needs.check-changes.outputs.ci_config_changed == 'true' | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout repository | |
| uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 | |
| - name: Set up Go | |
| uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 | |
| with: | |
| go-version: "${{ env.GO_VERSION }}" | |
| - name: Test | |
| run: go test -v -coverprofile=coverage.cov -coverpkg=./... ./... | |
| - name: Code Coverage | |
| uses: codecov/codecov-action@125fc84a9a348dbcf27191600683ec096ec9021c # v4.4.1 | |
| with: | |
| files: coverage.cov | |
| verbose: true | |
| token: ${{ secrets.CODECOV_TOKEN }} | |
| prepare-release: | |
| runs-on: ubuntu-22.04 | |
| if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/release' | |
| permissions: | |
| pull-requests: write | |
| contents: write | |
| outputs: | |
| release_created: ${{ steps.release_prepare.outputs.release_created }} | |
| tag_name: ${{ steps.release_prepare.outputs.tag_name }} | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 | |
| with: | |
| egress-policy: audit | |
| - name: Prepare Release | |
| id: release_prepare | |
| uses: googleapis/release-please-action@f3969c04a4ec81d7a9aa4010d84ae6a7602f86a7 # v4.1.1 | |
| with: | |
| target-branch: ${{ github.ref_name }} | |
| build-binaries: | |
| runs-on: ubuntu-22.04 | |
| needs: | |
| - test | |
| - prepare-release | |
| if: always() && needs.prepare-release.outputs.release_created == false && needs.test.result == 'success' | |
| strategy: | |
| matrix: | |
| # build and publish in parallel: linux/amd64, linux/arm64, windows/amd64, darwin/amd64, darwin/arm64 | |
| goos: [ linux, windows, darwin ] | |
| goarch: [ amd64, arm64, arm ] | |
| exclude: | |
| - goarch: arm | |
| goos: darwin | |
| - goarch: arm | |
| goos: windows | |
| - goarch: arm64 | |
| goos: windows | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout repository | |
| uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 | |
| - name: Set up Go | |
| uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 | |
| with: | |
| go-version: "${{ env.GO_VERSION }}" | |
| - name: Build | |
| run: CGO_ENABLED=0 GOOS=${{ matrix.goos }} GOARCH=${{ matrix.goarch }} go build -trimpath -ldflags="-buildid= -w -s -X github.com/dadrus/heimdall/version.Version=${{ github.sha }}" -o ./build/ | |
| - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 | |
| if: github.ref == 'refs/heads/main' | |
| with: | |
| name: build-result-${{ matrix.goos }}-${{ matrix.goarch }} | |
| path: ./build/* | |
| retention-days: 30 | |
| release-binaries: | |
| runs-on: ubuntu-22.04 | |
| needs: | |
| - prepare-release | |
| if: needs.prepare-release.outputs.release_created | |
| permissions: | |
| contents: write | |
| id-token: write | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout repository | |
| uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Set up Go | |
| uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 | |
| with: | |
| go-version: "${{ env.GO_VERSION }}" | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 | |
| with: | |
| cosign-release: "${{ env.COSIGN_VERSION }}" | |
| - name: Install CycloneDX gomod | |
| run: go install github.com/CycloneDX/cyclonedx-gomod/cmd/[email protected] | |
| - name: Generate SBOM | |
| uses: CycloneDX/gh-gomod-generate-sbom@efc74245d6802c8cefd925620515442756c70d8f # v2.0.0 | |
| with: | |
| version: "${{ env.CYCLONEDX_GOMOD_VERSION }}" | |
| args: app -licenses -assert-licenses -json -std -output CycloneDX-SBOM.json -main . | |
| - name: Run GoReleaser | |
| uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0 | |
| with: | |
| args: release --clean | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| # this job builds container images for PRs, as well as publishes these on merges to main | |
| build-dev-container-images: | |
| runs-on: ubuntu-22.04 | |
| permissions: | |
| packages: write | |
| id-token: write | |
| needs: | |
| - test | |
| - check-changes | |
| - prepare-release | |
| if: > | |
| github.ref == 'refs/heads/main' && | |
| needs.prepare-release.outputs.release_created == false && | |
| (needs.test.result == 'success' || (needs.test.result == 'skipped' && needs.check-changes.outputs.image_config_changed == 'true')) | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout repository | |
| uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 | |
| - name: Install Cosign | |
| if: github.ref == 'refs/heads/main' | |
| uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 | |
| with: | |
| cosign-release: "${{ env.COSIGN_VERSION }}" | |
| - name: Set up Go # required as the sbom generator is compiled using go < 1.21 | |
| uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 | |
| with: | |
| go-version: "${{ env.GO_VERSION }}" | |
| - name: Generate SBOM | |
| if: github.ref == 'refs/heads/main' | |
| uses: CycloneDX/gh-gomod-generate-sbom@efc74245d6802c8cefd925620515442756c70d8f # v2.0.0 | |
| with: | |
| version: "${{ env.CYCLONEDX_GOMOD_VERSION }}" | |
| args: app -licenses -assert-licenses -json -std -output CycloneDX-SBOM.json -main . | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 | |
| - name: Collect container meta-info | |
| id: meta | |
| uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 | |
| with: | |
| images: ${{ github.repository }} | |
| labels: | | |
| org.opencontainers.image.version=${{ github.sha }} | |
| org.opencontainers.image.documentation=${{ env.DOCUMENTATION_URL }} | |
| - name: Build images | |
| if: github.ref != 'refs/heads/main' | |
| uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 | |
| with: | |
| context: . | |
| file: ./docker/Dockerfile | |
| platforms: linux/amd64,linux/arm64,linux/arm | |
| push: false | |
| build-args: VERSION=${{ github.sha }} | |
| tags: ${{ github.repository }}:local | |
| - name: Login to DockerHub | |
| if: github.ref == 'refs/heads/main' | |
| uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 | |
| with: | |
| username: ${{ secrets.DOCKERHUB_USER }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| - name: Login to GitHub | |
| if: github.ref == 'refs/heads/main' | |
| uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Build and push dev images to container registry | |
| if: github.ref == 'refs/heads/main' | |
| id: publish-image | |
| uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 | |
| with: | |
| context: . | |
| file: ./docker/Dockerfile | |
| platforms: linux/amd64,linux/arm64,linux/arm | |
| push: true | |
| build-args: VERSION=${{ github.sha }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| tags: | | |
| ${{ github.repository }}:dev | |
| ${{ github.repository }}:dev-${{ github.sha }} | |
| ghcr.io/${{ github.repository }}:dev | |
| ghcr.io/${{ github.repository }}:dev-${{ github.sha }} | |
| # DockerHub | |
| - name: Sign the image published in DockerHub | |
| if: steps.publish-image.conclusion == 'success' | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| COSIGN_REPOSITORY: ${{ github.repository }}-signatures | |
| run: cosign sign --yes ${{ github.repository }}@${{ steps.publish-image.outputs.digest }} | |
| - name: Attest and attach SBOM to the image published in DockerHub | |
| if: steps.publish-image.conclusion == 'success' | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| COSIGN_REPOSITORY: ${{ github.repository }}-sbom | |
| run: cosign attest --yes --predicate CycloneDX-SBOM.json --type cyclonedx ${{ github.repository }}@${{ steps.publish-image.outputs.digest }} | |
| # GHCR | |
| - name: Sign the image published in GitHub | |
| if: steps.publish-image.conclusion == 'success' | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| COSIGN_REPOSITORY: ghcr.io/${{ github.repository }}-signatures | |
| run: cosign sign --yes ghcr.io/${{ github.repository }}@${{ steps.publish-image.outputs.digest }} | |
| - name: Attest and attach SBOM to the image published in GitHub | |
| if: steps.publish-image.conclusion == 'success' | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| COSIGN_REPOSITORY: ghcr.io/${{ github.repository }}-sbom | |
| run: cosign attest --yes --predicate CycloneDX-SBOM.json --type cyclonedx ghcr.io/${{ github.repository }}@${{ steps.publish-image.outputs.digest }} | |
| # this job releases container images | |
| release-container-images: | |
| if: needs.prepare-release.outputs.release_created | |
| runs-on: ubuntu-22.04 | |
| permissions: | |
| packages: write | |
| id-token: write | |
| needs: | |
| - prepare-release | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout repository | |
| uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 | |
| - name: Prepare image version | |
| id: image-version | |
| run: | | |
| export version=$(echo ${{ needs.prepare-release.outputs.tag_name }} | sed 's/v//g') | |
| echo "result=$version" >> $GITHUB_OUTPUT | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 | |
| with: | |
| cosign-release: "${{ env.COSIGN_VERSION }}" | |
| - name: Set up Go # required as the sbom generator is compiled using go < 1.21 | |
| uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 | |
| with: | |
| go-version: "${{ env.GO_VERSION }}" | |
| - name: Generate SBOM | |
| uses: CycloneDX/gh-gomod-generate-sbom@efc74245d6802c8cefd925620515442756c70d8f # v2.0.0 | |
| with: | |
| version: "${{ env.CYCLONEDX_GOMOD_VERSION }}" | |
| args: app -licenses -assert-licenses -json -std -output CycloneDX-SBOM.json -main . | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 | |
| - name: Login to DockerHub | |
| uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 | |
| with: | |
| username: ${{ secrets.DOCKERHUB_USER }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| - name: Login to GitHub | |
| uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Collect Docker meta-info | |
| id: meta | |
| uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 | |
| with: | |
| images: ${{ github.repository }} | |
| labels: | | |
| org.opencontainers.image.version=${{ steps.image-version.outputs.result }} | |
| org.opencontainers.image.documentation=${{ env.DOCUMENTATION_URL }} | |
| - name: Build and push images to container registry | |
| id: publish-image | |
| uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 | |
| with: | |
| context: . | |
| file: ./docker/Dockerfile | |
| platforms: linux/amd64,linux/arm64,linux/arm | |
| push: true | |
| build-args: VERSION=${{ needs.prepare-release.outputs.tag_name }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| tags: | | |
| ${{ github.repository }}:latest | |
| ${{ github.repository }}:${{ steps.image-version.outputs.result }} | |
| ghcr.io/${{ github.repository }}:latest | |
| ghcr.io/${{ github.repository }}:${{ steps.image-version.outputs.result }} | |
| # DockerHub | |
| - name: Sign the image published in DockerHub | |
| if: steps.publish-image.conclusion == 'success' | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| COSIGN_REPOSITORY: ${{ github.repository }}-signatures | |
| run: cosign sign --yes ${{ github.repository }}@${{ steps.publish-image.outputs.digest }} | |
| - name: Attest and attach SBOM to the image published in DockerHub | |
| if: steps.publish-image.conclusion == 'success' | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| COSIGN_REPOSITORY: ${{ github.repository }}-sbom | |
| run: cosign attest --yes --predicate CycloneDX-SBOM.json --type cyclonedx ${{ github.repository }}@${{ steps.publish-image.outputs.digest }} | |
| - name: Update DockerHub repository description & readme | |
| uses: peter-evans/dockerhub-description@e98e4d1628a5f3be2be7c231e50981aee98723ae # v4.0.0 | |
| with: | |
| username: ${{ secrets.DOCKERHUB_USER }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| repository: ${{ github.repository }} | |
| short-description: ${{ github.event.repository.description }} | |
| readme-filepath: ./DockerHub-README.md | |
| # GHCR | |
| - name: Sign the image published in GitHub | |
| if: steps.publish-image.conclusion == 'success' | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| COSIGN_REPOSITORY: ghcr.io/${{ github.repository }}-signatures | |
| run: cosign sign --yes ghcr.io/${{ github.repository }}@${{ steps.publish-image.outputs.digest }} | |
| - name: Attest and attach SBOM to the image published in GitHub | |
| if: steps.publish-image.conclusion == 'success' | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| COSIGN_REPOSITORY: ghcr.io/${{ github.repository }}-sbom | |
| run: cosign attest --yes --predicate CycloneDX-SBOM.json --type cyclonedx ghcr.io/${{ github.repository }}@${{ steps.publish-image.outputs.digest }} | |
| release-helm-chart: | |
| runs-on: ubuntu-22.04 | |
| permissions: | |
| contents: write | |
| needs: | |
| - prepare-release | |
| - release-container-images | |
| if: needs.prepare-release.outputs.release_created | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout repository | |
| uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 | |
| - name: Prepare image version | |
| id: image-version | |
| run: | | |
| export version=$(echo ${{ needs.prepare-release.outputs.tag_name }} | sed 's/v//g') | |
| echo "result=$version" >> $GITHUB_OUTPUT | |
| - name: Publish Helm Chart | |
| uses: stefanprodan/helm-gh-pages@0ad2bb377311d61ac04ad9eb6f252fb68e207260 # v1.7.0 | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| target_dir: charts | |
| linting: off | |
| app_version: ${{ steps.image-version.outputs.result }} | |
| build-dev-documentation: | |
| runs-on: ubuntu-22.04 | |
| permissions: | |
| contents: write | |
| needs: | |
| - prepare-release | |
| - check-changes | |
| if: > | |
| github.ref == 'refs/heads/main' && | |
| needs.prepare-release.outputs.release_created == false && | |
| (needs.check-changes.outputs.docs_changed == 'true' || needs.check-changes.outputs.ci_config_changed == 'true') | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout repository | |
| uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 | |
| with: | |
| submodules: true # Fetch Hugo themes (true OR recursive) | |
| fetch-depth: 0 # Fetch all history for .GitInfo and .Lastmod | |
| - name: Setup Hugo | |
| uses: peaceiris/actions-hugo@75d2e84710de30f6ff7268e08f310b60ef14033f # v3.0.0 | |
| with: | |
| hugo-version: 0.100.1 | |
| extended: true | |
| - name: Setup Node | |
| uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 | |
| with: | |
| node-version: 17.7 | |
| - name: Setup ruby | |
| uses: ruby/setup-ruby@78c01b705fd9d5ad960d432d3a0cfa341d50e410 # v1.179.1 | |
| with: | |
| ruby-version: 3.1.3 | |
| - name: Install asciidoctor | |
| run: gem install asciidoctor asciidoctor-diagram asciidoctor-html5s rouge | |
| - name: Install dependencies | |
| working-directory: ./docs | |
| run: npm install | |
| - name: Update version string to dev version | |
| uses: jacobtomlinson/gha-find-replace@a51bbcd94d000df9ca0fcb54ec8be69aad8374b0 # v3 | |
| with: | |
| find: "x-current-version" | |
| replace: "dev" | |
| regex: false | |
| include: docs/** | |
| - name: Build documentation | |
| working-directory: ./docs | |
| run: hugo --minify -d ./public | |
| - name: Deploy documentation | |
| if: github.ref == 'refs/heads/main' | |
| uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0 | |
| with: | |
| github_token: ${{ secrets.GITHUB_TOKEN }} | |
| publish_dir: ./docs/public | |
| destination_dir: dev | |
| release-documentation: | |
| runs-on: ubuntu-22.04 | |
| permissions: | |
| contents: write | |
| id-token: write | |
| pull-requests: write | |
| needs: | |
| - prepare-release | |
| if: needs.prepare-release.outputs.release_created | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout repository | |
| uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 | |
| with: | |
| submodules: true # Fetch Hugo themes (true OR recursive) | |
| fetch-depth: 0 # Fetch all history for .GitInfo and .Lastmod | |
| - name: Setup Hugo | |
| uses: peaceiris/actions-hugo@75d2e84710de30f6ff7268e08f310b60ef14033f # v3.0.0 | |
| with: | |
| hugo-version: 0.100.1 | |
| extended: true | |
| - name: Setup Node | |
| uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 | |
| with: | |
| node-version: 17.7 | |
| - name: Install mermaid | |
| run: npm install -g @mermaid-js/[email protected] | |
| - name: Setup ruby | |
| uses: ruby/setup-ruby@78c01b705fd9d5ad960d432d3a0cfa341d50e410 # v1.179.1 | |
| with: | |
| ruby-version: 2.7 | |
| - name: Install asciidoctor | |
| run: gem install asciidoctor asciidoctor-diagram asciidoctor-html5s rouge | |
| - name: Install dependencies | |
| working-directory: ./docs | |
| run: npm install | |
| - name: Update version string to new released version | |
| uses: jacobtomlinson/gha-find-replace@a51bbcd94d000df9ca0fcb54ec8be69aad8374b0 # v3 | |
| with: | |
| find: "x-current-version" | |
| replace: "${{ needs.prepare-release.outputs.tag_name }}" | |
| regex: false | |
| include: docs/** | |
| - name: Build documentation | |
| working-directory: ./docs | |
| run: hugo --minify -d ./public | |
| - name: Update uri for redirecting to new version | |
| uses: jacobtomlinson/gha-find-replace@a51bbcd94d000df9ca0fcb54ec8be69aad8374b0 # v3 | |
| with: | |
| find: "x-released-version" | |
| replace: "${{ needs.prepare-release.outputs.tag_name }}" | |
| regex: false | |
| include: docs/** | |
| - name: Update versions JSON document | |
| id: update-version-json | |
| run: | | |
| cat ./docs/versions/data.json | jq '. + [{ "version": "${{ needs.prepare-release.outputs.tag_name }}", "path": "/heimdall/${{ needs.prepare-release.outputs.tag_name }}" }]' | tee ./docs/versions/data.json | |
| - name: Deploy documentation | |
| uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0 | |
| with: | |
| github_token: ${{ secrets.GITHUB_TOKEN }} | |
| publish_dir: ./docs/public | |
| destination_dir: ${{ needs.prepare-release.outputs.tag_name }} | |
| - name: Deploy redirect to new released version | |
| uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0 | |
| with: | |
| github_token: ${{ secrets.GITHUB_TOKEN }} | |
| publish_dir: ./docs/redirect | |
| keep_files: true | |
| - name: Deploy versions JSON document | |
| uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0 | |
| with: | |
| github_token: ${{ secrets.GITHUB_TOKEN }} | |
| publish_dir: ./docs/versions | |
| keep_files: true | |
| - name: Setup GitSign | |
| uses: chainguard-dev/actions/setup-gitsign@e82b4e5ae10182af72972addcb3fedf7454621c8 # main | |
| - name: Create a PR for the updated versions JSON document | |
| if: steps.update-version-json.outcome == 'success' | |
| uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6.0.5 | |
| with: | |
| title: 'chore(${{ github.ref_name }}): Update to data.json to include the new released documentation version' | |
| commit-message: 'chore(${{ github.ref_name }}): Update to data.json to include the new released documentation version' | |
| body: > | |
| data.json updated by the release-documentation job to include the entry | |
| referencing the released ${{ needs.prepare-release.outputs.tag_name }} documentation version | |
| add-paths: | | |
| docs/versions/*.json |