Skip to content

release

release #999

Workflow file for this run

name: Release
on:
repository_dispatch:
workflow_dispatch:
push:
branches:
- main
paths-ignore:
- "CONTRIBUTING.md"
- "README.md"
- ".github/**"
- ".gitignore"
- ".pre-commit-config.yaml"
permissions: read-all
env:
PYTHON_VERSION: "3.11"
jobs:
update-checkov:
runs-on: [self-hosted, public, linux, x64]
permissions:
contents: write
outputs:
version: ${{ steps.version.outputs.version }}
major_version: ${{ steps.version.outputs.major_version }}
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4
with:
python-version: ${{ env.PYTHON_VERSION }}
cache: "pipenv"
cache-dependency-path: "Pipfile.lock"
- name: Get latest checkov version tag
id: version
run: |
version=$(curl -s curl -s https://api.github.com/repos/bridgecrewio/checkov/tags | jq -r '.[0].name')
echo "version=$version" >> "$GITHUB_OUTPUT"
# grab major version for later image tag usage
major_version=$(echo "${version}" | head -c1)
echo "major_version=$major_version" >> "$GITHUB_OUTPUT"
- name: Update checkov dependency
run: |
# install needed tools
python -m pip install --no-cache-dir --upgrade pipenv
# remove venv, if exists
pipenv --rm || true
# update Pipfile
pipenv --python ${{ env.PYTHON_VERSION }}
pipenv install checkov==${{ steps.version.outputs.version }}
pipenv lock
- uses: stefanzweifel/git-auto-commit-action@8756aa072ef5b4a080af5dc8fef36c5d586e521d # v4
with:
commit_message: Bump checkov version to ${{ steps.version.outputs.version }} [skip ci]
tagging_message: ${{ steps.version.outputs.version }}
publish-image:
needs: update-checkov
runs-on: [self-hosted, public, linux, x64]
environment: release
permissions:
contents: write
packages: write
id-token: write # Enable OIDC
env:
DH_IMAGE_NAME: bridgecrew/whorf
GHCR_IMAGE_NAME: ghcr.io/${{ github.repository }}
FULL_IMAGE_TAG: ${{ needs.update-checkov.outputs.version }}
SHORT_IMAGE_TAG: ${{ needs.update-checkov.outputs.major_version }}
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
ref: main
- uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3
- uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3 # needed for self-hosted builds
- name: Login to Docker Hub
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_PASSWORD }}
- name: Login to GitHub Container Registry
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and export image to Docker
# buildx changes the driver to 'docker-container' which doesn't expose the image to the host,
# so it is built and loaded to Docker and in the next step pushed to the registry
uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
with:
context: .
no-cache: true
load: true
tags: ${{ env.DH_IMAGE_NAME }}:${{ env.FULL_IMAGE_TAG }}
- name: Push Docker image
id: docker_push
uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
with:
context: .
push: true
tags: |
${{ env.DH_IMAGE_NAME }}:latest
${{ env.DH_IMAGE_NAME }}:${{ env.SHORT_IMAGE_TAG }}
${{ env.DH_IMAGE_NAME }}:${{ env.FULL_IMAGE_TAG }}
${{ env.GHCR_IMAGE_NAME }}:latest
${{ env.GHCR_IMAGE_NAME }}:${{ env.SHORT_IMAGE_TAG }}
${{ env.GHCR_IMAGE_NAME }}:${{ env.FULL_IMAGE_TAG }}
- name: Generate SBOM
continue-on-error: true
uses: bridgecrewio/checkov-action@master # use latest and greatest
with:
api-key: ${{ secrets.BC_API_KEY }}
docker_image: ${{ env.DH_IMAGE_NAME }}:${{ env.FULL_IMAGE_TAG }}
dockerfile_path: Dockerfile
output_format: cyclonedx_json
output_file_path: cyclonedx.json,
- name: Sign and attest image
run: |
# sign image
cosign sign -y ${{ env.GHCR_IMAGE_NAME }}@${{ steps.docker_push.outputs.digest }}
# attest SBOM
cosign attest -y \
--type cyclonedx \
--predicate cyclonedx.json \
${{ env.DH_IMAGE_NAME }}@${{ steps.docker_push.outputs.digest }}
cosign attest -y \
--type cyclonedx \
--predicate cyclonedx.json \
${{ env.GHCR_IMAGE_NAME }}@${{ steps.docker_push.outputs.digest }}
- name: Update deployment
uses: jacobtomlinson/gha-find-replace@a51bbcd94d000df9ca0fcb54ec8be69aad8374b0 # v3
with:
find: "image: bridgecrew/whorf@sha256:[a-f0-9]{64}"
replace: "image: ${{ env.DH_IMAGE_NAME }}@${{ steps.docker_push.outputs.digest }}"
include: "k8s/deployment.yaml"
- uses: stefanzweifel/git-auto-commit-action@8756aa072ef5b4a080af5dc8fef36c5d586e521d # v4
with:
commit_message: update k8s deployment [skip ci]
file_pattern: k8s/*.yaml