Build and deploy with evidence #4
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build and deploy with evidence | |
| on: | |
| [workflow_dispatch] | |
| permissions: | |
| id-token: write | |
| contents: read | |
| jobs: | |
| Docker-build-with-evidence: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Install jfrog cli | |
| uses: jfrog/setup-jfrog-cli@v4 | |
| env: | |
| JF_URL: ${{ vars.ARTIFACTORY_URL }} | |
| JF_ACCESS_TOKEN: ${{ secrets.ARTIFACTORY_ACCESS_TOKEN }} | |
| - uses: actions/checkout@v4 | |
| - name: Log in to Artifactory Docker Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ vars.ARTIFACTORY_URL }} | |
| username: ${{ secrets.JF_USER }} | |
| password: ${{ secrets.ARTIFACTORY_ACCESS_TOKEN }} | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| with: | |
| platforms: linux/amd64,linux/arm64 | |
| install: true | |
| - name: Build Docker image | |
| run: | | |
| URL=$(echo ${{ vars.ARTIFACTORY_URL }} | sed 's|^https://||') | |
| REPO_URL=${URL}'/example-project-docker-dev-virtual' | |
| docker build --build-arg REPO_URL=${REPO_URL} -f Dockerfile . \ | |
| --tag ${REPO_URL}/example-project-app:${{ github.run_number }} \ | |
| --output=type=image --platform linux/amd64 --metadata-file=build-metadata --push | |
| jfrog rt build-docker-create example-project-docker-dev --image-file build-metadata --build-name ${{ vars.BUILD_NAME }} --build-number ${{ github.run_number }} | |
| - name: Evidence on docker | |
| run: | | |
| echo '{ "actor": "${{ github.actor }}", "date": "'$(date -u +"%Y-%m-%dT%H:%M:%SZ")'" }' > sign.json | |
| jf evd create --package-name example-project-app --package-version 65 --package-repo-name example-project-docker-dev-local \ | |
| --key "${{ secrets.PRIVATE_KEY }}" --key-alias cosign-pub \ | |
| --predicate ./sign.json --predicate-type https://jfrog.com/evidence/signature/v1 | |
| echo 'π Evidence attached: `signature` π ' | |
| - name: Upload readme file | |
| run: | | |
| jf rt upload ./README.md example-project-generic-dev/readme/${{ github.run_number }}/ --build-name ${{ vars.BUILD_NAME }} --build-number ${{ github.run_number }} | |
| jf evd create --subject-repo-path example-project-generic-dev/readme/${{ github.run_number }}/README.md \ | |
| --key "${{ secrets.PRIVATE_KEY }}" --key-alias cosign-pub \ | |
| --predicate ./sign.json --predicate-type https://jfrog.com/evidence/signature/v1 | |
| - name: Publish build info | |
| run: jfrog rt build-publish ${{ vars.BUILD_NAME }} ${{ github.run_number }} | |
| - name: Sign build evidence | |
| run: | | |
| echo '{ "actor": "${{ github.actor }}", "date": "'$(date -u +"%Y-%m-%dT%H:%M:%SZ")'" }' > sign.json | |
| jf evd create --build-name ${{ vars.BUILD_NAME }} --build-number ${{ github.run_number }} \ | |
| --predicate ./sign.json --predicate-type https://jfrog.com/evidence/build-signature/v1 \ | |
| --key "${{ secrets.PRIVATE_KEY }}" --key-alias cosign-pub | |
| echo 'π Evidence attached: `build-signature` π ' >> $GITHUB_STEP_SUMMARY | |
| - name: Create release bundle | |
| run: | | |
| echo '{ "files": [ {"build": "'"${{ vars.BUILD_NAME }}/${{ github.run_number }}"'" } ] }' > bundle-spec.json | |
| jf release-bundle-create ${{ vars.BUNDLE_NAME }} ${{ github.run_number }} --signing-key PGP-RSA-2048 --spec bundle-spec.json --sync=true | |
| NAME_LINK=${{ vars.ARTIFACTORY_URL }}'/ui/artifactory/lifecycle/?bundleName='${{ vars.BUNDLE_NAME }}'&bundleToFlash='${{ vars.BUNDLE_NAME }}'&repositoryKey=example-project-release-bundles-v2&activeKanbanTab=promotion' | |
| VER_LINK=${{ vars.ARTIFACTORY_URL }}'/ui/artifactory/lifecycle/?bundleName='${{ vars.BUNDLE_NAME }}'&bundleToFlash='${{ vars.BUNDLE_NAME }}'&releaseBundleVersion='${{ github.run_number }}'&repositoryKey=example-project-release-bundles-v2&activeVersionTab=Version%20Timeline&activeKanbanTab=promotion' | |
| echo 'π¦ Release bundle ['${{ vars.BUNDLE_NAME }}']('${NAME_LINK}'):['${{ github.run_number }}']('${VER_LINK}') created' >> $GITHUB_STEP_SUMMARY | |
| Promote-to-qa-and-test: | |
| needs: Docker-build-with-evidence | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Install jfrog cli | |
| uses: jfrog/setup-jfrog-cli@v4 | |
| env: | |
| JF_URL: ${{ vars.ARTIFACTORY_URL }} | |
| JF_ACCESS_TOKEN: ${{ secrets.ARTIFACTORY_ACCESS_TOKEN }} | |
| - name: Promote to QA | |
| run: | | |
| jf release-bundle-promote ${{ vars.BUNDLE_NAME }} ${{ github.run_number }} QA --signing-key PGP-RSA-2048 --sync=true | |
| echo "π Succesfully promote to `QA` environemnt" >> $GITHUB_STEP_SUMMARY | |
| - name: Evidence on release-bundle | |
| run: | | |
| echo '{ "actor": "${{ github.actor }}", "date": "'$(date -u +"%Y-%m-%dT%H:%M:%SZ")'" }' > rbv2_evidence.json | |
| JF_LINK=${{ vars.ARTIFACTORY_URL }}'/ui/artifactory/lifecycle/?bundleName='${{ vars.BUNDLE_NAME }}'&bundleToFlash='${{ vars.BUNDLE_NAME }}'&releaseBundleVersion='${{ github.run_number }}'&repositoryKey=release-bundles-v2&activeVersionTab=Version%20Timeline&activeKanbanTab=promotion' | |
| echo 'Test on Release bundle ['${{ vars.BUNDLE_NAME }}':'${{ github.run_number }}']('${JF_LINK}') success' >> $GITHUB_STEP_SUMMARY | |
| jf evd create --release-bundle ${{ vars.BUNDLE_NAME }} --release-bundle-version ${{ github.run_number }} \ | |
| --predicate ./rbv2_evidence.json --predicate-type https://jfrog.com/evidence/rbv2-signature/v1 \ | |
| --key "${{ secrets.PRIVATE_KEY }}" --key-alias cosign-pub | |
| echo 'π Evidence attached: integration-test π§ͺ ' >> $GITHUB_STEP_SUMMARY |