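---
# Publishes the plugin artifacts listed in registry.yaml to ghcr.io as OCI
# artifacts, then signs each published artifact with cosign using the job's
# GitHub OIDC identity (keyless signing).
name: Update OCI Artifacts
on:  # yamllint disable-line rule:truthy
  workflow_dispatch:
jobs:
  publish-oci-artifacts:
    runs-on: ubuntu-latest
    # Least privilege: only the package scope is writable; the token is also
    # handed to the registry tool via REGISTRY_TOKEN below.
    permissions:
      contents: read
      packages: write
    outputs:
      # JSON array produced by the registry tool; consumed as the matrix of
      # the signing job.
      matrix: ${{ steps.oci_build.outputs.REGISTRY_UPDATE_STATUS }}
    steps:
      - name: Checkout Plugins
        # NOTE(review): tag refs are mutable; consider pinning actions to a
        # full commit SHA so an upstream tag move cannot change what runs here.
        uses: actions/checkout@v3
        with:
          # Full history: the registry tool presumably needs tags/commits — confirm.
          fetch-depth: 0
      - name: Setup Golang
        uses: actions/setup-go@v3
        with:
          go-version: '^1.21'
      - name: Build registry artifact tool
        working-directory: build/registry
        run: make
      - name: Upload OCI artifacts to GitHub packages
        id: oci_build
        env:
          REGISTRY: ghcr.io
          REGISTRY_USER: ${{ github.repository_owner }}
          REGISTRY_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          REPO_GITHUB: https://github.com/${{ github.repository_owner }}/plugins.git
        working-directory: build/registry
        run: |
          set -euo pipefail
          # The tool's stdout is the JSON matrix handed to the signing job.
          REGISTRY_UPDATE_STATUS=$(./bin/registry update-oci-registry ../../registry.yaml)
          echo "REGISTRY_UPDATE_STATUS=${REGISTRY_UPDATE_STATUS}" >> "$GITHUB_OUTPUT"
  # Create signatures of the plugin artifacts as OCI artifacts
  sign-oci-artifacts:
    needs: [publish-oci-artifacts]
    runs-on: ubuntu-latest
    # Skip when nothing was published; the empty-string check avoids a
    # fromJson() failure if the tool printed nothing at all.
    if: ${{ needs.publish-oci-artifacts.outputs.matrix != '' && needs.publish-oci-artifacts.outputs.matrix != '[]' }}
    strategy:
      matrix:
        value: ${{ fromJson(needs.publish-oci-artifacts.outputs.matrix) }}
    permissions:
      contents: read
      # Required for keyless (OIDC) signing with cosign.
      id-token: write
      # Required to push the signature artifacts next to the images.
      packages: write
    steps:
      - name: Install Cosign
        # Placeholder: the action ref was garbled in the page capture
        # ("[email protected]"); restore the repository's pinned tag or commit SHA.
        uses: sigstore/cosign-installer@<PINNED_REF>
        with:
          cosign-release: 'v2.1.0'
      - run: cosign version
      - name: Log into ghcr.io
        # NOTE(review): "@master" is a floating branch ref on an action that
        # receives GITHUB_TOKEN; pin it to a release tag or commit SHA.
        uses: docker/login-action@master
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Sign the artifacts with GitHub OIDC Token
        # Matrix values are passed through env rather than interpolated into
        # the shell line, so their content cannot alter the command itself.
        env:
          ARTIFACT_REF: ${{ matrix.value.repository.ref }}
          ARTIFACT_DIGEST: ${{ matrix.value.artifact.digest }}
        run: cosign sign --yes "${ARTIFACT_REF}@${ARTIFACT_DIGEST}"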