chore(actions)(deps): bump chainguard-dev/actions (#74) #185

Workflow file for this run

.github/workflows/unstable.yaml at bea6816

	name: Unstable Release

	on:
	push:
	branches:
	- 'main'
	tags-ignore:
	- '*'
	paths-ignore:
	- 'demo/**'
	- 'docs/**'
	- 'examples/**'
	- 'helm/ggbridge/README.md'
	- 'LICENSE'
	- 'README.md'
	- 'SECURITY.md'
	workflow_dispatch:
	inputs:
	runner:
	description: "Specify the runner to use"
	required: true
	default: "ubuntu-latest"

	permissions:
	contents: read
	packages: write
	attestations: write
	id-token: write

	concurrency:
	group: ${{ github.workflow }}-${{ github.head_ref \|\| github.run_id }}
	cancel-in-progress: true


	jobs:
	build-packages:
	strategy:
	matrix:
	include:
	- os: ubuntu-24.04
	arch: amd64
	- os: ubuntu-24.04-arm
	arch: arm64
	name: Build packages for ${{ matrix.arch }}
	runs-on: ${{ matrix.os }}
	steps:
	- name: Checkout
	uses: actions/checkout@v5

	- name: Set GitHub vars
	id: github
	uses: ./.github/actions/github

	- name: Write Melange Signing Key
	id: melange-signing-key
	shell: bash
	env:
	PUBLIC_KEY_BASE64: ${{ vars.MELANGE_PUBLIC_KEY_BASE64 }}
	SIGNING_KEY_BASE64: ${{ secrets.MELANGE_SIGNING_KEY_BASE64 }}
	run: \|
	mkdir -p ${{ github.workspace }}/packages
	echo -n "$PUBLIC_KEY_BASE64" \| base64 -d > ${{ github.workspace }}/packages/melange.rsa.pub
	echo -n "$SIGNING_KEY_BASE64" \| base64 -d > ${{ github.workspace }}/packages/melange.rsa
	file ${{ github.workspace }}/packages/melange.rsa

	- name: Build packages
	id: apk
	uses: ./.github/actions/melange
	with:
	arch: ${{ steps.github.outputs.arch }}
	signing-key: ${{ github.workspace }}/packages/melange.rsa
	output-dir: ${{ github.workspace }}/packages

	- name: Upload packages
	uses: actions/upload-artifact@v4
	with:
	name: packages-${{ steps.github.outputs.arch }}
	path: ${{ github.workspace }}/packages/${{ steps.github.outputs.arch }}/
	retention-days: 1

	publish:
	strategy:
	matrix:
	include:
	- variant: prod
	tag-suffix: ''
	- variant: shell
	tag-suffix: '-shell'
	name: Publish ${{ matrix.variant }} image
	needs: [build-packages]
	runs-on: ubuntu-24.04
	steps:
	- uses: imjasonh/[email protected]
	- uses: sigstore/cosign-installer@v3

	- name: Checkout
	uses: actions/checkout@v5

	- name: Set GitHub vars
	id: github
	uses: ./.github/actions/github

	- name: Login to GitHub registry
	uses: docker/login-action@v3
	id: login-to-github
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ github.token }}

	- name: Login to DockerHub registry
	uses: docker/login-action@v3
	id: login-to-docker-hub
	with:
	username: ${{ vars.DOCKERHUB_USERNAME }}
	password: ${{ secrets.DOCKERHUB_TOKEN }}

	- name: Write Melange Public Key
	id: melange-public-key
	shell: bash
	env:
	PUBLIC_KEY_BASE64: ${{ vars.MELANGE_PUBLIC_KEY_BASE64 }}
	run: \|
	mkdir -p ${{ github.workspace }}/packages
	echo -n "$PUBLIC_KEY_BASE64" \| base64 -d > ${{ github.workspace }}/packages/melange.rsa.pub

	- name: Download aarch64 packages
	uses: actions/download-artifact@v5
	with:
	name: packages-aarch64
	path: ${{ github.workspace }}/packages/aarch64

	- name: Download x86_64 packages
	uses: actions/download-artifact@v5
	with:
	name: packages-x86_64
	path: ${{ github.workspace }}/packages/x86_64

	- name: Publish image
	id: publish
	uses: ./.github/actions/apko
	with:
	config: 'apko/${{ matrix.variant }}.yaml'
	tag: 'ghcr.io/${{ steps.github.outputs.repository }}:unstable-${{ steps.github.outputs.short-sha }}${{ matrix.tag-suffix }}'
	repository-append: ${{ github.workspace }}/packages
	keyring-append: ${{ github.workspace }}/packages/melange.rsa.pub
	publish: 'true'

	- name: Scan image
	id: scan
	uses: anchore/scan-action@v7
	with:
	image: 'ghcr.io/${{ steps.github.outputs.repository }}:unstable-${{ steps.github.outputs.short-sha }}${{ matrix.tag-suffix }}'
	cache-db: true
	fail-build: 'false'
	severity-cutoff: 'high'
	output-format: 'sarif'

	- name: Sign and Attest
	id: sign
	uses: ./.github/actions/cosign
	with:
	image: 'ghcr.io/${{ steps.github.outputs.repository }}:unstable-${{ steps.github.outputs.short-sha }}${{ matrix.tag-suffix }}'

	- name: Copy image to DockerHub
	id: copy
	shell: bash
	env:
	COSIGN_YES: "true"
	run: \|
	cosign copy \
	--force \
	ghcr.io/${{ steps.github.outputs.repository }}:unstable-${{ steps.github.outputs.short-sha }}${{ matrix.tag-suffix }} \
	docker.io/${{ steps.github.outputs.repository }}:unstable-${{ steps.github.outputs.short-sha }}${{ matrix.tag-suffix }}

	- name: Tag image as unstable
	shell: bash
	run: \|
	crane tag \
	ghcr.io/${{ steps.github.outputs.repository }}:unstable-${{ steps.github.outputs.short-sha }}${{ matrix.tag-suffix }} \
	unstable${{ matrix.tag-suffix }}
	crane tag \
	docker.io/${{ steps.github.outputs.repository }}:unstable-${{ steps.github.outputs.short-sha }}${{ matrix.tag-suffix }} \
	unstable${{ matrix.tag-suffix }}

	publish-chart:
	name: Publish Helm Chart
	needs: [publish]
	runs-on: ubuntu-24.04
	steps:
	- uses: azure/[email protected]

	- name: Checkout
	uses: actions/checkout@v5

	- name: Set GitHub vars
	id: github
	uses: ./.github/actions/github

	- name: Login to GitHub registry
	shell: bash
	run: \|
	echo "${{ secrets.GITHUB_TOKEN }}" \| helm registry login \
	ghcr.io \
	--username ${{ github.actor }} \
	--password-stdin

	- name: Publish Helm chart
	uses: ./.github/actions/helm
	with:
	chart: ${{ github.workspace }}/helm/ggbridge
	version: '0.1.0-${{ github.run_number }}'
	app-version: 'unstable-${{ steps.github.outputs.short-sha }}'
	publish: 'true'
	registry: oci://ghcr.io/${{ steps.github.outputs.repository }}/helm

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

chore(actions)(deps): bump chainguard-dev/actions (#74) #185

Workflow file

chore(actions)(deps): bump chainguard-dev/actions (#74) #185

Uh oh!

Jobs

Run details

Workflow file for this run