release #308

Workflow file for this run

.github/workflows/release.yml at baacf62

	name: release

	on:
	schedule:
	- cron: '20 10 * * *'
	push:
	tags:
	- "v*"
	branches:
	- main
	## uncomment if you want to release on PR merge
	# pull_request:
	# branches:
	# - main

	concurrency:
	group: ${{ github.workflow }}-${{ github.ref }}
	cancel-in-progress: false

	permissions: {}

	jobs:
	docker-publish:
	outputs:
	digest: ${{ steps.build-and-push.outputs.digest }}
	runs-on: ubuntu-latest
	permissions:
	contents: write
	packages: write
	id-token: write # sign archives with cosign
	steps:
	- name: Checkout repository
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
	with:
	persist-credentials: false
	fetch-depth: 0
	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
	- name: Install Cosign
	uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
	- name: Login to GitHub Container Registry
	uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}
	- name: Extract Docker metadata
	id: meta
	uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
	with:
	images: ghcr.io/${{ github.repository }}
	tags: \|
	# set latest tag for default branch
	type=raw,value=latest,enable={{is_default_branch}}
	# tag
	type=ref,event=tag
	# If pull request event
	type=ref,event=pr
	- name: Build and push Docker image
	id: build-and-push
	uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
	with:
	context: .
	tags: ${{ steps.meta.outputs.tags }}
	push: true
	labels: ${{ steps.meta.outputs.labels }}
	cache-from: type=gha
	cache-to: type=gha,mode=max
	- name: Syft SBOM generation
	uses: anchore/sbom-action@da167eac915b4e86f08b264dbdbc867b61be6f0c # v0.20.5
	with:
	image: ghcr.io/natrontech/gcp-mysql-backup@${{ steps.build-and-push.outputs.digest }}
	format: cyclonedx-json
	output-file: gcp-mysql-backup-bom.cdx.json
	upload-artifact: false
	upload-release-assets: false
	- name: Cosign sign image
	# env:
	# COSIGN_REPOSITORY: ghcr.io/${{ github.repository_owner }}/signatures
	run: \|
	set -e
	cosign sign --yes \
	-a "repo=${{ github.repository }}" \
	-a "workflow=${{ github.workflow }}" \
	-a "ref=${{ github.sha }}" \
	ghcr.io/natrontech/gcp-mysql-backup@${{ steps.build-and-push.outputs.digest }}
	- name: Cosign sign sbom
	# env:
	# COSIGN_REPOSITORY: ghcr.io/${{ github.repository_owner }}/sbom
	run: \|
	cosign attest --yes \
	--predicate ./gcp-mysql-backup-bom.cdx.json \
	--type cyclonedx \
	--oidc-provider github-actions \
	ghcr.io/natrontech/gcp-mysql-backup@${{ steps.build-and-push.outputs.digest }}

	image-provenance:
	needs: [docker-publish]
	permissions:
	actions: read
	id-token: write
	packages: write
	# MUST be referenced by tag (see https://github.com/slsa-framework/slsa-github-generator/?tab=readme-ov-file#referencing-slsa-builders-and-generators)
	uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
	with:
	image: ghcr.io/${{ github.repository_owner }}/gcp-mysql-backup
	digest: ${{ needs.docker-publish.outputs.digest }}
	registry-username: ${{ github.actor }}
	provenance-registry-username: ${{ github.actor }}
	#provenance-repository: ghcr.io/${{ github.repository_owner }}/signatures
	secrets:
	registry-password: ${{ secrets.GITHUB_TOKEN }}
	provenance-registry-password: ${{ secrets.GITHUB_TOKEN }}

	verification-with-cosign:
	needs: [docker-publish, image-provenance]
	runs-on: ubuntu-latest
	permissions: read-all
	steps:
	- name: Checkout repository
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
	with:
	persist-credentials: false
	fetch-depth: 0

	- name: Login
	uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Install Cosign
	uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2

	- name: Verify provenance of image
	env:
	IMAGE: ghcr.io/${{ github.repository_owner }}/gcp-mysql-backup
	DIGEST: ${{ needs.docker-publish.outputs.digest }}
	REPOSITORY: ${{ github.repository_owner }}
	run: \|
	cosign verify-attestation \
	--type slsaprovenance \
	--certificate-oidc-issuer https://token.actions.githubusercontent.com \
	--certificate-identity-regexp '^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+$' \
	--policy policy.cue \
	$IMAGE@$DIGEST

	- name: Verify signature of image
	env:
	IMAGE: ghcr.io/${{ github.repository_owner }}/gcp-mysql-backup
	DIGEST: ${{ needs.docker-publish.outputs.digest }}
	REPOSITORY: ${{ github.repository_owner }}
	run: \|
	cosign verify \
	--certificate-oidc-issuer https://token.actions.githubusercontent.com \
	--certificate-identity-regexp '^https://github.com/natrontech/gcp-mysql-backup/.github/workflows/release.yml@refs/.*$' \
	$IMAGE@$DIGEST

	- name: Verify sbom of image
	env:
	IMAGE: ghcr.io/${{ github.repository_owner }}/gcp-mysql-backup
	DIGEST: ${{ needs.docker-publish.outputs.digest }}
	REPOSITORY: ${{ github.repository_owner }}
	run: \|
	cosign verify-attestation \
	--type cyclonedx \
	--certificate-oidc-issuer https://token.actions.githubusercontent.com \
	--certificate-identity-regexp '^https://github.com/natrontech/gcp-mysql-backup/.github/workflows/release.yml@refs/.*$' \
	$IMAGE@$DIGEST

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

release #308

Workflow file

release #308

Uh oh!

Jobs

Run details

Workflow file for this run