Skip to content

chore: Prepare v0.16.0 release (#456) #392

chore: Prepare v0.16.0 release (#456)

chore: Prepare v0.16.0 release (#456) #392

Workflow file for this run

name: pre-release
on:
workflow_dispatch: # used for testing
push:
branches:
- main
permissions:
contents: write
packages: write
id-token: write
jobs:
pre-release:
runs-on: ubuntu-latest
timeout-minutes: 360
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: block
allowed-endpoints: >
auth.docker.io:443
fulcio.sigstore.dev:443
ghcr.io:443
github.com:443
*.githubusercontent.com:443
pkg-containers.githubusercontent.com:443
production.cloudflare.docker.com:443
proxy.golang.org:443
registry-1.docker.io:443
rekor.sigstore.dev:443
storage.googleapis.com:443
tuf-repo-cdn.sigstore.dev:443
sum.golang.org:443
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-tags: true
fetch-depth: 0
- name: Install Cosign
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
- name: Login to GHCR
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set LDFLAGS
run: |
set -x
GIT_COMMIT=$(git rev-list --abbrev-commit --tags --max-count=1)
GIT_TAG=$(git describe --abbrev=0 --tags ${GIT_COMMIT} 2>/dev/null)
echo LDFLAGS="-X github.com/sozercan/aikit/pkg/version.Version=${GIT_TAG}" >> $GITHUB_ENV
- name: Build and push
uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
id: build-and-push
with:
push: true
tags: ghcr.io/sozercan/aikit:dev
cache-from: type=gha,scope=aikit
cache-to: type=gha,scope=aikit,mode=max
sbom: true
provenance: true
build-args: |
LDFLAGS=${{ env.LDFLAGS }}
platforms: linux/amd64,linux/arm64
env:
LDFLAGS: ${{ env.LDFLAGS }}
- name: Sign the images with GitHub OIDC Token
env:
DIGEST: ${{ steps.build-and-push.outputs.digest }}
run: cosign sign --yes "ghcr.io/sozercan/aikit@${DIGEST}"
- name: Verify image signature
env:
DIGEST: ${{ steps.build-and-push.outputs.digest }}
run: |
cosign verify ghcr.io/sozercan/aikit@${DIGEST} \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity https://github.com/sozercan/aikit/.github/workflows/pre-release.yaml@refs/heads/main