diff --git a/.github/workflows/os.yml b/.github/workflows/os.yml index 1eccb57..10e0f8c 100644 --- a/.github/workflows/os.yml +++ b/.github/workflows/os.yml @@ -1,42 +1,32 @@ name: os -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - on: schedule: - - cron: '0 5 8,18,28 * *' # 5 am three times every month + - cron: '0 5 8,18,28 * *' push: paths: - - 'Dockerfile' - - 'etc/**' - - 'usr/**' - - 'repo/**' + - 'Dockerfile' + - 'etc/**' + - 'usr/**' + - 'repo/**' + - '.github/workflows/os.yml' + workflow_dispatch: env: - # Use docker.io for Docker Hub if empty REGISTRY: ghcr.io - # github.repository as / IMAGE_NAME: ${{ github.repository }} - IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} - jobs: build: - runs-on: ubuntu-latest permissions: contents: read packages: write - # This is used to complete the identity challenge - # with sigstore/fulcio when running outside of PRs. - id-token: write + id-token: write # Påkrævet til cosign keyless signering steps: - name: Maximize build space - uses: AdityaGarg8/remove-unwanted-software@v1 + uses: AdityaGarg8/remove-unwanted-software@v5 with: remove-dotnet: 'true' remove-android: 'true' @@ -44,72 +34,62 @@ jobs: - name: Get current date id: date - run: echo "::set-output name=date::$(date +'%Y%m%d')" - - - name: Test with environment variables - run: echo $DATE - env: - DATE: ${{ steps.date.outputs.date }} + run: echo "date=$(date +'%Y%m%d')" >> $GITHUB_OUTPUT - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 - # Install the cosign tool except on PR - # https://github.com/sigstore/cosign-installer - - name: Install cosign - if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 #v3.1.1 - with: - cosign-release: 'v2.1.1' - - # Workaround: https://github.com/docker/build-push-action/issues/461 - - name: Setup Docker buildx - uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf - - # Login against a Docker registry except on PR - # https://github.com/docker/login-action - - name: Log into registry ${{ env.REGISTRY }} - if: github.event_name != 'pull_request' - uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c - with: - registry: ${{ env.REGISTRY }} - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - # Extract metadata (tags, labels) for Docker - # https://github.com/docker/metadata-action - name: Extract Docker metadata id: meta - uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38 + uses: docker/metadata-action@v5 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + # Vi konstruerer tags her med branch-navnet som præfiks + tags: | + type=ref,event=branch + type=raw,value=latest,enable={{is_default_branch}} + type=raw,value=${{ github.ref_name }}-10 + type=raw,value=${{ github.ref_name }}-10.${{ steps.date.outputs.date }} - # Build and push Docker image with Buildx (don't push on PR) - # https://github.com/docker/build-push-action - - name: Build and push Docker image - id: build-and-push - uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a - with: - context: . - push: ${{ github.event_name != 'pull_request' }} - tags: ${{ steps.meta.outputs.tags }}, ${{ steps.meta.outputs.tags }}-10, ${{ steps.meta.outputs.tags }}-10.${{ steps.date.outputs.date }} - # labels: ${{ steps.meta.outputs.labels }} - cache-from: type=gha - cache-to: type=gha,mode=max - squash: true + - name: Log into GHCR + if: github.event_name != 'pull_request' + run: | + buildah login -u ${{ github.actor }} -p ${{ secrets.GITHUB_TOKEN }} ${{ env.REGISTRY }} + - name: Build image with Buildah + id: build-image + run: | + # Vi bygger med 'raw-img' lokalt + buildah bud \ + --label "org.opencontainers.image.source=https://github.com/${{ github.repository }}" \ + -t raw-img . - # Sign the resulting Docker image digest except on PRs. - # This will only write to the public Rekor transparency log when the Docker - # repository is public to avoid leaking data. If you would like to publish - # transparency data even for private images, pass --force to cosign below. - # https://github.com/sigstore/cosign - - name: Sign the published Docker image - if: ${{ github.event_name != 'pull_request' }} - env: - # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable - TAGS: ${{ steps.meta.outputs.tags }} - DIGEST: ${{ steps.build-and-push.outputs.digest }} - # This step uses the identity token to provision an ephemeral certificate - # against the sigstore community Fulcio instance. - run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} + # Gem det primære tag til signering (vi tager det første fra listen) + PRIMARY_TAG=$(echo "${{ steps.meta.outputs.tags }}" | head -n 1) + echo "primary_tag=$PRIMARY_TAG" >> $GITHUB_OUTPUT + + - name: Push to GHCR + if: github.event_name != 'pull_request' + run: | + for tag in $(echo "${{ steps.meta.outputs.tags }}"); do + echo "Tagging and pushing: $tag" + buildah tag raw-img "$tag" + buildah push "$tag" + done + + - name: Install cosign + if: github.event_name != 'pull_request' + uses: sigstore/cosign-installer@v3.3.0 + + # VI TILFØJER LOGIN TIL COSIGN HER + - name: Log into GHCR (Cosign) + if: github.event_name != 'pull_request' + run: | + cosign login ${{ env.REGISTRY }} -u ${{ github.actor }} -p ${{ secrets.GITHUB_TOKEN }} + + - name: Sign image + if: github.event_name != 'pull_request' + run: | + # Vi signerer det primære tag. + # Vi bruger --yes til at acceptere betingelserne automatisk. + cosign sign --yes "${{ steps.build-image.outputs.primary_tag }}"