docs: readme #5

Summary
Jobs
- skip
- build
- publish
Run details
- Usage
- Workflow file

Workflow file for this run

	name: CI

	permissions:
	contents: read
	pull-requests: read
	actions: read

	env:
	REPO: "sealio"
	VERSION: "${{ github.ref_name }}"
	BUILD_PLATFORMS: "linux/amd64,linux/arm64"
	PARALLELIZE: "false"
	GO_VERSION: "1.21.5"

	defaults:
	run:
	shell: bash

	on:
	push:
	branches:
	- "main"
	- "release/*"
	tags:
	- "v..*"
	pull_request:
	branches:
	- "main"
	- "release/*"
	workflow_dispatch: {}

	jobs:
	skip:
	timeout-minutes: 5
	runs-on: ubuntu-22.04
	permissions:
	contents: read
	pull-requests: read
	actions: write
	outputs:
	should: ${{ steps.duplicate.outputs.should_skip }}
	steps:
	- name: Check Duplicate
	id: duplicate
	uses: fkirc/skip-duplicate-actions@v5
	with:
	github_token: "${{ github.token }}"
	paths_ignore: '[".md", ".mdx", ".png", ".jpg"]'
	do_not_skip: '["workflow_dispatch"]'
	continue-on-error: true

	build:
	needs:
	- skip
	if: needs.skip.outputs.should != 'true'
	timeout-minutes: 60
	runs-on: ubuntu-22.04
	steps:
	- name: Checkout
	uses: actions/checkout@v3
	with:
	# checkout the whole histories for commitsar,
	# currently commitsar needs full git objects to work correctly.
	fetch-depth: 0
	persist-credentials: false
	- name: Setup Go
	timeout-minutes: 15
	uses: actions/setup-go@v4
	with:
	go-version: "${{ env.GO_VERSION }}"
	cache-dependency-path: \|
	**/go.sum
	- name: Setup Toolbox
	timeout-minutes: 5
	uses: actions/cache@v3
	with:
	# restore/save service binaries, e.g. goimports, golangci-lint, commitsar.
	key: toolbox-${{ runner.os }}
	path: \|
	${{ github.workspace }}/.sbin
	- name: Build
	run: make ci
	env:
	LINT_DIRTY: "true"
	PACKAGE_BUILD: "false"
	- name: Archive Publish Result
	uses: actions/cache/save@v3
	with:
	# save package resources, e.g. go build result, downloaded UI, entrypoint script.
	key: archive-${{ runner.os }}-${{ github.sha }}
	path: \|
	${{ github.workspace }}/.dist/package

	publish:
	needs:
	- build
	- skip
	if: needs.skip.outputs.should != 'true'
	permissions:
	contents: write
	actions: read
	id-token: write
	timeout-minutes: 60
	runs-on: ubuntu-22.04
	strategy:
	matrix:
	include:
	- target: hermitcrab
	task: server
	steps:
	- name: Checkout
	uses: actions/checkout@v3
	with:
	fetch-depth: 1
	persist-credentials: false
	- name: Setup QEMU
	uses: docker/setup-qemu-action@v2
	with:
	image: tonistiigi/binfmt:qemu-v7.0.0
	platforms: "arm64"
	- name: Setup Buildx
	uses: docker/setup-buildx-action@v2
	- name: Login DockerHub
	if: ${{ github.event_name != 'pull_request' }}
	uses: docker/login-action@v2
	with:
	username: ${{ secrets.CI_DOCKERHUB_USERNAME }}
	password: ${{ secrets.CI_DOCKERHUB_PASSWORD }}
	- name: Unarchive Publish Result
	timeout-minutes: 5
	uses: actions/cache/restore@v3
	with:
	# restore package resources, e.g. go build result, downloaded UI, entrypoint script.
	key: archive-${{ runner.os }}-${{ github.sha }}
	path: \|
	${{ github.workspace }}/.dist/package
	- name: Get Metadata
	id: metadata
	uses: docker/metadata-action@v4
	with:
	images: ${{ env.REPO }}/${{ matrix.target }}
	- name: Package
	uses: docker/build-push-action@v4
	id: package
	with:
	push: ${{ github.event_name != 'pull_request' }}
	file: .dist/package/${{ matrix.target }}/${{ matrix.task }}/image/Dockerfile
	context: .dist/package/${{ matrix.target }}/${{ matrix.task }}/
	platforms: ${{ env.BUILD_PLATFORMS }}
	tags: ${{ steps.metadata.outputs.tags }}
	labels: ${{ steps.metadata.outputs.labels }}
	# configure build cache,
	# ref to https://github.com/moby/buildkit/tree/v0.11.5#registry-push-image-and-cache-separately.
	cache-from: \|
	type=registry,ref=${{ env.REPO }}/build-cache:${{ matrix.target }}-${{ matrix.task }}
	cache-to: \|
	${{ github.event_name != 'pull_request' && format('type=registry,mode=max,oci-mediatypes=false,compression=gzip,ref={0}/build-cache:{1}-{2},ignore-error=true', env.REPO, matrix.target, matrix.task) \|\| '' }}
	no-cache-filters: \|
	fetch
	- name: Setup Cosign
	if: ${{ github.event_name != 'pull_request' }}
	uses: sigstore/[email protected]
	with:
	cosign-release: v2.0.0
	- name: Prove
	if: ${{ github.event_name != 'pull_request' }}
	run: \|
	set -euo pipefail

	# login
	cosign login "docker.io" -u "${DOCKERHUB_USERNAME}" -p "${DOCKERHUB_PASSWORD}"

	# prove
	curl -o slsa-generator --retry 3 --retry-all-errors --retry-delay 3 -sSfL \
	"https://github.com/slsa-framework/slsa-github-generator/releases/download/${SLSA_GITHUB_GENERATOR_VERSION}/${SLSA_GITHUB_GENERATOR}"
	chmod a+x slsa-generator
	predicate_name="predicate.json"
	./slsa-generator generate --predicate="${predicate_name}"
	cosign attest --predicate="${predicate_name}" \
	--type slsaprovenance \
	--yes \
	"${UNTRUSTED_IMAGE}@${UNTRUSTED_DIGEST}"
	env:
	COSIGN_EXPERIMENTAL: "1"
	SLSA_GITHUB_GENERATOR: "slsa-generator-container-linux-amd64"
	SLSA_GITHUB_GENERATOR_VERSION: "v1.5.0"
	GITHUB_CONTEXT: "${{ toJSON(github) }}"
	UNTRUSTED_IMAGE: "${{ env.REPO }}/${{ matrix.target }}"
	UNTRUSTED_DIGEST: "${{ steps.package.outputs.digest }}"
	DOCKERHUB_USERNAME: "${{ secrets.CI_DOCKERHUB_USERNAME }}"
	DOCKERHUB_PASSWORD: "${{ secrets.CI_DOCKERHUB_PASSWORD }}"
	continue-on-error: true

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

docs: readme #5

Workflow file

docs: readme #5

Jobs

Run details

Workflow file for this run