Skip to content
Container

ci: renovate skip digest and fix cosign command #1737

Sign in to view logs

ci: renovate skip digest and fix cosign command

ci: renovate skip digest and fix cosign command #1737

Workflow file for this run

.github/workflows/container.yml at c7630c6
name: Container
on:
push:
branches:
- main
- release-*
pull_request:
branches:
- main
- release-*
concurrency:
group: ${{ github.workflow }}-${{ github.event.number || github.ref }}
cancel-in-progress: true
env:
GORELEASER_VERSION: "~> v2"
IMAGE_NAME: ghcr.io/parca-dev/parca-load
jobs:
skip-check:
name: Skip check
continue-on-error: true
runs-on: ubuntu-latest
timeout-minutes: 10
outputs:
should_skip: ${{ steps.skip-check.outputs.should_skip }}
permissions:
actions: write
contents: read
steps:
- id: skip-check
uses: fkirc/skip-duplicate-actions@v5
with:
do_not_skip: '["schedule", "workflow_dispatch"]'
paths: |-
[
"**.go",
".github/workflows/container.yml",
"Dockerfile",
"go.mod",
"go.sum"
]
skip_after_successful_duplicate: false
build-binary:
name: Build binary using goreleaser
needs: skip-check
runs-on: ubuntu-latest
timeout-minutes: 45
if: ${{ needs.skip-check.outputs.should_skip != 'true' }}
steps:
- name: Check out code into the Go module directory
uses: actions/checkout@v6
with:
fetch-depth: 0
- name: Set up Go
uses: actions/setup-go@v6
with:
go-version-file: 'go.mod'
check-latest: true
cache: true
- name: Build binaries
uses: goreleaser/goreleaser-action@v6
with:
distribution: goreleaser
version: ${{ env.GORELEASER_VERSION }}
args: build --clean --skip=validate --snapshot --verbose
- name: Archive generated artifacts
uses: actions/upload-artifact@v4
with:
name: parca-load-dist-container
if-no-files-found: error
path: |
dist
!dist/*.txt
build-and-push-container:
name: Container build and push (when merged)
needs: build-binary
runs-on: ubuntu-latest
timeout-minutes: 30
container:
# https://github.com/containers/podman/tree/main/contrib/podmanimage
image: quay.io/containers/podman:v4.9.4
options: >-
--device /dev/fuse:rw
--privileged
--security-opt label=disable
--security-opt seccomp=unconfined
permissions:
id-token: write
packages: write
contents: read
steps:
- name: Install dependencies
run: dnf install --assumeyes --repo fedora jq
- name: Check out code into the Go module directory
uses: actions/checkout@v6
- uses: actions/download-artifact@v4
with:
name: parca-load-dist-container
path: dist
- name: Set build environment variables
shell: bash
run: |
BRANCH_NAME="$(tr / - <<< "${GITHUB_REF#refs/heads/}")"
COMMIT="${GITHUB_SHA:0:8}"
echo "BRANCH_NAME=${BRANCH_NAME}" >> $GITHUB_ENV
echo "COMMIT=${COMMIT}" >> $GITHUB_ENV
echo "IMAGE_TAG=${BRANCH_NAME}-${COMMIT}" >> $GITHUB_ENV
- name: Build container
run: podman build --platform linux/amd64,linux/arm64 --timestamp 0 --manifest "${IMAGE_NAME}:${IMAGE_TAG}" .
- name: Check images created
run: >-
[ -n "$(podman images --noheading --filter="reference=${IMAGE_NAME}:${IMAGE_TAG}")" ]
- name: Install cosign
if: ${{ github.event_name != 'pull_request' }}
uses: sigstore/cosign-installer@v3
- name: Install crane
if: ${{ github.event_name != 'pull_request' }}
uses: imjasonh/[email protected]
- name: Login to registry
if: ${{ github.event_name != 'pull_request' }}
run: |
echo "${{ secrets.GITHUB_TOKEN }}" | podman login -u parca-dev --password-stdin ghcr.io
- name: Push and sign container
if: ${{ github.event_name != 'pull_request' }}
env:
COSIGN_EXPERIMENTAL: true
run: |
podman manifest push --all "${IMAGE_NAME}:${IMAGE_TAG}" "docker://${IMAGE_NAME}:${IMAGE_TAG}"
crane digest "${IMAGE_NAME}:${IMAGE_TAG}"
cosign sign -y -a "GIT_HASH=${COMMIT}" -a "GIT_VERSION=${IMAGE_TAG}" ghcr.io/parca-dev/parca-load@$(crane digest "${IMAGE_NAME}:${IMAGE_TAG}")