amp-devcontainer/.github/workflows/build-push.yml at 41da09a2d69075b7584391a6e829f7e9a4226054 · philips-software/amp-devcontainer · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
---
name: Build & Push

on:
  merge_group:
  pull_request:
  push:
    tags: ["v*.*.*"]
  workflow_dispatch:

concurrency:
  group: ${{ github.ref }}-${{ github.workflow }}
  cancel-in-progress: true

permissions:
  contents: read

env:
  REGISTRY: ghcr.io

jobs:
  build-push:
    runs-on: ubuntu-latest
    permissions:
      attestations: write
      # dependency-submission needs contents write permission.
      contents: write
      # attest-build-provenance needs id-token write permission.
      id-token: write
      packages: write
      pull-requests: write
    strategy:
      matrix:
        flavor: ["cpp", "rust"]
    steps:
      - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
        with:
          egress-policy: audit
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false
      - uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
      - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        if: github.event_name != 'merge_group'
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
        if: matrix.flavor == 'cpp'
        id: buildkit-cache
        with:
          path: root-ccache
          key: buildkit-cache-${{ github.run_id }}
          restore-keys: |
            buildkit-cache
      - uses: reproducible-containers/buildkit-cache-dance@653a570f730e3b9460adc576db523788ba59a0d7 # v3.2.0
        if: matrix.flavor == 'cpp'
        with:
          cache-map: |
            {
              "root-ccache": "/root/.ccache"
            }
          skip-extraction: ${{ steps.buildkit-cache.outputs.cache-hit }}
      - uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
        id: metadata
        env:
          DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
        with:
          images: ${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}
          # Generate Docker tags based on the following events/attributes
          tags: |
            type=raw,value=latest,enable={{is_default_branch}}
            type=ref,event=pr
            type=semver,pattern={{raw}}
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{major}}
      # Generate image LABEL for devcontainer.metadata
      # the sed expression is a workaround for quotes being eaten in arrays (e.g. ["x", "y", "z"] -> ["x",y,"z"])
      - run: echo "metadata=$(jq -cj '[.]' .devcontainer/${{ matrix.flavor }}/devcontainer-metadata-vscode.json | sed 's/,"/, "/g')" >> "$GITHUB_OUTPUT"
        id: devcontainer-metadata
      - run: echo "git-commit-epoch=$(git log -1 --pretty=%ct)" >> "$GITHUB_OUTPUT"
        id: devcontainer-epoch
      - uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6.16.0
        id: build-and-push
        env:
          SOURCE_DATE_EPOCH: ${{ steps.devcontainer-epoch.outputs.git-commit-epoch }}
        with:
          file: .devcontainer/${{ matrix.flavor }}/Dockerfile
          platforms: linux/amd64,linux/arm64
          push: ${{ github.event_name != 'merge_group' }}
          tags: ${{ steps.metadata.outputs.tags }}
          labels: |
            ${{ steps.metadata.outputs.labels }}
            devcontainer.metadata=${{ steps.devcontainer-metadata.outputs.metadata }}
          annotations: ${{ steps.metadata.outputs.annotations }}
          sbom: true
          cache-from: type=gha,scope=${{ github.repository }}-${{ matrix.flavor }}
          cache-to: type=gha,mode=max,scope=${{ github.repository }}-${{ matrix.flavor }}
      - uses: ./.github/actions/container-size-diff
        id: container-size-diff
        with:
          from-container: ${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}:latest
          to-container: ${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}@${{ steps.build-and-push.outputs.digest }}
      - uses: marocchino/sticky-pull-request-comment@67d0dec7b07ed060a405f9b2a64b8ab319fdd7db # v2.9.2
        with:
          header: container-size-diff-${{ matrix.flavor }}
          message: |
            ${{ steps.container-size-diff.outputs.size-diff-markdown }}
      - uses: anchore/sbom-action@9f7302141466aa6482940f15371237e9d9f4c34a # v0.19.0
        if: steps.build-and-push.outputs.digest != '' && github.event_name != 'merge_group'
        with:
          image: ${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}@${{ steps.build-and-push.outputs.digest }}
          dependency-snapshot: true
      - uses: actions/dependency-review-action@ce3cf9537a52e8119d91fd484ab5b8a807627bf8 # v4.6.0
        if: github.event_name == 'pull_request'
        with:
          comment-summary-in-pr: on-failure
          fail-on-severity: critical
      - uses: actions/attest-build-provenance@db473fddc028af60658334401dc6fa3ffd8669fd # v2.3.0
        if: github.event_name != 'merge_group'
        with:
          subject-name: ${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}
          subject-digest: ${{ steps.build-and-push.outputs.digest }}
          push-to-registry: true
      - name: Verify attestation
        if: github.event_name != 'merge_group'
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          gh attestation verify --repo ${{ github.repository }} oci://${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}@${{ steps.build-and-push.outputs.digest }}
      - name: Upload provenance to release
        if: startsWith(github.ref, 'refs/tags/')
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          gh attestation verify --repo ${{ github.repository }} oci://${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}@${{ steps.build-and-push.outputs.digest }} --format json --jq '.[] | .attestation.bundle.dsseEnvelope | select(.payloadType == "application/vnd.in-toto+json").payload' | base64 -d | jq . > ${{ github.repository_owner }}-${{ github.event.repository.name }}-${{ matrix.flavor }}_sha256_${{ steps.build-and-push.outputs.digest }}.intoto.jsonl
          gh release upload ${{ github.ref_name }} ./*.intoto.jsonl
      - name: Update package details in release
        if: startsWith(github.ref, 'refs/tags/')
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          UPDATED_NOTES=$(gh release view ${{ github.ref_name }} --json body -q '.body')
          UPDATED_NOTES=${UPDATED_NOTES//'{{ amp-devcontainer-${{ matrix.flavor }}-version }}'/'${{ github.ref_name }}'}
          UPDATED_NOTES=${UPDATED_NOTES//'{{ amp-devcontainer-${{ matrix.flavor }}-sha }}'/'${{ steps.build-and-push.outputs.digest }}'}
          gh release edit ${{ github.ref_name }} --notes "${UPDATED_NOTES}"
  acceptance-test:
    if: github.event_name == 'pull_request'
    needs: build-push
    secrets: inherit
    uses: ./.github/workflows/acceptance-test.yml
    with:
      flavor: cpp