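---
# CI for filmbot.
#
# `build` runs on every push and pull request to master: fmt, clippy and a
# locked release build. On push/dispatch only, `docker` verifies the
# Dockerfile's base images, packages the release binary into an image, smoke
# tests it, signs it keylessly with cosign and promotes it to `latest`.
name: ci

# `on` is a YAML 1.1 boolean; quoting keeps the key a string for generic parsers.
"on":
  workflow_dispatch:
  push:
    branches:
      - master
    # NOTE(review): ignoring '.github/workflows/*' means an edit to this file
    # is never exercised by CI before it lands on master; confirm that is intended.
    paths-ignore:
      - LICENSE
      - README.md
      - '.gitignore'
      - '.github/workflows/*'
      - '.github/dependabot.yaml'
  pull_request:
    branches:
      - master
    paths-ignore:
      - LICENSE
      - README.md
      - '.gitignore'
      - '.github/workflows/*'
      - '.github/dependabot.yaml'

env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}

# `shell: bash` runs every `run:` script with `-eo pipefail`. The implicit
# default is `bash -e` with no pipefail, so a failing producer in a pipeline
# (`curl | jq`, `cosign dockerfile verify | jq`) would otherwise be masked by
# the consumer's exit status and the step would pass.
defaults:
  run:
    shell: bash

jobs:
  build:
    name: build filmbot
    runs-on: ubuntu-latest
    # Least privilege: this job only reads the repository and uploads an artifact.
    permissions:
      contents: read
    steps:
      - name: checkout project
        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744

      # The latest stable Rust tag is part of the cache key below, so a new
      # toolchain release invalidates the cached ~/.rustup and target/.
      - name: rust stable latest
        id: rust
        env:
          # Authenticated requests get a much higher API rate limit than anonymous ones.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          latest="$(curl --fail --silent --show-error --location \
            --header "Authorization: Bearer ${GITHUB_TOKEN}" \
            https://api.github.com/repos/rust-lang/rust/releases/latest | jq -r .tag_name)"
          # Refuse anything that is not a plain x.y.z tag: an empty or "null"
          # value (API failure) would silently produce a bogus cache key, and
          # the value is written to $GITHUB_OUTPUT, which must only ever
          # receive a well-formed single-line value.
          if ! [[ "${latest}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            echo "unexpected rust release tag: '${latest}'" >&2
            exit 1
          fi
          echo "rust stable latest: ${latest}"
          echo "stable_latest=${latest}" >> "$GITHUB_OUTPUT"

      - name: check cache
        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8
        id: cache
        with:
          path: |
            ~/.cargo/
            ~/.rustup/
            target/
          key: ${{ runner.os }}-rust-${{ steps.rust.outputs.stable_latest }}-${{ hashFiles('Cargo.toml') }}-${{ hashFiles('Cargo.lock') }}

      - name: cargo fmt
        run: |
          cargo fmt -- --check --verbose

      - name: cargo clippy
        run: |
          cargo clippy --locked --workspace

      - name: build filmbot
        run: |
          cargo build --release --locked

      # Only push/dispatch runs continue into the docker job, so PRs skip the upload.
      - name: upload filmbot
        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce
        if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
        with:
          name: filmbot
          path: target/release/filmbot
          if-no-files-found: error
          retention-days: 1

  docker:
    name: docker filmbot
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # id-token: write lets cosign sign keylessly with this run's OIDC identity.
      id-token: write
      # packages: write is required to push to ghcr.io with GITHUB_TOKEN.
      packages: write
    if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
    steps:
      - name: checkout project
        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744

      - name: install cosign
        uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19

      # Fail early if any base image referenced by the Dockerfile is not
      # signed by the chainguard-images release workflow. Relies on pipefail
      # (see `defaults` above) so a verification failure is not hidden by `jq`.
      - name: verify base images
        run: |
          cosign dockerfile verify \
            --certificate-identity \
            'https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main' \
            --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
            Dockerfile | jq .

      # `path` is the destination *directory*; downloading into target/release
      # places the binary at target/release/filmbot, the path the chmod below
      # expects. (Artifacts do not preserve file modes.)
      - name: download filmbot
        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a
        with:
          name: filmbot
          path: target/release

      - name: restore permissions
        run: |
          chmod 0755 target/release/filmbot

      - name: docker buildx
        id: buildx
        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226

      - name: login ghcr.io
        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: docker metadata
        id: meta
        uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934
        with:
          images: ${{ env.IMAGE_NAME }}

      - name: build filmbot (devel)
        id: docker
        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09
        with:
          context: .
          push: true
          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:devel
          labels: ${{ steps.meta.outputs.labels }}
          builder: ${{ steps.buildx.outputs.name }}
          # Attach an SBOM and a provenance attestation to the pushed image.
          sbom: true
          provenance: true

      # Every following step addresses the image by the digest that was just
      # pushed, never by the mutable `:devel` tag, so a concurrent run cannot
      # swap the image between build, smoke test, signing and promotion. The
      # reference is passed through `env:` rather than interpolated into the
      # script text.
      - name: smoke test
        env:
          IMAGE: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.docker.outputs.digest }}
        run: |
          set -x
          # Only ensure runtime deps are ok: the container is expected to exit
          # non-zero because TELOXIDE_TOKEN is not set, and that is the one
          # failure we accept. Any other failure (missing shared library, bad
          # entrypoint, ...) fails the job. The output is captured so grep sees
          # what the container printed, not the step's (empty) stdin.
          status=0
          output="$(docker run --rm "${IMAGE}" 2>&1)" || status=$?
          printf '%s\n' "${output}"
          if [[ "${status}" -ne 0 ]]; then
            grep --quiet --fixed-strings "TELOXIDE_TOKEN" <<< "${output}"
          fi

      - name: cosign filmbot
        env:
          IMAGE: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.docker.outputs.digest }}
        run: |
          cosign sign -y "${IMAGE}"

      - name: install crane
        uses: imjasonh/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c

      # Promote by digest so `latest` is guaranteed to be the exact image that
      # was smoke-tested and signed above, not whatever `:devel` points at now.
      - name: tag filmbot (latest)
        env:
          IMAGE: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.docker.outputs.digest }}
        run: |
          crane tag "${IMAGE}" latest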