-
Notifications
You must be signed in to change notification settings - Fork 0
93 lines (80 loc) · 2.94 KB
/
build.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
name: Spack buildcache build
on:
push:
branches:
- main
pull_request:
env:
SPACK_COLOR: always
SPACK_BACKTRACE: please
REGISTRY: ghcr.io
IMAGE_NAME: ukri-excalibur/github-actions-buildcache
jobs:
rebuild:
timeout-minutes: 360
runs-on: ubuntu-22.04
permissions:
packages: write
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Install Spack
run: |
git clone --depth=1 --branch=oci/dump-oci-digest-upon-upload https://github.com/haampie/spack.git
echo "${PWD}/spack/bin/" >> "${GITHUB_PATH}"
- name: Spack version
run: spack debug report
- name: Set authentication method for mirror
if: ${{ github.event_name == 'push' }}
run: |
spack -e . mirror set --oci-username ${{ github.actor }} --oci-password "${{ secrets.GITHUB_TOKEN }}" excalibur-buildcache
- name: Concretize
run: spack -e . concretize
- name: Install
timeout-minutes: 350
run: |
spack -e . env depfile -o Makefile
make -Orecurse -j $(($(nproc) + 1)) SPACK_INSTALL_FLAGS=--no-check-signature
- name: Push packages and update index
timeout-minutes: 10
run: |
spack -e . buildcache push -j $(($(nproc) + 1)) --oci-output-digests digests.txt --unsigned --update-index excalibur-buildcache
if: always()
# Install the cosign tool except on PR
# https://github.com/sigstore/cosign-installer
- name: Install cosign
if: github.event_name != 'pull_request'
uses: sigstore/cosign-installer@v3
with:
cosign-release: 'v1.13.1'
# Login against a Docker registry except on PR
# https://github.com/docker/login-action
- name: Log into registry
if: github.event_name != 'pull_request'
uses: docker/login-action@v2
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.REGISTRY_TOKEN }}
- name: Write signing key to disk (only needed for `cosign sign --key`)
run: echo "${{ secrets.COSIGN_PRIVATE_KEY }}" > cosign.key
# Sign the resulting Docker image digest except on PRs.
# This will only write to the public Rekor transparency log when the Docker
# repository is public to avoid leaking data. If you would like to publish
# transparency data even for private images, pass --force to cosign below.
# https://github.com/sigstore/cosign
- name: Sign the published images
if: ${{ github.event_name != 'pull_request' }}
env:
COSIGN_EXPERIMENTAL: "true"
COSIGN_PASSWORD: ""
# This step uses the identity token to provision an ephemeral certificate
# against the sigstore community Fulcio instance.
run: |
DIGESTS="$(cat digests.txt)"
if [[ -n "${DIGESTS}" ]]; then
for image in ${DIGESTS}; do
echo "Signing ${image}..."
cosign sign --key cosign.key "${image}"
done
fi