docs: Add detailed release instructions (#246) #109
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build and Push Melange and Apko | |
on: | |
push: | |
branches: | |
- main | |
tags: | |
- '*' | |
workflow_dispatch: {} | |
permissions: | |
packages: write | |
jobs: | |
build-and-push: | |
runs-on: ubuntu-latest | |
env: | |
TAG_MODE: git | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 | |
with: | |
disable-sudo: true | |
egress-policy: block | |
allowed-endpoints: > | |
api.github.com:443 | |
github.com:443 | |
objects.githubusercontent.com:443 | |
proxy.golang.org:443 | |
storage.googleapis.com:443 | |
sum.golang.org:443 | |
registry-1.docker.io:443 | |
auth.docker.io:443 | |
ghcr.io:443 | |
cgr.dev:443 | |
9236a389bd48b984df91adc1bc924620.r2.cloudflarestorage.com:443 | |
packages.wolfi.dev:443 | |
- name: Checkout | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v3 | |
with: | |
# there is a bug with the fetch-tags that requires that we have fetch-depth: 0 | |
fetch-depth: 0 | |
fetch-tags: true | |
- name: Set up Buildx | |
uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v2 | |
- name: Cache Docker layers | |
uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3 | |
with: | |
path: /tmp/.buildx-cache | |
key: ${{ runner.os }}-buildx-${{ github.sha }} | |
restore-keys: | | |
${{ runner.os }}-buildx- | |
- name: Log in to GHCR | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v2 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GHCR_PAT }} # Use PAT with write:packages permission | |
- name: Run build script | |
run: ./scripts/build-apko-images.sh | |
- name: Push Docker images | |
run: | | |
docker push ghcr.io/defenseunicorns/uds-security-hub:latest | |
docker push ghcr.io/defenseunicorns/uds-security-hub-store:latest | |
# push the tag if it exists, but skip main because there is no "main" tag | |
if [[ "${TAG_MODE:-}" == "git" && "${GIT_TAG}" != "main" ]]; then | |
docker push ghcr.io/defenseunicorns/uds-security-hub:${GIT_TAG} | |
docker push ghcr.io/defenseunicorns/uds-security-hub-store:${GIT_TAG} | |
fi | |
env: | |
GIT_TAG: ${{ github.ref_name }} | |