
fully qualify names

fully qualify names #2

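# This workflow file is a modified version of the goreleaser workflow file which runs during releases.
# Its purpose is to attest the Docker images produced in https://github.com/fleetdm/fleet/actions/runs/13139072879,
# which successfully built the images but failed to upload an attestation due to an error in the attest-build-provenance action.
# Under normal circumstances, the attest-build-provenance action would be run in the goreleaser workflow file.
name: attest 4.63.0 docker images

on:
  push:
    branches:
      - attest-4.63.0-images

# This allows a subsequently queued workflow run to interrupt previous runs
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}}
  cancel-in-progress: true

defaults:
  run:
    # fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
    shell: bash

# Workflow-wide default; the job below widens this only for itself.
permissions:
  contents: read

jobs:
  goreleaser:
    runs-on: ubuntu-20.04-4-cores
    environment: Docker Hub
    # id-token and attestations are what attest-build-provenance needs to sign and upload.
    # NOTE(review): nothing in this job creates a release or pushes to GHCR, so contents: write and
    # packages: write look carried over from the goreleaser workflow rather than required here — confirm and drop.
    permissions:
      contents: write
      id-token: write
      attestations: write
      packages: write
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
        with:
          egress-policy: audit

      - name: Checkout
        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
        with:
          # NOTE(review): goreleaser is not executed in this workflow; the full-history clone is
          # probably not needed and could be dropped.
          fetch-depth: 0 # Needed for goreleaser

      - name: Login to Docker Hub
        # TODO(review): record the release tag this SHA pins, as the other pinned actions do.
        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_ACCESS_TOKEN }}

      # artifacts.json is the goreleaser artifacts file from the original run, committed into the
      # repo; it is the source of the image digests attested below.
      - name: Copy artifacts file
        run: |
          mkdir -p ./dist
          cp ./.github/workflows/config/artifacts.json ./dist/artifacts.json

      # The tag is a fixed constant in this one-off workflow; the goreleaser workflow derives it
      # from the pushed ref instead.
      - name: Get tag
        id: docker
        run: |
          echo "TAG=v4.63.0" >> "$GITHUB_OUTPUT"

      # Get the image digests from the goreleaser artifacts. The tag reaches the script through env
      # and is bound with `jq --arg`, so no expression is interpolated into the shell or filter text.
      - name: Get image digests
        id: image_digests
        continue-on-error: true
        env:
          TAG: ${{ steps.docker.outputs.tag }}
        run: |
          # get_digest IMAGE — print the published digest for IMAGE:$TAG, or nothing if absent.
          get_digest() {
            jq -r --arg name "$1:$TAG" \
              'first(.[] | select(.type == "Published Docker Image" and .name == $name) | .extra.Digest) // empty' \
              ./dist/artifacts.json
          }
          digest_fleet=$(get_digest fleetdm/fleet)
          digest_fleetctl=$(get_digest fleetdm/fleetctl)
          echo "digest_fleet=$digest_fleet" >> "$GITHUB_OUTPUT"
          echo "digest_fleetctl=$digest_fleetctl" >> "$GITHUB_OUTPUT"
          # Fail loudly (the step is continue-on-error, so the workflow still proceeds) rather than
          # silently handing an empty subject-digest to the attest steps.
          if [ -z "$digest_fleet" ] || [ -z "$digest_fleetctl" ]; then
            echo "::error::missing image digest in artifacts.json (fleet='$digest_fleet', fleetctl='$digest_fleetctl')"
            exit 1
          fi

      - name: Pull Docker images
        run: |
          docker pull fleetdm/fleet:${{ steps.docker.outputs.tag }}
          docker pull fleetdm/fleetctl:${{ steps.docker.outputs.tag }}

      # Each attest step is continue-on-error so a failure on one image does not block the other.
      - name: Attest Fleet image
        uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
        continue-on-error: true
        with:
          subject-digest: ${{ steps.image_digests.outputs.digest_fleet }}
          subject-name: "docker.io/fleetdm/fleet"
          push-to-registry: true

      - name: Attest FleetCtl image
        uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
        continue-on-error: true
        with:
          subject-digest: ${{ steps.image_digests.outputs.digest_fleetctl }}
          subject-name: "docker.io/fleetdm/fleetctl"
          push-to-registry: true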