Skip to content

Bump actions/checkout from 4.1.4 to 4.1.7 (#212) #109

Bump actions/checkout from 4.1.4 to 4.1.7 (#212)

Bump actions/checkout from 4.1.4 to 4.1.7 (#212) #109

Workflow file for this run

name: build-push
on:
push:
branches:
- main
workflow_dispatch:
# permission can be added at job level or workflows level
permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout
packages: write # push to GHCR
jobs:
build:
name: build
runs-on: ubuntu-latest
strategy:
matrix:
image:
- aws-auth
- github-issue-opener
- image-copy-ecr
- image-copy-gcp
- image-diff
- jira-issue-opener
- slack-webhook
- tag-history
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version-file: ${{ matrix.image }}/go.mod
- uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.0.2
- uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6
- env:
KO_DOCKER_REPO: ghcr.io/chainguard-dev/${{matrix.image}}
COSIGN_YES: true
working-directory: ${{ matrix.image }}
run: |
ko build --image-refs=ko.images --bare .
echo "ko build $(cat ko.images)"
echo "Signing $(cat ko.images)"
cosign sign "$(cat ko.images)"
cosign download sbom "$(cat ko.images)" --output-file bom.spdx.json
cosign attest --timeout=0 --type spdxjson --predicate bom.spdx.json "$(cat ko.images)"
cosign verify-attestation --type spdxjson \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
--certificate-identity "https://github.com/chainguard-dev/platform-examples/.github/workflows/build-push.yaml@refs/heads/main" \
"$(cat ko.images)"