feat(container): update image ghcr.io/grafana/helm-charts/grafana-ope… #1423
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json | |
| name: "Publish OCI artifact" | |
| on: | |
| workflow_dispatch: {} | |
| push: | |
| branches: | |
| - main | |
| paths: | |
| - .github/workflows/oci.yaml | |
| - kubernetes/** | |
| # Default GITHUB_TOKEN token permissions do NOT support cosign and must be enabled. | |
| # This is to set the package and id_token permissions to read|write. | |
| # Current default permissions can be viewed here: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token | |
| permissions: write-all | |
| env: | |
| OCI_REPO: "oci://ghcr.io/xunholy/manifests/${{ github.event.repository.name }}" | |
| GHCR_REPO: "ghcr.io/xunholy/manifests/${{ github.event.repository.name }}" | |
| jobs: | |
| publish: | |
| runs-on: ubuntu-latest | |
| env: | |
| COSIGN_EXPERIMENTAL: "true" | |
| COSIGN_YES: "true" | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| - name: Setup Flux CLI | |
| uses: fluxcd/flux2/action@main | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Setup Crane | |
| uses: imjasonh/setup-crane@6da1ae018866400525525ce74ff892880c099987 # v0.5 | |
| - name: Setup Cosign | |
| uses: sigstore/cosign-installer@main | |
| - name: Login to GHCR | |
| uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Create OCI artifact | |
| run: | | |
| flux push artifact "$OCI_REPO:$(git rev-parse --short HEAD)" \ | |
| --path="./kubernetes" \ | |
| --source="$(git config --get remote.origin.url)" \ | |
| --revision="$(git branch --show-current)@sha1:$(git rev-parse HEAD)" \ | |
| --ignore-paths="sops-gpg.encrypted.yaml,sops-age.encrypted.yaml,.sops.pub.asc" \ | |
| --reproducible | |
| - name: Create OCI artifact tag | |
| run: | | |
| flux tag artifact "$OCI_REPO:$(git rev-parse --short HEAD)" --tag main | |
| - name: Get the digest of the OCI artifact | |
| id: crane | |
| run: | | |
| DIGEST=$(crane digest "$GHCR_REPO:$(git rev-parse --short HEAD)") | |
| echo "DIGEST=$DIGEST" >> $GITHUB_OUTPUT | |
| - name: Sign the OCI artifact | |
| run: cosign sign "$GHCR_REPO@${{ steps.crane.outputs.DIGEST }}" -y |