Skip to content

🧩 quarkus 3.13.1, dependencies updated 🧩 #194

🧩 quarkus 3.13.1, dependencies updated 🧩

🧩 quarkus 3.13.1, dependencies updated 🧩 #194

name: Build containers
on:
push:
branches: [ master ]
paths-ignore:
- 'README.md'
pull_request:
branches: [ master ]
paths-ignore:
- 'README.md'
workflow_dispatch:
env:
REGISTRY: quay.io
IMAGE_NAME: ${{ github.repository }}
TAGS: latest
jobs:
build:
runs-on: ubuntu-24.04
steps:
- name: Checkout repo
uses: actions/checkout@v4
with:
fetch-depth: 0
# Setup S2i and Build container image from source
- name: Setup and Build
id: build_image
uses: redhat-actions/s2i-build@v2
with:
path_context: '.'
# Builder image for a java project
builder_image: 'registry.access.redhat.com/ubi9/openjdk-21:latest'
image: ${{ env.IMAGE_NAME }}
tags: ${{ env.TAGS }}
log_level: 2
include_git: true
- name: List docker images
run: |
docker --version
docker info
docker image ls
# Build runtime image from s2i image output
- name: Buildah Action
uses: redhat-actions/buildah-build@v2
with:
image: ${{ env.IMAGE_NAME }}
tags: ${{ env.TAGS }}
containerfiles: |
./Dockerfile.actions
# Login to Registry
- name: Log in to the Container registry
uses: redhat-actions/podman-login@v1
with:
registry: ${{ env.REGISTRY }}
username: ${{ secrets.QUAY_USER }} # ${{ github.actor }} - for ghcr.io
password: ${{ secrets.QUAY_TOKEN }} # quay.io
# password: ${{ secrets.GITHUB_TOKEN }} # ghcr.io
- name: Push to Container Repository
id: push-to-registry
uses: redhat-actions/push-to-registry@v2
with:
image: ${{ env.IMAGE_NAME }}
tags: ${{ env.TAGS }}
registry: ${{ env.REGISTRY }}
# Provenance signing image
- name: Install cosign
uses: sigstore/cosign-installer@v3
with:
cosign-release: 'v2.1.1'
- name: Write signing key to disk
run: echo "${{ secrets.SIGNING_SECRET }}" > cosign.key
- name: Sign container image
run: |
cosign sign --key cosign.key \
-a "repo=${{ github.repository }}" \
-a "workflow=${{ github.workflow }}" \
-a "ref=${{ github.sha }}" \
-y \
${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.TAGS }}
env:
COSIGN_PASSWORD: ""
# Provenance SBOM and attestation
- name: Generate SBOM
uses: anchore/sbom-action@v0
with:
image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.TAGS }}
registry-username: ${{ secrets.QUAY_USER }}
registry-password: ${{ secrets.QUAY_TOKEN }}
output-file: /tmp/pet-battle-api.sbom
- name: Attach SBOM to image
run: |
cosign attach sbom --sbom /tmp/pet-battle-api.sbom \
${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.TAGS }}
env:
COSIGN_PASSWORD: ""
- name: Sign SBOM
run: |
cosign sign --key cosign.key \
--yes \
--attachment sbom \
${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.TAGS }}
env:
COSIGN_PASSWORD: ""
- name: Attest SBOM to public rekor
run: |
cosign attest --yes --key cosign.key \
--predicate /tmp/pet-battle-api.sbom \
${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.TAGS }}
env:
COSIGN_PASSWORD: ""