Skip to content

Bump golang.org/x/crypto from 0.15.0 to 0.17.0 in /image-copy-ecr (#147) #90

Bump golang.org/x/crypto from 0.15.0 to 0.17.0 in /image-copy-ecr (#147)

Bump golang.org/x/crypto from 0.15.0 to 0.17.0 in /image-copy-ecr (#147) #90

Workflow file for this run

name: build-push
on:
push:
branches:
- main
workflow_dispatch:
# permission can be added at job level or workflows level
permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout
packages: write # push to GHCR
jobs:
build:
name: build
runs-on: ubuntu-latest
strategy:
matrix:
image:
- aws-auth
- github-issue-opener
- image-copy-ecr
- image-copy-gcr
- image-diff
- jira-issue-opener
- slack-webhook
- tag-history
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version-file: ${{ matrix.image }}/go.mod
- uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3.0.2
- uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6
- env:
KO_DOCKER_REPO: ghcr.io/chainguard-dev/${{matrix.image}}
COSIGN_YES: true
working-directory: ${{ matrix.image }}
run: |
ko build --image-refs=ko.images --bare .
echo "ko build $(cat ko.images)"
echo "Signing $(cat ko.images)"
cosign sign "$(cat ko.images)"
cosign download sbom "$(cat ko.images)" --output-file bom.spdx.json
cosign attest --timeout=0 --type spdxjson --predicate bom.spdx.json "$(cat ko.images)"
cosign verify-attestation --type spdxjson \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
--certificate-identity "https://github.com/chainguard-dev/platform-examples/.github/workflows/build-push.yaml@refs/heads/main" \
"$(cat ko.images)"