digest output to return digest of image pushed or artifact uploaded #205
| name: .test-bake | ||
| # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions | ||
| # Workflow-level default for GITHUB_TOKEN: read-only access to repository contents. | ||
| # Jobs in this file that need more (id-token, packages) declare it in their own permissions block. | ||
| permissions: | ||
| contents: read | ||
| # One active run per workflow and ref; a newer run cancels the one still in progress. | ||
| concurrency: | ||
| group: ${{ github.workflow }}-${{ github.ref }} | ||
| cancel-in-progress: true | ||
| # Triggers: manual dispatch, pushes to main and releases/v*, and pull requests. | ||
| # The push and pull_request triggers fire only when one of the listed workflow files or test/** changes. | ||
| on: | ||
| workflow_dispatch: | ||
| push: | ||
| branches: | ||
| - 'main' | ||
| - 'releases/v*' | ||
| paths: | ||
| - '.github/workflows/.test-bake.yml' | ||
| - '.github/workflows/bake.yml' | ||
| - '.github/workflows/verify.yml' | ||
| - 'test/**' | ||
| pull_request: | ||
| paths: | ||
| - '.github/workflows/.test-bake.yml' | ||
| - '.github/workflows/bake.yml' | ||
| - '.github/workflows/verify.yml' | ||
| - 'test/**' | ||
| jobs: | ||
| bake-aws-single: | ||
| uses: ./.github/workflows/bake.yml | ||
| permissions: | ||
| contents: read | ||
| id-token: write | ||
| with: | ||
| cache: true | ||
| cache-scope: bake-aws-single | ||
| context: test | ||
| output: image | ||
| push: ${{ github.event_name != 'pull_request' }} | ||
| sbom: true | ||
| target: hello | ||
| meta-images: | | ||
| public.ecr.aws/q3b5f1u4/test-docker-action | ||
| meta-tags: | | ||
| type=raw,value=bake-ghbuilder-single-${{ github.run_id }} | ||
| secrets: | ||
| registry-auths: | | ||
| - registry: public.ecr.aws | ||
| username: ${{ secrets.AWS_ACCESS_KEY_ID }} | ||
| password: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | ||
| bake-aws-single-verify: | ||
| uses: ./.github/workflows/verify.yml | ||
| if: ${{ github.event_name != 'pull_request' }} | ||
| needs: | ||
| - bake-aws-single | ||
| with: | ||
| builder-outputs: ${{ toJSON(needs.bake-aws-single.outputs) }} | ||
| secrets: | ||
| registry-auths: | | ||
| - registry: public.ecr.aws | ||
| username: ${{ secrets.AWS_ACCESS_KEY_ID }} | ||
| password: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | ||
| # Prints every output of the bake-aws-single job to the run log. There is no if: guard, so it also runs on pull requests. | ||
| # NOTE(review): whatever bake.yml exposes as a job output ends up in the log; confirm none of those outputs is sensitive. | ||
| bake-aws-single-outputs: | ||
| runs-on: ubuntu-24.04 | ||
| needs: | ||
| - bake-aws-single | ||
| steps: | ||
| - | ||
| name: Builder outputs | ||
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | ||
| env: | ||
| # The JSON is passed as an INPUT_* environment variable and read back with core.getInput in the script, | ||
| # so the ${{ }} expression is expanded into the environment and not into the script source. | ||
| INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.bake-aws-single.outputs) }} | ||
| with: | ||
| script: | | ||
| const builderOutputs = JSON.parse(core.getInput('builder-outputs')); | ||
| core.info(JSON.stringify(builderOutputs, null, 2)); | ||
| bake-aws: | ||
| uses: ./.github/workflows/bake.yml | ||
| permissions: | ||
| contents: read | ||
| id-token: write | ||
| with: | ||
| cache: true | ||
| cache-scope: bake-aws | ||
| context: test | ||
| output: image | ||
| push: ${{ github.event_name != 'pull_request' }} | ||
| sbom: true | ||
| target: hello-cross | ||
| meta-images: | | ||
| public.ecr.aws/q3b5f1u4/test-docker-action | ||
| meta-tags: | | ||
| type=raw,value=bake-ghbuilder-${{ github.run_id }} | ||
| secrets: | ||
| registry-auths: | | ||
| - registry: public.ecr.aws | ||
| username: ${{ secrets.AWS_ACCESS_KEY_ID }} | ||
| password: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | ||
| bake-aws-verify: | ||
| uses: ./.github/workflows/verify.yml | ||
| if: ${{ github.event_name != 'pull_request' }} | ||
| needs: | ||
| - bake-aws | ||
| with: | ||
| builder-outputs: ${{ toJSON(needs.bake-aws.outputs) }} | ||
| secrets: | ||
| registry-auths: | | ||
| - registry: public.ecr.aws | ||
| username: ${{ secrets.AWS_ACCESS_KEY_ID }} | ||
| password: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | ||
| bake-aws-outputs: | ||
| runs-on: ubuntu-24.04 | ||
| needs: | ||
| - bake-aws | ||
| steps: | ||
| - | ||
| name: Builder outputs | ||
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | ||
| env: | ||
| INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.bake-aws.outputs) }} | ||
| with: | ||
| script: | | ||
| const builderOutputs = JSON.parse(core.getInput('builder-outputs')); | ||
| core.info(JSON.stringify(builderOutputs, null, 2)); | ||
| # Vulnerability scan of the image built by bake-aws. Skipped on pull requests, where bake-aws is called with push set to false. | ||
| bake-aws-scan: | ||
| runs-on: ubuntu-24.04 | ||
| if: ${{ github.event_name != 'pull_request' }} | ||
| needs: | ||
| - bake-aws | ||
| steps: | ||
| - | ||
| name: Login to registry | ||
| uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 | ||
| with: | ||
| registry: public.ecr.aws | ||
| # NOTE(review): these look like static AWS access keys held as repository secrets; confirm they are scoped | ||
| # to this test repository only and rotated, or whether short-lived credentials could replace them. | ||
| username: ${{ secrets.AWS_ACCESS_KEY_ID }} | ||
| password: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | ||
| - | ||
| name: Scan for vulnerabilities | ||
| uses: crazy-max/ghaction-container-scan@a0a3900b79d158c85ccf034e5368fae620a9233a # v4.0.0 | ||
| with: | ||
| # The image is referenced by the digest output of bake-aws rather than by tag, so the scan targets the image that job reports. | ||
| # NOTE(review): an empty digest output would make this reference malformed; presumably bake.yml always sets it when it pushes - confirm. | ||
| image: public.ecr.aws/q3b5f1u4/test-docker-action@${{ needs.bake-aws.outputs.digest }} | ||
| # Same inputs as bake-aws except for the cache scope, the tag and sign: false, i.e. the builder is asked not to sign the image. | ||
| bake-aws-nosign: | ||
| uses: ./.github/workflows/bake.yml | ||
| permissions: | ||
| contents: read | ||
| # NOTE(review): id-token: write is still granted although signing is off. A called workflow cannot be given less than | ||
| # its jobs request, so check what bake.yml declares before narrowing this. | ||
| id-token: write | ||
| with: | ||
| cache: true | ||
| cache-scope: bake-aws-nosign | ||
| context: test | ||
| output: image | ||
| # Pushes only outside pull requests. | ||
| push: ${{ github.event_name != 'pull_request' }} | ||
| sbom: true | ||
| sign: false | ||
| target: hello-cross | ||
| meta-images: | | ||
| public.ecr.aws/q3b5f1u4/test-docker-action | ||
| meta-tags: | | ||
| type=raw,value=bake-ghbuilder-nosign-${{ github.run_id }} | ||
| secrets: | ||
| registry-auths: | | ||
| - registry: public.ecr.aws | ||
| username: ${{ secrets.AWS_ACCESS_KEY_ID }} | ||
| password: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | ||
| bake-aws-nosign-verify: | ||
| uses: ./.github/workflows/verify.yml | ||
| if: ${{ github.event_name != 'pull_request' }} | ||
| needs: | ||
| - bake-aws-nosign | ||
| with: | ||
| builder-outputs: ${{ toJSON(needs.bake-aws-nosign.outputs) }} | ||
| secrets: | ||
| registry-auths: | | ||
| - registry: public.ecr.aws | ||
| username: ${{ secrets.AWS_ACCESS_KEY_ID }} | ||
| password: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | ||
| bake-aws-nosign-outputs: | ||
| runs-on: ubuntu-24.04 | ||
| needs: | ||
| - bake-aws-nosign | ||
| steps: | ||
| - | ||
| name: Builder outputs | ||
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | ||
| env: | ||
| INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.bake-aws-nosign.outputs) }} | ||
| with: | ||
| script: | | ||
| const builderOutputs = JSON.parse(core.getInput('builder-outputs')); | ||
| core.info(JSON.stringify(builderOutputs, null, 2)); | ||
| bake-dockerhub-stage: | ||
| uses: ./.github/workflows/bake.yml | ||
| permissions: | ||
| contents: read | ||
| id-token: write | ||
| with: | ||
| context: test | ||
| output: image | ||
| push: ${{ github.event_name != 'pull_request' }} | ||
| sbom: true | ||
| target: hello-cross | ||
| meta-images: | | ||
| registry-1-stage.docker.io/docker/github-builder-test | ||
| meta-tags: | | ||
| type=raw,value=bake-ghbuilder-${{ github.run_id }} | ||
| secrets: | ||
| registry-auths: | | ||
| - registry: registry-1-stage.docker.io | ||
| username: ${{ vars.DOCKERHUB_STAGE_USERNAME }} | ||
| password: ${{ secrets.DOCKERHUB_STAGE_TOKEN }} | ||
| bake-dockerhub-stage-verify: | ||
| uses: ./.github/workflows/verify.yml | ||
| if: ${{ github.event_name != 'pull_request' }} | ||
| needs: | ||
| - bake-dockerhub-stage | ||
| with: | ||
| builder-outputs: ${{ toJSON(needs.bake-dockerhub-stage.outputs) }} | ||
| secrets: | ||
| registry-auths: | | ||
| - registry: registry-1-stage.docker.io | ||
| username: ${{ vars.DOCKERHUB_STAGE_USERNAME }} | ||
| password: ${{ secrets.DOCKERHUB_STAGE_TOKEN }} | ||
| bake-dockerhub-stage-outputs: | ||
| runs-on: ubuntu-24.04 | ||
| needs: | ||
| - bake-dockerhub-stage | ||
| steps: | ||
| - | ||
| name: Builder outputs | ||
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | ||
| env: | ||
| INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.bake-dockerhub-stage.outputs) }} | ||
| with: | ||
| script: | | ||
| const builderOutputs = JSON.parse(core.getInput('builder-outputs')); | ||
| core.info(JSON.stringify(builderOutputs, null, 2)); | ||
| # Builds once and publishes the same tag to two registries, ghcr.io and public.ecr.aws, each with its own credentials. | ||
| bake-ghcr-and-aws: | ||
| uses: ./.github/workflows/bake.yml | ||
| permissions: | ||
| contents: read | ||
| id-token: write | ||
| # The only job in this file that asks for packages: write; presumably needed because the ghcr.io push below authenticates with GITHUB_TOKEN. | ||
| packages: write | ||
| with: | ||
| context: test | ||
| output: image | ||
| # Pushes only outside pull requests. | ||
| push: ${{ github.event_name != 'pull_request' }} | ||
| sbom: true | ||
| target: hello-cross | ||
| meta-images: | | ||
| ghcr.io/docker/github-builder-test | ||
| public.ecr.aws/q3b5f1u4/test-docker-action | ||
| meta-tags: | | ||
| type=raw,value=${{ github.run_id }},prefix=bake-ghcr-and-aws- | ||
| # One registry-auths entry per registry: the workflow token for ghcr.io, repository secrets for public.ecr.aws. | ||
| secrets: | ||
| registry-auths: | | ||
| - registry: ghcr.io | ||
| username: ${{ github.actor }} | ||
| password: ${{ secrets.GITHUB_TOKEN }} | ||
| - registry: public.ecr.aws | ||
| username: ${{ secrets.AWS_ACCESS_KEY_ID }} | ||
| password: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | ||
| bake-ghcr-and-aws-verify: | ||
| uses: ./.github/workflows/verify.yml | ||
| if: ${{ github.event_name != 'pull_request' }} | ||
| needs: | ||
| - bake-ghcr-and-aws | ||
| with: | ||
| builder-outputs: ${{ toJSON(needs.bake-ghcr-and-aws.outputs) }} | ||
| secrets: | ||
| registry-auths: | | ||
| - registry: ghcr.io | ||
| username: ${{ github.actor }} | ||
| password: ${{ secrets.GITHUB_TOKEN }} | ||
| - registry: public.ecr.aws | ||
| username: ${{ secrets.AWS_ACCESS_KEY_ID }} | ||
| password: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | ||
| bake-ghcr-and-aws-outputs: | ||
| runs-on: ubuntu-24.04 | ||
| needs: | ||
| - bake-ghcr-and-aws | ||
| steps: | ||
| - | ||
| name: Builder outputs | ||
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | ||
| env: | ||
| INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.bake-ghcr-and-aws.outputs) }} | ||
| with: | ||
| script: | | ||
| const builderOutputs = JSON.parse(core.getInput('builder-outputs')); | ||
| core.info(JSON.stringify(builderOutputs, null, 2)); | ||
| # Local-output build: nothing is pushed to a registry; the result is uploaded as the bake-output artifact. | ||
| bake-local: | ||
| uses: ./.github/workflows/bake.yml | ||
| permissions: | ||
| contents: read | ||
| id-token: write | ||
| with: | ||
| artifact-name: bake-output | ||
| artifact-upload: true | ||
| context: test | ||
| output: local | ||
| sbom: true | ||
| # Signing is requested only outside pull requests; on a pull_request event this expression evaluates to false. | ||
| sign: ${{ github.event_name != 'pull_request' }} | ||
| target: hello-cross | ||
| bake-local-verify: | ||
| uses: ./.github/workflows/verify.yml | ||
| if: ${{ github.event_name != 'pull_request' }} | ||
| needs: | ||
| - bake-local | ||
| with: | ||
| builder-outputs: ${{ toJSON(needs.bake-local.outputs) }} | ||
| bake-local-outputs: | ||
| runs-on: ubuntu-24.04 | ||
| needs: | ||
| - bake-local | ||
| steps: | ||
| - | ||
| name: Builder outputs | ||
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | ||
| env: | ||
| INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.bake-local.outputs) }} | ||
| with: | ||
| script: | | ||
| const builderOutputs = JSON.parse(core.getInput('builder-outputs')); | ||
| core.info(JSON.stringify(builderOutputs, null, 2)); | ||
| bake-local-single: | ||
| uses: ./.github/workflows/bake.yml | ||
| permissions: | ||
| contents: read | ||
| id-token: write | ||
| with: | ||
| artifact-name: bake-single-output | ||
| artifact-upload: true | ||
| context: test | ||
| output: local | ||
| sbom: true | ||
| sign: ${{ github.event_name != 'pull_request' }} | ||
| target: hello | ||
| bake-local-single-verify: | ||
| uses: ./.github/workflows/verify.yml | ||
| if: ${{ github.event_name != 'pull_request' }} | ||
| needs: | ||
| - bake-local-single | ||
| with: | ||
| builder-outputs: ${{ toJSON(needs.bake-local-single.outputs) }} | ||
| bake-local-single-outputs: | ||
| runs-on: ubuntu-24.04 | ||
| needs: | ||
| - bake-local-single | ||
| steps: | ||
| - | ||
| name: Builder outputs | ||
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | ||
| env: | ||
| INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.bake-local-single.outputs) }} | ||
| with: | ||
| script: | | ||
| const builderOutputs = JSON.parse(core.getInput('builder-outputs')); | ||
| core.info(JSON.stringify(builderOutputs, null, 2)); | ||
| bake-local-noupload: | ||
| uses: ./.github/workflows/bake.yml | ||
| permissions: | ||
| contents: read | ||
| id-token: write | ||
| with: | ||
| artifact-upload: false | ||
| context: test | ||
| output: local | ||
| sbom: true | ||
| target: hello-cross | ||
| bake-local-noupload-verify: | ||
| uses: ./.github/workflows/verify.yml | ||
| needs: | ||
| - bake-local-noupload | ||
| with: | ||
| builder-outputs: ${{ toJSON(needs.bake-local-noupload.outputs) }} | ||
| bake-local-noupload-outputs: | ||
| runs-on: ubuntu-24.04 | ||
| needs: | ||
| - bake-local-noupload | ||
| steps: | ||
| - | ||
| name: Builder outputs | ||
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | ||
| env: | ||
| INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.bake-local-noupload.outputs) }} | ||
| with: | ||
| script: | | ||
| const builderOutputs = JSON.parse(core.getInput('builder-outputs')); | ||
| core.info(JSON.stringify(builderOutputs, null, 2)); | ||
| bake-local-nosign: | ||
| uses: ./.github/workflows/bake.yml | ||
| permissions: | ||
| contents: read | ||
| id-token: write | ||
| with: | ||
| artifact-name: bake-nosign-output | ||
| artifact-upload: true | ||
| context: test | ||
| output: local | ||
| sbom: true | ||
| sign: false | ||
| target: hello-cross | ||
| # Runs verify.yml on the outputs of bake-local-nosign, a build made with sign: false. | ||
| # Unlike most *-verify jobs in this file it has no if: guard, so it also runs on pull requests. | ||
| # NOTE(review): presumably verify.yml detects that there is no signature and skips or passes; confirm that a green result | ||
| # here cannot be read as a successful signature verification. | ||
| bake-local-nosign-verify: | ||
| uses: ./.github/workflows/verify.yml | ||
| needs: | ||
| - bake-local-nosign | ||
| with: | ||
| builder-outputs: ${{ toJSON(needs.bake-local-nosign.outputs) }} | ||
| bake-local-nosign-outputs: | ||
| runs-on: ubuntu-24.04 | ||
| needs: | ||
| - bake-local-nosign | ||
| steps: | ||
| - | ||
| name: Builder outputs | ||
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | ||
| env: | ||
| INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.bake-local-nosign.outputs) }} | ||
| with: | ||
| script: | | ||
| const builderOutputs = JSON.parse(core.getInput('builder-outputs')); | ||
| core.info(JSON.stringify(builderOutputs, null, 2)); | ||
| bake-set-runner: | ||
| uses: ./.github/workflows/bake.yml | ||
| permissions: | ||
| contents: read | ||
| id-token: write | ||
| with: | ||
| runner: amd64 | ||
| context: test | ||
| output: image | ||
| push: false | ||
| target: hello-cross | ||
| meta-images: | | ||
| public.ecr.aws/q3b5f1u4/test-docker-action | ||
| meta-tags: | | ||
| type=raw,value=bake-ghbuilder-${{ github.run_id }} | ||
| bake-qemu: | ||
| uses: ./.github/workflows/bake.yml | ||
| permissions: | ||
| contents: read | ||
| id-token: write | ||
| with: | ||
| setup-qemu: true | ||
| artifact-upload: false | ||
| context: test | ||
| output: local | ||
| sbom: true | ||
| target: hello-cross | ||
| bake-aws-nodistrib: | ||
| uses: ./.github/workflows/bake.yml | ||
| permissions: | ||
| contents: read | ||
| id-token: write | ||
| with: | ||
| distribute: false | ||
| cache: true | ||
| cache-scope: bake-aws-nodistrib | ||
| context: test | ||
| output: image | ||
| push: ${{ github.event_name != 'pull_request' }} | ||
| sbom: true | ||
| target: hello-cross | ||
| meta-images: | | ||
| public.ecr.aws/q3b5f1u4/test-docker-action | ||
| meta-tags: | | ||
| type=raw,value=bake-ghbuilder-nodistrib-${{ github.run_id }} | ||
| secrets: | ||
| registry-auths: | | ||
| - registry: public.ecr.aws | ||
| username: ${{ secrets.AWS_ACCESS_KEY_ID }} | ||
| password: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | ||
| bake-local-nodistrib: | ||
| uses: ./.github/workflows/bake.yml | ||
| permissions: | ||
| contents: read | ||
| id-token: write | ||
| with: | ||
| distribute: false | ||
| artifact-name: bake-nodistrib-output | ||
| artifact-upload: true | ||
| context: test | ||
| output: local | ||
| sbom: true | ||
| sign: ${{ github.event_name != 'pull_request' }} | ||
| target: hello-cross | ||
| bake-vars: | ||
| uses: ./.github/workflows/bake.yml | ||
| permissions: | ||
| contents: read | ||
| id-token: write | ||
| with: | ||
| setup-qemu: true | ||
| artifact-upload: false | ||
| context: test | ||
| output: local | ||
| target: go | ||
| vars: | | ||
| XX_VERSION=1.9.0 | ||
| # Same staging-registry build as bake-dockerhub-stage, with a different tag and a scope field on the registry-auths entry. | ||
| bake-auth-scope: | ||
| uses: ./.github/workflows/bake.yml | ||
| permissions: | ||
| contents: read | ||
| id-token: write | ||
| with: | ||
| context: test | ||
| output: image | ||
| # Pushes only outside pull requests. | ||
| push: ${{ github.event_name != 'pull_request' }} | ||
| sbom: true | ||
| target: hello-cross | ||
| meta-images: | | ||
| registry-1-stage.docker.io/docker/github-builder-test | ||
| meta-tags: | | ||
| type=raw,value=bake-ghbuilder-scope-${{ github.run_id }} | ||
| # The username comes from a repository variable (vars.*), only the token from secrets. | ||
| # NOTE(review): scope: '@push' presumably limits where bake.yml applies this credential to the push; confirm | ||
| # against bake.yml's handling of registry-auths. | ||
| secrets: | ||
| registry-auths: | | ||
| - registry: registry-1-stage.docker.io | ||
| username: ${{ vars.DOCKERHUB_STAGE_USERNAME }} | ||
| password: ${{ secrets.DOCKERHUB_STAGE_TOKEN }} | ||
| scope: '@push' | ||
| bake-auth-scope-verify: | ||
| uses: ./.github/workflows/verify.yml | ||
| if: ${{ github.event_name != 'pull_request' }} | ||
| needs: | ||
| - bake-auth-scope | ||
| with: | ||
| builder-outputs: ${{ toJSON(needs.bake-auth-scope.outputs) }} | ||
| secrets: | ||
| registry-auths: | | ||
| - registry: registry-1-stage.docker.io | ||
| username: ${{ vars.DOCKERHUB_STAGE_USERNAME }} | ||
| password: ${{ secrets.DOCKERHUB_STAGE_TOKEN }} | ||
| bake-namedcontexts: | ||
| uses: ./.github/workflows/bake.yml | ||
| permissions: | ||
| contents: read | ||
| id-token: write | ||
| with: | ||
| artifact-name: bake-namedcontexts-output | ||
| artifact-upload: true | ||
| context: test | ||
| output: local | ||
| sbom: true | ||
| sign: ${{ github.event_name != 'pull_request' }} | ||
| target: go-cross-with-contexts | ||