Build with Evidence #4
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build with Evidence | |
| on: | |
| workflow_dispatch | |
| # [push, workflow_dispatch] | |
| permissions: | |
| id-token: write | |
| contents: read | |
| env: | |
| DOCKER_REGISTRY: tomjfrog.jfrog.io | |
| # Name for the Docker image | |
| IMAGE_NAME: example-basic-image | |
| # Name of the Docker Registry; i.e., the JFrog Cloud server base URL | |
| DOKCER_REGISTRY: tomjfrog.jfrog.io | |
| # Virtual repository for the Docker image build and deploy operations | |
| DOCKER_VIRTUAL: evdemo-docker-virtual | |
| # Local Docker repository member of the virtual repository. Required for Evidence attachment | |
| DOCKER_LOCAL: evdemo-docker-local | |
| # Name of the generic repo for the README file | |
| GENERIC_LOCAL: evdemo-generic-local | |
| # GENERIC_QA_LOCAL: evdemo-generic-local | |
| # Name of the signing key residing in the JFrog Artifactory | |
| PRIVATE_KEY_NAME: ${{ secrets.PRIVATE_KEY_NAME }} | |
| # Name of the Docker Metadata file | |
| DOCKER_METADATA: build-metadata | |
| # Name of the Build | |
| BUILD_NAME: evdemo-basic-build | |
| # name of the Release bundle | |
| BUNDLE_NAME: evdemo-basic-bundle | |
| # Public Key Alias Name of the "Public Key" uploaded to the JFrog Platform under "Keys Management" | |
| # Used to verify the signature on attached evidence | |
| KEY_ALIAS: evidence-key | |
| # Project Name | |
| JF_PROJECT: evdemo | |
| # Sonar Cloud Token | |
| # SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
| # # Sonar Cloud Organization | |
| # SONAR_ORGANIZATION: tomjfrog | |
| # # Sonar Cloud Project Key | |
| # SONAR_PROJECT_KEY: tomjfrog_Evidence-Examples | |
| # # SonarQube Scan Result File Name | |
| # SONAR_RESULT_FILE: sonar-results.json | |
| jobs: | |
| Docker-Build-With-Evidence: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Install jfrog cli | |
| uses: jfrog/setup-jfrog-cli@v4 | |
| id: cli | |
| env: | |
| JF_URL: https://tomjfrog.jfrog.io | |
| JF_PROJECT: evdemo | |
| with: | |
| oidc-provider-name: github-oidc-integration | |
| oidc-audience: jfrog-github | |
| disable-auto-build-publish: true | |
| - uses: actions/checkout@v4 | |
| - name: Log in to Artifactory Docker Registry | |
| id: docker-login | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ env.DOCKER_REGISTRY }} | |
| username: ${{ steps.cli.outputs.oidc-user }} | |
| password: ${{ steps.cli.outputs.oidc-token }} | |
| - name: Set up QEMU | |
| id: setup-qemu | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Set up Docker Buildx | |
| id: setup-buildx | |
| uses: docker/setup-buildx-action@v3 | |
| with: | |
| platforms: linux/amd64,linux/arm64 | |
| install: true | |
| - name: Setup Signing Key | |
| id: setup-signing-key | |
| run: | | |
| echo "${{ secrets.PRIVATE_KEY_EXPORT }}" > "${{ secrets.PRIVATE_KEY_NAME }}" | |
| chmod 600 ${{ secrets.PRIVATE_KEY_NAME }} | |
| openssl rsa -in ${{ secrets.PRIVATE_KEY_NAME }} -check | |
| - name: Build Docker image | |
| id: build-docker-image | |
| run: | | |
| URL=$(echo ${{ env.ARTIFACTORY_URL }} | sed 's|^https://||') | |
| REPO_URL=${URL}'/${{ env.DOCKER_VIRTUAL}}' | |
| docker build \ | |
| --build-arg REPO_URL=${REPO_URL} -f Dockerfile . \ | |
| --tag ${REPO_URL}/example-project-image:${{ github.run_number }} \ | |
| --output=type=image \ | |
| --platform linux/amd64 \ | |
| --metadata-file=build-metadata \ | |
| --push | |
| - name: Create Build Info from Docker Build Metadata | |
| id: create-build-info | |
| run: | | |
| jf rt build-docker-create ${{ env.DOCKER_VIRTUAL}} \ | |
| --image-file build-metadata \ | |
| --build-name ${{ env.BUILD_NAME }} \ | |
| --build-number ${{ github.run_number }} | |
| - name: Evidence on docker | |
| id: evidence-on-docker | |
| run: | | |
| echo '{ "actor": "${{ github.actor }}", "date": "'$(date -u +"%Y-%m-%dT%H:%M:%SZ")'" }' > sign.json | |
| jf evd create \ | |
| --package-name example-project-image \ | |
| --package-version ${{ github.run_number }} \ | |
| --package-repo-name ${{ env.DOCKER_VIRTUAL}} \ | |
| --key "${{ secrets.PRIVATE_KEY_NAME }}" \ | |
| --predicate ./sign.json \ | |
| --predicate-type https://jfrog.com/evidence/signature/v1 | |
| echo '🔎 Evidence attached: `signature` 🔏 ' | |
| - name: Upload Readme File | |
| id: upload-readme | |
| run: | | |
| jf rt upload ./README.md evdemo-generic-local/readme/${{ github.run_number }}/ \ | |
| --build-name ${{ env.BUILD_NAME }} \ | |
| --build-number ${{ github.run_number }} | |
| jf evd create \ | |
| --subject-repo-path evdemo-generic-local/readme/${{ github.run_number }}/README.md \ | |
| --key "${{ secrets.PRIVATE_KEY_NAME }}" \ | |
| --predicate ./sign.json \ | |
| --predicate-type https://jfrog.com/evidence/signature/v1 | |
| - name: Collecting Information from Git | |
| run: jf rt build-add-git ${{ env.BUILD_NAME }} ${{ github.run_number }} | |
| - name: Collecting Environment Variables | |
| run: jf rt build-collect-env ${{ env.BUILD_NAME }} ${{ github.run_number }} | |
| - name: Publish build info | |
| run: jfrog rt build-publish ${{ env.BUILD_NAME }} ${{ github.run_number }} | |
| - name: Publish build info | |
| id: publish-build-info | |
| run: | | |
| jfrog rt build-publish ${{ env.BUILD_NAME }} ${{ github.run_number }} | |
| - name: Sign Build Evidence | |
| id: sign-build-evidence | |
| run: | | |
| echo '{ "actor": "${{ github.actor }}", "date": "'$(date -u +"%Y-%m-%dT%H:%M:%SZ")'" }' > sign.json | |
| jf evd create \ | |
| --build-name ${{ env.BUILD_NAME }} \ | |
| --build-number ${{ github.run_number }} \ | |
| --predicate ./sign.json \ | |
| --predicate-type https://jfrog.com/evidence/build-signature/v1 \ | |
| --key "${{ secrets.PRIVATE_KEY_NAME }}" | |
| echo '🔎 Evidence attached: `build-signature` 🔏 ' >> $GITHUB_STEP_SUMMARY | |
| - name: Create release bundle | |
| id: create-release-bundle | |
| run: | | |
| echo '{ "files": [ {"build": "'"${{ env.BUILD_NAME }}/${{ github.run_number }}"'" } ] }' > bundle-spec.json | |
| jf release-bundle-create ${{ env.BUNDLE_NAME }} ${{ github.run_number }} \ | |
| --signing-key "${{ secrets.GPG_KEY_NAME }}" \ | |
| --spec bundle-spec.json \ | |
| --sync=true | |
| NAME_LINK=${{ env.ARTIFACTORY_URL }}'/ui/artifactory/lifecycle/?bundleName='${{ env.BUNDLE_NAME }}'&bundleToFlash='${{ env.BUNDLE_NAME }}'&repositoryKey=example-project-release-bundles-v2&activeKanbanTab=promotion' | |
| VER_LINK=${{ env.ARTIFACTORY_URL }}'/ui/artifactory/lifecycle/?bundleName='${{ env.BUNDLE_NAME }}'&bundleToFlash='${{ env.BUNDLE_NAME }}'&releaseBundleVersion='${{ github.run_number }}'&repositoryKey=example-project-release-bundles-v2&activeVersionTab=Version%20Timeline&activeKanbanTab=promotion' | |
| echo '📦 Release bundle ['${{ env.BUNDLE_NAME }}']('${NAME_LINK}'):['${{ github.run_number }}']('${VER_LINK}') created' >> $GITHUB_STEP_SUMMARY | |
| - name: Evidence on release-bundle v2 | |
| id: create-release-bundle-evidence | |
| run: | | |
| echo '{ "actor": "${{ github.actor }}", "date": "'$(date -u +"%Y-%m-%dT%H:%M:%SZ")'" }' > rbv2_evidence.json | |
| JF_LINK=${{ env.ARTIFACTORY_URL }}'/ui/artifactory/lifecycle/?bundleName='${{ env.BUNDLE_NAME }}'&bundleToFlash='${{ env.BUNDLE_NAME }}'&releaseBundleVersion='${{ github.run_number }}'&repositoryKey=release-bundles-v2&activeVersionTab=Version%20Timeline&activeKanbanTab=promotion' | |
| echo 'Test on Release bundle ['${{ env.BUNDLE_NAME }}':'${{ github.run_number }}']('${JF_LINK}') success' >> $GITHUB_STEP_SUMMARY | |
| jf evd create \ | |
| --release-bundle ${{ env.BUNDLE_NAME }} \ | |
| --release-bundle-version ${{ github.run_number }} \ | |
| --predicate ./rbv2_evidence.json \ | |
| --predicate-type https://jfrog.com/evidence/testing-results/v1 \ | |
| --key "${{ secrets.PRIVATE_KEY_NAME }}" | |
| echo '🔎 Evidence attached: integration-test 🧪 ' >> $GITHUB_STEP_SUMMARY |