From 7b0df07e578d2f554af95d0b66a9da37ec73c578 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fernando=20Fern=C3=A1ndez?= Date: Thu, 19 Dec 2024 16:45:58 +0000 Subject: [PATCH] ci: generate provenance attestation from artifacts instead of files Reference: https://github.com/actions/attest-build-provenance/issues/290 --- .github/workflows/__package.yml | 46 +++++++++++++++++++++------------ 1 file changed, 30 insertions(+), 16 deletions(-) diff --git a/.github/workflows/__package.yml b/.github/workflows/__package.yml index c318a922f30..2578211e7b0 100644 --- a/.github/workflows/__package.yml +++ b/.github/workflows/__package.yml @@ -48,6 +48,7 @@ jobs: env: WORKING_DIR: packaging/tauri + ARTIFACT_NAME: ${{ format('jellyfin-vue_{0}', runner.os) }} ARTIFACTS_PATH: ${{ format('target/release/{0}', matrix.platform == 'windows' && 'jellyfin-vue-tauri.exe' || format('bundle/*/*.{0}', matrix.platform == 'macos' && 'dmg' || 'AppImage')) @@ -86,19 +87,21 @@ jobs: - name: Build application πŸ› οΈ run: npm run build - - name: Create provenance attestation πŸ” - uses: actions/attest-build-provenance@v2.1.0 - continue-on-error: true - with: - subject-path: ${{ env.WORKING_DIR }}/${{ env.ARTIFACTS_PATH }} - - name: Upload built application artifact β¬†οΈπŸ§πŸŽπŸͺŸ uses: actions/upload-artifact@v4.5.0 + id: artifact with: compression-level: 0 - name: jellyfin-vue_${{ runner.os }} + name: ${{ env.ARTIFACT_NAME }} path: ${{ env.WORKING_DIR }}/${{ env.ARTIFACTS_PATH }} + - name: Create provenance attestation πŸ” + uses: actions/attest-build-provenance@v2.1.0 + continue-on-error: true + with: + subject-name: ${{ env.ARTIFACT_NAME }} + subject-digest: sha256:${{ steps.artifact.outputs.artifact-digest }} + docker_inputs: name: Prepare Docker build variables 🏷️🐳 runs-on: ubuntu-latest 
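Review bot: With the attestation step now placed after `Upload built application artifact` and `continue-on-error: true` kept on it, a failed attestation has no visible effect at all: the artifact is already uploaded, the step's failure is swallowed, and the job finishes green with an unattested bundle. The new ordering is forced by `steps.artifact.outputs.artifact-digest`, so the flag is the only thing deciding whether missing provenance is noticed; with the old ordering dropping the flag would have blocked the upload, now it can at most fail the job after the fact. Consider removing `continue-on-error: true` so a run without provenance fails, or, if best-effort is intentional, say so above the step: `# Best-effort: the artifact is already uploaded, so a failed attestation only loses provenance, it does not fail the build`. The same applies to the attestation steps in the hunks at -205 and -243.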
@@ -171,6 +174,9 @@ jobs: matrix: platform: ${{ fromJson(inputs.architectures) }} + env: + ARTIFACT_NAME: ${{ format('docker_image-linux_{0}', matrix.platform) }} + steps: - name: Checkout ⬇️ uses: actions/checkout@v4.2.2 @@ -205,16 +211,18 @@ jobs: - name: Upload Docker image as artifact β¬†οΈπŸ“¦ uses: actions/upload-artifact@v4.5.0 + id: artifact with: compression-level: 0 - name: docker_image-linux_${{ matrix.platform }} + name: ${{ env.ARTIFACT_NAME }} path: docker_image.tar - name: Create provenance attestation πŸ” uses: actions/attest-build-provenance@v2.1.0 continue-on-error: true with: - subject-path: docker_image.tar + subject-name: ${{ env.ARTIFACT_NAME }} + subject-digest: sha256:${{ steps.artifact.outputs.artifact-digest }} - name: Upload cache artifact β¬†οΈβš™οΈ uses: actions/upload-artifact@v4.5.0 @@ -230,6 +238,9 @@ jobs: runs-on: ubuntu-latest needs: docker + env: + ARTIFACT_NAME: frontend + steps: - name: Download Docker image artifact πŸ“¦β¬‡οΈ uses: actions/download-artifact@v4.1.8 @@ -243,19 +254,21 @@ jobs: ASSETS=$(docker inspect $IMAGE_SHA --format='{{range .Config.Env}}{{println .}}{{end}}' | grep ^ASSETS= | cut -d '=' -f2-) docker cp $(docker create --name jf $IMAGE_SHA):$ASSETS/ ./dist - - name: Create provenance attestation πŸ” - uses: actions/attest-build-provenance@v2.1.0 - continue-on-error: true - with: - subject-path: dist - - name: Upload client artifact β¬†οΈπŸ’» uses: actions/upload-artifact@v4.5.0 + id: artifact with: compression-level: 0 - name: frontend + name: ${{ env.ARTIFACT_NAME }} path: dist + - name: Create provenance attestation πŸ” + uses: actions/attest-build-provenance@v2.1.0 + continue-on-error: true + with: + subject-name: ${{ env.ARTIFACT_NAME }} + subject-digest: sha256:${{ steps.artifact.outputs.artifact-digest }} + docker_merge: name: Merge Docker images πŸ’ΏπŸ³ runs-on: ubuntu-latest 
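Review bot: `subject-digest: sha256:${{ steps.artifact.outputs.artifact-digest }}` attests the digest that upload-artifact reports for the uploaded artifact, which as far as I can tell is the archive it builds around `docker_image.tar`, not the tar itself; anyone verifying the extracted `docker_image.tar` (or, in the hunk at -243, the files in `dist`) against this attestation would then get a mismatch. That is the intended consequence of the referenced issue, but nothing in the workflow records it, so a one-line comment on each `subject-digest` line would save the next maintainer from re-deriving it: `# digest of the uploaded artifact archive, not of the file(s) inside it; verify against the downloaded artifact`. It is also worth confirming once that `artifact-digest` is bare hex, since a value that already carries the `sha256:` prefix would be doubled here and the resulting failure would be hidden by `continue-on-error: true`.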
@@ -317,6 +330,7 @@ jobs: - name: Remove cache artifacts πŸ—‘οΈ uses: geekyeggo/delete-artifact@v5.1.0 + continue-on-error: true with: name: | buildx-*