github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-08-19 16:38:00 +00:00
Code Issues Projects Releases Wiki Activity

ci: add arm64 attestation

Browse Source 
Do the very same thing that we do on amd64 and add attestation

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
This commit is contained in:
Zvonko Kaiser 2025-01-29 18:50:02 +00:00
parent 9a7dff9c40
commit 45bd451fa0
1 changed files with 35 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
.github/workflows/build-kata-static-tarball-arm64.yaml vendored
View File

@ -24,6 +24,11 @@ on:
jobs: jobs:
build-asset: build-asset:
runs-on: ubuntu-22.04-arm runs-on: ubuntu-22.04-arm
permissions:
contents: read
packages: write
id-token: write
attestations: write
strategy: strategy:
matrix: matrix:
asset: asset:
@ -38,6 +43,8 @@ jobs:
- qemu - qemu
- stratovirt - stratovirt
- virtiofsd - virtiofsd
env:
PERFORM_ATTESTATION: ${{ matrix.asset == 'agent' && inputs.push-to-registry == 'yes' && 'yes' || 'no' }}
steps: steps:
- name: Login to Kata Containers quay.io - name: Login to Kata Containers quay.io
if: ${{ inputs.push-to-registry == 'yes' }} if: ${{ inputs.push-to-registry == 'yes' }}
@ -74,6 +81,34 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }} TARGET_BRANCH: ${{ inputs.target-branch }}
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }} RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
- name: Parse OCI image name and digest
id: parse-oci-segments
if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
run: |
oci_image="$(<"build/${{ matrix.asset }}-oci-image")"
echo "oci-name=${oci_image%@*}" >> "$GITHUB_OUTPUT"
echo "oci-digest=${oci_image#*@}" >> "$GITHUB_OUTPUT"
- uses: oras-project/setup-oras@v1
if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
with:
version: "1.2.0"
# for pushing attestations to the registry
- uses: docker/login-action@v3
if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- uses: actions/attest-build-provenance@v1
if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
with:
subject-name: ${{ steps.parse-oci-segments.outputs.oci-name }}
subject-digest: ${{ steps.parse-oci-segments.outputs.oci-digest }}
push-to-registry: true
- name: store-artifact ${{ matrix.asset }} - name: store-artifact ${{ matrix.asset }}
uses: actions/upload-artifact@v4 uses: actions/upload-artifact@v4
with: with: