Fix attestation

Switch to new Docker driver
Fix auto Docker tag creation
2024-07-13 11:48:27 +01:00 · 2024-07-13 11:39:59 +01:00 · 2024-07-13 11:36:49 +01:00 · 2024-07-13 11:33:09 +01:00 · 2024-07-13 11:29:24 +01:00 · 2024-07-13 11:22:33 +01:00
5 changed files with 125 additions and 20 deletions
--- a/.github/renovate.json
+++ b/.github/renovate.json
@ -5,7 +5,7 @@
    ":semanticCommitTypeAll(fix)"
  ],
  "baseBranches": [
-    "next"
+    "main"
  ],
  "platformCommit": true,
  "dependencyDashboardAutoclose": true,
--- a/.github/workflows-old/release.yml
+++ b/.github/workflows-old/release.yml
@ -3,6 +3,10 @@ on:
  push:
    branches: [main]

+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
 jobs:
  release:
    name: Release
@ -29,29 +33,32 @@ jobs:
    name: GitHub Container Registry
    runs-on: ubuntu-latest
    needs: release
+    permissions:
+      contents: read
+      packages: write
    steps:
      - uses: actions/checkout@v4
      - name: Login to GitHub Container Registry
-        run: echo ${{ secrets.GHCR_ACCESS_TOKEN }} | docker login ghcr.io -u luketainton --password-stdin
+        run: echo ${{ secrets.GITHUB_TOKEN }} | docker login ${{ env.REGISTRY }} -u ${{ github.actor }} --password-stdin
      - name: Build image for GitHub Package Registry
        run: |
          docker build . --file Dockerfile \
          --build-arg "version=${{ needs.release.outputs.new_tag }}" \
-          --tag ghcr.io/luketainton/roboluke-tasks:${{ needs.release.outputs.new_tag }} \
-          --tag ghcr.io/luketainton/roboluke-tasks:latest
+          --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.release.outputs.new_tag }} \
+          --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
      - name: Push image to GitHub Package Registry
        run: |
-          docker push ghcr.io/luketainton/roboluke-tasks:latest
-          docker push ghcr.io/luketainton/roboluke-tasks:${{ needs.release.outputs.new_tag }}
+          docker push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
+          docker push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.release.outputs.new_tag }}

-  deploy:
-    name: Update Portainer Deployment
-    runs-on: ubuntu-latest
-    needs: publish
-    steps:
-      - uses: fjogeleit/http-request-action@v1
-        with:
-          url: ${{ secrets.PORTAINER_WEBHOOK_URL }}
-          method: POST
-          timeout: 60000
-          preventFailureOnNoResponse: "true"
+  # deploy:
+  #   name: Update Portainer Deployment
+  #   runs-on: ubuntu-latest
+  #   needs: publish
+  #   steps:
+  #     - uses: fjogeleit/http-request-action@v1
+  #       with:
+  #         url: ${{ secrets.PORTAINER_WEBHOOK_URL }}
+  #         method: POST
+  #         timeout: 60000
+  #         preventFailureOnNoResponse: "true"
--- a/.github/workflows/create_release.yml
+++ b/.github/workflows/create_release.yml
@ -0,0 +1,36 @@
+name: Create Release
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 9 * * *"
+
+jobs:
+  create_release:
+    name: Create Release
+    runs-on: ubuntu-latest
+    outputs:
+      new_tag: ${{ steps.tag_version.outputs.new_tag }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Bump version and push tag
+        id: tag_version
+        uses: mathieudutour/github-tag-action@v6.2
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          default_bump: minor
+
+      - name: Create a GitHub release
+        uses: ncipollo/release-action@v1
+        with:
+          tag: ${{ steps.tag_version.outputs.new_tag }}
+          name: ${{ steps.tag_version.outputs.new_tag }}
+          body: ${{ steps.tag_version.outputs.changelog }}
+          generateReleaseNotes: true
+
+  create_docker:
+    name: Create Docker Image
+    needs: create_release
+    uses: luketainton/roboluke-tasks/.github/workflows/docker_publish.yml@main
+    with:
+      release: ${{ needs.create_release.outputs.new_tag }}
--- a/.github/workflows/docker_publish.yml
+++ b/.github/workflows/docker_publish.yml
@ -0,0 +1,61 @@
+name: Publish Docker Image
+
+on:
+  workflow_call:
+    inputs:
+      release:
+        required: true
+        type: string
+
+jobs:
+  publish:
+    name: Publish Docker image
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+      contents: read
+      attestations: write
+      id-token: write
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.release }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
+        with:
+          images: |
+            ghcr.io/${{ github.repository }}
+          tags: |
+            type=semver,pattern=v{{version}},value=${{ inputs.release }}
+
+      - name: Build and push Docker image
+        id: push
+        uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671
+        with:
+          context: .
+          push: true
+          # provenance: mode=max
+          labels: ${{ steps.meta.outputs.labels }}
+          tags: |
+            ghcr.io/${{ github.repository }}:latest
+            ghcr.io/${{ github.repository }}:${{ inputs.release }}
+
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-name: ghcr.io/${{ github.repository }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
--- a/requirements.txt
+++ b/requirements.txt
@ -1,5 +1,5 @@
 appdirs==1.4.4
-astroid==3.2.2
+astroid==3.2.3
 attrs==23.2.0
 autopep8==2.3.1
 backoff==2.2.1
@ -33,11 +33,11 @@ python-dotenv==1.0.1
 PyYAML==6.0.1
 requests==2.32.3
 requests-toolbelt==1.0.0
-sentry-sdk==2.7.1
+sentry-sdk==2.9.0
 six==1.16.0
 toml==0.10.2
 tomli==2.0.1
-tomlkit==0.12.5
+tomlkit==0.13.0
 urllib3==2.2.2
 virtualenv==20.26.3
 webex-bot==0.5.1
@ -45,3 +45,4 @@ webexteamssdk==1.6.1
 websockets==11.0.3
 wrapt==1.16.0
 xmltodict==0.13.0
+zipp>=3.19.1 # not directly required, pinned by Snyk to avoid a vulnerability
Author	SHA1	Message	Date
Luke Tainton	50d8f81c63	Fix attestation	2024-07-13 11:48:27 +01:00
Luke Tainton	6985f4dbe8	Switch to new Docker driver	2024-07-13 11:39:59 +01:00
Luke Tainton	a314379091	Fix auto Docker tag creation	2024-07-13 11:36:49 +01:00
Luke Tainton	6e4d78cfcd	Fix auto Docker tag creation	2024-07-13 11:33:09 +01:00
Luke Tainton	6832c03f8d	Fix auto Docker tag creation	2024-07-13 11:29:24 +01:00
Luke Tainton	2cf102db5d	Fix create_docker	2024-07-13 11:22:33 +01:00
Luke Tainton	cfdc7311d2	Fix create_docker	2024-07-13 11:21:37 +01:00
Luke Tainton	b22363a87f	Trigger Docker flow from Release flow	2024-07-13 11:18:27 +01:00
Luke Tainton	6674fccb6a	Fix Docker deployment	2024-07-13 11:10:21 +01:00
Luke Tainton	eb4f19ee3f	Fix Docker attestation	2024-07-13 11:05:56 +01:00
Luke Tainton	014085f693	Fix publish workflow	2024-07-13 11:02:18 +01:00
Luke Tainton	3f318d6d70	Migrate Renovate from next to main	2024-07-13 10:53:24 +01:00
Luke Tainton	43696f16e1	Revamp GH Actions to eliminate next->main	2024-07-13 10:47:21 +01:00
Luke Tainton	3cf66ab503	Update build/deploy	2024-07-13 10:37:39 +01:00
Luke Tainton	a808a51c6d	Disable auto-deploy	2024-07-13 10:35:02 +01:00
dependabot[bot]	4ff8f90225	chore(pip-prod)(deps): bump astroid from 3.2.2 to 3.2.3 Bumps [astroid](https://github.com/pylint-dev/astroid) from 3.2.2 to 3.2.3. - [Release notes](https://github.com/pylint-dev/astroid/releases) - [Changelog](https://github.com/pylint-dev/astroid/blob/main/ChangeLog) - [Commits](https://github.com/pylint-dev/astroid/compare/v3.2.2...v3.2.3) --- updated-dependencies: - dependency-name: astroid dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	2024-07-12 19:41:14 +01:00
dependabot[bot]	e8d8058278	chore(pip-prod)(deps): bump sentry-sdk from 2.7.1 to 2.9.0 Bumps [sentry-sdk](https://github.com/getsentry/sentry-python) from 2.7.1 to 2.9.0. - [Release notes](https://github.com/getsentry/sentry-python/releases) - [Changelog](https://github.com/getsentry/sentry-python/blob/master/CHANGELOG.md) - [Commits](https://github.com/getsentry/sentry-python/compare/2.7.1...2.9.0) --- updated-dependencies: - dependency-name: sentry-sdk dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2024-07-12 19:37:51 +01:00
snyk-bot	9714080a5d	fix: requirements.txt to reduce vulnerabilities The following vulnerabilities are fixed by pinning transitive dependencies: - https://snyk.io/vuln/SNYK-PYTHON-ZIPP-7430899	2024-07-12 19:32:19 +01:00
dependabot[bot]	0e70b9c959	chore(pip-prod)(deps): bump tomlkit from 0.12.5 to 0.13.0 Bumps [tomlkit](https://github.com/sdispater/tomlkit) from 0.12.5 to 0.13.0. - [Release notes](https://github.com/sdispater/tomlkit/releases) - [Changelog](https://github.com/python-poetry/tomlkit/blob/master/CHANGELOG.md) - [Commits](https://github.com/sdispater/tomlkit/compare/0.12.5...0.13.0) --- updated-dependencies: - dependency-name: tomlkit dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2024-07-11 07:18:48 +01:00