Skip to content

chore(deps): Bump actions/dependency-review-action from 3.1.4 to 3.1.… #72

chore(deps): Bump actions/dependency-review-action from 3.1.4 to 3.1.…

chore(deps): Bump actions/dependency-review-action from 3.1.4 to 3.1.… #72

Workflow file for this run

name: pre-release
on:
push:
branches:
- main
permissions:
contents: write
packages: write
id-token: write
jobs:
pre-release:
runs-on: ubuntu-latest
timeout-minutes: 360
steps:
- uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
with:
tool-cache: true
android: true
dotnet: true
haskell: true
large-packages: true
docker-images: true
swap-storage: true
- name: Harden Runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
egress-policy: audit
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Install Cosign
uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3.3.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
- name: Login to GHCR
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
id: build-and-push
with:
push: true
tags: ghcr.io/sozercan/aikit:dev
cache-from: type=gha,scope=aikit
cache-to: type=gha,scope=aikit,mode=max
sbom: true
provenance: true
- name: Sign the images with GitHub OIDC Token
env:
DIGEST: ${{ steps.build-and-push.outputs.digest }}
run: cosign sign --yes "ghcr.io/sozercan/aikit@${DIGEST}"
- name: Verify image signature
env:
DIGEST: ${{ steps.build-and-push.outputs.digest }}
run: |
cosign verify ghcr.io/sozercan/aikit@${DIGEST} \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity https://github.com/sozercan/aikit/.github/workflows/pre-release.yaml@refs/heads/main