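---
# Publishes the tomei CUE module to ghcr.io as an OCI artifact and signs it
# with cosign keyless signing (GitHub Actions OIDC -> Fulcio -> Rekor).
#
# Trigger semantics (enforced by the `if:` guard on each step):
#   - push of a `tomei-cue-v*` tag: dry run only. The version is determined
#     and the module validated; nothing is pushed or signed.
#   - workflow_dispatch: the real publish. The run is expected to be
#     dispatched on the release tag; `verify-tag` checks that a git tag for
#     the resolved version exists before anything is pushed.
name: Publish CUE Module

on:
  push:
    tags:
      - "tomei-cue-v*"
  workflow_dispatch:

# Least privilege: read-only repo token plus exactly what publish and sign
# need. There is a single job, so workflow-level scope equals job scope.
permissions:
  contents: read
  packages: write   # push the module to ghcr.io
  id-token: write   # mint the OIDC token cosign exchanges at Fulcio

jobs:
  publish:
    name: Publish Module
    runs-on: ubuntu-latest
    env:
      # Shared by the sign and verify steps so both address the same artifact.
      MODULE_REF: ghcr.io/terassyi/tomei.terassyi.net
    steps:
      # NOTE(review): the third-party actions below are pinned to mutable
      # tags. For a workflow that holds `packages: write` and `id-token: write`,
      # pin each `uses:` to a full commit SHA (`@<sha>  # vX.Y.Z`) so a moved
      # tag cannot change what runs with those privileges.
      - uses: actions/checkout@v6

      - name: Determine version
        id: version
        uses: ./.github/actions/determine-version
        with:
          tag-prefix: "tomei-cue-"

      # Only the manual publish path needs this check; the push path is
      # triggered by the tag itself.
      - name: Verify git tag exists
        if: github.event_name == 'workflow_dispatch'
        uses: ./.github/actions/verify-tag
        with:
          version: ${{ steps.version.outputs.version }}
          tag-prefix: "tomei-cue-"

      - name: Validate CUE module
        uses: ./.github/actions/cue-validate

      - name: Log in to ghcr.io
        if: github.event_name == 'workflow_dispatch'
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Publish module
        if: github.event_name == 'workflow_dispatch'
        working-directory: cuemodule
        shell: bash
        env:
          CUE_REGISTRY: tomei.terassyi.net=ghcr.io/terassyi
          # Passed through the environment instead of being interpolated into
          # the script: `${{ }}` is substituted before bash runs, so a value
          # containing shell metacharacters would be executed, not quoted.
          VERSION: ${{ steps.version.outputs.version }}
        run: |
          echo "Publishing tomei.terassyi.net@v0 version ${VERSION}"
          cue mod publish "${VERSION}"

      - name: Install cosign
        if: github.event_name == 'workflow_dispatch'
        uses: sigstore/cosign-installer@v4.0.0
        with:
          cosign-release: 'v2.4.1'

      - name: Install crane
        if: github.event_name == 'workflow_dispatch'
        uses: imjasonh/setup-crane@v0.5

      - name: Sign published module
        id: sign
        if: github.event_name == 'workflow_dispatch'
        shell: bash
        env:
          VERSION: ${{ steps.version.outputs.version }}
        run: |
          # Keyless signing: GitHub OIDC token -> Fulcio certificate -> Rekor.
          # Resolve the tag to a digest exactly once and sign that, so a tag
          # re-pointed between publish and sign cannot swap the artifact. The
          # digest is exported so the verify step checks the same bytes.
          DIGEST=$(crane digest "${MODULE_REF}:${VERSION}")
          echo "Signing ${MODULE_REF}@${DIGEST}"
          cosign sign --yes "${MODULE_REF}@${DIGEST}"
          echo "digest=${DIGEST}" >> "$GITHUB_OUTPUT"

      - name: Verify signature
        if: github.event_name == 'workflow_dispatch'
        shell: bash
        env:
          DIGEST: ${{ steps.sign.outputs.digest }}
        run: |
          # Verify the digest that was just signed, not the tag, and require
          # the exact certificate identity of this workflow run
          # (https://github.com/<owner>/<repo>/<workflow path>@<ref>, which is
          # what Fulcio puts in the SAN for GitHub Actions). Consumers should
          # pin the same identity, with the ref narrowed to refs/tags/*.
          #
          # The output is captured first so that a verification failure is
          # not masked by `head` exiting 0 (the default `run` shell has no
          # pipefail) and so a long output cannot SIGPIPE cosign.
          OUTPUT=$(cosign verify \
            --certificate-identity "https://github.com/${GITHUB_WORKFLOW_REF}" \
            --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
            "${MODULE_REF}@${DIGEST}")
          printf '%s\n' "${OUTPUT}" | head -5

      - name: Dry run summary
        if: github.event_name == 'push'
        env:
          VERSION: ${{ steps.version.outputs.version }}
        run: echo "Dry run complete. Validated version ${VERSION}"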