Build and sign #785

Workflow file for this run

	name: Build and sign
	on:
	schedule:
	- cron: "0 14 * * *"
	workflow_dispatch:

	jobs:
	build-and-sign:
	name: "Build and sign kubectl"
	runs-on: ubuntu-latest
	permissions:
	packages: write
	id-token: write
	steps:
	- name: Find latest kubectl version
	run: \|
	KUBECTL_VER="$(curl https://storage.googleapis.com/kubernetes-release/release/stable-1.30.txt)"
	echo "kubectl_ver=${KUBECTL_VER}" >> $GITHUB_ENV
	- run: echo "kubectl binary is at version ${{ env.kubectl_ver }}"
	- name: Stop if ${{ github.repository_owner }}/kubectl:${{ env.kubectl_ver }} in repo already
	id: check-in-repo
	run: \|
	# fake no-op token, image is public
	TOKEN=$(curl https://ghcr.io/token\?scope\="repository:${{ github.repository_owner }}/kubectl:pull" \| jq .token \| tr -d \")
	if curl -H "Authorization: Bearer $TOKEN" https://ghcr.io/v2/${{ github.repository_owner }}/kubectl/tags/list \
	\| grep \"${{ env.kubectl_ver }}\";
	then
	echo "${{ github.repository_owner }}/kubectl:${{ env.kubectl_ver }} is in repo already"
	echo "image-exists=true" >> $GITHUB_ENV
	fi
	- uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
	if: env.image-exists != 'true'
	- name: Checkout code
	if: env.image-exists != 'true'
	uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
	- name: Download and verify kubectl
	if: env.image-exists != 'true'
	run: ./download-kubectl.sh ${{ env.kubectl_ver }}
	- name: Set up QEMU
	if: env.image-exists != 'true'
	uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
	with:
	platforms: "arm64"
	- name: Set up Docker Buildx
	if: env.image-exists != 'true'
	uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
	- name: Login to GitHub Container Registry
	if: env.image-exists != 'true'
	uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
	with:
	registry: ghcr.io
	username: ${{ github.repository_owner }}
	password: ${{ secrets.GITHUB_TOKEN }}
	- name: Build and push tagged container image
	id: build-image
	if: env.image-exists != 'true'
	uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
	with:
	context: .
	platforms: linux/amd64, linux/arm64
	push: true
	tags: \|
	ghcr.io/${{ github.repository_owner }}/kubectl:${{ env.kubectl_ver }}
	- name: Sign the image
	if: env.image-exists != 'true'
	run: \|
	cosign sign --yes \
	ghcr.io/${{ github.repository_owner }}/kubectl@${{ steps.build-image.outputs.digest }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Build and sign #785

Workflow file

Build and sign #785

Jobs

Run details

Workflow file for this run