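# Builds the KeyService container image and uploads it through the
# repository-local build_micro_service_ko action. The cosign key material
# passed to that action depends on the branch being built (see last step).
name: Build and upload KeyService image

# Workflow-level environment, visible to every step of every job.
env:
  REGISTRY: ghcr.io

on:
  workflow_dispatch:
  push:
    branches:
      - main
      - "release/**"
    paths:
      - "keyservice/**"
      - "internal/**"
      # Don't build on version bumps to avoid infinite loops
      - "!internal/versions/versions.go"
      - ".github/workflows/build-keyservice-image.yml"

jobs:
  build-keyservice:
    runs-on: ubuntu-22.04
    # Least privilege for the job's GITHUB_TOKEN: read the repository and
    # write packages; every other scope is left unset.
    permissions:
      contents: read
      packages: write
    steps:
      - name: Check out repository
        id: checkout
        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c  # v3.3.0
        with:
          # This workflow has no pull_request trigger, so github.head_ref is
          # empty and the expression evaluates to '', i.e. checkout's default
          # ref. NOTE(review): looks carried over from PR-triggered workflows.
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
          # Do not leave the job token (packages: write) in .git/config for
          # the later steps. The build step gets its token explicitly through
          # githubToken. NOTE(review): confirm that the local action performs
          # no authenticated git operations.
          persist-credentials: false

      - name: Setup Go environment
        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568  # v3.5.0
        with:
          go-version: "1.20.1"

      - name: Set up ko
        uses: imjasonh/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa  # v0.6

      - name: Build and upload KeyService container image
        id: build-and-upload
        uses: ./.github/actions/build_micro_service_ko
        with:
          name: key-service
          koConfig: .ko.yaml
          koTarget: ./keyservice/cmd
          githubToken: ${{ secrets.GITHUB_TOKEN }}
          # Key selection depends on the ref name alone: refs under
          # refs/heads/release/v get the release cosign key, password and
          # public key, and every other ref (main included) gets the dev set.
          # workflow_dispatch can be started on any branch, so the integrity
          # of release signatures rests on who may create or push release/v*
          # branches. NOTE(review): confirm branch protection covers
          # release/**, and consider scoping the release secrets to a
          # protected environment.
          cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
          cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
          cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}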