-
Notifications
You must be signed in to change notification settings - Fork 14
126 lines (111 loc) · 4.76 KB
/
confbatstest-build.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
name: Build confbatstest
on:
push:
paths:
- .github/workflows/confbatstest-build.yaml
- confbatstest/**
# Declare default permissions as read only.
permissions: read-all
jobs:
build-confbatstest:
permissions:
packages: write
env:
context: confbatstest
image_name: confbatstest
branch_name: ${{ github.head_ref || github.ref_name }}
ref_type: ${{ github.ref_type }}
owner: ${{ github.repository_owner }}
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- name: Get image tags
id: image_tags
uses: redhat-cop/github-actions/get-image-version@0c6e3b63690cfa917a0ddc162efdfda3da82d66c # v4.4
with:
IMAGE_CONTEXT_DIR: ${{ env.context }}
- uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0
with:
dockerfile: confbatstest/Dockerfile_build
ignore: DL3041 # https://github.com/hadolint/hadolint/wiki/DL3041
- name: Build image
id: build_image
uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2
with:
context: ${{ env.context }}
dockerfiles: |
./${{ env.context }}/Dockerfile_build
image: ${{ env.image_name }}
oci: true
tags: "${{ steps.image_tags.outputs.IMAGE_TAGS }}"
- name: Push to ghcr.io
if: ${{ env.ref_type == 'tag' || env.owner != 'redhat-cop' }} # Stops push running when bots create a PR, which fails due to token
uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2
id: push_image
with:
image: ${{ steps.build_image.outputs.image }}
registry: ghcr.io/${{ github.repository }}
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
tags: ${{ steps.build_image.outputs.tags }}
outputs:
image_repo: "ghcr.io/${{ github.repository }}/${{ steps.build_image.outputs.image }}"
image_digest: "${{ steps.push_image.outputs.digest }}"
image_uri: "ghcr.io/${{ github.repository }}/${{ steps.build_image.outputs.image }}@${{ steps.push_image.outputs.digest }}"
sign-confbatstest:
needs: [build-confbatstest]
permissions:
id-token: write
packages: write
if: ${{ github.ref_type == 'tag' || github.repository_owner != 'redhat-cop' }} # Stops push running when bots create a PR, which fails due to token
env:
image_uri: ${{ needs.build-confbatstest.outputs.image_uri }}
runs-on: ubuntu-latest
steps:
- name: Setup cosign
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3
- name: Cosign login
run: |
echo "${{ secrets.GITHUB_TOKEN }}" | cosign login --username ${{ github.repository_owner }} --password-stdin ghcr.io
- name: Sign Image
run: |
cosign sign --yes ${image_uri}
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0
env:
TRIVY_USERNAME: ${{ github.repository_owner }}
TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
with:
scan-type: image
image-ref: ${{ env.image_uri }}
format: "cosign-vuln"
output: "cosign-vuln.json"
- name: Run Trivy SBOM generator
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0
env:
TRIVY_USERNAME: ${{ github.repository_owner }}
TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
with:
scan-type: image
image-ref: ${{ env.image_uri }}
format: "spdx-json"
output: "spdx-json.json"
- name: Attach attestations
run: |
cosign attest --yes --type vuln --predicate cosign-vuln.json ${image_uri}
cosign attest --yes --type cyclonedx --predicate spdx-json.json ${image_uri}
provenance:
needs: [build-confbatstest,sign-confbatstest]
permissions:
actions: read # for detecting the Github Actions environment.
id-token: write # for creating OIDC tokens for signing.
packages: write # for uploading attestations.
if: ${{ github.ref_type == 'tag' || github.repository_owner != 'redhat-cop' }} # Stops push running when bots create a PR, which fails due to token
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] # v2.0.0
with:
image: ${{ needs.build-confbatstest.outputs.image_repo }}
digest: ${{ needs.build-confbatstest.outputs.image_digest }}
registry-username: ${{ github.repository_owner }}
secrets:
registry-password: ${{ secrets.GITHUB_TOKEN }}