This repository contains a Terraform module to facilitate building an image with ko on top of a verified base image and signing the supply chain metadata with ambient credentials (e.g. GitHub Actions workload identity).
Currently the following supply chain metadata is surfaced:
- The images are signed by the workload,
No requirements.
Name | Version |
---|---|
cosign | n/a |
ko | n/a |
No modules.
Name | Type |
---|---|
cosign_sign.signature | resource |
ko_build.this | resource |
cosign_verify.base | data source |
Name | Description | Type | Default | Required |
---|---|---|---|---|
base_image | The base image to build on top of. | string | `"cgr.dev/chainguard/static:latest-glibc"` | no |
base_image_policy | The policy to verify the base image with. | string | `"apiVersion: policy.sigstore.dev/v1beta1\nkind: ClusterImagePolicy\nmetadata:\n name: base-policy\nspec:\n images:\n - glob: \"**\"\n authorities:\n - keyless:\n url: https://fulcio.sigstore.dev\n identities:\n - issuer: https://token.actions.githubusercontent.com\n subject: https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main\n ctlog:\n url: https://rekor.sigstore.dev\n"` | no |
importpath | The go import path to ko build. | string | n/a | yes |
working_dir | The working directory to build from. | string | n/a | yes |
Name | Description |
---|---|
image_ref | n/a |
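
A sketch of calling the module with the inputs and output listed above. This is an added example, not code from this repository. It assumes the `ko` and `cosign` providers are already configured in the root module. The `source` path, `importpath` and `working_dir` values are placeholders. The YAML indentation of the policy is reconstructed from the flattened default using the `ClusterImagePolicy` schema.

```hcl
# Added example. The module source is a placeholder, not the real path.
module "image" {
  source = "./path/to/this-module" # placeholder

  # Constructed values: build the Go package at ./cmd/app,
  # relative to the directory holding this configuration.
  working_dir = path.module
  importpath  = "./cmd/app"

  # Base image to build on (the documented default, stated explicitly).
  base_image = "cgr.dev/chainguard/static:latest-glibc"

  # Policy the base image is verified against. Keyless verification:
  # the signing certificate must come from Fulcio, carry the GitHub
  # Actions OIDC issuer and the exact release workflow identity, and
  # the signature must be recorded in the Rekor transparency log.
  # Values are the documented default; indentation is reconstructed.
  base_image_policy = <<-EOT
    apiVersion: policy.sigstore.dev/v1beta1
    kind: ClusterImagePolicy
    metadata:
      name: base-policy
    spec:
      images:
        - glob: "**"
      authorities:
        - keyless:
            url: https://fulcio.sigstore.dev
            identities:
              - issuer: https://token.actions.githubusercontent.com
                subject: https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main
          ctlog:
            url: https://rekor.sigstore.dev
  EOT
}

# Reference of the built and signed image, for use by deployment
# resources or for verification after the apply.
output "image_ref" {
  value = module.image.image_ref
}
```

When overriding `base_image`, replace `base_image_policy` as well so that the `issuer` and `subject` match the identity that actually signs the new base image.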