-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathaction.yml
107 lines (107 loc) · 3.46 KB
/
action.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
name: "RC Docker Build"
description: "Build Docker for RedCarbon"
inputs:
docker-registry:
description: "Docker Registry"
required: true
docker-base-image-path:
description: "Docker Base Image Path"
required: true
docker-target:
description: "Docker Target"
required: true
docker-context:
description: "Docker Context Path"
required: true
default: "."
google-credentials:
description: "Google Credentials"
required: true
branch:
description: "Git Branch"
required: true
ts:
description: "Build Timestamp"
required: true
sha:
description: "Git SHA"
required: true
push:
type: boolean
description: "Push to registry"
required: false
default: false
build-args:
description: "List of build-time variables"
required: false
file:
description: "Path to the Dockerfile."
required: false
outputs:
digest:
description: "Docker Digest"
value: ${{ steps.docker_build.outputs.digest }}
runs:
using: "composite"
steps:
- name: Install Cosign
uses: sigstore/[email protected]
- name: Docker meta
id: docker_meta
uses: docker/metadata-action@v5
with:
images: |
${{ inputs.docker-registry }}/${{ inputs.docker-base-image-path }}/${{ github.repository }}/${{ inputs.docker-target }}
tags: |
type=sha
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=raw,value=${{ inputs.branch }}-${{ inputs.sha }}-${{ inputs.ts }}
- id: "auth"
name: "Authenticate to Google Cloud"
uses: "google-github-actions/auth@v2"
with:
credentials_json: "${{ inputs.google-credentials }}"
token_format: "access_token"
- name: Log in to the Container registry
uses: docker/login-action@v3
with:
registry: "${{ inputs.docker-registry }}"
username: "oauth2accesstoken"
password: "${{ steps.auth.outputs.access_token }}"
- name: Build and push
id: docker_build
uses: docker/build-push-action@v5
with:
push: ${{ inputs.push }}
network: host
tags: ${{ steps.docker_meta.outputs.tags }}
target: ${{ inputs.docker-target }}
context: ${{ inputs.docker-context }}
build-args: ${{ inputs.build-args }}
file: ${{ inputs.file }}
- name: Get Image Var
id: image-var
run: |
echo "image=${{ inputs.docker-registry }}/${{ inputs.docker-base-image-path }}/${{ github.repository }}/${{ inputs.docker-target }}@${{ steps.docker_build.outputs.digest }}" >> "$GITHUB_OUTPUT"
shell: bash
- name: Generate SBOM
id: sbom
uses: anchore/sbom-action@v0
with:
image: ${{ steps.image-var.outputs.image }}
artifact-name: sbom.spdx
output-file: ./sbom.spdx
- name: Sign image with a key
id: sign
run: |
images=""
for tag in ${TAGS}; do
images+="${tag}@${DIGEST} "
done
cosign sign --yes --key gcpkms://projects/redcarbon-bb8b2/locations/global/keyRings/sbom-slsa-keyring/cryptoKeys/sbom-slsa-key-feaf3d5 ${images} --tlog-upload=false
cosign attest --predicate sbom.spdx --key gcpkms://projects/redcarbon-bb8b2/locations/global/keyRings/sbom-slsa-keyring/cryptoKeys/sbom-slsa-key-feaf3d5 ${images} --tlog-upload=false
shell: bash
env:
TAGS: ${{ steps.docker_meta.outputs.tags }}
DIGEST: ${{ steps.docker_build.outputs.digest }}