* fixed test Signed-off-by: David Wertenteil <dwertent@armosec.io> * update cosign-release version Signed-off-by: David Wertenteil <dwertent@armosec.io> * fixed filepath related tests Signed-off-by: David Wertenteil <dwertent@armosec.io> * failed windows tests Signed-off-by: David Wertenteil <dwertent@armosec.io> * fixed cosign version Signed-off-by: David Wertenteil <dwertent@armosec.io> * update go version Signed-off-by: David Wertenteil <dwertent@armosec.io> * fixed test Signed-off-by: David Wertenteil <dwertent@armosec.io> * change actor Signed-off-by: David Wertenteil <dwertent@armosec.io> * Cosign use secret Signed-off-by: David Wertenteil <dwertent@armosec.io> * update cosign Signed-off-by: David Wertenteil <dwertent@armosec.io> * update cosign Signed-off-by: David Wertenteil <dwertent@armosec.io> --------- Signed-off-by: David Wertenteil <dwertent@armosec.io>
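---
name: d-publish-image

# Least privilege: only the scopes this reusable workflow actually needs.
# `id-token: write` is what cosign keyless signing uses to obtain a GitHub
# OIDC token; a blanket `read-all` does not grant it. The calling workflow
# has to grant at least these scopes too, since a called workflow can only
# narrow the caller's permissions, never widen them.
permissions:
  contents: read
  id-token: write

on:
  workflow_call:
    inputs:
      client:
        description: 'client name'
        required: true
        type: string
      image_tag:
        description: 'image tag'
        required: true
        type: string
      image_name:
        description: 'image registry and name'
        required: true
        type: string
      cosign:
        required: false
        default: false
        type: boolean
        description: 'run cosign on released image'
      # NOTE(review): no step below reads this input; the build step always
      # targets linux/amd64,linux/arm64. Kept for caller compatibility.
      support_platforms:
        required: false
        default: true
        type: boolean
        description: 'support amd64/arm64'

jobs:
  # Gate the whole publish on the registry credentials being configured,
  # so a fork or misconfigured repo fails early instead of at `docker login`.
  check-secret:
    name: check if QUAYIO_REGISTRY_USERNAME & QUAYIO_REGISTRY_PASSWORD is set in github secrets
    runs-on: ubuntu-latest
    outputs:
      is-secret-set: ${{ steps.check-secret-set.outputs.is-secret-set }}
    steps:
      - name: check if QUAYIO_REGISTRY_USERNAME & QUAYIO_REGISTRY_PASSWORD is set in github secrets
        id: check-secret-set
        env:
          QUAYIO_REGISTRY_USERNAME: ${{ secrets.QUAYIO_REGISTRY_USERNAME }}
          QUAYIO_REGISTRY_PASSWORD: ${{ secrets.QUAYIO_REGISTRY_PASSWORD }}
        # The `${{ }}` expression is evaluated by GitHub before the shell runs,
        # so only the literal `true`/`false` reaches the script.
        run: |
          echo "is-secret-set=${{ env.QUAYIO_REGISTRY_USERNAME != '' && env.QUAYIO_REGISTRY_PASSWORD != '' }}" >> "$GITHUB_OUTPUT"

  build-cli-image:
    needs: [check-secret]
    if: needs.check-secret.outputs.is-secret-set == 'true'
    name: Build image and upload to registry
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # ratchet:actions/checkout@v3
        with:
          submodules: recursive

      - name: Set up QEMU
        uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # ratchet:docker/setup-qemu-action@v2

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@f03ac48505955848960e80bbb68046aa35c7b9e7 # ratchet:docker/setup-buildx-action@v2

      - name: Login to Quay.io
        env:
          QUAY_PASSWORD: ${{ secrets.QUAYIO_REGISTRY_PASSWORD }}
          QUAY_USERNAME: ${{ secrets.QUAYIO_REGISTRY_USERNAME }}
        # Feed the password on stdin rather than `-p=`: a command-line password
        # is visible in process listings and docker itself warns about it.
        run: printf '%s' "${QUAY_PASSWORD}" | docker login -u "${QUAY_USERNAME}" --password-stdin quay.io

      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # ratchet:actions/download-artifact@v3.0.2
        id: download-artifact
        with:
          path: .

      # The Dockerfile expects the per-arch binaries at the repo root under
      # these names; the artifact layout nests them one directory down.
      - name: mv kubescape amd64 binary
        run: mv kubescape-ubuntu-latest/kubescape-ubuntu-latest kubescape-amd64-ubuntu-latest

      - name: mv kubescape arm64 binary
        run: mv kubescape-ubuntu-latest/kubescape-arm64-ubuntu-latest kubescape-arm64-ubuntu-latest

      - name: chmod +x
        run: chmod +x -v kubescape-a*

      - name: Build and push images
        # Workflow inputs go through env vars and are quoted, instead of being
        # interpolated with `${{ }}` into the script body, so a value containing
        # shell metacharacters cannot change the command that runs.
        env:
          IMAGE_NAME: ${{ inputs.image_name }}
          IMAGE_TAG: ${{ inputs.image_tag }}
          CLIENT: ${{ inputs.client }}
        run: |
          docker buildx build . \
            --file build/kubescape-cli.Dockerfile \
            --tag "${IMAGE_NAME}:${IMAGE_TAG}" \
            --tag "${IMAGE_NAME}:latest" \
            --build-arg "image_version=${IMAGE_TAG}" \
            --build-arg "client=${CLIENT}" \
            --push \
            --platform linux/amd64,linux/arm64

      - name: Install cosign
        if: ${{ inputs.cosign }}
        # TODO(review): pin this to a commit SHA with a `# ratchet:` comment like
        # every other action in this file. A floating ref means an upstream
        # change to the installer runs on this runner right before the signing
        # step, which has COSIGN_PRIVATE_KEY_V1 in its environment.
        uses: sigstore/cosign-installer@v3
        with:
          cosign-release: 'v2.2.2'

      - name: sign kubescape container image
        if: ${{ inputs.cosign }}
        env:
          COSIGN_EXPERIMENTAL: "true"
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY_V1 }}
          # cosign reads the key password from COSIGN_PASSWORD itself, so it
          # never has to be piped or placed on a command line.
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PRIVATE_KEY_V1_PASSWORD }}
          COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY_V1 }}
          IMAGE_REF: ${{ inputs.image_name }}:${{ inputs.image_tag }}
        run: |
          # The step runs under `bash -e`: a trailing `rm` is skipped when any
          # earlier command fails, leaving the private key on disk. Clean up on
          # every exit path instead, and create the file owner-readable only.
          trap 'rm -f cosign.key cosign.pub' EXIT
          umask 077

          # Sign the image with keyless mode (GitHub OIDC; needs id-token: write)
          cosign sign -y "${IMAGE_REF}"

          # Sign the image with key for verifier clients without keyless support
          # Put the key from environment variable to a file
          echo "$COSIGN_PRIVATE_KEY" > cosign.key
          cosign sign -y --key cosign.key "${IMAGE_REF}"

          # Verify the image
          echo "$COSIGN_PUBLIC_KEY" > cosign.pub
          cosign verify --key cosign.pub "${IMAGE_REF}"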