github/wonderwall
1
0
Fork 0
mirror of https://github.com/nais/wonderwall.git synced 2026-05-06 16:36:51 +00:00
Code Issues Packages Projects Releases Wiki Activity

sign and attest

Browse Source
This commit is contained in:
J-K. Solbakken
2023-03-17 13:52:48 +01:00
parent 31961cf96f
commit 57f3fa0b7d
1 changed files with 26 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
.github/workflows/deploy.yml vendored
View File

@@ -1,19 +1,16 @@
name: Build wonderwall
on: [push]
env:
GOOGLE_REGISTRY: europe-north1-docker.pkg.dev/nais-io/nais/images
GITHUB_REGISTRY: ghcr.io
jobs:
test:
runs-on: ubuntu-20.04
steps:
- name: Checkout latest code
uses: actions/checkout@v3
uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # ratchet:actions/checkout@v3
- name: Set up Go
uses: actions/setup-go@v3
uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # ratchet:actions/setup-go@v3
with:
go-version: ">=1.20.2"
- name: Test Go
@@ -30,34 +27,34 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # ratchet:actions/checkout@v3
- id: "auth"
name: "Authenticate to Google Cloud"
uses: "google-github-actions/auth@v1"
uses: "google-github-actions/auth@ef5d53e30bbcd8d0836f4288f5e50ff3e086997d" # ratchet:google-github-actions/auth@v1
with:
workload_identity_provider: ${{ secrets.NAIS_IO_WORKLOAD_IDENTITY_PROVIDER }}
service_account: "gh-wonderwall@nais-io.iam.gserviceaccount.com"
token_format: "access_token"
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # ratchet:docker/setup-qemu-action@v2
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@v2
uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # ratchet:docker/setup-buildx-action@v2
- name: Login to Google Artifact Registry
uses: docker/login-action@v2
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # ratchet:docker/login-action@v2
with:
registry: ${{ env.GOOGLE_REGISTRY }}
username: "oauth2accesstoken"
password: "${{ steps.auth.outputs.access_token }}"
- name: Login to GitHub Container Registry
uses: docker/login-action@v2
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # ratchet:docker/login-action@v2
with:
registry: ${{ env.GITHUB_REGISTRY }}
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Docker meta
id: metadata
uses: docker/metadata-action@v4
uses: docker/metadata-action@507c2f2dc502c992ad446e3d7a5dfbe311567a96 # ratchet:docker/metadata-action@v4
with:
images: |
${{ env.GOOGLE_REGISTRY }}/wonderwall
@@ -74,7 +71,8 @@ jobs:
type=semver,pattern=v{{major}}
type=sha,prefix={{date 'YYYY-MM-DD'}}-
- name: Build and push
uses: docker/build-push-action@v4
id: build-push
uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # ratchet:docker/build-push-action@v4
with:
context: .
file: Dockerfile
@@ -85,3 +83,18 @@ jobs:
labels: ${{ steps.metadata.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Install cosign
uses: sigstore/cosign-installer@ca922a571676e06d3299cce5d520e178ba89a276 # ratchet:sigstore/cosign-installer@main
with:
cosign-release: 'v2.0.0'
- name: Sign the container image for GAR
run: cosign sign --yes ${{ env.GOOGLE_REGISTRY }}/wonderwall@${{ steps.build-push.outputs.digest }}
- name: Create SBOM
uses: aquasecurity/trivy-action@1f0aa582c8c8f5f7639610d6d38baddfea4fdcee # ratchet:aquasecurity/trivy-action@master
with:
scan-type: 'image'
format: 'cyclonedx'
output: 'cyclone.sbom.json'
image-ref: ${{ env.GOOGLE_REGISTRY }}/wonderwall@${{ steps.build-push.outputs.digest }}
- name: Attest
run: cosign attest --yes --predicate cyclone.sbom.json --type cyclonedx cosign sign --yes ${{ env.GOOGLE_REGISTRY }}/wonderwall@${{ steps.build-push.outputs.digest }}