
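---
# Composite action: build apko base images, push them to a registry and
# (optionally) sign the images and their SBOMs with Cosign.
name: Build container base images using apko
description: Build one or multiple apko base images based on supplied .yaml files

inputs:
  apkoConfig:
    # Empty means "build every config"; how that is resolved lives in
    # build_and_sign.sh, which is not part of this file.
    description: "Path to the apko .yaml config file. If left empty, all images will be built."
    required: false
  apkoTag:
    description: "Use this image tag"
    required: false
    default: latest
  apkoArch:
    description: "Use this image architecture"
    required: false
    default: amd64
  registry:
    description: "Container registry to use"
    default: "ghcr.io"
    required: true
  githubToken:
    # Used as the password for the registry login step below; scope it to
    # what pushing to `registry` needs and nothing more.
    description: "GitHub authorization token"
    required: true
  # The three Cosign inputs are optional, but signing only happens when all
  # three are non-empty (see the `if:` conditions on the Cosign steps).
  cosignPublicKey:
    description: "Cosign public key"
    required: false
    default: ""
  cosignPrivateKey:
    description: "Cosign private key"
    required: false
    default: ""
  cosignPassword:
    description: "Password for Cosign private key"
    required: false
    default: ""

# Linux runner only (docker required)
runs:
  using: "composite"
  steps:
    - name: Install deps
      shell: bash
      run: |
        echo "::group::Install dependencies"
        sudo apt-get update
        # `zip` is needed by the "Sign sboms" step to bundle the SBOMs.
        sudo apt-get install -y zip
        echo "::endgroup::"

    # Third-party actions are pinned to a full commit SHA; the trailing
    # comment records the matching tag and must be updated together with it.
    - name: Log in to the Container registry
      id: docker-login
      uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # tag=v2.1.0
      with:
        registry: ${{ inputs.registry }}
        username: ${{ github.actor }}
        password: ${{ inputs.githubToken }}

    - name: Install Cosign
      if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
      uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1

    # Runs unconditionally; the Cosign material is handed to the script via
    # the environment. Whether the script signs when the keys are empty is
    # decided inside build_and_sign.sh (not visible here).
    - name: Build apko images and sign them
      shell: bash
      env:
        # Env values must be strings, hence the quoted boolean.
        COSIGN_EXPERIMENTAL: "true"
        COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }}
        COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
        COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
        APKO_CONFIG: ${{ inputs.apkoConfig }}
        APKO_TAG: ${{ inputs.apkoTag }}
        APKO_ARCH: ${{ inputs.apkoArch }}
        REGISTRY: ${{ inputs.registry }}
      run: .github/actions/build_apko/build_and_sign.sh

    # Signs every file under sboms/*/ with the private key read from the
    # environment (env://), writing a detached <file>.sig next to each one,
    # then bundles the directory for upload. Only runs when all three Cosign
    # inputs were supplied. Paths are quoted so names containing whitespace
    # or glob characters are not split or re-expanded by the shell.
    - name: Sign sboms
      if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
      shell: bash
      env:
        COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }}
        COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
        COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
      run: |
        for dir in sboms/*; do
          for file in "$dir"/*; do
            cosign sign-blob \
              --key env://COSIGN_PRIVATE_KEY \
              "$file" \
              -y \
              > "$file.sig"
          done
        done
        zip -r sboms.zip sboms

    # Best-effort upload: sboms.zip only exists when the signing step ran, so
    # a missing archive must not fail the action.
    - name: Upload SBOMs
      if: always()
      continue-on-error: true
      uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
      with:
        name: sboms
        path: sboms.zip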