ci: move apko building into separate script
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
parent
9b4dc9b478
commit
a6d35c6fd1
2 changed files with 61 additions and 73 deletions
78
.github/actions/build_apko/action.yml
vendored
|
@ -64,79 +64,11 @@ runs:
|
||||||
COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }}
|
COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }}
|
||||||
COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
|
COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
|
||||||
COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
|
COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
|
||||||
run: |
|
APKO_CONFIG: ${{ inputs.apkoConfig }}
|
||||||
if [[ -z "${{ inputs.apkoConfig }}" ]]; then
|
APKO_TAG: ${{ inputs.apkoTag }}
|
||||||
echo "Building all images in image"
|
APKO_ARCH: ${{ inputs.apkoArch }}
|
||||||
mkdir sboms
|
REGISTRY: ${{ inputs.registry }}
|
||||||
for imageConfig in apko/*.yaml; do
|
run: .github/actions/build_apko/build_and_sign.sh
|
||||||
echo "Building image for $imageConfig"
|
|
||||||
|
|
||||||
imageName=$(basename $imageConfig | cut -d. -f1 )
|
|
||||||
registry="${{ inputs.registry }}/edgelesssys/apko-${imageName}"
|
|
||||||
outTar="${imageName}.tar"
|
|
||||||
|
|
||||||
mkdir -p sboms/$imageName
|
|
||||||
|
|
||||||
# build the image
|
|
||||||
docker run \
|
|
||||||
-v "$PWD":/work \
|
|
||||||
cgr.dev/chainguard/apko:${{ inputs.apkoTag }} \
|
|
||||||
build \
|
|
||||||
"${imageConfig}" \
|
|
||||||
--build-arch ${{ inputs.apkoArch }} \
|
|
||||||
--sbom \
|
|
||||||
"${registry}" \
|
|
||||||
"${outTar}"
|
|
||||||
|
|
||||||
# push container
|
|
||||||
docker load < $outTar
|
|
||||||
docker push $registry
|
|
||||||
imageDigest=$(docker inspect --format='{{index .RepoDigests 0}}' $registry)
|
|
||||||
echo "$imageDigest" >> "$GITHUB_STEP_SUMMARY"
|
|
||||||
|
|
||||||
# cosign the container and push to registry
|
|
||||||
cosign sign \
|
|
||||||
--key env://COSIGN_PRIVATE_KEY \
|
|
||||||
$imageDigest \
|
|
||||||
-y
|
|
||||||
|
|
||||||
# move sboms to folder
|
|
||||||
mv sbom-*.* sboms/$imageName/
|
|
||||||
done
|
|
||||||
else
|
|
||||||
echo "Building image for ${{ inputs.apkoConfig }}"
|
|
||||||
|
|
||||||
imageName=$(basename ${{ inputs.apkoConfig }} | cut -d. -f1 )
|
|
||||||
registry="${{ inputs.registry }}/edgelesssys/apko-${imageName}"
|
|
||||||
outTar="${imageName}.tar"
|
|
||||||
|
|
||||||
mkdir -p sboms/$imageName
|
|
||||||
|
|
||||||
# build the image
|
|
||||||
docker run \
|
|
||||||
-v "$PWD":/work \
|
|
||||||
cgr.dev/chainguard/apko:${{ inputs.apkoTag }} \
|
|
||||||
build \
|
|
||||||
"${imageConfig}" \
|
|
||||||
--build-arch ${{ inputs.apkoArch }} \
|
|
||||||
--sbom \
|
|
||||||
"${registry}" \
|
|
||||||
"${outTar}"
|
|
||||||
|
|
||||||
# push container
|
|
||||||
docker load < $outTar
|
|
||||||
docker push $registry
|
|
||||||
imageDigest=$(docker inspect --format='{{index .RepoDigests 0}}' $registry)
|
|
||||||
echo "$imageDigest" >> "$GITHUB_STEP_SUMMARY"
|
|
||||||
|
|
||||||
# cosign the container and push to registry
|
|
||||||
cosign sign \
|
|
||||||
--key env://COSIGN_PRIVATE_KEY \
|
|
||||||
$imageDigest \
|
|
||||||
-y
|
|
||||||
|
|
||||||
mv sbom-*.* sboms/$imageName/
|
|
||||||
fi
|
|
||||||
|
|
||||||
- name: Sign sboms
|
- name: Sign sboms
|
||||||
if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
|
if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
|
||||||
|
|
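Review bot: The new `run: .github/actions/build_apko/build_and_sign.sh` line resolves the script relative to the step's working directory rather than to the action itself, so it only works while the caller has this repository checked out at the workspace root and sets no `working-directory`. Composite actions expose their own location, so `run: "$GITHUB_ACTION_PATH/build_and_sign.sh"` would make the lookup independent of the caller's layout; the script's own `apko/*.yaml` glob still assumes the repository root as the current directory. The step this hunk edits begins above the hunk, so its `shell:` and any `if:` are not visible here.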
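--- a/.github/actions/build_apko/build_and_sign.sh
+++ b/.github/actions/build_apko/build_and_sign.sh
@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+shopt -s inherit_errexit
+
+# buildImage <apko_config_path>
+function buildImage() {
+local imageConfig=$1
+
+echo "Building image for ${imageConfig}"
+
+local imageName
+imageName=$(basename "${imageConfig}" | cut -d. -f1)
+registryPath="${REGISTRY}/edgelesssys/apko-${imageName}"
+outTar="${imageName}.tar"
+
+mkdir -p "sboms/${imageName}"
+
+# build the image
+docker run \
+-v "${PWD}":/work \
+cgr.dev/chainguard/apko:"${APKO_TAG}" \
+build \
+"${imageConfig}" \
+--build-arch "${APKO_ARCH}" \
+--sbom \
+"${registryPath}" \
+"${outTar}"
+
+# push container
+docker load < "${outTar}"
+docker push "${registryPath}"
+imageDigest=$(docker inspect --format='{{index .RepoDigests 0}}' "${registryPath}")
+echo "${imageDigest}" >> "${GITHUB_STEP_SUMMARY}"
+
+# cosign the container and push to registry
+cosign sign \
+--key env://COSIGN_PRIVATE_KEY \
+"${imageDigest}" \
+-y
+
+# move sboms to folder
+mv sbom-*.* "sboms/${imageName}/"
+}
+
+mkdir "sboms"
+
+if [[ -n ${APKO_CONFIG} ]]; then
+buildImage "${APKO_CONFIG}"
+exit 0
+fi
+
+echo "Building all images in image"
+for imageConfig in apko/*.yaml; do
+buildImage "${imageConfig}"
+done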
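Review bot: `cosign sign` in `buildImage` runs only after `docker push`, and nothing in the script checks that the signing key is present first, so a missing or empty `COSIGN_PRIVATE_KEY` leaves an unsigned image in the registry before `set -e` aborts the run (and, in the `apko/*.yaml` loop, skips the remaining images). The `if:` on the later "Sign sboms" step suggests the cosign inputs can be empty, though whether the calling step has its own guard is not visible here. A fail-fast check before the first build closes that window: `: "${COSIGN_PRIVATE_KEY:?COSIGN_PRIVATE_KEY must be set before pushing}"` placed right after `shopt -s inherit_errexit`. Separately, `registryPath`, `outTar` and `imageDigest` are assigned without `local`, so they persist in the global scope between loop iterations; declaring them next to `local imageName` keeps each build self-contained.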