name: Build container base images using apko description: Build one or multiple apko base images based on supplied .yaml files inputs: apkoConfig: description: "Path to the apko .yaml config file. If left empty, all images will be built." required: false apkoArch: description: "Use this image architecture" required: false default: amd64 containerTags: description: "Tags for the resulting container image, space separated" required: true registry: description: "Container registry to use" default: "ghcr.io" required: true githubToken: description: "GitHub authorization token" required: true cosignPublicKey: description: "Cosign public key" required: false default: "" cosignPrivateKey: description: "Cosign private key" required: false default: "" cosignPassword: description: "Password for Cosign private key" required: false default: "" # Linux runner only (docker required) runs: using: composite steps: - name: Install deps shell: bash run: | echo "::group::Install dependencies" sudo apt-get update sudo apt-get install -y zip echo "::endgroup::" - name: Log in to the Container registry id: docker-login uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # tag=v2.1.0 with: registry: ${{ inputs.registry }} username: ${{ github.actor }} password: ${{ inputs.githubToken }} - name: Install Cosign if: | inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != '' uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1 - name: Build apko images and sign them shell: bash env: COSIGN_EXPERIMENTAL: "true" COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }} COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }} COSIGN_PASSWORD: ${{ inputs.cosignPassword }} APKO_CONFIG: ${{ inputs.apkoConfig }} APKO_ARCH: ${{ inputs.apkoArch }} CONTAINER_TAGS: ${{ inputs.containerTags }} REGISTRY: ${{ inputs.registry }} run: .github/actions/build_apko/build_and_sign.sh - name: Sign sboms if: | inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != '' shell: bash env: COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }} COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }} COSIGN_PASSWORD: ${{ inputs.cosignPassword }} run: | for dir in sboms/*; do for file in $dir/*; do cosign sign-blob \ --key env://COSIGN_PRIVATE_KEY \ $file \ -y \ > $file.sig done done zip -r sboms.zip sboms - name: Upload SBOMs uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: name: sboms path: sboms.zip