constellation/.github/actions/build_apko/action.yml

name: Build container base images using apko
description: Build one or multiple apko base images based on supplied .yaml files

inputs:
  apkoConfig:
    description: "Path to the apko .yaml config file. If left empty, all images will be built."
    required: false
  apkoTag:
    description: "Use this image tag"
    required: false
    default: latest
  apkoArch:
    description: "Use this image architecture"
    required: false
    default: amd64
  registry:
    description: "Container registry to use"
    default: "ghcr.io"
    required: true
  githubToken:
    description: "GitHub authorization token"
    required: true
  cosignPublicKey:
    description: "Cosign public key"
    required: false
    default: ""
  cosignPrivateKey:
    description: "Cosign private key"
    required: false
    default: ""
  cosignPassword:
    description: "Password for Cosign private key"
    required: false
    default: ""

# Linux runner only (docker required)
runs:
  using: "composite"
  steps:
    - name: Install deps
      shell: bash
      run: |
        echo "::group::Install dependencies"
        sudo apt-get update
        sudo apt-get install -y zip
        echo "::endgroup::"        

    - name: Log in to the Container registry
      id: docker-login
      uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # tag=v2.1.0
      with:
        registry: ${{ inputs.registry }}
        username: ${{ github.actor }}
        password: ${{ inputs.githubToken }}

    - name: Install Cosign
      if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
      uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1

    - name: Build apko images and sign them
      shell: bash
      env:
        COSIGN_EXPERIMENTAL: "true"
        COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }}
        COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
        COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
        APKO_CONFIG: ${{ inputs.apkoConfig }}
        APKO_TAG: ${{ inputs.apkoTag }}
        APKO_ARCH: ${{ inputs.apkoArch }}
        REGISTRY: ${{ inputs.registry }}
      run: .github/actions/build_apko/build_and_sign.sh

    - name: Sign sboms
      if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
      shell: bash
      env:
        COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }}
        COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
        COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
      run: |
        for dir in sboms/*; do
          for file in $dir/*; do
            cosign sign-blob \
              --key env://COSIGN_PRIVATE_KEY \
              $file \
              -y \
              > $file.sig
          done
        done

        zip -r sboms.zip sboms        

    - name: Upload SBOMs
      if: always()
      continue-on-error: true
      uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
      with:
        name: sboms
        path: sboms.zip