constellation/.github/actions/build_apko/action.yml
Paul Meyer d095f08cd4 apko: build base image with pinned packages
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-30 16:05:00 +01:00

110 lines
3.2 KiB
YAML

name: Build container base images using apko
description: Build one or multiple apko base images based on supplied .yaml files
inputs:
apkoConfig:
description: "Path to the apko .yaml config file. If left empty, all images will be built."
required: false
apkoArch:
description: "Use this image architecture"
required: false
default: amd64
containerTags:
description: "Tags for the resulting container image, space separated"
required: true
registry:
description: "Container registry to use"
default: "ghcr.io"
required: true
githubToken:
description: "GitHub authorization token"
required: true
cosignPublicKey:
description: "Cosign public key"
required: false
default: ""
cosignPrivateKey:
description: "Cosign private key"
required: false
default: ""
cosignPassword:
description: "Password for Cosign private key"
required: false
default: ""
# Linux runner only (docker required)
runs:
using: composite
steps:
- name: Install deps
shell: bash
run: |
echo "::group::Install dependencies"
sudo apt-get update
sudo apt-get install -y zip
echo "::endgroup::"
- name: Log in to the Container registry
id: docker-login
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # tag=v2.1.0
with:
registry: ${{ inputs.registry }}
username: ${{ github.actor }}
password: ${{ inputs.githubToken }}
- name: Install Cosign
if: |
inputs.cosignPublicKey != '' &&
inputs.cosignPrivateKey != '' &&
inputs.cosignPassword != ''
uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
- name: Download apk repository
shell: bash
env:
DOCKER_BUILDKIT: "1"
run: |
docker build -o . -f hack/package-hasher/Containerfile.apk.downloader .
- name: Build apko images and sign them
shell: bash
env:
COSIGN_EXPERIMENTAL: "true"
COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }}
COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
APKO_CONFIG: ${{ inputs.apkoConfig }}
APKO_ARCH: ${{ inputs.apkoArch }}
CONTAINER_TAGS: ${{ inputs.containerTags }}
REGISTRY: ${{ inputs.registry }}
run: .github/actions/build_apko/build_and_sign.sh
- name: Sign sboms
if: |
inputs.cosignPublicKey != '' &&
inputs.cosignPrivateKey != '' &&
inputs.cosignPassword != ''
shell: bash
env:
COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }}
COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
run: |
for dir in sboms/*; do
for file in $dir/*; do
cosign sign-blob \
--key env://COSIGN_PRIVATE_KEY \
$file \
-y \
> $file.sig
done
done
zip -r sboms.zip sboms
- name: Upload SBOMs
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
name: sboms
path: sboms.zip