mirror of
https://github.com/edgelesssys/constellation.git
synced 2024-12-11 08:54:21 -05:00
278031b066
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
112 lines
3.3 KiB
YAML
112 lines
3.3 KiB
YAML
name: Build container base images using apko
|
|
description: Build one or multiple apko base images based on supplied .yaml files
|
|
|
|
inputs:
|
|
apkoConfig:
|
|
description: "Path to the apko .yaml config file. If left empty, all images will be built."
|
|
required: false
|
|
apkoArch:
|
|
description: "Use this image architecture"
|
|
required: false
|
|
default: amd64
|
|
containerTags:
|
|
description: "Tags for the resulting container image, space separated"
|
|
required: true
|
|
registry:
|
|
description: "Container registry to use"
|
|
default: "ghcr.io"
|
|
required: true
|
|
githubToken:
|
|
description: "GitHub authorization token"
|
|
required: true
|
|
cosignPublicKey:
|
|
description: "Cosign public key"
|
|
required: false
|
|
default: ""
|
|
cosignPrivateKey:
|
|
description: "Cosign private key"
|
|
required: false
|
|
default: ""
|
|
cosignPassword:
|
|
description: "Password for Cosign private key"
|
|
required: false
|
|
default: ""
|
|
|
|
# Linux runner only (docker required)
|
|
runs:
|
|
using: composite
|
|
steps:
|
|
- name: Install deps
|
|
shell: bash
|
|
run: |
|
|
echo "::group::Install dependencies"
|
|
sudo apt-get update
|
|
sudo apt-get install -y zip
|
|
echo "::endgroup::"
|
|
|
|
- name: Log in to the Container registry
|
|
id: docker-login
|
|
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # tag=v2.1.0
|
|
with:
|
|
registry: ${{ inputs.registry }}
|
|
username: ${{ github.actor }}
|
|
password: ${{ inputs.githubToken }}
|
|
|
|
- name: Install Cosign
|
|
if: |
|
|
inputs.cosignPublicKey != '' &&
|
|
inputs.cosignPrivateKey != '' &&
|
|
inputs.cosignPassword != ''
|
|
uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
|
|
|
|
- name: Download apk repository
|
|
shell: bash
|
|
env:
|
|
DOCKER_BUILDKIT: "1"
|
|
run: |
|
|
docker build -o ./apko -f hack/package-hasher/Containerfile.apk.downloader ./apko
|
|
|
|
- name: Build apko images and sign them
|
|
shell: bash
|
|
working-directory: apko
|
|
env:
|
|
COSIGN_EXPERIMENTAL: "true"
|
|
COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }}
|
|
COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
|
|
COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
|
|
APKO_CONFIG: ${{ inputs.apkoConfig }}
|
|
APKO_ARCH: ${{ inputs.apkoArch }}
|
|
CONTAINER_TAGS: ${{ inputs.containerTags }}
|
|
REGISTRY: ${{ inputs.registry }}
|
|
run: ../.github/actions/build_apko/build_and_sign.sh
|
|
|
|
- name: Sign sboms
|
|
if: |
|
|
inputs.cosignPublicKey != '' &&
|
|
inputs.cosignPrivateKey != '' &&
|
|
inputs.cosignPassword != ''
|
|
shell: bash
|
|
working-directory: apko
|
|
env:
|
|
COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }}
|
|
COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
|
|
COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
|
|
run: |
|
|
for dir in sboms/*; do
|
|
for file in $dir/*; do
|
|
cosign sign-blob \
|
|
--key env://COSIGN_PRIVATE_KEY \
|
|
$file \
|
|
-y \
|
|
> $file.sig
|
|
done
|
|
done
|
|
|
|
zip -r sboms.zip sboms
|
|
|
|
- name: Upload SBOMs
|
|
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
|
|
with:
|
|
name: sboms
|
|
path: apko/sboms.zip
|