branch cosign-slsa triggers cicd #8
# Using Kaniko: refer to the following documentations: | ||
# * https://github.com/marketplace/actions/kaniko-action | ||
# * https://github.com/int128/kaniko-action#inputs | ||
name: "Build a container that ship with goreleaser, cosign, ko-build, trivy, syft and push to GitHub Container Registry (GHCR)" | ||
on: | ||
pull_request: | ||
branches: | ||
- main | ||
- release/* | ||
push: | ||
branches: | ||
- main | ||
- containerfiles # TODO: remove after testing | ||
- cosign-slsa # TODO: remove after testing | ||
# Global KANIKO Variables: | ||
# See: https://github.com/int128/kaniko-action | ||
# - KANIKO_BUILD_CONTEXT is the path to the location of the Containerfile. | ||
# - BASE_CONTAINERFILE_NAME is name and location of the Containerfile for base image with a /bin/bash entrypoint. | ||
# - GOREL_ENTRYP_CONTAINERFILE_NAME is name and location of the Containerfile form image with ENTRYPOINT [ "/go/bin/goreleaser" ] | ||
env: | ||
KANIKO_BUILD_CONTEXT: "${{ github.workspace }}" | ||
BASE_CONTAINERFILE_NAME: "${{ github.workspace }}/Containerfile.goreleaser-ko-cosign-trivy-syft-x86-arm64-root-usr.base" | ||
GOREL_ENTRYP_CONTAINERFILE_NAME: "${{ github.workspace }}/Containerfile.goreleaser-ko-cosign-trivy-syft-x86-arm64-root-usr" | ||
jobs: | ||
# Kaniko job to build a container image "goreleaser-glibc-image-base" has a /bin/bash entrypoint | ||
build-base-image: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Checkout source code | ||
uses: actions/checkout@v4 | ||
- name: Extract Tools Versions from Containerfile as we use this in tags names | ||
id: extract | ||
run: | | ||
# Extract values from the Containerfile | ||
GOLANG_VERSION=$(grep -m1 'ARG GOLANG_VERSION=' $BASE_CONTAINERFILE_NAME | cut -d'=' -f2) | ||
echo "GOLANG_VERSION=${GOLANG_VERSION}" >> $GITHUB_OUTPUT | ||
GORELEASER_VERSION=$(grep -m1 'ARG GORELEASER_VERSION=' $BASE_CONTAINERFILE_NAME | cut -d'=' -f2) | ||
echo "GORELEASER_VERSION=${GORELEASER_VERSION}" >> $GITHUB_OUTPUT | ||
TRIVY_VERSION=$(grep -m1 'ARG TRIVY_VERSION=' $BASE_CONTAINERFILE_NAME | cut -d'=' -f2) | ||
echo "TRIVY_VERSION=${TRIVY_VERSION}" >> $GITHUB_OUTPUT | ||
COSIGN_VERSION=$(grep -m1 'ARG COSIGN_VERSION=' $BASE_CONTAINERFILE_NAME | cut -d'=' -f2) | ||
echo "COSIGN_VERSION=${COSIGN_VERSION}" >> $GITHUB_OUTPUT | ||
KO_VERSION=$(grep -m1 'ARG KO_VERSION=' $BASE_CONTAINERFILE_NAME | cut -d'=' -f2) | ||
echo "KO_VERSION=${KO_VERSION}" >> $GITHUB_OUTPUT | ||
SYFT_VERSION=$(grep -m1 'ARG SYFT_VERSION=' $BASE_CONTAINERFILE_NAME | cut -d'=' -f2) | ||
echo "SYFT_VERSION=${SYFT_VERSION}" >> $GITHUB_OUTPUT | ||
DEBIAN_VERSION=$(grep -m1 'ARG DEBIAN_VERSION=' $BASE_CONTAINERFILE_NAME | cut -d'=' -f2) | ||
echo "DEBIAN_VERSION=${DEBIAN_VERSION}" >> $GITHUB_OUTPUT | ||
- name: Container metadata and tags | ||
uses: docker/metadata-action@v5 | ||
id: metadata | ||
with: | ||
images: ghcr.io/${{ github.repository }}-base | ||
tags: | | ||
type=ref,event=branch | ||
# use tools version as tags | ||
type=raw,value=golang-${{ steps.extract.outputs.golang_version }} | ||
type=raw,value=goreleaser-${{ steps.extract.outputs.goreleaser_version }} | ||
type=raw,value=cosign-${{ steps.extract.outputs.cosign_version }} | ||
type=raw,value=ko-${{ steps.extract.outputs.ko_version }} | ||
type=raw,value=trivy-${{ steps.extract.outputs.trivy_version }} | ||
type=raw,value=syft-${{ steps.extract.outputs.syft_version }} | ||
type=raw,value=golang-${{ steps.extract.outputs.golang_version }}-${{ steps.extract.outputs.debian_version}} | ||
type=raw,value=goreleaser-${{ steps.extract.outputs.goreleaser_version }}-${{ steps.extract.outputs.debian_version}} | ||
type=raw,value=cosign-${{ steps.extract.outputs.cosign_version }}-${{ steps.extract.outputs.debian_version}} | ||
type=raw,value=ko-${{ steps.extract.outputs.ko_version }}-${{ steps.extract.outputs.debian_version}} | ||
type=raw,value=trivy-${{ steps.extract.outputs.trivy_version }}-${{ steps.extract.outputs.debian_version}} | ||
type=raw,value=syft-${{ steps.extract.outputs.syft_version }}-${{ steps.extract.outputs.debian_version}} | ||
# minimal (short sha) | ||
type=sha | ||
# full length sha | ||
type=sha,format=long | ||
- uses: docker/login-action@v3 | ||
with: | ||
registry: ghcr.io | ||
username: ${{ github.actor }} | ||
password: ${{ secrets.GITHUB_TOKEN }} | ||
- name: Build the OCI image (base image entrytoint /bin/bash) | ||
id: kaniko | ||
uses: int128/kaniko-action@v1 | ||
with: | ||
push: true | ||
tags: ${{ steps.metadata.outputs.tags }} | ||
labels: ${{ steps.metadata.outputs.labels }} | ||
cache: true | ||
cache-repository: ghcr.io/${{ github.repository }}/cache | ||
file: ${{ env.BASE_CONTAINERFILE_NAME }} | ||
context: ${{ env.KANIKO_BUILD_CONTEXT }} | ||
verbosity: "info" # https://github.com/GoogleContainerTools/kaniko#flag---verbosity | ||
outputs: | ||
oci-image-digest: ${{ steps.kaniko.outputs.digest }} | ||
# Job to build a SLSA provenance attestation | ||
base-image-provenance: | ||
name: Generate SLSA provenance attestation for OCI | ||
needs: build-base-image # Ensure this job runs after build-base-image | ||
permissions: | ||
actions: read # for detecting the Github Actions environment. | ||
id-token: write # for creating OIDC tokens for signing. Required for SLSA and Cosign | ||
packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues) | ||
# Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator | ||
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2 | ||
with: | ||
image: ghcr.io/${{ github.repository }}-base | ||
digest: ${{ needs.build-base-image.outputs.oci-image-digest }} | ||
secrets: | ||
registry-username: ${{ github.actor }} | ||
registry-password: ${{ secrets.GITHUB_TOKEN }} | ||
# Kaniko job to build a container image "goreleaser-glibc-image" that has a goreleaser entrypoint | ||
build-goreleaser-entryp-image: | ||
needs: build-base-image # Ensure this job runs after build-base-image | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Checkout source code | ||
uses: actions/checkout@v4 | ||
- name: Extract Tools Versions from Containerfile as we use this in tags names | ||
id: extract | ||
run: | | ||
# Extract values from the Containerfile | ||
GOLANG_VERSION=$(grep -m1 'ARG GOLANG_VERSION=' $GOREL_ENTRYP_CONTAINERFILE_NAME | cut -d'=' -f2) | ||
echo "GOLANG_VERSION=${GOLANG_VERSION}" >> $GITHUB_OUTPUT | ||
GORELEASER_VERSION=$(grep -m1 'ARG GORELEASER_VERSION=' $GOREL_ENTRYP_CONTAINERFILE_NAME | cut -d'=' -f2) | ||
echo "GORELEASER_VERSION=${GORELEASER_VERSION}" >> $GITHUB_OUTPUT | ||
TRIVY_VERSION=$(grep -m1 'ARG TRIVY_VERSION=' $GOREL_ENTRYP_CONTAINERFILE_NAME | cut -d'=' -f2) | ||
echo "TRIVY_VERSION=${TRIVY_VERSION}" >> $GITHUB_OUTPUT | ||
COSIGN_VERSION=$(grep -m1 'ARG COSIGN_VERSION=' $GOREL_ENTRYP_CONTAINERFILE_NAME | cut -d'=' -f2) | ||
echo "COSIGN_VERSION=${COSIGN_VERSION}" >> $GITHUB_OUTPUT | ||
KO_VERSION=$(grep -m1 'ARG KO_VERSION=' $GOREL_ENTRYP_CONTAINERFILE_NAME | cut -d'=' -f2) | ||
echo "KO_VERSION=${KO_VERSION}" >> $GITHUB_OUTPUT | ||
SYFT_VERSION=$(grep -m1 'ARG SYFT_VERSION=' $GOREL_ENTRYP_CONTAINERFILE_NAME | cut -d'=' -f2) | ||
echo "SYFT_VERSION=${SYFT_VERSION}" >> $GITHUB_OUTPUT | ||
DEBIAN_VERSION=$(grep -m1 'ARG DEBIAN_VERSION=' $GOREL_ENTRYP_CONTAINERFILE_NAME | cut -d'=' -f2) | ||
echo "DEBIAN_VERSION=${DEBIAN_VERSION}" >> $GITHUB_OUTPUT | ||
- name: Container metadata and tags | ||
uses: docker/metadata-action@v5 | ||
id: metadata | ||
with: | ||
images: ghcr.io/${{ github.repository }} | ||
tags: | | ||
type=ref,event=branch | ||
# use tools version as tags | ||
type=raw,value=golang-${{ steps.extract.outputs.golang_version }} | ||
type=raw,value=goreleaser-${{ steps.extract.outputs.goreleaser_version }} | ||
type=raw,value=cosign-${{ steps.extract.outputs.cosign_version }} | ||
type=raw,value=ko-${{ steps.extract.outputs.ko_version }} | ||
type=raw,value=trivy-${{ steps.extract.outputs.trivy_version }} | ||
type=raw,value=syft-${{ steps.extract.outputs.syft_version }} | ||
type=raw,value=golang-${{ steps.extract.outputs.golang_version }}-${{ steps.extract.outputs.debian_version}} | ||
type=raw,value=goreleaser-${{ steps.extract.outputs.goreleaser_version }}-${{ steps.extract.outputs.debian_version}} | ||
type=raw,value=cosign-${{ steps.extract.outputs.cosign_version }}-${{ steps.extract.outputs.debian_version}} | ||
type=raw,value=ko-${{ steps.extract.outputs.ko_version }}-${{ steps.extract.outputs.debian_version}} | ||
type=raw,value=trivy-${{ steps.extract.outputs.trivy_version }}-${{ steps.extract.outputs.debian_version}} | ||
type=raw,value=syft-${{ steps.extract.outputs.syft_version }}-${{ steps.extract.outputs.debian_version}} | ||
# minimal (short sha) | ||
type=sha | ||
# full length sha | ||
type=sha,format=long | ||
- uses: docker/login-action@v3 | ||
with: | ||
registry: ghcr.io | ||
username: ${{ github.actor }} | ||
password: ${{ secrets.GITHUB_TOKEN }} | ||
- name: Build the OCI image | ||
uses: int128/kaniko-action@v1 | ||
id: kaniko | ||
with: | ||
push: true | ||
tags: ${{ steps.metadata.outputs.tags }} | ||
labels: ${{ steps.metadata.outputs.labels }} | ||
cache: true | ||
cache-repository: ghcr.io/${{ github.repository }}/cache | ||
file: ${{ env.GOREL_ENTRYP_CONTAINERFILE_NAME }} | ||
context: ${{ env.KANIKO_BUILD_CONTEXT }} | ||
verbosity: "info" # https://github.com/GoogleContainerTools/kaniko#flag---verbosity | ||
outputs: | ||
oci-image-digest: ${{ steps.kaniko.outputs.digest }} | ||
goreleaser-entryp-image-provenance: | ||
name: Generate SLSA provenance attestation for OCI | ||
needs: build-goreleaser-entryp-image # Ensure this job runs after build-base-image | ||
permissions: | ||
actions: read # for detecting the Github Actions environment. | ||
id-token: write # for creating OIDC tokens for signing. Required for SLSA and Cosign | ||
packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues) | ||
# Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator | ||
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2 | ||
with: | ||
image: ghcr.io/${{ github.repository }} | ||
digest: ${{ needs.build-goreleaser-entryp-image.outputs.oci-image-digest }} | ||
secrets: | ||
registry-username: ${{ github.actor }} | ||
registry-password: ${{ secrets.GITHUB_TOKEN }} |
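Review bot: The two Kaniko build jobs (`build-base-image` and `build-goreleaser-entryp-image`) declare no `permissions:` block, so the GITHUB_TOKEN they hand to `docker/login-action` and use to push to GHCR carries whatever the repository default grants, while the two provenance jobs already scope theirs explicitly; each build job should get the same least-privilege treatment, e.g. `permissions:` / `  contents: read` / `  packages: write` directly under `runs-on: ubuntu-latest`. Both build jobs also reference third-party actions by mutable major tags (`actions/checkout@v4`, `docker/metadata-action@v5`, `docker/login-action@v3`, `int128/kaniko-action@v1`), which lets a tag move change the code that handles the registry credential; pinning each to a full commit SHA with the tag kept as a trailing comment (`uses: int128/kaniko-action@<full-commit-sha>  # v1`) closes that, and the existing comment correctly notes that only the SLSA generator must stay on a tag. In the `extract` steps, `$BASE_CONTAINERFILE_NAME` and `$GOREL_ENTRYP_CONTAINERFILE_NAME` are expanded unquoted in the `grep` calls; quoting them (`"$BASE_CONTAINERFILE_NAME"`) keeps the step correct if the workspace path ever contains spaces. The step writes outputs as `GOLANG_VERSION` but the tag list reads `steps.extract.outputs.golang_version`; if this relies on case-insensitive expression lookup, a one-line comment above the `tags:` block saying so would save the next maintainer a check.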