add checkout for build step

saisatishkarra · saisatishkarra · commit 8bcef3805ab4 · 2024-04-24T23:20:30.000-05:00
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -16,15 +16,16 @@ on:
 env:
   # Use docker.io for Docker Hub if empty
   REGISTRY: ghcr.io
-  # github.repository as <account>/<repo>
-  IMAGE_NAME: ${{ github.repository }}
+  # Format as <account>/<repo>
+  # Must be lower case for container tools to parse correctly
+  IMAGE_NAME: kong/insomnia-mockbin
   HAS_ACCESS_TO_GITHUB_TOKEN: ${{ github.repository_owner == 'Kong' }}
   # Local docker OCI archive name until the image is pushed to registry
   DOCKER_OCI_ARCHIVE: "docker-archive"
   # Always use Docker Hub for publishing image signatures
   ## docker.io/kong/notary - Use Public Notary repository for release image signatures
   ## docker.io/kong/notary-internal - Use Private Notary repository for internal image signatures 
-  NOTARY_REPOSITORY: format('{0}/{1}', 'docker.io', ${{ github.ref_type == 'tag' && 'kong/notary' || 'kong/notary-internal' }})
+  NOTARY_REPOSITORY: ${{ github.ref_type == 'tag' && 'kong/notary' || 'kong/notary-internal' }}
 
 jobs:
   check:
@@ -56,6 +57,9 @@ jobs:
       image_tags: ${{ steps.meta.outputs.tags }}
       image_tag_version: ${{ steps.meta.outputs.version }}
     steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
       # Set up BuildKit Docker container builder to be able to build
       # multi-platform images and export cache
       # https://github.com/docker/setup-buildx-action
@@ -102,7 +106,6 @@ jobs:
           retention-days: 1
 
   scan-images:
-    name: Scan Images
     runs-on: ubuntu-latest
     permissions:
       contents: read
@@ -111,78 +114,54 @@ jobs:
     if: >
       github.repository_owner == 'Kong'
       && needs.build-images.result == 'success'
-    outputs:
-      image_name: ${{ env.IMAGE_NAME }}
-      image_manifest_sha: ${{ steps.image_manifest_metadata.outputs.sha }}
-      notary_repository: ${{ env.NOTARY_REPOSITORY }}
     steps:
 
       - name: Download OCI docker TAR artifact
         uses: actions/download-artifact@v3
         with:
           name: ${{ env.DOCKER_OCI_ARCHIVE }}
-          path: ${{ github.workspace }}/${{ env.DOCKER_OCI_ARCHIVE }}
-
+          path: ${{ github.workspace }}
       - name: Load OCI docker TAR artifact
         run: |
-          docker load -i ${{ github.workspace }}/${{ env.DOCKER_OCI_ARCHIVE }}/${{ env.DOCKER_OCI_ARCHIVE }}.tar
+          docker load -i ${{ github.workspace }}/${{ env.DOCKER_OCI_ARCHIVE }}.tar
           docker image ls
 
-      # Setup regctl to parse platform specific image digest from image manifest
-      - name: Install regctl
-        uses: regclient/actions/regctl-installer@main
-
-      - name: Parse architecture specific digest from image manifest
-        id: image_manifest_metadata
-        run: |
-          IMAGE=${{ env.IMAGE_NAME }}:${{ needs.build-images.outputs.IMAGE_TAG_VERSION }}
-          sha="$(regctl image digest "${IMAGE})"
-          echo "sha=${sha}" >> $GITHUB_OUTPUT
-          archs=${{ env.PLATFORMS }}
-          for arch in $(echo "$archs" | sed -e 's/,/ /g'); do
-            arch=${arch#*/}
-            echo "Fetching digest for ${arch}..."
-            sha="$(regctl image digest "${IMAGE}" --platform linux/${arch})"
-            echo "${arch}_image_sha=${IMAGE}@${sha}"
-            echo "${arch}_image_sha=${IMAGE}@${sha}" >> $GITHUB_OUTPUT
-          done
-        env:
-          PLATFORMS: "linux/amd64" # Comma separated list of any platforms built
-
-      - name: Scan AMD64 Image digest
-        if: ${{ steps.image_manifest_metadata.outputs.amd64_image_sha != '' }}
+      - name: Scan the docker OCI Tar ball
         id: sbom_action_amd64
         uses: Kong/public-shared-actions/security-actions/scan-docker-image@556e4d9756442828427007a7171683a99adf9a6a
         with:
           asset_prefix: image-${{ env.IMAGE_NAME }}-amd64
-          image: ${{steps.image_manifest_metadata.outputs.image}}:${{ steps.image_manifest_metadata.outputs.amd64_image_sha }}
+          image: ${{ env.DOCKER_OCI_ARCHIVE }}.tar
           upload-sbom-release-assets: true
 
   release-images:
-    name: Publish Images
     runs-on: ubuntu-latest
     permissions:
       contents: write
-      packages: write # needed for signing the images
+      packages: write # needed for publishing the images
+      id-token: write # needed for keyless signing of the images
     needs: [check, build-images, scan-images]
     if: >
       github.repository_owner == 'Kong'
       && github.event_name != 'pull_request'
       && needs.scan-images.result == 'success'
     env:
       IMAGE_TAGS: ${{ needs.build-images.outputs.image_tags }}
-      IMAGE_MANIFEST_SHA: ${{ needs.scan-images.outputs.image_manifest_sha }}
+    outputs:
+      image_name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+      image_manifest_sha: ${{ steps.image_manifest_metadata.outputs.image_manifest_sha }}
+      notary_repository: ${{ env.NOTARY_REPOSITORY }}
     steps:
 
       - name: Download OCI docker TAR artifact
         uses: actions/download-artifact@v3
         with:
           name: ${{ env.DOCKER_OCI_ARCHIVE }}
-          path: ${{ github.workspace }}/${{ env.DOCKER_OCI_ARCHIVE }}
+          path: ${{ github.workspace }}
 
       - name: Load OCI docker TAR artifact
         run: |
-          docker load -i ${{ github.workspace }}/${{ env.DOCKER_OCI_ARCHIVE }}/${{ env.DOCKER_OCI_ARCHIVE }}.tar
+          docker load -i ${{ github.workspace }}/${{ env.DOCKER_OCI_ARCHIVE }}.tar
           docker image ls
 
       # Login against a Docker registry except on PR
@@ -198,18 +177,34 @@ jobs:
         id: publish_images
         run: |
           for tag in ${IMAGE_TAGS//,/ }; do \
-            docker push $tag \
+            docker push $tag; \
           done
 
+      # Setup regctl to parse platform specific image digest from image manifest
+      - name: Install regctl
+        uses: regclient/actions/regctl-installer@main
+
+      # The image manifest digest/sha is generated only after the image is published to registry
+      - name: Parse architecture specific digest from image manifest
+        id: image_manifest_metadata
+        run: |
+          IMAGE=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.build-images.outputs.IMAGE_TAG_VERSION }}
+          sha="$(regctl image digest "${IMAGE}")"
+          echo "sha=${sha}" >> $GITHUB_OUTPUT
+
+      # Signing images requires image manifest digest
       - name: Sign images
         id: sign_images
-        if: ${{ env.IMAGE_MANIFEST_SHA != '' }}
-        uses: Kong/public-shared-actions/security-actions/sign-docker-image@556e4d9756442828427007a7171683a99adf9a6a # v2.2.1
+        if: ${{ steps.image_manifest_metadata.outputs.sha != '' }}
+        uses: Kong/public-shared-actions/security-actions/sign-docker-image@fix/image-sig-registry-opts # v2.2.1
         with:
-          image_digest: ${{ env.IMAGE_MANIFEST_SHA }}
+          image_digest: ${{ steps.image_manifest_metadata.outputs.sha }}
           tags: ${{ env.IMAGE_TAGS }}
+          image_registry_domain: ghcr.io
           registry_username: ${{ github.actor }}
           registry_password: ${{ secrets.GITHUB_TOKEN }}
+          # Optional: Central notary repository for image signatures
+          signature_registry_domain: docker.io
           signature_registry_username: ${{ secrets.GHA_DOCKERHUB_PUSH_USER }}
           signature_registry_password: ${{ secrets.GHA_KONG_ORG_DOCKERHUB_PUSH_TOKEN }}
           signature_registry: ${{ env.NOTARY_REPOSITORY }}
@@ -224,9 +219,9 @@ jobs:
       actions: read # For getting workflow run info to build provenance
       packages: write # Required for publishing provenance. Issue: https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container#known-issues
     with:
-      image: ${{ needs.scan-images.outputs.image_name }} # Image repository without tag. Eg: kong/insomnia-mockbins
-      digest: ${{ needs.scan-images.outputs.image_manifest_sha }} # Image manifest digest for the published docker image/TAR
-      provenance-repository: ${{ needs.scan-images.outputs.notary_repository }}
+      image: ${{ needs.release-images.outputs.image_name }} # Image repository without tag. Eg: kong/insomnia-mockbins
+      digest: ${{ needs.release-images.outputs.image_manifest_sha }} # Image manifest digest for the published docker image/TAR
+      provenance-repository: ${{ needs.release-images.outputs.notary_repository }}
     secrets:
       registry-username: ${{ github.actor }}
       registry-password: ${{ secrets.GITHUB_TOKEN }}
