diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml
index 61989e4..4676e6d 100644
--- a/.github/workflows/pipeline.yml
+++ b/.github/workflows/pipeline.yml
@@ -13,6 +13,7 @@ on:
 env:
+ RUN_ID: ${{ github.run_id }}
 CONTAINER_REGISTRY: ghcr.io
 CONTAINER_IMAGE_NAME: ${{ github.repository }}
 CONTAINER_IMAGE_VERSION: ${{ github.event.pull_request.head.sha || github.sha }}
@@ -129,3 +130,50 @@ jobs:
 if: ${{ failure() && github.ref == 'refs/heads/main' }}
 with:
 SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+
+ push-frontend-image-to-registry:
+ runs-on: ubuntu-latest
+ if: ${{ github.ref == 'refs/heads/main' || contains(github.event.pull_request.labels.*.name, 'dev-env') || contains(github.event.labeled.labels.*.name, 'dev-env') }}
+ needs:
+ - frontend-jobs
+ - frontend-build-image-and-scan
+ permissions:
+ contents: read
+ id-token: write # This is used to complete the identity challenge with sigstore/fulcio..
+ packages: write
+ outputs:
+ version: ${{ steps.set-version.outputs.version }}
+ steps:
+ - uses: actions/cache@v4
+ with:
+ path: /tmp/images
+ key: docker-frontend-images-cache-${{ env.RUN_ID }}
+ restore-keys: docker-frontend-images-cache-${{ env.RUN_ID }}
+ - name: load image
+ shell: bash
+ run: docker load -i /tmp/images/frontend-image.tar
+ - name: Log into container registry
+ # Third-party action, pin to commit SHA!
+ # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
+ uses: docker/login-action@7ca345011ac4304463197fac0e56eab1bc7e6af0
+ with:
+ registry: ${{ env.CONTAINER_REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+ - name: Publish backend container image
+ run: docker push ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }}
+ - name: Install cosign
+ # Third-party action, pin to commit SHA!
+ # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
+ uses: sigstore/cosign-installer@e11c0892438d2c0a48e49dee376e4883f10f2e59
+ - name: Sign the published Docker image
+ run: cosign sign --yes ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }}
+ - id: set-version
+ run: echo "version=$CONTAINER_IMAGE_VERSION" >> "$GITHUB_OUTPUT"
+ - name: Send status to Slack
+ # Third-party action, pin to commit SHA!
+ # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
+ uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
+ if: ${{ failure() }}
+ with:
+ SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
diff --git a/.talismanrc b/.talismanrc
index a1eb27d..99d4f45 100644
--- a/.talismanrc
+++ b/.talismanrc
@@ -21,12 +21,15 @@ allowed_patterns:
 - "uses: digitalservicebund/talisman-secrets-scan-action@9a4cb85589e29a62b4546eb566119753a5680aeb"
 - "uses: sonarsource/sonarqube-quality-gate-action@424137db1fae80e9eb279829995166f2f44bc8df"
 - "uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0"
+ - "uses: docker/login-action@7ca345011ac4304463197fac0e56eab1bc7e6af0"
+ - "uses: sigstore/cosign-installer@e11c0892438d2c0a48e49dee376e4883f10f2e59"
 - "dsn: 'https://7c56d29d5dd2c9bd48fc72a8edaffe57@o1248831.ingest.us.sentry.io/4508482613084160'"
 # allow these specific patterns with the term "secret"
 - secrets-scan-with-talisman
 - "secrets: inherit"
 - "SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}"
 - "# scan for secrets that were published by mistake"
+ - "password: \\$\\{\\{ secrets.GITHUB_TOKEN \\}\\}"
 # allow these specific patterns with the term "key"
 - "key: modules-"
 - "key:.+runner.os"
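Review bot: The `Sign the published Docker image` step signs by tag (`frontend:${{ env.CONTAINER_IMAGE_VERSION }}`), so the keyless signature attests to whatever that tag resolves to at signing time rather than to the manifest this job just pushed; cosign itself warns on tag references for exactly this reason. Capture the digest from the push step and sign `…/frontend@sha256:…` instead, as sketched below. The bytes being signed also arrive through `actions/cache` keyed on the run id rather than a run-scoped artifact; caches are best-effort (a miss leaves `docker load` failing on a missing tar) and are shared across runs within the branch scope, so `actions/upload-artifact`/`download-artifact` would tie the signature more tightly to the image that `frontend-build-image-and-scan` actually scanned — that producer job is outside this hunk. Two smaller points: `actions/cache@v4` is the only action here pinned to a tag rather than a SHA, contrary to the file's own `# Third-party action, pin to commit SHA!` comments, and the step name `Publish backend container image` sits in a frontend job. The job `if:` also reads `github.event.labeled.labels.*.name`, which I don't believe exists in the `pull_request` `labeled` payload (the added label is `github.event.label.name`) — worth confirming against the `on:` triggers, which are outside this hunk.
```yaml
      - name: Publish frontend container image
        id: push
        env:
          IMAGE: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }}
        run: |
          docker push "$IMAGE"
          # Record the manifest digest of what was just pushed so the signature
          # is bound to immutable content rather than to a mutable tag.
          echo "digest=$(docker inspect --format '{{index .RepoDigests 0}}' "$IMAGE" | cut -d@ -f2)" >> "$GITHUB_OUTPUT"
      # … unchanged: Install cosign …
      - name: Sign the published Docker image
        run: cosign sign --yes "${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend@${{ steps.push.outputs.digest }}"
```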
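Review bot: The new allowed pattern escapes the expression delimiters (`\\$\\{\\{ secrets.GITHUB_TOKEN \\}\\}`, which YAML unescapes to `\$\{\{ … \}\}`), while the existing `"SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}"` entry a few lines above leaves them bare; Talisman treats `allowed_patterns` as regular expressions, where an unescaped `$` is an end-of-input anchor, so the two entries are unlikely to both be matching the way their authors intended. Pick one form for both — the escaped one looks right to me — and confirm by running talisman against the workflow file. A short comment above the new entry stating why it is safe, e.g. `# reference to the ephemeral job token, not a credential value`, would also save the next reader from re-deriving it.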