-
-
Notifications
You must be signed in to change notification settings - Fork 13
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
fix: SLSA verifier fix for new build-image.yaml filename (#46)
Signed-off-by: John McBride <[email protected]>
- Loading branch information
Showing
1 changed file
with
26 additions
and
18 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -12,7 +12,7 @@ permissions: | |
|
|
||
| jobs: | ||
| build: | ||
| name: Build and publish image | ||
| name: "📥 Build and publish image" | ||
| runs-on: ubuntu-latest | ||
| env: | ||
| IMAGE_URI: ghcr.io/${{ github.repository }} | ||
|
|
@@ -21,7 +21,7 @@ jobs: | |
| image: ${{ env.IMAGE_URI }} | ||
| digest: ${{ steps.image_digest.outputs.IMAGE_DIGEST }} | ||
| steps: | ||
| - name: Checkout code | ||
| - name: "☁️ Checkout code" | ||
| uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # tag=v3 | ||
| - name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@v1 | ||
|
|
@@ -32,7 +32,7 @@ jobs: | |
| username: ${{ github.actor }} | ||
| password: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| - name: Cross build | ||
| - name: "🔀 Cross build" | ||
| run: | | ||
| #!/usr/bin/env bash | ||
|
|
@@ -43,37 +43,41 @@ jobs: | |
| --push \ | ||
| cross | ||
| - name: Install crane | ||
| - name: "🏗️ Install crane" | ||
| if: startsWith(github.ref, 'refs/tags/') | ||
| uses: imjasonh/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c # v0.3 | ||
| - name: Output image digest | ||
|
|
||
| - name: "📸 Output image digest" | ||
| if: startsWith(github.ref, 'refs/tags/') | ||
| id: image_digest | ||
| run: echo "IMAGE_DIGEST=$(crane digest ${IMAGE_URI_TAG})" >> $GITHUB_OUTPUT | ||
|
|
||
| sign: | ||
| name: Sign image and generate sbom | ||
| name: "📝 Sign image and generate sbom" | ||
| runs-on: ubuntu-latest | ||
| needs: [build] | ||
| if: startsWith(github.ref, 'refs/tags/') | ||
| steps: | ||
| - name: Checkout code | ||
| - name: "☁️ Checkout code" | ||
| uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # tag=v3 | ||
| - name: Login to GitHub Container Registry | ||
| uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0 | ||
| with: | ||
| registry: ghcr.io | ||
| username: ${{ github.actor }} | ||
| password: ${{ secrets.GITHUB_TOKEN }} | ||
| - name: Run Trivy in fs mode to generate SBOM | ||
|
|
||
| - name: "👀 Run Trivy in fs mode to generate SBOM" | ||
| uses: aquasecurity/trivy-action@e5f43133f6e8736992c9f3c1b3296e24b37e17f2 # master | ||
| with: | ||
| scan-type: 'fs' | ||
| format: 'spdx-json' | ||
| output: 'spdx.sbom.json' | ||
| - name: Install cosign | ||
|
|
||
| - name: "🤝 Install cosign" | ||
| uses: sigstore/cosign-installer@dd6b2e2b610a11fd73dd187a43d57cc1394e35f9 # main | ||
| - name: Sign image and sbom | ||
|
|
||
| - name: "📝 Sign image and sbom" | ||
| run: | | ||
| #!/usr/bin/env bash | ||
| set -euo pipefail | ||
|
|
@@ -85,6 +89,7 @@ jobs: | |
| IMAGE_URI_DIGEST: ${{ needs.build.outputs.image }}@${{ needs.build.outputs.digest }} | ||
|
|
||
| provenance: | ||
| name: "🚨 SLSA provenance" | ||
| needs: [build] | ||
| if: startsWith(github.ref, 'refs/tags/') | ||
| uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | ||
|
|
@@ -96,32 +101,35 @@ jobs: | |
| registry-password: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| verify: | ||
| name: Verify image and provenance | ||
| name: "🔨 Verify image and provenance" | ||
| runs-on: ubuntu-latest | ||
| needs: [build, sign, provenance] | ||
| if: startsWith(github.ref, 'refs/tags/') | ||
| steps: | ||
| - name: Login to GitHub Container Registry | ||
| - name: "📦 Login to GitHub Container Registry" | ||
| uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0 | ||
| with: | ||
| registry: ghcr.io | ||
| username: ${{ github.actor }} | ||
| password: ${{ secrets.GITHUB_TOKEN }} | ||
| - name: Install cosign | ||
|
|
||
| - name: "🦙 Install cosign" | ||
| uses: sigstore/cosign-installer@dd6b2e2b610a11fd73dd187a43d57cc1394e35f9 # main | ||
| - name: Install slsa-verifier | ||
|
|
||
| - name: "💃 Install slsa-verifier" | ||
| uses: slsa-framework/slsa-verifier/actions/installer@c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc # v2.3.0 | ||
| - name: Verify image and provenance | ||
|
|
||
| - name: "👷 Verify image and provenance" | ||
| run: | | ||
| #!/usr/bin/env bash | ||
| set -euo pipefail | ||
| cosign verify ${IMAGE_URI_DIGEST} \ | ||
| --certificate-oidc-issuer ${GITHUB_ACITONS_OIDC_ISSUER} \ | ||
| --certificate-oidc-issuer ${GITHUB_ACTIONS_OIDC_ISSUER} \ | ||
| --certificate-identity ${COSIGN_KEYLESS_SIGNING_CERT_SUBJECT} | ||
| slsa-verifier verify-image \ | ||
| --source-uri github.com/${{ github.repository }} ${IMAGE_URI_DIGEST} | ||
| shell: bash | ||
| env: | ||
| IMAGE_URI_DIGEST: ${{ needs.build.outputs.image }}@${{ needs.build.outputs.digest }} | ||
| GITHUB_ACITONS_OIDC_ISSUER: https://token.actions.githubusercontent.com | ||
| COSIGN_KEYLESS_SIGNING_CERT_SUBJECT: https://github.com/${{ github.repository }}/.github/workflows/release.yaml@${{ github.ref }} | ||
| GITHUB_ACTIONS_OIDC_ISSUER: https://token.actions.githubusercontent.com | ||
| COSIGN_KEYLESS_SIGNING_CERT_SUBJECT: https://github.com/${{ github.repository }}/.github/workflows/build-image.yaml@${{ github.ref }} | ||