Skip to content
Build release image

Merge pull request #144 from wallarm/DE-11 #17

Sign in to view logs

Merge pull request #144 from wallarm/DE-11

Merge pull request #144 from wallarm/DE-11 #17

Workflow file for this run

.github/workflows/build.yaml at 33c2e77
name: Build release image
on:
push:
branches:
- 'main'
paths:
- 'TAG'
permissions:
contents: read
jobs:
build:
name: Build and push images
runs-on: self-hosted-amd64-1cpu
steps:
- name: Checkout
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.0.2
- name: Import secrets
uses: hashicorp/vault-action@130d1f5f4fe645bb6c83e4225c04d64cfb62de6e # v2.5.0
id: secrets
with:
exportEnv: true
url: ${{ secrets.VAULT_URL }}
role: ${{ secrets.VAULT_ROLE }}
method: kubernetes
path: kubernetes-ci
secrets: |
kv-gitlab-ci/data/github/shared/dockerhub-creds user | DOCKERHUB_USER ;
kv-gitlab-ci/data/github/shared/dockerhub-creds password | DOCKERHUB_PASSWORD ;
kv-gitlab-ci/data/node/build/cosign password | COSIGN_PASSWORD ;
kv-gitlab-ci/data/node/build/cosign private_key | COSIGN_PRIVATE_KEY ;
- name: Build and push image
run: |
echo ${DOCKERHUB_PASSWORD} | docker login -u ${DOCKERHUB_USER} --password-stdin
make build
- name: Sign image
id: sign
run: |
TAG=$(cat TAG)
IMAGE_NAME="wallarm/sidecar-controller:${TAG}"
docker pull -q ${IMAGE_NAME}
IMAGE_DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' ${IMAGE_NAME})
IMAGE_URI=$(echo $IMAGE_DIGEST | sed -e 's/\@sha256:/:sha256-/')
SBOM_SPDX="sidecar-controller_${TAG}_spdx.json"
syft -o spdx-json ${IMAGE_NAME} > ${SBOM_SPDX}
cosign attach sbom --sbom ${SBOM_SPDX} ${IMAGE_DIGEST}
cosign sign --yes --key env://COSIGN_PRIVATE_KEY "${IMAGE_URI}.sbom"
cosign sign --recursive --yes --key env://COSIGN_PRIVATE_KEY ${IMAGE_DIGEST}
echo "sbom=${SBOM_SPDX}" >> $GITHUB_OUTPUT
- name: Upload SBOM
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce
with:
retention-days: 30
name: ${{ steps.sign.outputs.sbom }}
path: ${{ steps.sign.outputs.sbom }}