1
- name : Build container image, sign it, and generate SBOMs
1
+ name : Build container image and sign it
2
2
3
3
on :
4
- workflow_call :
5
- outputs :
6
- digest :
7
- description : " Container image digest"
8
- value : ${{jobs.build.outputs.digest}}
9
-
10
4
push :
11
5
branches :
12
6
- " main"
@@ -17,17 +11,59 @@ permissions:
17
11
18
12
jobs :
19
13
build :
20
- uses : ./.github/workflows/ container- image.yml
14
+ name : Build container image
21
15
permissions :
22
16
packages : write
23
17
id-token : write
18
+ runs-on : ubuntu-latest
19
+ steps :
20
+ - name : Checkout code
21
+ uses : actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
24
22
25
- sbom :
26
- needs :
27
- - build
28
- uses : ./.github/workflows/attestation.yml
29
- permissions :
30
- packages : write
31
- id-token : write
32
- with :
33
- image-digest : ${{ needs.build.outputs.digest }}
23
+ - name : Install cosign
24
+ uses : sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
25
+
26
+ - name : Set up QEMU
27
+ uses : docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
28
+
29
+ - name : Set up Docker Buildx
30
+ uses : docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
31
+
32
+ - name : Login to GitHub Container Registry
33
+ uses : docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
34
+ with :
35
+ registry : ghcr.io
36
+ username : ${{ github.repository_owner }}
37
+ password : ${{ secrets.GITHUB_TOKEN }}
38
+
39
+ - name : Retrieve tag name (main branch)
40
+ if : ${{ startsWith(github.ref, 'refs/heads/main') }}
41
+ run : |
42
+ echo TAG_NAME=latest >> $GITHUB_ENV
43
+
44
+ - name : Retrieve tag name (feat branch)
45
+ if : ${{ startsWith(github.ref, 'refs/heads/feat') }}
46
+ run : |
47
+ echo "TAG_NAME=latest-$(echo ${GITHUB_REF#refs/heads/})" >> $GITHUB_ENV
48
+
49
+ - name : Push and push container image
50
+ id : build-image
51
+ uses : docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
52
+ with :
53
+ context : .
54
+ file : ./Dockerfile
55
+ platforms : linux/amd64, linux/arm64
56
+ push : true
57
+ sbom : false # SBOM for feature and main branches is not generated
58
+ provenance : false # Provenance for feature and main branches is not generated
59
+ tags : |
60
+ ghcr.io/${{github.repository_owner}}/policy-server:${{ env.TAG_NAME }}
61
+
62
+ - name : Sign container image
63
+ run : |
64
+ cosign sign --yes ghcr.io/${{github.repository_owner}}/policy-server@${{ steps.build-image.outputs.digest }}
65
+
66
+ cosign verify \
67
+ --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
68
+ --certificate-identity="https://github.com/${{github.repository_owner}}/policy-server/.github/workflows/container-build.yml@${{ github.ref }}" \
69
+ ghcr.io/${{github.repository_owner}}/policy-server@${{ steps.build-image.outputs.digest }}
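Review bot: In the `Retrieve tag name (feat branch)` step the branch name is copied verbatim into the image tag, so a branch such as `feat/foo` yields `latest-feat/foo`, which is not a valid OCI tag and will fail the later build-push step — unless the `push.branches` filter (which continues outside this hunk) only admits branch names without a slash. The `$(echo …)` subshell is redundant as well; `echo "TAG_NAME=latest-${GITHUB_REF_NAME//\//-}" >> "$GITHUB_ENV"` gives the same value for simple names and a usable tag for nested ones. The `cosign verify` identity hard-codes `container-build.yml`; that must match this workflow file's actual name or the verify step fails closed, and since the file name is not visible here it should be confirmed. The job-level `permissions` block now applies to a job that runs `actions/checkout` directly, so if this repository is private, `contents: read` has to be added (unspecified scopes become `none` once job-level permissions are set). Minor: the step name `Push and push container image` reads as a typo for `Build and push container image`.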