
Commit c5c6189

authored
Merge pull request #984 from jvanz/main
chore(ci): allow slsactl verification.
2 parents 5368105 + ca10f3c commit c5c6189

4 files changed

+205
-208
lines changed


.github/workflows/attestation.yml

-102
This file was deleted.

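--- a/.github/workflows/container-build.yml
+++ b/.github/workflows/container-build.yml
@@ -1,12 +1,6 @@
-name: Build container image, sign it, and generate SBOMs
+name: Build container image and sign it
 
 on:
-  workflow_call:
-    outputs:
-      digest:
-        description: "Container image digest"
-        value: ${{jobs.build.outputs.digest}}
-
   push:
     branches:
       - "main"
@@ -17,17 +11,59 @@ permissions:
 
 jobs:
   build:
-    uses: ./.github/workflows/container-image.yml
+    name: Build container image
     permissions:
       packages: write
       id-token: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-  sbom:
-    needs:
-      - build
-    uses: ./.github/workflows/attestation.yml
-    permissions:
-      packages: write
-      id-token: write
-    with:
-      image-digest: ${{ needs.build.outputs.digest }}
+      - name: Install cosign
+        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Retrieve tag name (main branch)
+        if: ${{ startsWith(github.ref, 'refs/heads/main') }}
+        run: |
+          echo TAG_NAME=latest >> $GITHUB_ENV
+
+      - name: Retrieve tag name (feat branch)
+        if: ${{ startsWith(github.ref, 'refs/heads/feat') }}
+        run: |
+          echo "TAG_NAME=latest-$(echo ${GITHUB_REF#refs/heads/})" >> $GITHUB_ENV
+
+      - name: Push and push container image
+        id: build-image
+        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
+        with:
+          context: .
+          file: ./Dockerfile
+          platforms: linux/amd64, linux/arm64
+          push: true
+          sbom: false # SBOM for feature and main branches is not generated
+          provenance: false # Provenance for feature and main branches is not generated
+          tags: |
+            ghcr.io/${{github.repository_owner}}/policy-server:${{ env.TAG_NAME }}
+
+      - name: Sign container image
+        run: |
+          cosign sign --yes ghcr.io/${{github.repository_owner}}/policy-server@${{ steps.build-image.outputs.digest }}
+
+          cosign verify \
+            --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+            --certificate-identity="https://github.com/${{github.repository_owner}}/policy-server/.github/workflows/container-build.yml@${{ github.ref }}" \
+            ghcr.io/${{github.repository_owner}}/policy-server@${{ steps.build-image.outputs.digest }}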
.github/workflows/container-image.yml

-82
This file was deleted.
