-
Notifications
You must be signed in to change notification settings - Fork 72
118 lines (99 loc) · 4.1 KB
/
build-terminal-images.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
name: Build all terminal images
on:
schedule:
- cron: "0 0 * * *"
workflow_dispatch:
jobs:
build-image:
runs-on: ubuntu-latest
if: github.repository == 'chainguard-dev/edu'
permissions:
id-token: write # Federate with GCP and sign images
strategy:
matrix:
image:
- apko
- cosign
- policy-controller-base
- policy-controller-install
- rekor
- vexctl
container:
image: ghcr.io/wolfi-dev/sdk:latest@sha256:a96b9173cb5dd9d6050ecb11b6ec326f47a32d93537838845be5e558f9103148
# TODO: Deprivilege
options: |
--cap-add NET_ADMIN --cap-add SYS_ADMIN --device /dev/fuse --security-opt seccomp=unconfined --security-opt apparmor:unconfined
steps:
- name: 'Github Actions Runner'
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit
- uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
- name: 'Checkout default branch to $GITHUB_WORKSPACE dir'
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: melange keygen
shell: bash
working-directory: terminal-images/${{ matrix.image }}
run: |
melange keygen
- name: melange build
shell: bash
working-directory: terminal-images/${{ matrix.image }}
run: |
melange build melange.yaml --arch x86_64 --signing-key melange.rsa
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7
with:
service_account: "github-chainguard-academy@chainguard-academy.iam.gserviceaccount.com"
workload_identity_provider: "projects/456977358484/locations/global/workloadIdentityPools/chainguard-academy/providers/chainguard-edu"
token_format: 'access_token'
- name: Setup G Cloud SDK
uses: 'google-github-actions/setup-gcloud@6189d56e4096ee891640bb02ac264be376592d6a' # v2.0.11
- name: Configure GCR auth
shell: bash
run: gcloud auth configure-docker "${{ secrets.TERMINAL_REGISTRY_URL }}"
- name: apko login
shell: bash
run: |
apko login \
"${{ secrets.TERMINAL_REGISTRY_URL }}" \
--password=${{ steps.auth.outputs.access_token }} \
--username="oauth2accesstoken"
- name: apko publish
shell: bash
# working-directory: terminal-images/${{ matrix.image }}
run: |
apko publish \
--arch x86_64 apko.yaml \
--image-refs image-refs.txt \
"${{ secrets.TERMINAL_REGISTRY_URL }}/${{ secrets.TERMINAL_REPOSITORY }}/${{ matrix.image }}:latest" \
-k melange.rsa.pub \
--sbom-path . \
-C terminal-images/${{ matrix.image }}
# - name: cosign login
# shell: bash
# run: |
# cosign login \
# -p ${{ steps.auth.outputs.access_token }} \
# -u oauth2accesstoken \
# ${{ env.REGISTRY_URL }}
# - name: cosign attest sbom
# working-directory: terminal-images/${{ matrix.image }}
# run: cosign attest -y --predicate sbom-x86_64.spdx.json --type spdxjson "$(cat image-refs.txt)"
# - name: cosign sign image
# working-directory: terminal-images/${{ matrix.image }}
# run: cosign sign -y "$(cat image-refs.txt)
- name: Post failure notice to Slack
uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 # v2.3.2
if: ${{ failure() }}
env:
SLACK_ICON: http://github.com/chainguard-dev.png?size=48
SLACK_USERNAME: guardian
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
SLACK_CHANNEL: 'alerts-edu'
SLACK_COLOR: '#8E1600'
MSG_MINIMAL: 'true'
SLACK_TITLE: 'Build Terminal Images failed - ${{ github.repository }}'
SLACK_MESSAGE: |
For detailed logs: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}