fix: Set master build pipeline to no use experimental cosign with env… #176
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # if changing this name, also update promotion.yaml | |
| name: release-master | |
| on: | |
| push: | |
| branches: | |
| - master | |
| - build-fix-provenance | |
| tags: | |
| - v* | |
| jobs: | |
| vet: | |
| name: vet | |
| runs-on: ubuntu-22.04 | |
| container: golang:1.19 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - run: make vet | |
| shell: bash | |
| test: | |
| name: go test | |
| runs-on: ubuntu-22.04 | |
| container: golang:1.19 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - run: make test | |
| docker_build: | |
| name: docker_build | |
| runs-on: ubuntu-22.04 | |
| container: | |
| image: docker:23 | |
| options: -t | |
| # Setting up dind service container | |
| services: | |
| docker: | |
| image: docker:23-dind | |
| env: | |
| DOCKER_DRIVER: overlay | |
| DOCKER_HOST: tcp://localhost:2375 | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| steps: | |
| - name: Install Tools | |
| # Installing 'bash' because it's required by the 'cosign-installer' action | |
| # and 'coreutils' because the 'slsa-provenance-action' requires a version | |
| # of 'base64' that supports the -w flag. | |
| run: apk add --update make git jq rsync curl bash coreutils go | |
| - name: Adding github workspace as safe directory | |
| # See issue https://github.com/actions/checkout/issues/760 | |
| run: git config --global --add safe.directory $GITHUB_WORKSPACE | |
| - name: Install cosign | |
| uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 | |
| - name: Install Syft | |
| uses: anchore/sbom-action/download-syft@fd74a6fb98a204a1ad35bbfae0122c1a302ff88b | |
| - uses: actions/checkout@v4 | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| with: | |
| driver-opts: image=moby/buildkit:master | |
| - name: Login to quay.io | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: quay.io | |
| username: ${{ secrets.QUAY_USER }} | |
| password: ${{ secrets.QUAY_PASSWORD }} | |
| - name: Login to ghcr.io | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Build and push | |
| run: | | |
| make push-docker-image | |
| make push-docker-image DOCKER_IMAGE=quay.io/jetstack/venafi-agent | |
| - name: Sign | |
| run: | | |
| make sign-docker-image | |
| make sign-docker-image DOCKER_IMAGE=quay.io/jetstack/venafi-agent | |
| - name: SBOM | |
| run: | | |
| make sbom-docker-image | |
| make sbom-docker-image DOCKER_IMAGE=quay.io/jetstack/venafi-agent | |
| # The slsa-provenance-action generates a full attestation from an artifact | |
| # as the subject. However, cosign only expects the predicate portion of | |
| # the attestation and figures out the subject itself from the image. | |
| # | |
| # So, we generate a fake artifact and then strip everything but the | |
| # predicate out from the generated attestation. | |
| - name: Create mock artifact | |
| run: echo "foobar" > mock | |
| - name: Generate provenance | |
| uses: philips-labs/[email protected] | |
| with: | |
| command: generate | |
| subcommand: files | |
| arguments: --artifact-path mock | |
| env: | |
| COSIGN_EXPERIMENTAL: 0 | |
| - name: Extract predicate | |
| run: jq '.predicate' provenance.json > predicate.json | |
| - name: Attest | |
| run: | | |
| make attest-docker-image | |
| make attest-docker-image DOCKER_IMAGE=quay.io/jetstack/venafi-agent |