forked from vszal/gcp-secure-cicd
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathcloudbuild-ci-only.yaml
49 lines (49 loc) · 1.71 KB
/
cloudbuild-ci-only.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
# Build/CI only, No push to GKE vis Cloud Deploy
# Add Kritis signing key variable in the substitutions section at bottom:
steps:
# Build and tag using commit sha
- name: 'gcr.io/cloud-builders/docker'
args: ['build', '.', '-t', 'us-central1-docker.pkg.dev/$PROJECT_ID/pop-stats/pop-stats:ci-only', '-f', 'Dockerfile']
dir: 'app'
id: build
# Run api tests
- name: 'us-central1-docker.pkg.dev/$PROJECT_ID/pop-stats/pop-stats:ci-only'
entrypoint: python
args: ["api_tests.py"]
dir: 'app'
id: apitest
# Push the container image to Artifact Registry, get sha256 of the image
- name: gcr.io/cloud-builders/docker
entrypoint: /bin/bash
args:
- -c
- |
docker push us-central1-docker.pkg.dev/$PROJECT_ID/pop-stats/pop-stats:ci-only &&
docker image inspect us-central1-docker.pkg.dev/$PROJECT_ID/pop-stats/pop-stats:ci-only --format '{{index .RepoDigests 0}}' > image-digest.txt &&
cat image-digest.txt
id: push
# Test against my vulnerability policy
- name: gcr.io/$PROJECT_ID/kritis-signer
entrypoint: /bin/bash
args:
- -c
- |
/kritis/signer \
-v=10 \
-alsologtostderr \
-image=$(/bin/cat image-digest.txt) \
-policy=./policy/kritis/vulnz-signing-policy.yaml \
-kms_key_name=${_KMS_KEY_NAME} \
-kms_digest_alg=${_KMS_DIGEST_ALG} \
-note_name=${_NOTE_NAME}
waitFor: ['push']
id: vulnsign
images:
- us-central1-docker.pkg.dev/$PROJECT_ID/pop-stats/pop-stats:ci-only
options:
requestedVerifyOption: VERIFIED
# Update with your project, key info, and notes below
#substitutions:
# _KMS_KEY_NAME: MISSING_KMS_KEY_NAME
# _KMS_DIGEST_ALG: MISSING_KMS_DIGEST_ALG
# _NOTE_NAME: MISSING_NOTE_NAME