Skip to content

feat(SEC-1211): update semgrep version #256

feat(SEC-1211): update semgrep version

feat(SEC-1211): update semgrep version #256

name: Docker Sign Test
on:
pull_request:
branches:
- main
push:
branches:
- main
tags:
- '*'
workflow_dispatch: {}
jobs:
test-sign-docker-image:
permissions:
contents: read
packages: write # needed to upload to packages to registry
id-token: write # needed for signing the images with GitHub OIDC Token
if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
name: Test Sign Docker Image
runs-on: ubuntu-22.04
env:
PRERELEASE_IMAGE: kongcloud/security-test-repo-pub:ubuntu_23_10 #particular reason for the choice of image: test multi arch image
TAGS: kongcloud/security-test-repo-pub:ubuntu_23_10,kongcloud/security-test-repo:ubuntu_23_10
steps:
- uses: actions/checkout@v3
- name: Install regctl
uses: regclient/actions/regctl-installer@main
- name: Parse Image Manifest Digest
id: image_manifest_metadata
run: |
manifest_list_exists="$(
if regctl manifest get "${PRERELEASE_IMAGE}" --format raw-body --require-list -v panic &> /dev/null; then
echo true
else
echo false
fi
)"
echo "manifest_list_exists=$manifest_list_exists"
echo "manifest_list_exists=$manifest_list_exists" >> $GITHUB_OUTPUT
manifest_sha="$(regctl image digest "${PRERELEASE_IMAGE}")"
echo "manifest_sha=$manifest_sha"
echo "manifest_sha=$manifest_sha" >> $GITHUB_OUTPUT
- name: Sign Image digest
id: sign_image
if: steps.image_manifest_metadata.outputs.manifest_sha != ''
uses: ./security-actions/sign-docker-image
with:
cosign_output_prefix: ubuntu-23-10
signature_registry: kongcloud/security-test-repo-sig-pub
tags: ${{ env.TAGS }}
image_digest: ${{ steps.image_manifest_metadata.outputs.manifest_sha }}
local_save_cosign_assets: true
registry_username: ${{ secrets.DOCKERHUB_PUSH_USERNAME }}
registry_password: ${{ secrets.DOCKERHUB_PUSH_TOKEN }}
- name: Push Images
env:
RELEASE_TAG: kongcloud/security-test-repo:v1
run: |
docker pull ${PRERELEASE_IMAGE}
for tag in $RELEASE_TAG; do
regctl -v debug image copy ${PRERELEASE_IMAGE} $tag
done
- name: Sign Image digest
id: sign_image_v1
if: steps.image_manifest_metadata.outputs.manifest_sha != ''
uses: ./security-actions/sign-docker-image
env:
RELEASE_TAG: kongcloud/security-test-repo:v1
with:
cosign_output_prefix: v1 # Optional
local_save_cosign_assets: true # Optional
signature_registry: kongcloud/security-test-repo-sig-pub
tags: ${{ env.RELEASE_TAG }}
image_digest: ${{ steps.image_manifest_metadata.outputs.manifest_sha }}
registry_username: ${{ secrets.DOCKERHUB_PUSH_USERNAME }}
registry_password: ${{ secrets.DOCKERHUB_PUSH_TOKEN }}