Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adding new github actions workflow for pushing containers #160

Merged
merged 14 commits into from
Apr 24, 2023
Merged

Adding new github actions workflow for pushing containers #160

merged 14 commits into from
Apr 24, 2023

Conversation

pputman-clabs
Copy link
Contributor

@pputman-clabs pputman-clabs commented Mar 2, 2023
edited
Loading

Description

Adding a new github actions workflow to deploy containers in a more secure manner (using workload identity federation). This will have two service accounts, one that only the main branch has permission to assume, which pushes to a production artifact registry repo in the devopsre gcp project, and one which any branch can push to, which will push to a dev-images artifact registry repository.

It will build an image with two tags: one for the latest sha (of the commit if its a PR, of the merge commit if it's committed tom main), and one for the tag specified. Currently setting "testing" in dev-images repo and using the github tag for the production repo, but these are configurable.

The authentication is handled via keyless OIDC which uses github JWT tokens to identify the repository and branch, which if allowed will map to above service accounts.

it will also use sigstore to sign the image with githubs OIDC token, and use trivy to scan the repository for security vulnerabilities.

Tested

I've tested this workflow before, using a reusable workflow.

Issues

Would fix:
#152

Backwards compatibility

This isn't entirely backwards compatible. Due to the way that reusable workflows work, we can't pass variables between jobs, so I can't exactly imitate the functionality in the shell script that exists, which sets the name and version of the package automatically based on values in json.package

Workaround is that we can use github tags as the version, which may be better anyways. It would require the developer to push a tag with commits, but that tag would automatically be set as the version.
https://stackoverflow.com/questions/18216991/create-a-tag-in-a-github-repository

@pputman-clabs pputman-clabs changed the title renaming new workflow so its obvious its me testing it Adding new github actions workflow for pushing containers Mar 2, 2023
pputman-clabs and others added 13 commits April 11, 2023 11:03
@nvtaveras nvtaveras merged commit fe3b63c into main Apr 24, 2023
@nvtaveras nvtaveras deleted the pputman/new-reusable-workflow branch April 24, 2023 17:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nvtaveras nvtaveras nvtaveras approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@pputman-clabs @nvtaveras @ninabarbakadze