.github/workflows/dockerimagerelease.yaml

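# Manually dispatched release workflow: build the image from the repository
# root, push it to ECR Public, then sign it, verify the signature and attach
# an SBOM attestation with cosign (keyless, using the job's GitHub OIDC token).
on:
  workflow_dispatch:
    inputs:
      image:
        description: 'Image to Release'
        required: true
        type: string

permissions:
  # Required for the AWS OIDC role assumption AND for cosign keyless signing,
  # which requests an OIDC token from GitHub for the Fulcio certificate.
  id-token: write
  # Required for actions/checkout.
  contents: read

jobs:
  image-release:
    runs-on: ubuntu-latest
    defaults:
      run:
        shell: bash
        working-directory: .
    env:
      # The user-supplied image name is passed to the shell only through this
      # environment variable and quoted there; it is never expanded with
      # ${{ }} into the script text, so it cannot introduce shell syntax.
      IMAGE: ${{ inputs.image }}
      ECR_PUBLIC_REGISTRY: public.ecr.aws/t4s8c0c3
    steps:
      - name: Git checkout
        # TODO(review): pin to a commit SHA, as the cosign-installer step
        # below does, so a moved tag cannot change what runs here.
        uses: actions/checkout@v3

      - name: Configure AWS credentials from AWS account
        # TODO(review): pin to a commit SHA, as the cosign-installer step
        # below does.
        uses: aws-actions/configure-aws-credentials@v1
        with:
          role-to-assume: ${{ secrets.AWS_PUBLICECR_ROLE }}
          aws-region: ${{ secrets.AWS_PUBLICECR_REGION }}
          role-session-name: GitHub-OIDC-SECURE-IMAGES

      - name: Login to Amazon ECR Public
        id: login-ecr-public
        uses: aws-actions/amazon-ecr-login@v2
        with:
          registry-type: public

      - name: Build and push Docker image
        id: build-push
        run: |
          set -euo pipefail
          REF="${ECR_PUBLIC_REGISTRY}/${IMAGE}:latest"
          docker build -t "${IMAGE}:latest" .
          docker tag "${IMAGE}:latest" "${REF}"
          docker push "${REF}"
          # Resolve the immutable digest of what was just pushed so that the
          # signature and attestation bind to the content rather than to the
          # mutable :latest tag. The image was built locally, so its only
          # repository digest is the one recorded by this push — confirm if
          # the build ever starts from a pulled, pre-tagged image.
          DIGEST="$(docker inspect --format='{{index .RepoDigests 0}}' "${REF}")"
          echo "digest=${DIGEST}" >> "$GITHUB_OUTPUT"

      - uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2

      - name: Sign the images
        env:
          IMAGE_REF_BY_DIGEST: ${{ steps.build-push.outputs.digest }}
        run: |
          set -euo pipefail
          cosign sign --yes "${IMAGE_REF_BY_DIGEST}"

      - name: Verify the pushed tags
        env:
          IMAGE_REF_BY_DIGEST: ${{ steps.build-push.outputs.digest }}
          # The identity must name the workflow file that produced the
          # signature — this file — pinned to the branch releases are
          # dispatched from. Runs dispatched from any other branch will
          # (intentionally) fail verification here.
          CERT_IDENTITY: https://github.com/initializ/secure-images/.github/workflows/dockerimagerelease.yaml@refs/heads/main
        run: |
          set -euo pipefail
          cosign verify "${IMAGE_REF_BY_DIGEST}" \
            --certificate-identity "${CERT_IDENTITY}" \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com | jq

      - name: Attest SBOM
        env:
          IMAGE_REF_BY_DIGEST: ${{ steps.build-push.outputs.digest }}
        run: |
          set -euo pipefail
          # Nothing in this workflow generates the predicate; it must already
          # be present in the checkout. Fail with a clear message instead of
          # letting cosign error on a missing file.
          test -f sbom-x86_64.spdx.json || { echo "sbom-x86_64.spdx.json not found in checkout" >&2; exit 1; }
          cosign attest --yes \
            --predicate sbom-x86_64.spdx.json \
            --type spdxjson \
            "${IMAGE_REF_BY_DIGEST}"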