Skip to content

.github/workflows/dockerimagerelease.yaml #101

.github/workflows/dockerimagerelease.yaml

.github/workflows/dockerimagerelease.yaml #101

on:
workflow_dispatch:
inputs:
image:
description: 'Image to Release'
required: true
type: string
permissions:
id-token: write # This is required for AWS OIDC connection
contents: read # This is required for actions/checkout
jobs:
image-release:
runs-on: ubuntu-latest
defaults:
run:
shell: bash
working-directory: .
steps:
- name: Git checkout
uses: actions/checkout@v3
- name: Configure AWS credentials from AWS account
uses: aws-actions/configure-aws-credentials@v1
with:
role-to-assume: ${{ secrets.AWS_PUBLICECR_ROLE }}
aws-region: ${{ secrets.AWS_PUBLICECR_REGION }}
role-session-name: GitHub-OIDC-SECURE-IMAGES
- name: Login to Amazon ECR Public
id: login-ecr-public
uses: aws-actions/amazon-ecr-login@v2
with:
registry-type: public
- name: Build image
run: |
docker build -t images/${{ inputs.image }}:latest -f images/${{ inputs.image }}/Dockerfile .
docker tag images/${{ inputs.image }}:latest public.ecr.aws/t4s8c0c3/${{ inputs.image }}:latest
- name: Tag, and push docker image to Amazon ECR Public
env:
REGISTRY: ${{ steps.login-ecr-public.outputs.registry }}
REGISTRY_ALIAS: t4s8c0c3
REPOSITORY: ${{ inputs.image }}
run: |
docker tag $REGISTRY/$REGISTRY_ALIAS/$REPOSITORY:latest $REGISTRY/$REGISTRY_ALIAS/$REPOSITORY:latest
docker push $REGISTRY/$REGISTRY_ALIAS/$REPOSITORY:latest
- name: Generate SBOM
uses: anchore/sbom-action@v0
with:
image: public.ecr.aws/t4s8c0c3/${{ inputs.image }}:latest
format: spdx
artifact-name: sbom-x86_64.spdx.json
output-file: sbom-x86_64.spdx.json
id: anchore-sbom
- name: Upload SBOM
uses: actions/upload-artifact@v2
with:
name: sbom-x86_64
path: sbom-x86_64.spdx.json
- uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
- name: Sign the images
run: |
cosign sign \
--yes public.ecr.aws/t4s8c0c3/${{ inputs.image }}:latest
- name: Verify the pushed tags
run: |
cosign verify \
public.ecr.aws/t4s8c0c3/${{ inputs.image }}:latest \
--certificate-identity https://github.com/initializ/secure-images/.github/workflows/dockerimagerelease.yaml@refs/heads/main \
--certificate-oidc-issuer https://token.actions.githubusercontent.com | jq