-
Notifications
You must be signed in to change notification settings - Fork 1
69 lines (61 loc) · 2.37 KB
/
release.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
on:
workflow_dispatch:
inputs:
image:
description: 'Image to Release'
required: true
type: string
permissions:
id-token: write # This is required for aws oidc connection
contents: read # This is required for actions/checkout
jobs:
image-release:
runs-on: ubuntu-latest
defaults:
run:
shell: bash
working-directory: .
steps:
- name: Git checkout
uses: actions/checkout@v3
- name: Configure AWS credentials from AWS account
uses: aws-actions/configure-aws-credentials@v1
with:
role-to-assume: ${{ secrets.AWS_PUBLICECR_ROLE }}
aws-region: ${{ secrets.AWS_PUBLICECR_REGION }}
role-session-name: GitHub-OIDC-SECURE-IMAGES
- name: Login to Amazon ECR Public
id: login-ecr-public
uses: aws-actions/amazon-ecr-login@v2
with:
registry-type: public
- name: Create & Push Minimal Image using apko
id: apko
uses: distroless/actions/apko-build@main
with:
config: images/${{ inputs.image }}/apko.yaml
tag: public.ecr.aws/t4s8c0c3/${{ inputs.image }}:latest
- name: Tag, and push docker image to Amazon ECR Public
env:
REGISTRY: ${{ steps.login-ecr-public.outputs.registry }}
REGISTRY_ALIAS: t4s8c0c3
REPOSITORY: ${{ inputs.image }}
run: |
docker load < output.tar
docker tag $REGISTRY/$REGISTRY_ALIAS/$REPOSITORY:latest-amd64 $REGISTRY/$REGISTRY_ALIAS/$REPOSITORY:latest
docker push $REGISTRY/$REGISTRY_ALIAS/$REPOSITORY:latest
- uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
- name: Sign the images
run: |
cosign sign \
--yes public.ecr.aws/t4s8c0c3/${{ inputs.image }}:latest
- name: Verify the pushed tags
run: |
cosign verify \
public.ecr.aws/t4s8c0c3/${{ inputs.image }}:latest \
--certificate-identity https://github.com/initializ/secure-images/.github/workflows/release.yml@refs/heads/main \
--certificate-oidc-issuer https://token.actions.githubusercontent.com | jq
- name: Attest SBOM
run: |
cosign attest \
--yes --predicate sbom-x86_64.spdx.json --type spdxjson public.ecr.aws/t4s8c0c3/${{ inputs.image }}:latest