Update Konflux Pipelines to use refs #249
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Test github action with TUF | |
on: | |
pull_request: | |
branches: [ main ] | |
paths-ignore: | |
- 'terraform/**' | |
defaults: | |
run: | |
shell: bash | |
working-directory: ./ | |
concurrency: | |
group: test-github-action-with-tuf${{ github.head_ref }} | |
cancel-in-progress: true | |
jobs: | |
test-github-action: | |
name: Test github action with TUF | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false # Keep running if one leg fails. | |
matrix: | |
k8s-version: | |
- v1.27.x | |
- v1.28.x | |
- v1.29.x | |
release-version: | |
- "main" # Test explicitly with latest | |
go-version: | |
- 1.22.x | |
leg: | |
- test github action with TUF | |
env: | |
KO_DOCKER_REPO: registry.local:5000/knative | |
steps: | |
- name: Checkout the current action | |
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 | |
- name: Test running the action | |
uses: ./actions/setup | |
with: | |
k8s-version: ${{ matrix.k8s-version }} | |
version: ${{ matrix.release-version }} | |
# Install cosign | |
- name: Install cosign | |
uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 | |
- name: Set up Go | |
uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 | |
with: | |
go-version: ${{ matrix.go-version }} | |
check-latest: true | |
- uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6 | |
- name: Create sample image | |
run: | | |
pushd $(mktemp -d) | |
go mod init example.com/demo-action-with-tuf | |
cat <<EOF > main.go | |
package main | |
import "fmt" | |
func main() { | |
fmt.Println("hello world") | |
} | |
EOF | |
demoimage=$(ko publish -B example.com/demo-action-with-tuf) | |
echo "demoimage=$demoimage" >> $GITHUB_ENV | |
echo Created image $demoimage | |
popd | |
- name: Initialize cosign with TUF root | |
run: cosign initialize --mirror ${{ env.TUF_MIRROR }} --root ./root.json | |
- name: Sign with cosign from the action using k8s token | |
run: | | |
cosign sign --yes --rekor-url ${{ env.REKOR_URL }} --fulcio-url ${{ env.FULCIO_URL }} --allow-insecure-registry ${{ env.demoimage }} --identity-token ${{ env.OIDC_TOKEN }} | |
- name: Verify with cosign from the action using k8s token | |
run: | | |
cosign verify --rekor-url "${{ env.REKOR_URL }}" \ | |
--allow-insecure-registry "${{ env.demoimage }}" \ | |
--certificate-identity "https://kubernetes.io/namespaces/default/serviceaccounts/default" \ | |
--certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local" | |
- name: Checkout TSA for testing. | |
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 | |
with: | |
repository: sigstore/timestamp-authority | |
path: ./src/github.com/sigstore/timestamp-authority | |
- name: Build timestamp-cli | |
working-directory: ./src/github.com/sigstore/timestamp-authority | |
run: | | |
go build -o ./timestamp-cli ./cmd/timestamp-cli | |
- name: Exercise TSA | |
working-directory: ./src/github.com/sigstore/timestamp-authority | |
run: | | |
curl ${{ env.TSA_URL }}/api/v1/timestamp/certchain > ts_chain.pem | |
echo "myblob" > myblob | |
if ! ./timestamp-cli --timestamp_server ${{ env.TSA_URL }} timestamp --hash sha256 --artifact myblob --out response.tsr ; then | |
echo "failed to timestamp artifact" | |
exit -1 | |
fi | |
if ! ./timestamp-cli verify --timestamp response.tsr --artifact "myblob" --certificate-chain ts_chain.pem ; then | |
echo "failed to verify timestamp" | |
exit -1 | |
fi | |
if ! ./timestamp-cli inspect --timestamp response.tsr --format json ; then | |
echo "failed to inspect the timestamp" | |
exit -1 | |
fi | |
- name: Collect diagnostics | |
if: ${{ failure() }} | |
uses: chainguard-dev/actions/kind-diag@main |