-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Software supply chain security feature cosign added to cicd.yaml
- Loading branch information
1 parent
610c3d3
commit b607fb8
Showing
1 changed file
with
60 additions
and
20 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -54,27 +54,67 @@ jobs: | |
|
|
||
| deploy: | ||
| runs-on: ubuntu-latest | ||
| needs: [build] | ||
| needs: [ build ] | ||
| permissions: | ||
| contents: read | ||
| packages: write | ||
| id-token: write | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v3 | ||
| - name: Checkout code | ||
| uses: actions/[email protected] | ||
| with: | ||
| fetch-depth: 1 | ||
|
|
||
| - name: 'Login to github packages' | ||
| uses: docker/login-action@v1 | ||
| with: | ||
| registry: ${{ env.GITHUB_REGISTRY }} | ||
| username: ${{ github.actor }} | ||
| password: ${{ secrets.GITHUB_TOKEN }} | ||
| - name: Install Cosign | ||
| uses: sigstore/[email protected] | ||
|
|
||
| - name: Download build artifact | ||
| uses: actions/download-artifact@v2 | ||
| with: | ||
| name: valtimo-backend-build | ||
| - name: Set up QEMU | ||
| uses: docker/[email protected] | ||
|
|
||
| - name: Build and push Docker image | ||
| uses: docker/build-push-action@v2 | ||
| with: | ||
| file: Dockerfile | ||
| context: . | ||
| push: true | ||
| tags: ${{ env.GITHUB_REGISTRY }}/${{ env.GITHUB_NAMESPACE }}/${{ env.DOCKER_IMAGE_NAME }}:${{ needs.build.outputs.tagToDeploy }} | ||
| - name: Set up Docker Buildx | ||
| uses: docker/[email protected] | ||
|
|
||
| - name: Download dist artifact | ||
| uses: actions/download-artifact@v2 | ||
| with: | ||
| name: valtimo-backend-build | ||
|
|
||
| - name: 'Login to github packages' | ||
| uses: docker/login-action@v1 | ||
| with: | ||
| registry: ${{ env.GITHUB_REGISTRY }} | ||
| username: ${{ github.actor }} | ||
| password: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| - id: docker_meta | ||
| uses: docker/[email protected] | ||
| with: | ||
| images: ${{ env.GITHUB_REGISTRY }}/${{ env.GITHUB_NAMESPACE }}/${{ env.DOCKER_IMAGE_NAME }} | ||
| tags: type=raw,value=${{ needs.build.outputs.tagToDeploy }} | ||
|
|
||
| - name: Build and push Docker image | ||
| uses: docker/[email protected] | ||
| id: build-and-push | ||
| with: | ||
| file: Dockerfile | ||
| context: . | ||
| push: true | ||
| tags: ${{ steps.docker_meta.outputs.tags }} | ||
|
|
||
| - name: Sign the images with GitHub OIDC Token | ||
| env: | ||
| DIGEST: ${{ steps.build-and-push.outputs.digest }} | ||
| TAGS: ${{ steps.docker_meta.outputs.tags }} | ||
| run: | | ||
| images="" | ||
| for tag in ${TAGS}; do | ||
| images+="${tag}@${DIGEST} " | ||
| done | ||
| cosign sign --yes ${images} | ||
| - name: Verify the images | ||
| run: | | ||
| branch=${GITHUB_REF##*/} | ||
| cosign verify ${{ env.GITHUB_REGISTRY }}/${{ env.GITHUB_NAMESPACE }}/${{ env.DOCKER_IMAGE_NAME }}:${{ needs.build.outputs.tagToDeploy }} \ | ||
| --certificate-identity https://github.com/${{ env.GITHUB_NAMESPACE }}/${{ env.DOCKER_IMAGE_NAME }}/.github/workflows/cicd.yaml@refs/heads/${branch} \ | ||
| --certificate-oidc-issuer https://token.actions.githubusercontent.com | jq | ||