fix(CI): modify cert format issue for notation CLI #103
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: ci | |
| concurrency: | |
| cancel-in-progress: ${{ ! startsWith(github.ref, 'refs/tags/v') }} | |
| group: ci-${{ github.ref_name }}-${{ github.event_name }} | |
| on: | |
| push: | |
| branches: | |
| - main | |
| tags: | |
| - v* | |
| pull_request: | |
| branches: | |
| - main | |
| env: | |
| ANSIBLE_FORCE_COLOR: "1" | |
| PY_COLORS: "1" | |
| jobs: | |
| checkov: | |
| if: | | |
| contains(fromJson('["schedule", "pull_request", "push"]'), github.event_name) | |
| permissions: | |
| contents: read | |
| security-events: write | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Checkov GitHub Action | |
| uses: bridgecrewio/checkov-action@v12 | |
| with: | |
| config_file: .checkov_config.yaml | |
| output_format: cli,sarif | |
| output_file_path: console,results.sarif | |
| trivy: | |
| if: github.event_name == 'push' || github.event_name == 'pull_request' | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| security-events: write | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| scan-type: | |
| - fs | |
| - config | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Cache trivy db | |
| uses: actions/cache@v4 | |
| with: | |
| path: | | |
| ~/.cache/trivy | |
| ~/work/temp | |
| key: ${{ runner.os }}-trivy-db-${{ hashFiles('**/trivy.yaml') }} | |
| - name: Run Trivy vulnerability scanner in fs mode | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| format: sarif | |
| ignore-unfixed: true | |
| output: trivy-results.sarif | |
| scan-ref: . | |
| scan-type: ${{ matrix.scan-type }} | |
| severity: CRITICAL,HIGH | |
| trivy-config: trivy.yaml | |
| token-setup-trivy: ${{ secrets.GH_PAT }} | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: trivy-results.sarif | |
| ansible-lint: | |
| if: github.event_name == 'push' || github.event_name == 'pull_request' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Run ansible-lint | |
| uses: ansible/ansible-lint@main | |
| release-edge: | |
| needs: | |
| - checkov | |
| - ansible-lint | |
| - trivy | |
| if: github.event_name == 'push' && github.ref == 'refs/heads/main' | |
| permissions: | |
| packages: write | |
| id-token: write | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Setup Cosign CLI | |
| uses: sigstore/cosign-installer@v3 | |
| - name: Setup Notation CLI | |
| uses: notaryproject/notation-action/setup@v1 | |
| with: | |
| version: "1.1.0" | |
| - name: Setup Notation signing keys | |
| run: | | |
| mkdir -p ~/.config/notation/localkeys/ | |
| cp ./.notation/signingkeys.json ~/.config/notation/ | |
| cp ./.notation/notation.crt ~/.config/notation/localkeys/ | |
| echo "$NOTATION_KEY" > ~/.config/notation/localkeys/notation.key | |
| env: | |
| NOTATION_KEY: ${{ secrets.NOTATION_SIGNING_KEY }} | |
| - name: Setup Flux CLI | |
| uses: fluxcd/flux2/action@main | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ github.token }} | |
| - name: Build source | |
| run: tar cvzf kustomizations.tar.gz $(find . -maxdepth 1 -type d ! -name '.*' | grep -v -f .buildignore) | |
| - id: push | |
| name: Push to ghcr OCI registry | |
| run: | | |
| digest_url=$(flux push artifact oci://ghcr.io/${{ github.repository }}:${{ github.run_id }} \ | |
| --path=kustomizations.tar.gz \ | |
| --source=${{ github.server_url }}/${{ github.repository }} \ | |
| --revision="$(git tag --points-at HEAD)@sha1:$(git rev-parse HEAD)" \ | |
| --annotations="org.opencontainers.image.created=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" \ | |
| --annotations="org.opencontainers.image.description=OCI artifact containing Kustomizations" \ | |
| --annotations="org.opencontainers.image.documentation=${{ github.server_url }}/${{ github.repository }}" \ | |
| --annotations="org.opencontainers.image.licenses=Apache-2.0" \ | |
| --annotations="org.opencontainers.image.revision=$(git rev-parse HEAD)" \ | |
| --annotations="org.opencontainers.image.title=Kustomizations" \ | |
| --annotations="org.opencontainers.image.url=${{ github.server_url }}/${{ github.repository }}" \ | |
| --annotations="org.opencontainers.image.version=$(git tag --points-at HEAD)" \ | |
| --output json | jq -r '. | .repository + "@" + .digest') | |
| flux tag artifact oci://ghcr.io/${{ github.repository }}:${{ github.run_id }} --tag latest | |
| echo "digest-url=$digest_url" >> $GITHUB_OUTPUT | |
| - name: Sign artifacts with cosign | |
| run: | | |
| cosign sign --yes ${{ steps.push.outputs.digest-url }} | |
| - name: Sign artifacts with Notation | |
| run: | | |
| notation sign --signature-format cose ghcr.io/${{ github.repository }}:${{ github.run_id }} | |
| notation sign --signature-format cose ghcr.io/${{ github.repository }}:latest | |
| release-please: | |
| if: github.event_name == 'push' && github.ref == 'refs/heads/main' | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| pull-requests: write | |
| outputs: | |
| releases_created: ${{ steps.release-please.outputs.releases_created }} | |
| tag_name: ${{ steps.release-please.outputs.tag_name }} | |
| steps: | |
| - id: release-please | |
| name: Release please | |
| uses: googleapis/release-please-action@v4 | |
| with: | |
| release-type: simple | |
| release-stable: | |
| needs: | |
| - release-please | |
| if: needs.release-please.outputs.releases_created == 'true' | |
| permissions: | |
| contents: write | |
| id-token: write | |
| packages: write | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Setup Cosign CLI | |
| uses: sigstore/cosign-installer@v3 | |
| - name: Setup Notation CLI | |
| uses: notaryproject/notation-action/setup@v1 | |
| with: | |
| version: "1.1.0" | |
| - name: Setup Flux CLI | |
| uses: fluxcd/flux2/action@main | |
| - name: Build source | |
| run: tar cvzf kustomizations.tar.gz $(find . -maxdepth 1 -type d ! -name '.*' | grep -v -f .buildignore) | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ github.token }} | |
| - name: Push to ghcr OCI registry | |
| run: | | |
| flux push artifact oci://ghcr.io/${{ github.repository }}:${{ needs.release-please.outputs.tag_name }} \ | |
| --path=kustomizations.tar.gz \ | |
| --source=${{ github.server_url }}/${{ github.repository }} \ | |
| --revision="$(git tag --points-at HEAD)@sha1:$(git rev-parse HEAD)" \ | |
| --annotations="org.opencontainers.image.created=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" \ | |
| --annotations="org.opencontainers.image.description=OCI artifact containing Kustomizations" \ | |
| --annotations="org.opencontainers.image.documentation=${{ github.server_url }}/${{ github.repository }}" \ | |
| --annotations="org.opencontainers.image.licenses=Apache-2.0" \ | |
| --annotations="org.opencontainers.image.revision=$(git rev-parse HEAD)" \ | |
| --annotations="org.opencontainers.image.title=Kustomizations" \ | |
| --annotations="org.opencontainers.image.url=${{ github.server_url }}/${{ github.repository }}" \ | |
| --annotations="org.opencontainers.image.version=$(git tag --points-at HEAD)" | |
| flux tag artifact oci://ghcr.io/${{ github.repository }}:${{ needs.release-please.outputs.tag_name }} --tag latest | |
| - name: Sign artifacts with cosign | |
| env: | |
| COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | |
| COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} | |
| run: | | |
| cosign sign --yes --key env://COSIGN_PRIVATE_KEY ghcr.io/${{ github.repository }}:${{ needs.release-please.outputs.tag_name }} |