From 6a9ee44df045b496083adf1d0f7abaee4f323f8c Mon Sep 17 00:00:00 2001
From: Steve Wagner
Date: Tue, 9 May 2023 11:29:41 -0700
Subject: [PATCH] Build, publish, and scan image to GHCR
---
 .github/workflows/build-and-sign-image.yml | 50 ++++++++++++++--------
 1 file changed, 31 insertions(+), 19 deletions(-)
diff --git a/.github/workflows/build-and-sign-image.yml b/.github/workflows/build-and-sign-image.yml
index a527ac5..ab32b5f 100644
--- a/.github/workflows/build-and-sign-image.yml
+++ b/.github/workflows/build-and-sign-image.yml
@@ -3,19 +3,19 @@ name: Build and sign image
 on:
- # THIS BLOCK IS FOR TESTING
- create:
+ pull_request:
+ types:
+ - closed
+ branches:
+ - "main"
-# THIS BLOCK IS THE ACTUAL DESIRED EVENT TRIGGER
-# pull_request:
+# push:
 # branches:
-# - "*" # Run on all branches
-# types:
-# - closed ## This needs to be uncommented after testing
+# - "trigger-image-build-and-push-1"
 env:
- REGISTRY: docker.io
- IMAGE_NAME: "ciroque/nginx-k8s-loadbalancer" # ${{ github.repository }}
+ REGISTRY: ghcr.io
+ IMAGE_NAME: ${{ github.repository }}
 jobs:
 build_and_sign_image:
@@ -24,6 +24,7 @@ jobs:
 contents: read
 packages: write
 id-token: write
+ security-events: write
 steps:
 - name: Checkout
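Review bot: The new `pull_request` trigger with `types: [closed]` also fires for pull requests that are closed without being merged, and nothing in the trigger gates on the merge outcome, so an abandoned PR against main would still build, push `:latest` and sign it. Add `if: github.event.pull_request.merged == true` on the `build_and_sign_image` job (its body follows this hunk) so only merged changes are published. Pull requests from forks typically receive a read-only `GITHUB_TOKEN` on `pull_request` events, so the GHCR push would fail for them; a short comment above the trigger stating both constraints would save the next reader a debugging session. The commented-out `# push:` block reads as leftover scaffolding and, if the push trigger is no longer planned, could be dropped rather than carried forward.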
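Review bot: `security-events: write` is added to the job's permissions, but no step in this patch uploads scan results; the steps added in the following hunk are registry login, metadata extraction, build/push and cosign signing. If the scanning step the commit title refers to lives in a part of the file not shown here, this is fine; otherwise drop the grant until that step exists so the job keeps least privilege. The `permissions:` block begins outside the hunk.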
@@ -35,23 +36,34 @@ jobs:
 with:
 cosign-release: 'v1.13.1'
- - name: Docker Buildx
- uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2.5.0
+ - name: Log into registry ${{ env.REGISTRY }} for ${{ github.actor }}
+ uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
-# - name: Log into registry ${{ env.REGISTRY }} for ${{ github.actor }}
-# uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c
-# with:
-# registry: ${{ env.REGISTRY }}
-# username: ${{ github.actor }}
-# password: ${{ secrets.DOCKER_HUB_TOKEN }}
+ - name: Extract metadata (tags, labels) for Docker
+ id: meta
+ uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
+ with:
+ images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 - name: Build Docker Image
+ id: docker-build-and-push
 uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671
 with:
 context: .
 file: ./Dockerfile
- push: false
- tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
+ push: true
+ tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest,${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{github.run_number}}
+
+ - name: Sign the published Docker images
+ env:
+ COSIGN_EXPERIMENTAL: "true"
+ # This step uses the identity token to provision an ephemeral certificate
+ # against the sigstore community Fulcio instance.
+ run: cosign sign "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.docker-build-and-push.outputs.digest }}"
 # NOTE: This runs statically against the latest tag in Docker Hub which was not produced by this workflow
 # This should be updated once this workflow is fully implemented
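Review bot: The new `Extract metadata` step (`id: meta`) is never consumed: the build step still hard-codes `tags:` from `env.IMAGE_NAME` and sets no `labels:`, so the step is dead weight and the OCI labels it would produce are not applied; wire it in with `tags: ${{ steps.meta.outputs.tags }}` and `labels: ${{ steps.meta.outputs.labels }}`, or remove the step. This also matters because `github.repository` keeps the owner's letter case while GHCR accepts only lowercase image names, and metadata-action normalises `images` to lowercase whereas the hand-built tag does not, so the push would fail for a mixed-case owner. Replacing the `${{ github.sha }}` tag with `:latest` and `${{github.run_number}}` leaves no tag tied to the source commit, and a re-run of the same workflow run reuses the run number and overwrites it, so keep a commit-based tag alongside. The trailing `# NOTE: This runs statically against the latest tag in Docker Hub …` comment is stale now that the registry is GHCR and the image is produced and signed by digest in this workflow; delete it or rewrite it to say the signature covers the `docker-build-and-push` digest. The two new SHA-pinned actions (`docker/login-action`, `docker/metadata-action`) lack the `# vX.Y.Z` comment the removed buildx step carried, so add it to keep the pins reviewable.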