
Update ci workflow for provenance on multi platform containers
Signed-off-by: Marco Franssen <[email protected]>
marcofranssen committed Feb 18, 2022
1 parent 42033d4 commit a5f4306
Showing 1 changed file with 19 additions and 9 deletions.
28 changes: 19 additions & 9 deletions .github/workflows/ci.yaml
Expand Up @@ -65,8 +65,7 @@ jobs:
name: release
needs: [build]
outputs:
container_digest: ${{ steps.container_info.outputs.container_digest }}
container_tags: ${{ steps.container_info.outputs.container_tags }}
container_info: ${{ steps.container_info.outputs.container_info }}
container_repos: ${{ steps.container_info.outputs.container_repos }}

runs-on: ubuntu-20.04
Expand Down Expand Up @@ -135,10 +134,20 @@ jobs:
id: container_info
if: startsWith(github.ref, 'refs/tags/')
run: |
export CONTAINER_DIGEST=$(make container-digest GITHUB_REF=${{ github.ref_name }})
echo "::set-output name=container_digest::$CONTAINER_DIGEST"
echo "::set-output name=container_tags::$(make container-tags CONTAINER_DIGEST="${CONTAINER_DIGEST}" | paste -s -d ',' -)"
echo "::set-output name=container_repos::$(make container-repos CONTAINER_DIGEST="${CONTAINER_DIGEST}" | jq --raw-input . | jq --slurp -c)"
function digest_tags {
while IFS= read -r line ; do
jq -n "{digest: \"$line\", tags: \$ARGS.positional}" --args $(make container-tags CONTAINER_DIGEST=$line)
done <<< "$(make manifest-digest GITHUB_REF=${{ github.ref_name }})"
}
CONTAINER_INFO="$(digest_tags | jq --slurp . -c)"
CONTAINER_DIGEST="$(echo "$CONTAINER_INFO" | jq --raw-output '.[0].digest')"
CONTAINER_REPOS="$(make container-repos CONTAINER_DIGEST="${CONTAINER_DIGEST}" | jq --raw-input . | jq --slurp -c)"
set | grep 'CONTAINER_'
echo "::set-output name=container_info::$CONTAINER_INFO"
echo "::set-output name=container_repos::$CONTAINER_REPOS"
- name: Logout from Container registries
if: ${{ always() }}
Expand Down Expand Up @@ -206,6 +215,7 @@ jobs:
strategy:
matrix:
repo: ${{ fromJSON(needs.release.outputs.container_repos) }}
container: ${{ fromJSON(needs.release.outputs.container_info) }}

steps:
- name: Install cosign
Expand All @@ -218,7 +228,7 @@ jobs:
with:
command: generate
subcommand: container
arguments: --repository ${{ matrix.repo }} --output-path provenance.att --digest ${{ needs.release.outputs.container_digest }} --tags ${{ needs.release.outputs.container_tags }}
arguments: --repository ${{ matrix.repo }} --output-path provenance.att --digest ${{ matrix.container.digest }} --tags ${{ join(matrix.container.tags, ',') }}
env:
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

Expand All @@ -235,14 +245,14 @@ jobs:
- name: Attach provenance to image
run: |
echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key
cosign attest --predicate provenance-predicate.att --type slsaprovenance --key cosign.key ${{ matrix.repo }}@${{ needs.release.outputs.container_digest }}
cosign attest --predicate provenance-predicate.att --type slsaprovenance --key cosign.key ${{ matrix.repo }}@${{ matrix.container.digest }}
env:
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}

- name: Verify attestation
run: |
echo '${{ secrets.COSIGN_PUBLIC_KEY }}' > cosign.pub
cosign verify-attestation --key cosign.pub ${{ matrix.repo }}@${{ needs.release.outputs.container_digest }}
cosign verify-attestation --key cosign.pub ${{ matrix.repo }}@${{ matrix.container.digest }}
- name: Logout from Container registries
if: ${{ always() }}
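Review bot: The jq filter on the `jq -n "{digest: \"$line\", …}"` line inside `digest_tags` is assembled by interpolating `$line` into the program text, so any line emitted by `make manifest-digest` that is not a plain `sha256:…` token (an error message, a quote, a value with spaces) either breaks the filter or lands in the JSON unescaped; pass it as data instead: `jq -n --arg digest "$line" '{digest: $digest, tags: $ARGS.positional}' --args $(make container-tags CONTAINER_DIGEST="$line")`. The same `$line` is unquoted in `CONTAINER_DIGEST=$line`, which the suggested line also fixes. Separately, `${{ github.ref_name }}` is still expanded into the script body on the `done <<< …` line, so the tag name becomes part of the shell source; the usual hardening is an `env:` entry on the step such as `REF_NAME: ${{ github.ref_name }}` and `GITHUB_REF="$REF_NAME"` in the script. The step containing this script starts before the hunk, and nothing guards the `.[0].digest` lookup when `CONTAINER_INFO` is `[]`, in which case `make container-repos` is called with the literal string `null` as the digest instead of the step failing clearly.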
