This repository has been archived by the owner on Jul 3, 2024. It is now read-only.

fix vars #10

Workflow file for this run

	name: Validate SecureSign Ansible
	on:
	workflow_dispatch:
	push:
	branches: ["main", "release*"]
	tags: ["*"]
	pull_request:
	branches: ["main", "release*"]

	env:
	GO_VERSION: 1.21
	AWS_REGION: us-east-1
	AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
	AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
	BASE_HOSTNAME: ${{ secrets.BASE_DOMAIN }}
	FULCIO_URL: https://fulcio.${{ secrets.BASE_DOMAIN }}
	TUF_URL: https://tuf.${{ secrets.BASE_DOMAIN }}
	KEYCLOAK_URL: ${{ secrets.KEYCLOAK_URL }}
	KEYCLOAK_REALM: sigstore
	KEYCLOAK_OIDC_ISSUER: ${KEYCLOAK_URL}/realms/${KEYCLOAK_REALM}
	REKOR_URL: https://rekor.${{ secrets.BASE_DOMAIN }}
	TF_VAR_base_domain: ${{ secrets.BASE_DOMAIN }}
	TF_VAR_vpc_id: ${{ secrets.VPC_ID }}
	TF_VAR_rh_username: ${{ secrets.RH_USERNAME }}
	TF_VAR_rh_password: ${{ secrets.RH_PASSWORD }}

	jobs:
	deploy-and-test:
	name: Deploy using terraform then tag, push, sign and verify
	runs-on: ubuntu-latest
	steps:
	- uses: hashicorp/setup-terraform@v3

	- name: Checkout code
	uses: actions/checkout@v2

	- name: sshkeygen for ansible
	run: ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa -N ""

	- name: Terraform Init
	run: terraform init

	- name: Terraform Apply
	run: terraform apply -auto-approve

	- name: install cosign
	uses: sigstore/[email protected]
	with:
	cosign-release: 'v2.2.2' # optional

	- name: Grab the certificate and trust it
	run: export ESCAPED_URL=octo-emerging_redhataicoe_com && rm -rf ./.pem && openssl s_client -showcerts -verify 5 -connect rekor.$BASE_HOSTNAME:443 < /dev/null \| awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/{ if(/BEGIN CERTIFICATE/){a++}; out="cert"a".pem"; print >out}' && for cert in .pem; do newname=$(openssl x509 -noout -subject -in $cert \| sed -nE 's/.CN ?= ?(.)/\1/; s/[ ,.*]/_/g; s/__/_/g; s/_-_/-/; s/^_//g;p' \| tr '[:upper:]' '[:lower:]').pem; echo "${newname}"; mv "${cert}" "${newname}" ; done && sudo mv $ESCAPED_URL.pem /usr/local/share/ca-certificates/ && sudo update-ca-certificates && cosign initialize --mirror=$TUF_URL --root=$TUF_URL/root.json

	- name: pull and tag alpine
	run: \|
	docker pull alpine:latest
	docker tag alpine:latest ttl.sh/alpine:10m

	- name: push and sign alpine
	run: \|
	docker push ttl.sh/alpine:10m
	TOKEN=$(curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "username=jdoe" -d "password=secure" -d "grant_type=password" -d "scope=openid" -d "client_id=sigstore" https://${{ env.KEYCLOAK_URL }}/auth/realms/${{ env.KEYCLOAK_OIDC_ISSUER}}/protocol/openid-connect/token \| sed -E 's/."access_token":"([^"]).*/\1/')
	cosign sign sign -y --fulcio-url=$FULCIO_URL --rekor-url=$REKOR_URL --oidc-issuer=$OIDC_ISSUER_URL --identity-token=$TOKEN ttl.sh/alpine:10m
	cosign verify --rekor-url=\$REKOR_URL --certificate-identity-regexp ".@redhat" --certificate-oidc-issuer-regexp ".keycloak.*" ttl.sh/alpine:10m

	- name: Terraform Destroy
	if: always()
	run: terraform destroy -auto-approve

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix vars #10

Workflow file

fix vars #10

Jobs

Run details

Workflow file for this run