From b83738b32a0f79ff5475a8cc22bb71be24dca35d Mon Sep 17 00:00:00 2001 From: Nic Cheneweth Date: Wed, 15 May 2024 17:52:23 -0500 Subject: [PATCH] [nc] test publish workflow Signed-off-by: Nic Cheneweth --- README.md | 45 ++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 44 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 51a1255..c1c67c2 100644 --- a/README.md +++ b/README.md @@ -1,2 +1,45 @@ -# gha-container-base-image +
+

+ Thoughtworks Logo +
+ DPS Title +

+

PSK Convenience Images

+

twdps/gha-container-base-image

+ +
+
+Within most teams or organizations, every job container image will require a certain amount of common configuration regardless of the purpose for which it is built. + +Packages that typically fall into this set of shared executor requirements include things like: +- tool for accessing secrets (such as Vault, chamber, 1password, teller) +- standard shell (bash, zsh) +- multi-language support (locales) +- common dependencies for installing packages (curl, wget, unzip, common build dependencies) + +The psk gha-container-base-image is an example of such a common base container. You will see the psk specific tools and configuration, but this can readily be adapted to any organizational requirements. + +Build job specific container images starting from the base image. + +See release notes for detailed version information. + +**signature**. Images are signed using `cosign`. You can verify an image using the twdps public key found [here](https://raw.githubusercontent.com/ThoughtWorks-DPS/static/master/cosign.pub). +```bash +cosign verify --key cosign.pub twdps/gha-container-base-image:0.1.0 +``` + +**software bill of materials**. For each published image, an SBOM is generated using [syft](https://github.com/anchore/syft) and uploaded to the container registry tagged using the manifest id and .spdx extension. You can pull the sbom using the oras tool as follows: + +fetch image manifest: +``` +docker image inspect --format='{{index .RepoDigests 0}}' twdps/gha-container-base-image:0.1.0 +``` +twdps/gha-container-base-image:0.1.0@sha256:9d8e8eef60900fcf207e3b258b4ce13b4cdb1765f0f7ca3022fd685cd53b8a14 + +download sbom: +``` +oras pull docker.io/twdps/gha-container-base-image:0.1.0:sha256-9d8e8eef60900fcf207e3b258b4ce13b4cdb1765f0f7ca3022fd685cd53b8a14.spdx +``` + +Review `.snyk` for current vulnerability status.
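Review bot: the `oras pull` reference in the "download sbom" step carries two tags (`:0.1.0:sha256-...spdx`), which is not a valid image reference, since an OCI reference takes a single tag; the SBOM tag described in the text ("tagged using the manifest id and .spdx extension") should replace the version tag rather than follow it, i.e. `oras pull docker.io/twdps/gha-container-base-image:sha256-9d8e8eef60900fcf207e3b258b4ce13b4cdb1765f0f7ca3022fd685cd53b8a14.spdx`. In the same region, the `cosign verify` example passes `--key cosign.pub` but the text only links to the key, so add the fetch step before it (`curl -O https://raw.githubusercontent.com/ThoughtWorks-DPS/static/master/cosign.pub`) and consider verifying by the `@sha256:` digest shown in the manifest step rather than the mutable `0.1.0` tag, so the signature check binds to the same manifest whose SBOM is pulled afterwards. Style: the two later fences lack the `bash` language tag the first fence uses.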