This repository has been archived by the owner on Jun 23, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 1
129 lines (120 loc) · 4.22 KB
/
build-cosign-container.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
name: build-cosign-container
on:
pull_request:
branches:
- main
push:
branches:
- main
workflow_dispatch:
env:
IMAGE_NAME: cosign-generate-keypair
IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
jobs:
push-ghcr:
name: Build and push image
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write
strategy:
fail-fast: false
matrix:
include:
- is_latest: true
is_stable: true
steps:
# Checkout push-to-registry action GitHub repository
- name: Checkout Push to Registry action
uses: actions/checkout@v3
# Build metadata
- name: Image Metadata
uses: docker/metadata-action@v4
id: meta
with:
images: |
${{ env.IMAGE_NAME }}
labels: |
io.artifacthub.package.readme-url=https://raw.githubusercontent.com/ublue-os/bazzite-arch/main/README.md
- name: Generate tags
id: generate-tags
shell: bash
run: |
echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
alias_tags=()
# Only perform the follow code when the action is spawned from a Pull Request
if [[ "${{ github.event_name }}" == "pull_request" ]]; then
alias_tags+=("pr-${{ github.event.number }}")
else
# The following is run when the timer is triggered or a merge/push to main
echo "date=$(date +%Y%m%d)" >> $GITHUB_OUTPUT
if [[ "${{ matrix.is_latest }}" == "true" ]]; then
alias_tags+=("latest")
fi
if [[ "${{ matrix.is_stable }}" == "true" ]]; then
alias_tags+=("stable")
fi
fi
echo "alias_tags=${alias_tags[*]}" >> $GITHUB_OUTPUT
# Build image using Buildah action
- name: Build Image
id: build_image
uses: redhat-actions/buildah-build@v2
with:
containerfiles: |
./cosign/Containerfile
image: ${{ env.IMAGE_NAME }}
tags: |
${{ steps.generate-tags.outputs.alias_tags }}
${{ steps.generate-tags.outputs.date }}
${{ steps.generate-tags.outputs.sha_short }}
labels: ${{ steps.meta.outputs.labels }}
oci: false
# Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR.
# https://github.com/macbre/push-to-ghcr/issues/12
- name: Lowercase Registry
id: registry_case
uses: ASzc/change-string-case-action@v5
with:
string: ${{ env.IMAGE_REGISTRY }}
# Push the image to GHCR (Image Registry)
- name: Push To GHCR
uses: redhat-actions/push-to-registry@v2
id: push
if: github.event_name != 'pull_request'
env:
REGISTRY_USER: ${{ github.actor }}
REGISTRY_PASSWORD: ${{ github.token }}
with:
image: ${{ steps.build_image.outputs.image }}
tags: ${{ steps.build_image.outputs.tags }}
registry: ${{ steps.registry_case.outputs.lowercase }}
username: ${{ env.REGISTRY_USER }}
password: ${{ env.REGISTRY_PASSWORD }}
extra-args: |
--disable-content-trust
- name: Login to GitHub Container Registry
uses: docker/login-action@v2
if: github.event_name != 'pull_request'
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
# Sign container
- uses: sigstore/[email protected]
if: github.event_name != 'pull_request'
- name: Sign container image
if: github.event_name != 'pull_request'
run: |
echo "${{ env.COSIGN_PRIVATE_KEY }}" > cosign.key
wc -c cosign.key
cosign sign -y --key cosign.key ${{ steps.registry_case.outputs.lowercase }}/${{ env.IMAGE_NAME }}@${TAGS}
env:
TAGS: ${{ steps.push.outputs.digest }}
COSIGN_EXPERIMENTAL: false
COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
- name: Echo outputs
if: github.event_name != 'pull_request'
run: |
echo "${{ toJSON(steps.push.outputs) }}"