Skip to content

Build all terminal images #602

Build all terminal images

Build all terminal images #602

name: Build all terminal images
on:
schedule:
- cron: "0 0 * * *"
workflow_dispatch:
jobs:
build-image:
runs-on: ubuntu-latest
if: github.repository == 'chainguard-dev/edu'
permissions:
id-token: write # Federate with GCP and sign images
strategy:
matrix:
image:
- apko
- cosign
- policy-controller-base
- policy-controller-install
- rekor
- vexctl
container:
image: ghcr.io/wolfi-dev/sdk:latest@sha256:a96b9173cb5dd9d6050ecb11b6ec326f47a32d93537838845be5e558f9103148
# TODO: Deprivilege
options: |
--cap-add NET_ADMIN --cap-add SYS_ADMIN --device /dev/fuse --security-opt seccomp=unconfined --security-opt apparmor:unconfined
steps:
- name: 'Github Actions Runner'
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
- uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
- name: 'Checkout default branch to $GITHUB_WORKSPACE dir'
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- name: melange keygen
shell: bash
working-directory: terminal-images/${{ matrix.image }}
run: |
melange keygen
- name: melange build
shell: bash
working-directory: terminal-images/${{ matrix.image }}
run: |
melange build melange.yaml --arch x86_64 --signing-key melange.rsa
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5
with:
service_account: "github-chainguard-academy@chainguard-academy.iam.gserviceaccount.com"
workload_identity_provider: "projects/456977358484/locations/global/workloadIdentityPools/chainguard-academy/providers/chainguard-edu"
token_format: 'access_token'
- name: Setup G Cloud SDK
uses: 'google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7' # v2.0.11
- name: Configure GCR auth
shell: bash
run: gcloud auth configure-docker "${{ secrets.TERMINAL_REGISTRY_URL }}"
- name: apko login
shell: bash
run: |
apko login \
"${{ secrets.TERMINAL_REGISTRY_URL }}" \
--password=${{ steps.auth.outputs.access_token }} \
--username="oauth2accesstoken"
- name: apko publish
shell: bash
# working-directory: terminal-images/${{ matrix.image }}
run: |
apko publish \
--arch x86_64 apko.yaml \
--image-refs image-refs.txt \
"${{ secrets.TERMINAL_REGISTRY_URL }}/${{ secrets.TERMINAL_REPOSITORY }}/${{ matrix.image }}:latest" \
-k melange.rsa.pub \
--sbom-path . \
-C terminal-images/${{ matrix.image }}
# - name: cosign login
# shell: bash
# run: |
# cosign login \
# -p ${{ steps.auth.outputs.access_token }} \
# -u oauth2accesstoken \
# ${{ env.REGISTRY_URL }}
# - name: cosign attest sbom
# working-directory: terminal-images/${{ matrix.image }}
# run: cosign attest -y --predicate sbom-x86_64.spdx.json --type spdxjson "$(cat image-refs.txt)"
# - name: cosign sign image
# working-directory: terminal-images/${{ matrix.image }}
# run: cosign sign -y "$(cat image-refs.txt)
- name: Post failure notice to Slack
uses: rtCamp/action-slack-notify@4e5fb42d249be6a45a298f3c9543b111b02f7907 # v2.3.0
if: ${{ failure() }}
env:
SLACK_ICON: http://github.com/chainguard-dev.png?size=48
SLACK_USERNAME: guardian
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
SLACK_CHANNEL: 'alerts-edu'
SLACK_COLOR: '#8E1600'
MSG_MINIMAL: 'true'
SLACK_TITLE: 'Build Terminal Images failed - ${{ github.repository }}'
SLACK_MESSAGE: |
For detailed logs: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}