Build all terminal images #170
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build all terminal images | |
on: | |
schedule: | |
- cron: "0 0 * * *" | |
workflow_dispatch: | |
env: | |
PROJECT_ID: "${{ secrets.TERMINAL_PROJECT_ID}}" | |
WORKLOAD_IDENTITY_PROVIDER: "${{ secrets.TERMINAL_WORKLOAD_IDENTITY_PROVIDER }}" | |
SERVICE_ACCOUNT: "${{ secrets.TERMINAL_SERVICE_ACCOUNT }}" | |
GH_TOKEN: ${{ github.token }} | |
REGISTRY_URL: "${{ secrets.TERMINAL_REGISTRY_URL}}" | |
REPOSITORY: "${{ secrets.TERMINAL_REPOSITORY}}" | |
jobs: | |
build-image: | |
runs-on: ubuntu-latest | |
permissions: | |
contents: write | |
id-token: write | |
strategy: | |
matrix: | |
image: | |
- apko | |
- cosign | |
- policy-controller-base | |
- policy-controller-install | |
- rekor | |
- vexctl | |
steps: | |
- uses: sigstore/cosign-installer@c3667d99424e7e6047999fb6246c0da843953c65 # v3.0.1 | |
- name: 'Checkout default branch to $GITHUB_WORKSPACE dir' | |
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3 | |
- name: Authenticate to Google Cloud | |
id: auth | |
uses: google-github-actions/auth@ceee102ec2387dd9e844e01b530ccd4ec87ce955 # v0 | |
with: | |
token_format: 'access_token' | |
project_id: "${{ env.PROJECT_ID }}" | |
workload_identity_provider: "${{ env.WORKLOAD_IDENTITY_PROVIDER }}" | |
service_account: "${{ env.SERVICE_ACCOUNT }}" | |
- name: melange keygen | |
shell: bash | |
working-directory: terminal-images/${{ matrix.image }} | |
run: | | |
docker run -v ${PWD}:/work ghcr.io/wolfi-dev/melange keygen | |
- name: melange build | |
shell: bash | |
working-directory: terminal-images/${{ matrix.image }} | |
run: | | |
docker run --privileged -v ${PWD}:/work ghcr.io/wolfi-dev/melange build \ | |
melange.yaml --arch x86_64 --signing-key melange.rsa | |
- name: apko login | |
shell: bash | |
working-directory: /tmp/ | |
run: | | |
docker run --rm -v ${PWD}/:/root/ ghcr.io/wolfi-dev/apko login \ | |
-p ${{ steps.auth.outputs.access_token }} \ | |
-u oauth2accesstoken \ | |
${{ env.REGISTRY_URL }} | |
- name: apko publish | |
shell: bash | |
working-directory: terminal-images/${{ matrix.image }} | |
run: | | |
docker run --rm \ | |
-v /tmp/.docker/config.json:/root/.docker/config.json -v ${PWD}/:/work/ \ | |
ghcr.io/wolfi-dev/apko publish \ | |
--arch x86_64 apko.yaml \ | |
--image-refs /work/image-refs.txt \ | |
"${{ env.REGISTRY_URL}}/${{ env.REPOSITORY }}/${{ matrix.image }}:latest" \ | |
-k melange.rsa.pub \ | |
--sbom-path . | |
- name: cosign login | |
shell: bash | |
run: | | |
cosign login \ | |
-p ${{ steps.auth.outputs.access_token }} \ | |
-u oauth2accesstoken \ | |
${{ env.REGISTRY_URL }} | |
- name: cosign attest sbom | |
working-directory: terminal-images/${{ matrix.image }} | |
run: cosign attest -y --predicate sbom-x86_64.spdx.json --type spdxjson "$(cat image-refs.txt)" | |
- name: cosign sign image | |
working-directory: terminal-images/${{ matrix.image }} | |
run: cosign sign -y "$(cat image-refs.txt)" |