Skip to content

Build all terminal images #430

Build all terminal images

Build all terminal images #430

name: Build all terminal images
on:
schedule:
- cron: "0 0 * * *"
workflow_dispatch:
jobs:
build-image:
runs-on: ubuntu-latest
permissions:
id-token: write # Federate with GCP and sign images
strategy:
matrix:
image:
- apko
- cosign
- policy-controller-base
- policy-controller-install
- rekor
- vexctl
steps:
- name: 'Github Actions Runner'
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
- name: 'Checkout default branch to $GITHUB_WORKSPACE dir'
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3
- name: melange keygen
shell: bash
working-directory: terminal-images/${{ matrix.image }}
run: |
docker run -v ${PWD}:/work ghcr.io/wolfi-dev/melange keygen
- name: melange build
shell: bash
working-directory: terminal-images/${{ matrix.image }}
run: |
docker run --privileged -v ${PWD}:/work ghcr.io/wolfi-dev/melange build \
melange.yaml --arch x86_64 --signing-key melange.rsa
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@ceee102ec2387dd9e844e01b530ccd4ec87ce955 # v0
with:
token_format: 'access_token'
project_id: "${{ secrets.TERMINAL_PROJECT_ID }}"
workload_identity_provider: "${{ secrets.TERMINAL_WORKLOAD_IDENTITY_PROVIDER }}"
service_account: "${{ secrets.TERMINAL_SERVICE_ACCOUNT }}"
- name: apko login
shell: bash
working-directory: /tmp/
run: |
docker run --rm -v ${PWD}/:/root/ ghcr.io/wolfi-dev/apko login \
-p ${{ steps.auth.outputs.access_token }} \
-u oauth2accesstoken \
${{ secrets.TERMINAL_REGISTRY_URL }}
- name: apko publish
shell: bash
working-directory: terminal-images/${{ matrix.image }}
run: |
docker run --rm \
-v /tmp/.docker/config.json:/root/.docker/config.json -v ${PWD}/:/work/ \
ghcr.io/wolfi-dev/apko publish \
--arch x86_64 apko.yaml \
--image-refs /work/image-refs.txt \
"${{ secrets.TERMINAL_REGISTRY_URL }}/${{ secrets.TERMINAL_REPOSITORY }}/${{ matrix.image }}:latest" \
-k melange.rsa.pub \
--sbom-path .
# - name: cosign login
# shell: bash
# run: |
# cosign login \
# -p ${{ steps.auth.outputs.access_token }} \
# -u oauth2accesstoken \
# ${{ env.REGISTRY_URL }}
# - name: cosign attest sbom
# working-directory: terminal-images/${{ matrix.image }}
# run: cosign attest -y --predicate sbom-x86_64.spdx.json --type spdxjson "$(cat image-refs.txt)"
# - name: cosign sign image
# working-directory: terminal-images/${{ matrix.image }}
# run: cosign sign -y "$(cat image-refs.txt)"