Build all terminal images #442
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build all terminal images | |
| on: | |
| schedule: | |
| - cron: "0 0 * * *" | |
| workflow_dispatch: | |
| jobs: | |
| build-image: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write # Federate with GCP and sign images | |
| strategy: | |
| matrix: | |
| image: | |
| - apko | |
| - cosign | |
| - policy-controller-base | |
| - policy-controller-install | |
| - rekor | |
| - vexctl | |
| steps: | |
| - name: 'Github Actions Runner' | |
| uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 | |
| with: | |
| egress-policy: audit | |
| - uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2 | |
| - name: 'Checkout default branch to $GITHUB_WORKSPACE dir' | |
| uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3 | |
| - name: melange keygen | |
| shell: bash | |
| working-directory: terminal-images/${{ matrix.image }} | |
| run: | | |
| docker run -v ${PWD}:/work ghcr.io/wolfi-dev/melange keygen | |
| - name: melange build | |
| shell: bash | |
| working-directory: terminal-images/${{ matrix.image }} | |
| run: | | |
| docker run --privileged -v ${PWD}:/work ghcr.io/wolfi-dev/melange build \ | |
| melange.yaml --arch x86_64 --signing-key melange.rsa | |
| - name: Authenticate to Google Cloud | |
| id: auth | |
| uses: google-github-actions/auth@ceee102ec2387dd9e844e01b530ccd4ec87ce955 # v0 | |
| with: | |
| token_format: 'access_token' | |
| project_id: "${{ secrets.TERMINAL_PROJECT_ID }}" | |
| workload_identity_provider: "${{ secrets.TERMINAL_WORKLOAD_IDENTITY_PROVIDER }}" | |
| service_account: "${{ secrets.TERMINAL_SERVICE_ACCOUNT }}" | |
| - name: apko login | |
| shell: bash | |
| working-directory: /tmp/ | |
| run: | | |
| docker run --rm -v ${PWD}/:/root/ ghcr.io/wolfi-dev/apko login \ | |
| -p ${{ steps.auth.outputs.access_token }} \ | |
| -u oauth2accesstoken \ | |
| ${{ secrets.TERMINAL_REGISTRY_URL }} | |
| - name: apko publish | |
| shell: bash | |
| working-directory: terminal-images/${{ matrix.image }} | |
| run: | | |
| docker run --rm \ | |
| -v /tmp/.docker/config.json:/root/.docker/config.json -v ${PWD}/:/work/ \ | |
| ghcr.io/wolfi-dev/apko publish \ | |
| --arch x86_64 apko.yaml \ | |
| --image-refs /work/image-refs.txt \ | |
| "${{ secrets.TERMINAL_REGISTRY_URL }}/${{ secrets.TERMINAL_REPOSITORY }}/${{ matrix.image }}:latest" \ | |
| -k melange.rsa.pub \ | |
| --sbom-path . | |
| # - name: cosign login | |
| # shell: bash | |
| # run: | | |
| # cosign login \ | |
| # -p ${{ steps.auth.outputs.access_token }} \ | |
| # -u oauth2accesstoken \ | |
| # ${{ env.REGISTRY_URL }} | |
| # - name: cosign attest sbom | |
| # working-directory: terminal-images/${{ matrix.image }} | |
| # run: cosign attest -y --predicate sbom-x86_64.spdx.json --type spdxjson "$(cat image-refs.txt)" | |
| # - name: cosign sign image | |
| # working-directory: terminal-images/${{ matrix.image }} | |
| # run: cosign sign -y "$(cat image-refs.txt)" |