Build all terminal images #475

Workflow file for this run

.github/workflows/build-terminal-images.yaml at d83fb0d

	name: Build all terminal images
	on:
	schedule:
	- cron: "0 0 * * *"
	workflow_dispatch:

	jobs:
	build-image:
	runs-on: ubuntu-latest

	permissions:
	id-token: write # Federate with GCP and sign images

	strategy:
	matrix:
	image:
	- apko
	- cosign
	- policy-controller-base
	- policy-controller-install
	- rekor
	- vexctl

	steps:
	- name: 'Github Actions Runner'
	uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
	with:
	egress-policy: audit

	- uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2

	- name: 'Checkout default branch to $GITHUB_WORKSPACE dir'
	uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6

	- name: melange keygen
	shell: bash
	working-directory: terminal-images/${{ matrix.image }}
	run: \|
	docker run -v ${PWD}:/work ghcr.io/chainguard-dev/melange:latest keygen

	- name: melange build
	shell: bash
	working-directory: terminal-images/${{ matrix.image }}
	run: \|
	docker run --privileged -v ${PWD}:/work ghcr.io/chainguard-dev/melange:latest build \
	melange.yaml --arch x86_64 --signing-key melange.rsa

	- name: Authenticate to Google Cloud
	id: auth
	uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3
	with:
	service_account: "github-chainguard-academy@chainguard-academy.iam.gserviceaccount.com"
	workload_identity_provider: "projects/456977358484/locations/global/workloadIdentityPools/chainguard-academy/providers/chainguard-edu"

	- name: apko login
	shell: bash
	working-directory: /tmp/
	run: \|
	docker run --rm -v ${PWD}/:/root/ ghcr.io/wolfi-dev/apko login \
	-p ${{ steps.auth.outputs.access_token }} \
	-u oauth2accesstoken \
	${{ secrets.TERMINAL_REGISTRY_URL }}

	- name: apko publish
	shell: bash
	working-directory: terminal-images/${{ matrix.image }}
	run: \|
	docker run --rm \
	-v /tmp/.docker/config.json:/root/.docker/config.json -v ${PWD}/:/work/ \
	ghcr.io/wolfi-dev/apko publish \
	--arch x86_64 apko.yaml \
	--image-refs /work/image-refs.txt \
	"${{ secrets.TERMINAL_REGISTRY_URL }}/${{ secrets.TERMINAL_REPOSITORY }}/${{ matrix.image }}:latest" \
	-k melange.rsa.pub \
	--sbom-path .

	# - name: cosign login
	# shell: bash
	# run: \|
	# cosign login \
	# -p ${{ steps.auth.outputs.access_token }} \
	# -u oauth2accesstoken \
	# ${{ env.REGISTRY_URL }}

	# - name: cosign attest sbom
	# working-directory: terminal-images/${{ matrix.image }}
	# run: cosign attest -y --predicate sbom-x86_64.spdx.json --type spdxjson "$(cat image-refs.txt)"

	# - name: cosign sign image
	# working-directory: terminal-images/${{ matrix.image }}
	# run: cosign sign -y "$(cat image-refs.txt)"

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Build all terminal images #475

Workflow file

Build all terminal images #475

Jobs

Run details

Workflow file for this run