Build all terminal images #484
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build all terminal images | |
| on: | |
| schedule: | |
| - cron: "0 0 * * *" | |
| workflow_dispatch: | |
| jobs: | |
| build-image: | |
| runs-on: ubuntu-latest | |
| if: github.repository == 'chainguard-dev/edu' | |
| permissions: | |
| id-token: write # Federate with GCP and sign images | |
| strategy: | |
| matrix: | |
| image: | |
| - apko | |
| - cosign | |
| - policy-controller-base | |
| - policy-controller-install | |
| - rekor | |
| - vexctl | |
| steps: | |
| - name: 'Github Actions Runner' | |
| uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 | |
| with: | |
| egress-policy: audit | |
| - uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2 | |
| - name: 'Checkout default branch to $GITHUB_WORKSPACE dir' | |
| uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 | |
| - name: melange keygen | |
| shell: bash | |
| working-directory: terminal-images/${{ matrix.image }} | |
| run: | | |
| docker run -v ${PWD}:/work cgr.dev/chainguard/melange keygen | |
| - name: melange build | |
| shell: bash | |
| working-directory: terminal-images/${{ matrix.image }} | |
| run: | | |
| docker run --privileged -v ${PWD}:/work cgr.dev/chainguard/melange build \ | |
| melange.yaml --arch x86_64 --signing-key melange.rsa | |
| - name: Authenticate to Google Cloud | |
| id: auth | |
| uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3 | |
| with: | |
| service_account: "github-chainguard-academy@chainguard-academy.iam.gserviceaccount.com" | |
| workload_identity_provider: "projects/456977358484/locations/global/workloadIdentityPools/chainguard-academy/providers/chainguard-edu" | |
| - name: configure docker | |
| run: | | |
| gcloud auth configure-docker "${{ secrets.TERMINAL_REGISTRY_URL }}" | |
| # - name: apko login | |
| # shell: bash | |
| # working-directory: /tmp/ | |
| # run: | | |
| # docker run --rm -v ${PWD}/:/root/ cgr.dev/chainguard/apko login \ | |
| # "${{ secrets.TERMINAL_REGISTRY_URL }}" \ | |
| # --password=${{ steps.auth.outputs.access_token }} \ | |
| # --username="oauth2accesstoken" | |
| - name: apko publish | |
| shell: bash | |
| working-directory: terminal-images/${{ matrix.image }} | |
| run: | | |
| docker run --rm \ | |
| -v /home/runner/.docker/config.json:/root/.docker/config.json \ | |
| -v ${PWD}/:/work \ | |
| cgr.dev/chainguard/apko publish \ | |
| --arch x86_64 apko.yaml \ | |
| --image-refs /work/image-refs.txt \ | |
| "${{ secrets.TERMINAL_REGISTRY_URL }}/${{ secrets.TERMINAL_REPOSITORY }}/${{ matrix.image }}:latest" \ | |
| -k melange.rsa.pub \ | |
| --sbom-path . \ | |
| -C /work | |
| # - name: cosign login | |
| # shell: bash | |
| # run: | | |
| # cosign login \ | |
| # -p ${{ steps.auth.outputs.access_token }} \ | |
| # -u oauth2accesstoken \ | |
| # ${{ env.REGISTRY_URL }} | |
| # - name: cosign attest sbom | |
| # working-directory: terminal-images/${{ matrix.image }} | |
| # run: cosign attest -y --predicate sbom-x86_64.spdx.json --type spdxjson "$(cat image-refs.txt)" | |
| # - name: cosign sign image | |
| # working-directory: terminal-images/${{ matrix.image }} | |
| # run: cosign sign -y "$(cat image-refs.txt) |