Inline image singing job #42
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build and sign docker image | |
on: | |
push: | |
branches: | |
- main | |
workflow_dispatch: | |
jobs: | |
generate_version_number: | |
name: Generate version number | |
runs-on: ubuntu-latest | |
outputs: | |
image_version: ${{ steps.generate_version_number_step.outputs.image_version }} | |
steps: | |
- uses: actions/checkout@v2 | |
with: | |
fetch-depth: 0 | |
- name: Generate version number | |
id: generate_version_number_step | |
run: | | |
tag_number=$(git describe --abbrev=0 --tags) | |
short_hash=$(git rev-parse --short ${{ github.sha }}) | |
image_version="$tag_number-$short_hash-ni" | |
echo "::set-output name=image_version::$(echo $image_version)" | |
# image_version will look like "8.3.6-8a2963c-ni" | |
build_docker_image: | |
name: Build Docker Image | |
needs: [generate_version_number] | |
runs-on: ubuntu-latest | |
environment: jfrog-ci | |
steps: | |
- uses: actions/checkout@v2 | |
- name: Login to Artifactory | |
uses: docker/login-action@v1 | |
with: | |
registry: niartifacts.jfrog.io | |
username: ${{ vars.JFROG_USERNAME }} | |
password: ${{ secrets.JFROG_ACCESS_TOKEN }} | |
- name: Docker build and push | |
uses: docker/build-push-action@v2 | |
with: | |
context: . | |
push: true | |
tags: | | |
niartifacts.jfrog.io/rnd-docker-ci/ni/systemlink/ni-grafana:latest | |
niartifacts.jfrog.io/rnd-docker-ci/ni/systemlink/ni-grafana:${{ needs.generate_version_number.outputs.image_version }} | |
sign_docker_image: | |
runs-on: ubuntu-latest | |
environment: jfrog-ci | |
steps: | |
- name: Log into registry | |
uses: redhat-actions/podman-login@v1 | |
with: | |
username: ${{ vars.JFROG_USERNAME }} | |
password: ${{ secrets.JFROG_ACCESS_TOKEN }} | |
registry: niartifacts.jfrog.io | |
- name: Create signature staging directory | |
run: mkdir ${{ runner.temp }}/sigstore | |
- name: Create gnupghome directory | |
run: mkdir ${{ runner.temp }}/gpg && chmod 700 ${{ runner.temp }}/gpg | |
- name: Import private key | |
run: echo "${{ secrets.NI_PGP_RELEASE_SECRING }}" | base64 --decode | gpg --import | |
env: | |
GNUPGHOME: ${{ runner.temp }}/gpg | |
- name: Sign image | |
run: podman image sign --sign-by security@ni.com -d ${{ runner.temp }}/sigstore docker://niartifacts.jfrog.io/rnd-docker-ci/ni/systemlink/ni-grafana:${{ needs.generate_version_number.outputs.image_version }} | |
env: | |
GNUPGHOME: ${{ runner.temp }}/gpg | |
- name: Configure AWS credentials | |
uses: aws-actions/configure-aws-credentials@v1 | |
with: | |
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_VERIFY_DEV }} | |
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_VERIFY_DEV }} | |
aws-region: us-east-1 | |
- name: Sync signatures to S3 | |
run: aws s3 sync ${{ runner.temp }}/sigstore s3://signing-web-demo-bucket-1neyh347t53dt |