extern/zabbix-docker
1
0
Fork 0
mirror of https://github.com/zabbix/zabbix-docker.git synced 2025-06-19 17:38:43 +02:00
Code Issues Packages Projects Releases Wiki Activity

Added attest to Windows

Browse Source
This commit is contained in:
Alexey Pustovalov 2024-05-30 20:36:54 +09:00
parent 4218042772
commit 4077cf034c
3 changed files with 73 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
.github/workflows/images_build.yml vendored
View File

@ -30,6 +30,7 @@ env:
TRUNK_ONLY_EVENT: ${{ contains(fromJSON('["schedule"]'), github.event_name) }} TRUNK_ONLY_EVENT: ${{ contains(fromJSON('["schedule"]'), github.event_name) }}
AUTO_PUSH_IMAGES: ${{ ! contains(fromJSON('["workflow_dispatch"]'), github.event_name) && vars.AUTO_PUSH_IMAGES }} AUTO_PUSH_IMAGES: ${{ ! contains(fromJSON('["workflow_dispatch"]'), github.event_name) && vars.AUTO_PUSH_IMAGES }}
DOCKER_REGISTRY: ${{ vars.DOCKER_REGISTRY }}
DOCKER_REPOSITORY: ${{ vars.DOCKER_REPOSITORY }} DOCKER_REPOSITORY: ${{ vars.DOCKER_REPOSITORY }}
LATEST_BRANCH: ${{ github.event.repository.default_branch }} LATEST_BRANCH: ${{ github.event.repository.default_branch }}
TRUNK_GIT_BRANCH: "refs/heads/trunk" TRUNK_GIT_BRANCH: "refs/heads/trunk"
@ -171,6 +172,7 @@ jobs:
contents: read contents: read
id-token: write id-token: write
packages: write packages: write
attestations: write
steps: steps:
- name: Block egress traffic - name: Block egress traffic
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
@ -310,7 +312,7 @@ jobs:
with: with:
images: | images: |
${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }} ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }}
${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }} ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }}
context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }}
tags: | tags: |
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}- type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}-
@ -407,6 +409,15 @@ jobs:
cosign sign --yes ${images} cosign sign --yes ${images}
echo "::endgroup::" echo "::endgroup::"
- name: Attest images
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
id: attest
uses: actions/attest-build-provenance@v1
with:
subject-name: ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }}
subject-digest: ${{ steps.docker_build.outputs.digest }}
push-to-registry: true
- name: Image metadata - name: Image metadata
env: env:
CACHE_FILE_NAME: ${{ env.BASE_CACHE_FILE_NAME }} CACHE_FILE_NAME: ${{ env.BASE_CACHE_FILE_NAME }}
@ -441,6 +452,7 @@ jobs:
contents: read contents: read
id-token: write id-token: write
packages: write packages: write
attestations: write
steps: steps:
- name: Block egress traffic - name: Block egress traffic
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
@ -520,7 +532,7 @@ jobs:
with: with:
images: | images: |
${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }} ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }}
${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }} ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }}
context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }}
tags: | tags: |
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}- type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}-
@ -570,7 +582,7 @@ jobs:
cosign verify \ cosign verify \
--certificate-oidc-issuer-regexp "$OIDC_ISSUER" \ --certificate-oidc-issuer-regexp "$OIDC_ISSUER" \
--certificate-identity-regexp "$IDENTITY_REGEX" \ --certificate-identity-regexp "$IDENTITY_REGEX" \
"$BASE_IMAGE" "$BASE_IMAGE" | jq
echo "::endgroup::" echo "::endgroup::"
- name: Prepare cache data - name: Prepare cache data
@ -659,6 +671,15 @@ jobs:
cosign sign --yes ${images} cosign sign --yes ${images}
echo "::endgroup::" echo "::endgroup::"
- name: Attest images
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
id: attest
uses: actions/attest-build-provenance@v1
with:
subject-name: ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }}
subject-digest: ${{ steps.docker_build.outputs.digest }}
push-to-registry: true
- name: Image metadata - name: Image metadata
env: env:
CACHE_FILE_NAME: ${{ env.BUILD_CACHE_FILE_NAME }} CACHE_FILE_NAME: ${{ env.BUILD_CACHE_FILE_NAME }}
@ -694,6 +715,7 @@ jobs:
contents: read contents: read
id-token: write id-token: write
packages: write packages: write
attestations: write
steps: steps:
- name: Block egress traffic - name: Block egress traffic
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
@ -894,7 +916,7 @@ jobs:
with: with:
images: | images: |
${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }} ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }}
${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }} ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }}
context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }}
tags: | tags: |
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}- type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}-
@ -946,7 +968,7 @@ jobs:
cosign verify \ cosign verify \
--certificate-oidc-issuer-regexp "${OIDC_ISSUER}" \ --certificate-oidc-issuer-regexp "${OIDC_ISSUER}" \
--certificate-identity-regexp "${IDENTITY_REGEX}" \ --certificate-identity-regexp "${IDENTITY_REGEX}" \
"${BASE_IMAGE}" "${BASE_IMAGE}" | jq
echo "::endgroup::" echo "::endgroup::"
- name: Prepare cache data - name: Prepare cache data
@ -1013,6 +1035,15 @@ jobs:
cosign sign --yes ${images} cosign sign --yes ${images}
echo "::endgroup::" echo "::endgroup::"
- name: Attest images
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
id: attest
uses: actions/attest-build-provenance@v1
with:
subject-name: ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }}
subject-digest: ${{ steps.docker_build.outputs.digest }}
push-to-registry: true
- name: Image metadata - name: Image metadata
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
env: env:

1
.github/workflows/images_build_rhel.yml vendored
View File

@ -12,6 +12,7 @@ on:
- 'Dockerfiles/*/rhel/*' - 'Dockerfiles/*/rhel/*'
- 'build.json' - 'build.json'
- '!**/README.md' - '!**/README.md'
- '!**/README.html'
- '.github/workflows/images_build_rhel.yml' - '.github/workflows/images_build_rhel.yml'
workflow_dispatch: workflow_dispatch:
inputs: inputs:

41
.github/workflows/images_build_windows.yml vendored
View File

@ -27,6 +27,7 @@ env:
TRUNK_ONLY_EVENT: ${{ contains(fromJSON('["schedule"]'), github.event_name) }} TRUNK_ONLY_EVENT: ${{ contains(fromJSON('["schedule"]'), github.event_name) }}
AUTO_PUSH_IMAGES: ${{ vars.AUTO_PUSH_IMAGES }} AUTO_PUSH_IMAGES: ${{ vars.AUTO_PUSH_IMAGES }}
DOCKER_REGISTRY: ${{ vars.DOCKER_REGISTRY }}
DOCKER_REPOSITORY: ${{ vars.DOCKER_REPOSITORY }} DOCKER_REPOSITORY: ${{ vars.DOCKER_REPOSITORY }}
LATEST_BRANCH: ${{ github.event.repository.default_branch }} LATEST_BRANCH: ${{ github.event.repository.default_branch }}
TRUNK_GIT_BRANCH: "refs/heads/trunk" TRUNK_GIT_BRANCH: "refs/heads/trunk"
@ -148,6 +149,7 @@ jobs:
permissions: permissions:
contents: read contents: read
id-token: write id-token: write
attestations: write
strategy: strategy:
fail-fast: false fail-fast: false
matrix: matrix:
@ -192,7 +194,7 @@ jobs:
id: meta id: meta
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
with: with:
images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ env.BASE_IMAGE_NAME }} images: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ env.BASE_IMAGE_NAME }}
context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }}
tags: | tags: |
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}- type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-
@ -307,6 +309,15 @@ jobs:
cosign sign --yes $tag_list cosign sign --yes $tag_list
echo "::endgroup::" echo "::endgroup::"
- name: Attest images
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
id: attest
uses: actions/attest-build-provenance@v1
with:
subject-name: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ env.BASE_IMAGE_NAME }}
subject-digest: ${{ steps.docker_build.outputs.digest }}
push-to-registry: true
- name: Image digest - name: Image digest
if: ${{ env.AUTO_PUSH_IMAGES }} if: ${{ env.AUTO_PUSH_IMAGES }}
env: env:
@ -337,6 +348,7 @@ jobs:
permissions: permissions:
contents: read contents: read
id-token: write id-token: write
attestations: write
strategy: strategy:
fail-fast: false fail-fast: false
matrix: matrix:
@ -381,7 +393,7 @@ jobs:
id: meta id: meta
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
with: with:
images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ env.BASE_BUILD_IMAGE_NAME }} images: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ env.BASE_BUILD_IMAGE_NAME }}
context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }}
tags: | tags: |
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}- type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}-
@ -430,7 +442,7 @@ jobs:
cosign verify ` cosign verify `
--certificate-oidc-issuer-regexp "$Env:OIDC_ISSUER" ` --certificate-oidc-issuer-regexp "$Env:OIDC_ISSUER" `
--certificate-identity-regexp "$Env:IDENITY_REGEX" ` --certificate-identity-regexp "$Env:IDENITY_REGEX" `
"$Env:BASE_IMAGE" "$Env:BASE_IMAGE" | jq
- name: Build and push image - name: Build and push image
id: docker_build id: docker_build
@ -534,6 +546,15 @@ jobs:
cosign sign --yes $tag_list cosign sign --yes $tag_list
echo "::endgroup::" echo "::endgroup::"
- name: Attest images
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
id: attest
uses: actions/attest-build-provenance@v1
with:
subject-name: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ env.BASE_BUILD_IMAGE_NAME }}
subject-digest: ${{ steps.docker_build.outputs.digest }}
push-to-registry: true
- name: Image digest - name: Image digest
if: ${{ env.AUTO_PUSH_IMAGES }} if: ${{ env.AUTO_PUSH_IMAGES }}
env: env:
@ -564,6 +585,7 @@ jobs:
permissions: permissions:
contents: read contents: read
id-token: write id-token: write
attestations: write
strategy: strategy:
fail-fast: false fail-fast: false
matrix: matrix:
@ -608,7 +630,7 @@ jobs:
id: meta id: meta
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
with: with:
images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ matrix.component }} images: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ matrix.component }}
context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }}
tags: | tags: |
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ steps.base_os_tag.outputs.os_tag }}- type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ steps.base_os_tag.outputs.os_tag }}-
@ -657,7 +679,7 @@ jobs:
cosign verify ` cosign verify `
--certificate-oidc-issuer-regexp "$Env:OIDC_ISSUER" ` --certificate-oidc-issuer-regexp "$Env:OIDC_ISSUER" `
--certificate-identity-regexp "$Env:IDENITY_REGEX" ` --certificate-identity-regexp "$Env:IDENITY_REGEX" `
"$Env:BASE_IMAGE" "$Env:BASE_IMAGE" | jq
- name: Build and push image - name: Build and push image
id: docker_build id: docker_build
@ -774,6 +796,15 @@ jobs:
cosign sign --yes $tag_list cosign sign --yes $tag_list
echo "::endgroup::" echo "::endgroup::"
- name: Attest images
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
id: attest
uses: actions/attest-build-provenance@v1
with:
subject-name: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ matrix.component }}
subject-digest: ${{ steps.docker_build.outputs.digest }}
push-to-registry: true
- name: Image digest - name: Image digest
if: ${{ env.AUTO_PUSH_IMAGES }} if: ${{ env.AUTO_PUSH_IMAGES }}
env: env: