extern/zabbix-docker
1
0
Fork 0
mirror of https://github.com/zabbix/zabbix-docker.git synced 2025-02-25 06:10:54 +01:00
Code Issues Packages Projects Releases Wiki Activity

Test attestation

Browse Source
This commit is contained in:
Alexey Pustovalov 2024-05-30 15:33:19 +09:00
parent e092997fec
commit 732296a888
1 changed files with 33 additions and 72 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

105
.github/workflows/images_build.yml vendored
View File

@ -30,6 +30,7 @@ env:
TRUNK_ONLY_EVENT: ${{ contains(fromJSON('["schedule"]'), github.event_name) }}
AUTO_PUSH_IMAGES: ${{ ! contains(fromJSON('["workflow_dispatch"]'), github.event_name) && vars.AUTO_PUSH_IMAGES }}
DOCKER_REGISTRY: ${{ vars.DOCKER_REGISTRY }}
DOCKER_REPOSITORY: ${{ vars.DOCKER_REPOSITORY }}
LATEST_BRANCH: ${{ github.event.repository.default_branch }}
TRUNK_GIT_BRANCH: "refs/heads/trunk"
@ -170,7 +171,8 @@ jobs:
permissions:
contents: read
id-token: write
packages: write
packages: ${{ env.AUTO_PUSH_IMAGES != 'true' && 'write' || 'none' }}
attestations: write
steps:
- name: Block egress traffic
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
@ -268,16 +270,6 @@ jobs:
ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }}
fetch-depth: 1
- name: Install cosign
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
with:
cosign-release: 'v2.2.3'
- name: Check cosign version
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
run: cosign version
- name: Set up QEMU
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
with:
@ -310,7 +302,7 @@ jobs:
with:
images: |
${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }}
${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }}
${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }}
context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }}
tags: |
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}-
@ -387,25 +379,14 @@ jobs:
cache-from: ${{ steps.cache_data.outputs.cache_from }}
cache-to: ${{ steps.cache_data.outputs.cache_to }}
- name: Sign the images with GitHub OIDC Token
- name: Attest images
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
env:
DIGEST: ${{ steps.docker_build.outputs.digest }}
TAGS: ${{ steps.meta.outputs.tags }}
run: |
images=""
for tag in ${TAGS}; do
images+="${tag}@${DIGEST} "
done
echo "::group::Images to sign"
echo "$images"
echo "::endgroup::"
echo "::group::Signing"
echo "cosign sign --yes $images"
cosign sign --yes ${images}
echo "::endgroup::"
id: attest
uses: actions/attest-build-provenance@v1
with:
subject-name: ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }}
subject-digest: ${{ steps.docker_build.outputs.digest }}
push-to-registry: true
- name: Image metadata
env:
@ -440,7 +421,8 @@ jobs:
permissions:
contents: read
id-token: write
packages: write
packages: ${{ env.AUTO_PUSH_IMAGES != 'true' && 'write' || 'none' }}
attestations: write
steps:
- name: Block egress traffic
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
@ -520,7 +502,7 @@ jobs:
with:
images: |
${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }}
${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }}
${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }}
context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }}
tags: |
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}-
@ -570,7 +552,7 @@ jobs:
cosign verify \
--certificate-oidc-issuer-regexp "$OIDC_ISSUER" \
--certificate-identity-regexp "$IDENTITY_REGEX" \
"$BASE_IMAGE"
"$BASE_IMAGE" | jq
echo "::endgroup::"
- name: Prepare cache data
@ -639,25 +621,14 @@ jobs:
org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
- name: Sign the images with GitHub OIDC Token
- name: Attest images
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
env:
DIGEST: ${{ steps.docker_build.outputs.digest }}
TAGS: ${{ steps.meta.outputs.tags }}
run: |
images=""
for tag in ${TAGS}; do
images+="${tag}@${DIGEST} "
done
echo "::group::Images to sign"
echo "$images"
echo "::endgroup::"
echo "::group::Signing"
echo "cosign sign --yes $images"
cosign sign --yes ${images}
echo "::endgroup::"
id: attest
uses: actions/attest-build-provenance@v1
with:
subject-name: ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }}
subject-digest: ${{ steps.docker_build.outputs.digest }}
push-to-registry: true
- name: Image metadata
env:
@ -693,7 +664,8 @@ jobs:
permissions:
contents: read
id-token: write
packages: write
packages: ${{ env.AUTO_PUSH_IMAGES != 'true' && 'write' || 'none' }}
attestations: write
steps:
- name: Block egress traffic
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
@ -894,7 +866,7 @@ jobs:
with:
images: |
${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }}
${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }}
${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }}
context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }}
tags: |
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}-
@ -946,7 +918,7 @@ jobs:
cosign verify \
--certificate-oidc-issuer-regexp "${OIDC_ISSUER}" \
--certificate-identity-regexp "${IDENTITY_REGEX}" \
"${BASE_IMAGE}"
"${BASE_IMAGE}" | jq
echo "::endgroup::"
- name: Prepare cache data
@ -993,25 +965,14 @@ jobs:
org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
- name: Sign the images with GitHub OIDC Token
- name: Attest images
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
env:
DIGEST: ${{ steps.docker_build.outputs.digest }}
TAGS: ${{ steps.meta.outputs.tags }}
run: |
images=""
for tag in ${TAGS}; do
images+="${tag}@${DIGEST} "
done
echo "::group::Images to sign"
echo "$images"
echo "::endgroup::"
echo "::group::Signing"
echo "cosign sign --yes $images"
cosign sign --yes ${images}
echo "::endgroup::"
id: attest
uses: actions/attest-build-provenance@v1
with:
subject-name: ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }}
subject-digest: ${{ steps.docker_build.outputs.digest }}
push-to-registry: true
- name: Image metadata
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}