extern/zabbix-docker
1
0
Fork 0
mirror of https://github.com/zabbix/zabbix-docker.git synced 2025-06-20 01:47:43 +02:00
Code Issues Packages Projects Releases Wiki Activity

Test attestation

Browse Source
This commit is contained in:
Alexey Pustovalov 2024-05-30 15:33:19 +09:00
parent e092997fec
commit 732296a888
1 changed files with 33 additions and 72 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

105
.github/workflows/images_build.yml vendored
View File

@ -30,6 +30,7 @@ env:
TRUNK_ONLY_EVENT: ${{ contains(fromJSON('["schedule"]'), github.event_name) }} TRUNK_ONLY_EVENT: ${{ contains(fromJSON('["schedule"]'), github.event_name) }}
AUTO_PUSH_IMAGES: ${{ ! contains(fromJSON('["workflow_dispatch"]'), github.event_name) && vars.AUTO_PUSH_IMAGES }} AUTO_PUSH_IMAGES: ${{ ! contains(fromJSON('["workflow_dispatch"]'), github.event_name) && vars.AUTO_PUSH_IMAGES }}
DOCKER_REGISTRY: ${{ vars.DOCKER_REGISTRY }}
DOCKER_REPOSITORY: ${{ vars.DOCKER_REPOSITORY }} DOCKER_REPOSITORY: ${{ vars.DOCKER_REPOSITORY }}
LATEST_BRANCH: ${{ github.event.repository.default_branch }} LATEST_BRANCH: ${{ github.event.repository.default_branch }}
TRUNK_GIT_BRANCH: "refs/heads/trunk" TRUNK_GIT_BRANCH: "refs/heads/trunk"
@ -170,7 +171,8 @@ jobs:
permissions: permissions:
contents: read contents: read
id-token: write id-token: write
packages: write packages: ${{ env.AUTO_PUSH_IMAGES != 'true' && 'write' || 'none' }}
attestations: write
steps: steps:
- name: Block egress traffic - name: Block egress traffic
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
@ -268,16 +270,6 @@ jobs:
ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }} ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }}
fetch-depth: 1 fetch-depth: 1
- name: Install cosign
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
with:
cosign-release: 'v2.2.3'
- name: Check cosign version
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
run: cosign version
- name: Set up QEMU - name: Set up QEMU
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
with: with:
@ -310,7 +302,7 @@ jobs:
with: with:
images: | images: |
${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }} ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }}
${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }} ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }}
context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }}
tags: | tags: |
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}- type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}-
@ -387,25 +379,14 @@ jobs:
cache-from: ${{ steps.cache_data.outputs.cache_from }} cache-from: ${{ steps.cache_data.outputs.cache_from }}
cache-to: ${{ steps.cache_data.outputs.cache_to }} cache-to: ${{ steps.cache_data.outputs.cache_to }}
- name: Sign the images with GitHub OIDC Token - name: Attest images
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
env: id: attest
DIGEST: ${{ steps.docker_build.outputs.digest }} uses: actions/attest-build-provenance@v1
TAGS: ${{ steps.meta.outputs.tags }} with:
run: | subject-name: ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }}
images="" subject-digest: ${{ steps.docker_build.outputs.digest }}
for tag in ${TAGS}; do push-to-registry: true
images+="${tag}@${DIGEST} "
done
echo "::group::Images to sign"
echo "$images"
echo "::endgroup::"
echo "::group::Signing"
echo "cosign sign --yes $images"
cosign sign --yes ${images}
echo "::endgroup::"
- name: Image metadata - name: Image metadata
env: env:
@ -440,7 +421,8 @@ jobs:
permissions: permissions:
contents: read contents: read
id-token: write id-token: write
packages: write packages: ${{ env.AUTO_PUSH_IMAGES != 'true' && 'write' || 'none' }}
attestations: write
steps: steps:
- name: Block egress traffic - name: Block egress traffic
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
@ -520,7 +502,7 @@ jobs:
with: with:
images: | images: |
${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }} ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }}
${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }} ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }}
context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }}
tags: | tags: |
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}- type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}-
@ -570,7 +552,7 @@ jobs:
cosign verify \ cosign verify \
--certificate-oidc-issuer-regexp "$OIDC_ISSUER" \ --certificate-oidc-issuer-regexp "$OIDC_ISSUER" \
--certificate-identity-regexp "$IDENTITY_REGEX" \ --certificate-identity-regexp "$IDENTITY_REGEX" \
"$BASE_IMAGE" "$BASE_IMAGE" | jq
echo "::endgroup::" echo "::endgroup::"
- name: Prepare cache data - name: Prepare cache data
@ -639,25 +621,14 @@ jobs:
org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
- name: Sign the images with GitHub OIDC Token - name: Attest images
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
env: id: attest
DIGEST: ${{ steps.docker_build.outputs.digest }} uses: actions/attest-build-provenance@v1
TAGS: ${{ steps.meta.outputs.tags }} with:
run: | subject-name: ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }}
images="" subject-digest: ${{ steps.docker_build.outputs.digest }}
for tag in ${TAGS}; do push-to-registry: true
images+="${tag}@${DIGEST} "
done
echo "::group::Images to sign"
echo "$images"
echo "::endgroup::"
echo "::group::Signing"
echo "cosign sign --yes $images"
cosign sign --yes ${images}
echo "::endgroup::"
- name: Image metadata - name: Image metadata
env: env:
@ -693,7 +664,8 @@ jobs:
permissions: permissions:
contents: read contents: read
id-token: write id-token: write
packages: write packages: ${{ env.AUTO_PUSH_IMAGES != 'true' && 'write' || 'none' }}
attestations: write
steps: steps:
- name: Block egress traffic - name: Block egress traffic
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
@ -894,7 +866,7 @@ jobs:
with: with:
images: | images: |
${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }} ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }}
${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }} ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }}
context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }}
tags: | tags: |
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}- type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}-
@ -946,7 +918,7 @@ jobs:
cosign verify \ cosign verify \
--certificate-oidc-issuer-regexp "${OIDC_ISSUER}" \ --certificate-oidc-issuer-regexp "${OIDC_ISSUER}" \
--certificate-identity-regexp "${IDENTITY_REGEX}" \ --certificate-identity-regexp "${IDENTITY_REGEX}" \
"${BASE_IMAGE}" "${BASE_IMAGE}" | jq
echo "::endgroup::" echo "::endgroup::"
- name: Prepare cache data - name: Prepare cache data
@ -993,25 +965,14 @@ jobs:
org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
- name: Sign the images with GitHub OIDC Token - name: Attest images
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
env: id: attest
DIGEST: ${{ steps.docker_build.outputs.digest }} uses: actions/attest-build-provenance@v1
TAGS: ${{ steps.meta.outputs.tags }} with:
run: | subject-name: ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }}
images="" subject-digest: ${{ steps.docker_build.outputs.digest }}
for tag in ${TAGS}; do push-to-registry: true
images+="${tag}@${DIGEST} "
done
echo "::group::Images to sign"
echo "$images"
echo "::endgroup::"
echo "::group::Signing"
echo "cosign sign --yes $images"
cosign sign --yes ${images}
echo "::endgroup::"
- name: Image metadata - name: Image metadata
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}