mirror of
https://github.com/zabbix/zabbix-docker.git
synced 2024-11-28 18:53:10 +01:00
Revert GH attestation workflow
This commit is contained in:
parent
65ba54429d
commit
e092997fec
155
.github/workflows/images_build.yml
vendored
155
.github/workflows/images_build.yml
vendored
@ -30,7 +30,6 @@ env:
|
||||
TRUNK_ONLY_EVENT: ${{ contains(fromJSON('["schedule"]'), github.event_name) }}
|
||||
AUTO_PUSH_IMAGES: ${{ ! contains(fromJSON('["workflow_dispatch"]'), github.event_name) && vars.AUTO_PUSH_IMAGES }}
|
||||
|
||||
DOCKER_REGISTRY: ${{ vars.DOCKER_REGISTRY }}
|
||||
DOCKER_REPOSITORY: ${{ vars.DOCKER_REPOSITORY }}
|
||||
LATEST_BRANCH: ${{ github.event.repository.default_branch }}
|
||||
TRUNK_GIT_BRANCH: "refs/heads/trunk"
|
||||
@ -172,7 +171,6 @@ jobs:
|
||||
contents: read
|
||||
id-token: write
|
||||
packages: write
|
||||
attestations: write
|
||||
steps:
|
||||
- name: Block egress traffic
|
||||
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
|
||||
@ -270,6 +268,16 @@ jobs:
|
||||
ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }}
|
||||
fetch-depth: 1
|
||||
|
||||
- name: Install cosign
|
||||
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
|
||||
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
|
||||
with:
|
||||
cosign-release: 'v2.2.3'
|
||||
|
||||
- name: Check cosign version
|
||||
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
|
||||
run: cosign version
|
||||
|
||||
- name: Set up QEMU
|
||||
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
|
||||
with:
|
||||
@ -302,7 +310,7 @@ jobs:
|
||||
with:
|
||||
images: |
|
||||
${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }}
|
||||
${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }}
|
||||
${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }}
|
||||
context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }}
|
||||
tags: |
|
||||
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}-
|
||||
@ -379,14 +387,25 @@ jobs:
|
||||
cache-from: ${{ steps.cache_data.outputs.cache_from }}
|
||||
cache-to: ${{ steps.cache_data.outputs.cache_to }}
|
||||
|
||||
- name: Attest images
|
||||
- name: Sign the images with GitHub OIDC Token
|
||||
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
|
||||
id: attest
|
||||
uses: actions/attest-build-provenance@v1
|
||||
with:
|
||||
subject-name: ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }}
|
||||
subject-digest: ${{ steps.docker_build.outputs.digest }}
|
||||
push-to-registry: true
|
||||
env:
|
||||
DIGEST: ${{ steps.docker_build.outputs.digest }}
|
||||
TAGS: ${{ steps.meta.outputs.tags }}
|
||||
run: |
|
||||
images=""
|
||||
for tag in ${TAGS}; do
|
||||
images+="${tag}@${DIGEST} "
|
||||
done
|
||||
|
||||
echo "::group::Images to sign"
|
||||
echo "$images"
|
||||
echo "::endgroup::"
|
||||
|
||||
echo "::group::Signing"
|
||||
echo "cosign sign --yes $images"
|
||||
cosign sign --yes ${images}
|
||||
echo "::endgroup::"
|
||||
|
||||
- name: Image metadata
|
||||
env:
|
||||
@ -422,7 +441,6 @@ jobs:
|
||||
contents: read
|
||||
id-token: write
|
||||
packages: write
|
||||
attestations: write
|
||||
steps:
|
||||
- name: Block egress traffic
|
||||
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
|
||||
@ -460,6 +478,16 @@ jobs:
|
||||
ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }}
|
||||
fetch-depth: 1
|
||||
|
||||
- name: Install cosign
|
||||
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
|
||||
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
|
||||
with:
|
||||
cosign-release: 'v2.2.3'
|
||||
|
||||
- name: Check cosign version
|
||||
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
|
||||
run: cosign version
|
||||
|
||||
- name: Set up QEMU
|
||||
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
|
||||
with:
|
||||
@ -492,7 +520,7 @@ jobs:
|
||||
with:
|
||||
images: |
|
||||
${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }}
|
||||
${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }}
|
||||
${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }}
|
||||
context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }}
|
||||
tags: |
|
||||
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}-
|
||||
@ -525,20 +553,24 @@ jobs:
|
||||
|
||||
echo "base_build_image=${IMAGE_NAME}@${IMAGE_DIGEST}" >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Verify ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }} attestation
|
||||
- name: Verify ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }} cosign
|
||||
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
|
||||
env:
|
||||
BASE_IMAGE: ${{ steps.base_build.outputs.base_build_image }}
|
||||
REPOSITORY: ${{ github.repository }}
|
||||
DOCKER_REGISTRY: ${{ env.DOCKER_REGISTRY }}
|
||||
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
OIDC_ISSUER: ${{ env.OIDC_ISSUER }}
|
||||
IDENTITY_REGEX: ${{ env.IDENTITY_REGEX }}
|
||||
run: |
|
||||
echo "::group::Image sign data"
|
||||
echo "OIDC issuer=$OIDC_ISSUER"
|
||||
echo "Identity=$IDENTITY_REGEX"
|
||||
echo "Image to verify=$BASE_IMAGE"
|
||||
echo "::endgroup::"
|
||||
|
||||
echo "::group::Verify signature"
|
||||
gh attestation verify oci://$DOCKER_REGISTRY/$BASE_IMAGE -R $REPOSITORY
|
||||
cosign verify \
|
||||
--certificate-oidc-issuer-regexp "$OIDC_ISSUER" \
|
||||
--certificate-identity-regexp "$IDENTITY_REGEX" \
|
||||
"$BASE_IMAGE"
|
||||
echo "::endgroup::"
|
||||
|
||||
- name: Prepare cache data
|
||||
@ -607,14 +639,25 @@ jobs:
|
||||
org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
|
||||
org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
|
||||
|
||||
- name: Attest images
|
||||
- name: Sign the images with GitHub OIDC Token
|
||||
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
|
||||
id: attest
|
||||
uses: actions/attest-build-provenance@v1
|
||||
with:
|
||||
subject-name: ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }}
|
||||
subject-digest: ${{ steps.docker_build.outputs.digest }}
|
||||
push-to-registry: true
|
||||
env:
|
||||
DIGEST: ${{ steps.docker_build.outputs.digest }}
|
||||
TAGS: ${{ steps.meta.outputs.tags }}
|
||||
run: |
|
||||
images=""
|
||||
for tag in ${TAGS}; do
|
||||
images+="${tag}@${DIGEST} "
|
||||
done
|
||||
|
||||
echo "::group::Images to sign"
|
||||
echo "$images"
|
||||
echo "::endgroup::"
|
||||
|
||||
echo "::group::Signing"
|
||||
echo "cosign sign --yes $images"
|
||||
cosign sign --yes ${images}
|
||||
echo "::endgroup::"
|
||||
|
||||
- name: Image metadata
|
||||
env:
|
||||
@ -651,7 +694,6 @@ jobs:
|
||||
contents: read
|
||||
id-token: write
|
||||
packages: write
|
||||
attestations: write
|
||||
steps:
|
||||
- name: Block egress traffic
|
||||
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
|
||||
@ -781,6 +823,22 @@ jobs:
|
||||
ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }}
|
||||
fetch-depth: 1
|
||||
|
||||
- name: Install cosign
|
||||
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
|
||||
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
|
||||
with:
|
||||
cosign-release: 'v2.2.3'
|
||||
|
||||
- name: Check cosign version
|
||||
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
|
||||
run: cosign version
|
||||
|
||||
- name: Set up QEMU
|
||||
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
|
||||
with:
|
||||
image: tonistiigi/binfmt:latest
|
||||
platforms: all
|
||||
|
||||
- name: Set up Docker Buildx
|
||||
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
|
||||
with:
|
||||
@ -836,7 +894,7 @@ jobs:
|
||||
with:
|
||||
images: |
|
||||
${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }}
|
||||
${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }}
|
||||
${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }}
|
||||
context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }}
|
||||
tags: |
|
||||
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}-
|
||||
@ -871,6 +929,26 @@ jobs:
|
||||
|
||||
echo "base_build_image=${IMAGE_NAME}@${IMAGE_DIGEST}" >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Verify ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.os }} cosign
|
||||
if: ${{ matrix.build != 'snmptraps' && env.AUTO_PUSH_IMAGES == 'true' }}
|
||||
env:
|
||||
BASE_IMAGE: ${{ steps.base_build.outputs.base_build_image }}
|
||||
OIDC_ISSUER: ${{ env.OIDC_ISSUER }}
|
||||
IDENTITY_REGEX: ${{ env.IDENTITY_REGEX }}
|
||||
run: |
|
||||
echo "::group::Image sign data"
|
||||
echo "OIDC issuer=${OIDC_ISSUER}"
|
||||
echo "Identity=${IDENTITY_REGEX}"
|
||||
echo "Image to verify=${BASE_IMAGE}"
|
||||
echo "::endgroup::"
|
||||
|
||||
echo "::group::Verify signature"
|
||||
cosign verify \
|
||||
--certificate-oidc-issuer-regexp "${OIDC_ISSUER}" \
|
||||
--certificate-identity-regexp "${IDENTITY_REGEX}" \
|
||||
"${BASE_IMAGE}"
|
||||
echo "::endgroup::"
|
||||
|
||||
- name: Prepare cache data
|
||||
if: ${{ matrix.build != 'snmptraps' }}
|
||||
id: cache_data
|
||||
@ -915,14 +993,25 @@ jobs:
|
||||
org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
|
||||
org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
|
||||
|
||||
- name: Attest images
|
||||
- name: Sign the images with GitHub OIDC Token
|
||||
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
|
||||
id: attest
|
||||
uses: actions/attest-build-provenance@v1
|
||||
with:
|
||||
subject-name: ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }}
|
||||
subject-digest: ${{ steps.docker_build.outputs.digest }}
|
||||
push-to-registry: true
|
||||
env:
|
||||
DIGEST: ${{ steps.docker_build.outputs.digest }}
|
||||
TAGS: ${{ steps.meta.outputs.tags }}
|
||||
run: |
|
||||
images=""
|
||||
for tag in ${TAGS}; do
|
||||
images+="${tag}@${DIGEST} "
|
||||
done
|
||||
|
||||
echo "::group::Images to sign"
|
||||
echo "$images"
|
||||
echo "::endgroup::"
|
||||
|
||||
echo "::group::Signing"
|
||||
echo "cosign sign --yes $images"
|
||||
cosign sign --yes ${images}
|
||||
echo "::endgroup::"
|
||||
|
||||
- name: Image metadata
|
||||
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
|
||||
|
Loading…
Reference in New Issue
Block a user