extern/zabbix-docker
1
0
Fork 0
mirror of https://github.com/zabbix/zabbix-docker.git synced 2025-02-03 11:29:18 +01:00
Code Issues Packages Projects Releases Wiki Activity

Test attestation

Browse Source
This commit is contained in:
Alexey Pustovalov 2024-05-30 14:02:03 +09:00
parent bb6d265593
commit e70218e85f
1 changed files with 28 additions and 65 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

93
.github/workflows/images_build.yml vendored
View File

@ -30,6 +30,7 @@ env:
TRUNK_ONLY_EVENT: ${{ contains(fromJSON('["schedule"]'), github.event_name) }} TRUNK_ONLY_EVENT: ${{ contains(fromJSON('["schedule"]'), github.event_name) }}
AUTO_PUSH_IMAGES: ${{ ! contains(fromJSON('["workflow_dispatch"]'), github.event_name) && vars.AUTO_PUSH_IMAGES }} AUTO_PUSH_IMAGES: ${{ ! contains(fromJSON('["workflow_dispatch"]'), github.event_name) && vars.AUTO_PUSH_IMAGES }}
DOCKER_REGISTRY: ${{ vars.DOCKER_REGISTRY }}
DOCKER_REPOSITORY: ${{ vars.DOCKER_REPOSITORY }} DOCKER_REPOSITORY: ${{ vars.DOCKER_REPOSITORY }}
LATEST_BRANCH: ${{ github.event.repository.default_branch }} LATEST_BRANCH: ${{ github.event.repository.default_branch }}
TRUNK_GIT_BRANCH: "refs/heads/trunk" TRUNK_GIT_BRANCH: "refs/heads/trunk"
@ -171,6 +172,7 @@ jobs:
contents: read contents: read
id-token: write id-token: write
packages: write packages: write
attestations: write
steps: steps:
- name: Block egress traffic - name: Block egress traffic
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
@ -310,7 +312,7 @@ jobs:
with: with:
images: | images: |
${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }} ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }}
${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }} ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }}
context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }}
tags: | tags: |
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}- type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}-
@ -387,25 +389,13 @@ jobs:
cache-from: ${{ steps.cache_data.outputs.cache_from }} cache-from: ${{ steps.cache_data.outputs.cache_from }}
cache-to: ${{ steps.cache_data.outputs.cache_to }} cache-to: ${{ steps.cache_data.outputs.cache_to }}
- name: Sign the images with GitHub OIDC Token - name: Attest images
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
env: id: attest
DIGEST: ${{ steps.docker_build.outputs.digest }} with:
TAGS: ${{ steps.meta.outputs.tags }} subject-name: ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }}
run: | subject-digest: ${{ steps.docker_build.outputs.digest }}
images="" push-to-registry: true
for tag in ${TAGS}; do
images+="${tag}@${DIGEST} "
done
echo "::group::Images to sign"
echo "$images"
echo "::endgroup::"
echo "::group::Signing"
echo "cosign sign --yes $images"
cosign sign --yes ${images}
echo "::endgroup::"
- name: Image metadata - name: Image metadata
env: env:
@ -441,6 +431,7 @@ jobs:
contents: read contents: read
id-token: write id-token: write
packages: write packages: write
attestations: write
steps: steps:
- name: Block egress traffic - name: Block egress traffic
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
@ -520,7 +511,7 @@ jobs:
with: with:
images: | images: |
${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }} ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }}
${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }} ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }}
context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }}
tags: | tags: |
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}- type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}-
@ -557,20 +548,15 @@ jobs:
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
env: env:
BASE_IMAGE: ${{ steps.base_build.outputs.base_build_image }} BASE_IMAGE: ${{ steps.base_build.outputs.base_build_image }}
OIDC_ISSUER: ${{ env.OIDC_ISSUER }} REPOSITORY: ${{ github.repository }}
IDENTITY_REGEX: ${{ env.IDENTITY_REGEX }} DOCKER_REGISTRY: ${{ env.DOCKER_REGISTRY }}
run: | run: |
echo "::group::Image sign data" echo "::group::Image sign data"
echo "OIDC issuer=$OIDC_ISSUER"
echo "Identity=$IDENTITY_REGEX"
echo "Image to verify=$BASE_IMAGE" echo "Image to verify=$BASE_IMAGE"
echo "::endgroup::" echo "::endgroup::"
echo "::group::Verify signature" echo "::group::Verify signature"
cosign verify \ gh attestation verify oci://$DOCKER_REGISTRY/$BASE_IMAGE -R $REPOSITORY
--certificate-oidc-issuer-regexp "$OIDC_ISSUER" \
--certificate-identity-regexp "$IDENTITY_REGEX" \
"$BASE_IMAGE"
echo "::endgroup::" echo "::endgroup::"
- name: Prepare cache data - name: Prepare cache data
@ -639,25 +625,13 @@ jobs:
org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
- name: Sign the images with GitHub OIDC Token - name: Attest images
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
env: id: attest
DIGEST: ${{ steps.docker_build.outputs.digest }} with:
TAGS: ${{ steps.meta.outputs.tags }} subject-name: ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }}
run: | subject-digest: ${{ steps.docker_build.outputs.digest }}
images="" push-to-registry: true
for tag in ${TAGS}; do
images+="${tag}@${DIGEST} "
done
echo "::group::Images to sign"
echo "$images"
echo "::endgroup::"
echo "::group::Signing"
echo "cosign sign --yes $images"
cosign sign --yes ${images}
echo "::endgroup::"
- name: Image metadata - name: Image metadata
env: env:
@ -694,6 +668,7 @@ jobs:
contents: read contents: read
id-token: write id-token: write
packages: write packages: write
attestations: write
steps: steps:
- name: Block egress traffic - name: Block egress traffic
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
@ -894,7 +869,7 @@ jobs:
with: with:
images: | images: |
${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }} ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }}
${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }} ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }}
context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }}
tags: | tags: |
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}- type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}-
@ -993,25 +968,13 @@ jobs:
org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
- name: Sign the images with GitHub OIDC Token - name: Attest images
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
env: id: attest
DIGEST: ${{ steps.docker_build.outputs.digest }} with:
TAGS: ${{ steps.meta.outputs.tags }} subject-name: ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }}
run: | subject-digest: ${{ steps.docker_build.outputs.digest }}
images="" push-to-registry: true
for tag in ${TAGS}; do
images+="${tag}@${DIGEST} "
done
echo "::group::Images to sign"
echo "$images"
echo "::endgroup::"
echo "::group::Signing"
echo "cosign sign --yes $images"
cosign sign --yes ${images}
echo "::endgroup::"
- name: Image metadata - name: Image metadata
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}