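---
# Builds the repository's Containerfile on a self-hosted runner, pushes the
# result to GHCR and signs every pushed tag with a cosign key held in
# repository secrets. Triggered by every push and by a `rebuild` dispatch.
name: Build Container

on:
  repository_dispatch:
    types:
      - rebuild
  # No branch or path filter: every push to this repository builds and
  # publishes through the `prod` environment. The semver tag patterns below
  # only produce tags for pushes of `v*` git tags.
  push:

jobs:
  build-container:
    name: Build Container Image
    runs-on: self-hosted
    environment: prod
    permissions:
      contents: read
      packages: write
      # Only required for keyless (OIDC) cosign signing. The sign step below
      # uses a static private key, so this grant is currently unused — drop
      # it unless keyless signing is adopted.
      id-token: write
    steps:
      # NOTE(review): third-party actions are pinned to mutable tags; pinning
      # to a full commit SHA is the usual supply-chain hardening.
      - name: Checkout
        uses: actions/checkout@v4

      # NOTE(review): this action uninstalls packages from the runner host.
      # On a persistent self-hosted runner that affects every later job on
      # the machine — confirm this is intended.
      - name: Free Disk Space (Ubuntu)
        uses: jlumbroso/free-disk-space@v1.3.1
        with:
          # this might remove tools that are actually needed,
          # if set to "true" but frees about 6 GB
          tool-cache: false
          # all of these default to true, but feel free to set to
          # "false" if necessary for your workflow
          android: true
          dotnet: true
          haskell: true
          large-packages: true
          docker-images: true
          swap-storage: true

      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: |
            ghcr.io/${{ github.repository }}
          # `event=pr` is unreachable: the workflow has no pull_request
          # trigger. Kept for parity with the original tag list.
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            type=semver,pattern=v{{version}}
            type=semver,pattern=v{{major}}.{{minor}}
            type=semver,pattern=v{{major}}.{{minor}}.{{patch}}

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3.3.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Auth with Vault
        env:
          VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
          # The AppRole secret_id is passed through the environment instead of
          # being expanded into the script text, so it never becomes part of
          # the shell source the runner writes to disk and logs on error.
          VAULT_SECRET_ID: ${{ secrets.VAULT_SECRET }}
        # role_id comes from a file provisioned on the runner host.
        # umask 077 keeps the resulting token file owner-readable only; the
        # file is removed again by the final cleanup step.
        run: |
          umask 077
          vault write \
            -field=token \
            auth/approle/login \
            role_id="$(cat /home/runner/.vault-role)" \
            secret_id="${VAULT_SECRET_ID}" > .vault-token

      - name: Run scripts
        env:
          VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
          VAULT_PATH: ${{ secrets.VAULT_PATH }}
          PREFIX: ${{ secrets.PREFIX }}
          DOMAIN: ${{ secrets.DOMAIN }}
          GHCR_AUTH: "${{ github.actor }}:${{ secrets.READ_PACKAGES }}"
          ROLE_ID: ${{ secrets.ROLE_ID }}
        # Each repository script is expected at scripts/<name>/<name>.sh and
        # receives the Vault token via VAULT_TOKEN.
        run: |
          export VAULT_TOKEN="$(cat .vault-token)"
          for script in set_perms update_files
          do
            chmod +x "scripts/${script}/${script}.sh"
            "./scripts/${script}/${script}.sh"
          done

      - name: Buildah Build
        id: build-image
        uses: redhat-actions/buildah-build@v2
        with:
          containerfiles: Containerfile
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}

      - name: Push image
        uses: redhat-actions/push-to-registry@v2
        with:
          image: ${{ steps.build-image.outputs.image }}
          tags: ${{ steps.build-image.outputs.tags }}
          username: ${{ github.actor }}
          # Same value as github.token; spelled like the login steps for
          # consistency.
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Install Cosign
        uses: sigstore/cosign-installer@v3.5.0

      # NOTE(review): appears redundant with the earlier login (same registry
      # and credentials). Kept so cosign has registry auth even if the push
      # step altered the container auth config — confirm and drop if unneeded.
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3.3.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Sign the images
        env:
          TAGS: ${{ steps.build-image.outputs.tags }}
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
        # All tags refer to the same image, so the digest is read once (from
        # the first tag's digest file) and reused for every tag; signing by
        # digest rather than by tag avoids a tag being moved between push and
        # sign. The `<tag>_digest.txt` file is presumably written by the push
        # step — verify its naming against that action's version.
        run: |
          images=""
          digest=""
          for tag in ${TAGS}; do
            if [[ -z "${digest}" ]]
            then
              digest=$(cat "$(echo "${tag}" | tr '/:' '--')_digest.txt")
            fi
            images+="${tag}@${digest} "
          done
          cosign sign --key env://COSIGN_PRIVATE_KEY --yes ${images}

      # Self-hosted workspaces persist between jobs, so the Vault token file
      # must not be left on disk; runs even when an earlier step failed.
      - name: Remove Vault token file
        if: always()
        run: rm -f .vault-token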