update config #57
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: python-base | |
| on: | |
| push: | |
| jobs: | |
| prepare: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Run Prepare Action | |
| uses: buildsafedev/multiarch-build--action/prepare-action@main | |
| with: | |
| oci_registry_username: ${{ secrets.DOCKER_USERNAME }} | |
| oci_registry_password: ${{ secrets.DOCKER_PASSWORD }} | |
| image_name: holiodin01/python-base | |
| ociBlock: python-dev | |
| tag: v0.1.0 | |
| build: | |
| needs: prepare | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| platform: [ubuntu-latest, linux-arm64] | |
| runs-on: ${{ matrix.platform }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Run Build Action | |
| uses: buildsafedev/multiarch-build--action/build-action@main | |
| with: | |
| oci_registry_username: ${{ secrets.DOCKER_USERNAME }} | |
| oci_registry_password: ${{ secrets.DOCKER_PASSWORD }} | |
| ociBlocks: python-dev | |
| directory: 'python' | |
| merge: | |
| needs: build | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Run Merge Action | |
| uses: buildsafedev/multiarch-build--action/merge-action@main | |
| with: | |
| oci_registry_username: ${{ secrets.DOCKER_USERNAME }} | |
| oci_registry_password: ${{ secrets.DOCKER_PASSWORD }} | |
| image_name: holiodin01/python-base | |
| ociBlock: python-dev | |
| tag: v0.1.0 | |
| hermetic_builds: | |
| needs: merge | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name : Replace base image in Dockerfile | |
| run: | | |
| # This is a hack to replace the base image in the Dockerfile , you can also use docker cmd also | |
| sed -i "s|FROM .* AS base|FROM holiodin01/python-base:v0.1.0 AS base|g" python/Dockerfile | |
| cat python/Dockerfile | |
| - name: Login to Docker Hub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_PASSWORD }} | |
| - name : Build hermetic image | |
| working-directory: python | |
| run: | | |
| docker buildx create --name mybuilder --use --driver docker-container | |
| docker buildx build \ | |
| --no-cache \ | |
| --tag holiodin01/python-final:latest \ | |
| --network=none \ | |
| --attest type=provenance,mode=min \ | |
| --platform=linux/amd64 \ | |
| --push \ | |
| --output type=oci \ | |
| . | |
| - name: Install Nix | |
| uses: DeterminateSystems/nix-installer-action@main | |
| # Setup Nix development environment make sure to use ./ before the path otherwise nix takes it as a https url | |
| - name: Setup Nix development environment | |
| uses: nicknovitski/nix-develop@v1 | |
| with: | |
| arguments: ./python/bsf/.#devShell | |
| - name: Is hermetic build | |
| run: | | |
| docker buildx imagetools inspect holiodin01/python-final:latest --format "{{ json .Provenance.SLSA }}" > slsa.json | |
| cat slsa.json | |
| if [ "$(jq -r '.build.builder' slsa.json)" == "hermetic" ]; then | |
| echo "Hermetic build" | |
| else | |
| echo "Not hermetic build" | |
| fi | |
| # Check for vulnerabilities :) | |
| - name: Check for vulnerabilities | |
| run: grype holiodin01/python-final:latest | |
| # Sign and push the image | |
| - name: Sign and push image | |
| run: | | |
| export COSIGN_PASSWORD=${{ secrets.COSIGN_PASSWORD }} | |
| echo "${{secrets.COSIGN_PRIVATE_KEY}}" > cosign.key | |
| echo "${{secrets.COSIGN_PUBLIC_KEY}}" > cosign.pub | |
| cosign sign --yes --key cosign.key holiodin01/python-final:latest | |
| cosign verify --key cosign.pub holiodin01/python-final:latest | |
| cosign triangulate holiodin01/python-final:latest |