update config #89
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: python-base | |
| on: | |
| push: | |
| jobs: | |
| prepare: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Run Prepare Action | |
| uses: buildsafedev/multiarch-build--action/prepare-action@main | |
| with: | |
| oci_registry_username: ${{ secrets.DOCKER_USERNAME }} | |
| oci_registry_password: ${{ secrets.DOCKER_PASSWORD }} | |
| image_name: holiodin01/python-base | |
| ociBlock: python-dev | |
| tag: v0.1.0 | |
| build: | |
| needs: prepare | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| platform: [ubuntu-latest, linux-arm64] | |
| runs-on: ${{ matrix.platform }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Run Build Action | |
| uses: buildsafedev/multiarch-build--action/build-action@main | |
| with: | |
| oci_registry_username: ${{ secrets.DOCKER_USERNAME }} | |
| oci_registry_password: ${{ secrets.DOCKER_PASSWORD }} | |
| ociBlocks: python-dev | |
| directory: 'python' | |
| merge: | |
| needs: build | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Run Merge Action | |
| uses: buildsafedev/multiarch-build--action/merge-action@main | |
| with: | |
| oci_registry_username: ${{ secrets.DOCKER_USERNAME }} | |
| oci_registry_password: ${{ secrets.DOCKER_PASSWORD }} | |
| image_name: holiodin01/python-base | |
| ociBlock: python-dev | |
| tag: v0.1.0 | |
| hermetic_builds: | |
| needs: merge | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Login to Docker Hub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_PASSWORD }} | |
| - name : Build hermetic image | |
| working-directory: python | |
| run: | | |
| docker buildx create --name mybuilder --use --driver docker-container | |
| docker buildx build \ | |
| --build-arg BASE_IMAGE=holiodin01/python-base:v0.1.0 \ | |
| --no-cache \ | |
| --tag holiodin01/python-final:latest \ | |
| --network=none \ | |
| --attest type=provenance,mode=min \ | |
| --platform=linux/amd64 \ | |
| --push \ | |
| --output type=oci \ | |
| https://github.com/buildsafedev/examples.git\#multiarch-builds:python | |
| - name: Install Nix | |
| uses: DeterminateSystems/nix-installer-action@main | |
| # Setup Nix development environment make sure to use ./ before the path otherwise nix takes it as a https url | |
| - name: Setup Nix development environment | |
| uses: nicknovitski/nix-develop@v1 | |
| with: | |
| arguments: ./python/bsf/.#devShell | |
| - name: Is hermetic build | |
| run: | | |
| docker buildx imagetools inspect holiodin01/python-final:latest --format "{{ json .Provenance.SLSA }}" > slsa.json | |
| cat slsa.json | |
| if grep -q "https://mobyproject.org/buildkit@v1#hermetic\": true" slsa.json; then | |
| echo "Hermetic build" | |
| else | |
| echo "Not a hermetic build" | |
| fi | |
| # Check for vulnerabilities :) | |
| - name: Check for vulnerabilities | |
| run: | | |
| grype holiodin01/python-final:latest --only-fixed --fail-on high | |
| sign-the-image: | |
| needs: hermetic_builds | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| steps: | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@v3.7.0 | |
| with: | |
| cosign-release: 'v2.4.1' | |
| - name: Login to Docker Hub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_PASSWORD }} | |
| - name: Sign and push image | |
| env: | |
| COSIGN_EXPERIMENTAL: "true" | |
| run: | | |
| cosign sign --yes holiodin01/python-final:latest | |
| cosign verify \ | |
| --certificate-identity "https://github.com/buildsafedev/examples/.github/workflows/python-base.yaml@refs/heads/multiarch-builds" \ | |
| --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ | |
| holiodin01/python-final:latest | |
| cosign triangulate holiodin01/python-final:latest |