update config #99
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: go-base | |
| env : | |
| image_tag: v1 | |
| on: | |
| push: | |
| jobs: | |
| prepare-go-dev: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Run Prepare Action | |
| uses: buildsafedev/multiarch-build--action/prepare-action@main | |
| with: | |
| oci_registry_username: ${{ secrets.DOCKER_USERNAME }} | |
| oci_registry_password: ${{ secrets.DOCKER_PASSWORD }} | |
| image_name: holiodin01/go-base-dev | |
| ociBlock: go-dev | |
| tag: ${{ env.image_tag }} | |
| prepare-go-runtime: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Run Prepare Action | |
| uses: buildsafedev/multiarch-build--action/prepare-action@main | |
| with: | |
| oci_registry_username: ${{ secrets.DOCKER_USERNAME }} | |
| oci_registry_password: ${{ secrets.DOCKER_PASSWORD }} | |
| image_name: holiodin01/go-base-runtime | |
| ociBlock: go-runtime | |
| tag: ${{ env.image_tag }} | |
| # Build the oci images for dev and runtime | |
| build: | |
| needs : [prepare-go-dev, prepare-go-runtime] | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| platform: [ubuntu-latest, linux-arm64] | |
| runs-on: ${{ matrix.platform }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Run Build Action | |
| uses: buildsafedev/multiarch-build--action/build-action@main | |
| with: | |
| oci_registry_username: ${{ secrets.DOCKER_USERNAME }} | |
| oci_registry_password: ${{ secrets.DOCKER_PASSWORD }} | |
| ociBlocks: go-dev go-runtime | |
| directory: 'go-server-example' | |
| # This pirticular job is used to merge the development image of arm64 and amd64 | |
| merge-dev: | |
| needs: build | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Run Merge Action | |
| uses: buildsafedev/multiarch-build--action/merge-action@main | |
| with: | |
| oci_registry_username: ${{ secrets.DOCKER_USERNAME }} | |
| oci_registry_password: ${{ secrets.DOCKER_PASSWORD }} | |
| image_name: holiodin01/go-base-dev | |
| ociBlock: go-dev | |
| tag: ${{ env.image_tag }} | |
| merge-runtime: | |
| needs: build | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Run Merge Action | |
| uses: buildsafedev/multiarch-build--action/merge-action@main | |
| with: | |
| oci_registry_username: ${{ secrets.DOCKER_USERNAME }} | |
| oci_registry_password: ${{ secrets.DOCKER_PASSWORD }} | |
| image_name: holiodin01/go-base-runtime | |
| ociBlock: go-runtime | |
| tag: ${{ env.image_tag }} | |
| sign-the-image: | |
| needs: [merge-dev, merge-runtime] | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| steps: | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@v3.7.0 | |
| with: | |
| cosign-release: 'v2.4.1' | |
| - name: Login to Docker Hub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_PASSWORD }} | |
| - name: Sign and push image | |
| env: | |
| COSIGN_EXPERIMENTAL: "true" | |
| run: | | |
| base_img_digest=$(docker manifest inspect holiodin01/go-base-dev:${image_tag} | jq -r '.manifests[] | select(.platform.architecture == "amd64") | .digest') | |
| runtime_img_digest=$(docker manifest inspect holiodin01/go-base-runtime:${image_tag} | jq -r '.manifests[] | select(.platform.architecture == "amd64") | .digest') | |
| cosign sign --yes holiodin01/go-base-dev@${base_img_digest} | |
| cosign verify \ | |
| --certificate-identity "https://github.com/buildsafedev/examples/.github/workflows/go-base.yaml@refs/heads/multiarch-builds" \ | |
| --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ | |
| holiodin01/go-base-dev@${base_img_digest} | |
| cosign triangulate holiodin01/go-base-dev@${base_img_digest} | |
| # Sign and verify the runtime image | |
| cosign sign --yes holiodin01/go-base-runtime@${runtime_img_digest} | |
| cosign verify \ | |
| --certificate-identity "https://github.com/buildsafedev/examples/.github/workflows/go-base.yaml@refs/heads/multiarch-builds" \ | |
| --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ | |
| holiodin01/go-base-runtime@${runtime_img_digest} | |
| cosign triangulate holiodin01/go-base-runtime@${runtime_img_digest} | |
| hermetic_builds: | |
| needs: [merge-dev, merge-runtime] | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Login to Docker Hub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_PASSWORD }} | |
| - name : Build hermetic image | |
| working-directory: go-server-example | |
| run: | | |
| # Use command substitution to assign the digests | |
| base_img_digest=$(docker manifest inspect holiodin01/go-base-dev:${{ env.image_tag }} | jq -r '.manifests[] | select(.platform.architecture == "amd64") | .digest') | |
| runtime_img_digest=$(docker manifest inspect holiodin01/go-base-runtime:${{ env.image_tag }} | jq -r '.manifests[] | select(.platform.architecture == "amd64") | .digest') | |
| docker buildx create --name mybuilder --use --driver docker-container | |
| docker buildx build \ | |
| --build-arg BASE_IMAGE=holiodin01/go-base-dev@${base_img_digest} \ | |
| --build-arg RUNTIME_IMAGE=holiodin01/go-base-runtime@${runtime_img_digest} \ | |
| --no-cache \ | |
| --tag holiodin01/go-final:${{ env.image_tag }} \ | |
| --network=none \ | |
| --attest type=provenance,mode=min \ | |
| --platform=linux/amd64 \ | |
| --push \ | |
| --output type=oci \ | |
| https://github.com/buildsafedev/examples.git\#multiarch-builds:go-server-example | |
| - name: Install Nix | |
| uses: DeterminateSystems/nix-installer-action@main | |
| # Setup Nix development environment make sure to use ./ before the path otherwise nix takes it as a https url | |
| - name: Setup Nix development environment | |
| uses: nicknovitski/nix-develop@v1 | |
| with: | |
| arguments: ./go-server-example/bsf/.#devShell | |
| - name: Is hermetic build | |
| run: | | |
| docker buildx imagetools inspect holiodin01/go-final:${{ env.image_tag }} --format "{{ json .Provenance.SLSA }}" > slsa.json | |
| cat slsa.json | |
| if grep -q "https://mobyproject.org/buildkit@v1#hermetic\": true" slsa.json; then | |
| echo "Hermetic build" | |
| else | |
| echo "Not a hermetic build" | |
| fi | |
| # Check for vulnerabilities :) | |
| - name: Check for vulnerabilities | |
| run: grype holiodin01/go-final:${{ env.image_tag }} --only-fixed --fail-on high | |
| sign-final-image: | |
| needs: hermetic_builds | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| steps: | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@v3.7.0 | |
| with: | |
| cosign-release: 'v2.4.1' | |
| - name: Login to Docker Hub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_PASSWORD }} | |
| - name: Sign and push image | |
| env: | |
| COSIGN_EXPERIMENTAL: "true" | |
| run: | | |
| cosign sign --yes holiodin01/go-final:${{ env.image_tag }} | |
| cosign verify \ | |
| --certificate-identity "https://github.com/buildsafedev/examples/.github/workflows/go-base.yaml@refs/heads/multiarch-builds" \ | |
| --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ | |
| holiodin01/go-final:${{ env.image_tag }} | |
| cosign triangulate holiodin01/go-final:${{ env.image_tag }} |