-
Notifications
You must be signed in to change notification settings - Fork 3
141 lines (120 loc) · 4.33 KB
/
python-pip.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
name: python-pip-base
on:
push:
jobs:
prepare:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Run Prepare Action
uses: buildsafedev/multiarch-build--action/prepare-action@main
with:
oci_registry_username: ${{ secrets.DOCKER_USERNAME }}
oci_registry_password: ${{ secrets.DOCKER_PASSWORD }}
image_name: holiodin01/python-pip-base
ociBlock: python-dev
tag: v0.1.0
build:
needs: prepare
strategy:
fail-fast: false
matrix:
platform: [ubuntu-latest, linux-arm64]
runs-on: ${{ matrix.platform }}
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Run Build Action
uses: buildsafedev/multiarch-build--action/build-action@main
with:
oci_registry_username: ${{ secrets.DOCKER_USERNAME }}
oci_registry_password: ${{ secrets.DOCKER_PASSWORD }}
ociBlocks: python-dev
directory: 'python-pip'
merge:
needs: build
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Run Merge Action
uses: buildsafedev/multiarch-build--action/merge-action@main
with:
oci_registry_username: ${{ secrets.DOCKER_USERNAME }}
oci_registry_password: ${{ secrets.DOCKER_PASSWORD }}
image_name: holiodin01/python-pip-base
ociBlock: python-dev
tag: v0.1.0
hermetic_builds:
needs: merge
runs-on: ubuntu-latest
permissions:
id-token: write
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name : Build hermetic image
working-directory: python-pip
run: |
docker buildx create --name mybuilder --use --driver docker-container
docker buildx build \
--build-arg BASE_IMAGE=holiodin01/python-pip-base:v0.1.0 \
--no-cache \
--tag holiodin01/python-pip-final:latest \
--network=none \
--attest type=provenance,mode=min \
--platform=linux/amd64 \
--push \
--output type=oci \
https://github.com/buildsafedev/examples.git\#multiarch-builds:python-pip
- name: Install Nix
uses: DeterminateSystems/nix-installer-action@main
# Setup Nix development environment make sure to use ./ before the path otherwise nix takes it as a https url
- name: Setup Nix development environment
uses: nicknovitski/nix-develop@v1
with:
arguments: ./python-pip/bsf/.#devShell
- name: Is hermetic build
run: |
docker buildx imagetools inspect holiodin01/python-pip-final:latest --format "{{ json .Provenance.SLSA }}" > slsa.json
cat slsa.json
if grep -q "https://mobyproject.org/buildkit@v1#hermetic\": true" slsa.json; then
echo "Hermetic build"
else
echo "Not a hermetic build"
fi
# Check for vulnerabilities :)
- name: Check for vulnerabilities
run: |
grype holiodin01/python-pip-final:latest --only-fixed --fail-on high
sign-the-image:
needs: hermetic_builds
runs-on: ubuntu-latest
permissions:
id-token: write
steps:
- name: Install Cosign
uses: sigstore/cosign-installer@v3.7.0
with:
cosign-release: 'v2.4.1'
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Sign and push image
env:
COSIGN_EXPERIMENTAL: "true"
run: |
cosign sign --yes holiodin01/python-pip-final:latest
cosign verify \
--certificate-identity "https://github.com/buildsafedev/examples/.github/workflows/python-pip.yaml@refs/heads/multiarch-builds" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
holiodin01/python-pip-final:latest
cosign triangulate holiodin01/python-pip-final:latest