-
Notifications
You must be signed in to change notification settings - Fork 3
156 lines (135 loc) · 5.23 KB
/
go-base.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
name: go-base
on:
push:
jobs:
prepare-go-dev:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Run Prepare Action
uses: buildsafedev/multiarch-build--action/prepare-action@main
with:
oci_registry_username: ${{ secrets.DOCKER_USERNAME }}
oci_registry_password: ${{ secrets.DOCKER_PASSWORD }}
image_name: holiodin01/go-base-dev
ociBlock: go-dev
tag: v0.1.0
prepare-go-runtime:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Run Prepare Action
uses: buildsafedev/multiarch-build--action/prepare-action@main
with:
oci_registry_username: ${{ secrets.DOCKER_USERNAME }}
oci_registry_password: ${{ secrets.DOCKER_PASSWORD }}
image_name: holiodin01/go-base-runtime
ociBlock: go-runtime
tag: v0.1.0
# Build the oci images for dev and runtime
build:
needs : [prepare-go-dev, prepare-go-runtime]
strategy:
fail-fast: false
matrix:
platform: [ubuntu-latest, linux-arm64]
runs-on: ${{ matrix.platform }}
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Run Build Action
uses: buildsafedev/multiarch-build--action/build-action@main
with:
oci_registry_username: ${{ secrets.DOCKER_USERNAME }}
oci_registry_password: ${{ secrets.DOCKER_PASSWORD }}
ociBlocks: go-dev go-runtime
directory: 'go-server-example'
# This pirticular job is used to merge the development image of arm64 and amd64
merge-dev:
needs: build
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Run Merge Action
uses: buildsafedev/multiarch-build--action/merge-action@main
with:
oci_registry_username: ${{ secrets.DOCKER_USERNAME }}
oci_registry_password: ${{ secrets.DOCKER_PASSWORD }}
image_name: holiodin01/go-base-dev
ociBlock: go-dev
tag: v0.1.0
merge-runtime:
needs: build
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Run Merge Action
uses: buildsafedev/multiarch-build--action/merge-action@main
with:
oci_registry_username: ${{ secrets.DOCKER_USERNAME }}
oci_registry_password: ${{ secrets.DOCKER_PASSWORD }}
image_name: holiodin01/go-base-runtime
ociBlock: go-runtime
tag: v0.1.0
hermetic_builds:
needs: [merge-dev, merge-runtime]
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name : Replace base image in Dockerfile
run: |
# This is a hack to replace the base image in the Dockerfile , you can also use docker cmd also
sed -i "s|FROM .* AS base|FROM holiodin01/go-base-dev:v0.1.0 AS base|g" go-server-example/Dockerfile
sed -i "s|FROM .* AS final|FROM holiodin01/go-base-runtime:v0.1.0 AS final|g" go-server-example/Dockerfile
cat go-server-example/Dockerfile
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name : Build hermetic image
working-directory: go-server-example
run: |
docker buildx create --name mybuilder --use --driver docker-container
docker buildx build \
--no-cache \
--tag holiodin01/go-final:latest \
--network=none \
--attest type=provenance,mode=min \
--platform=linux/amd64 \
--push \
--output type=oci \
https://github.com/buildsafedev/examples.git\#multiarch-builds:go-server-example
- name: Install Nix
uses: DeterminateSystems/nix-installer-action@main
# Setup Nix development environment make sure to use ./ before the path otherwise nix takes it as a https url
- name: Setup Nix development environment
uses: nicknovitski/nix-develop@v1
with:
arguments: ./go-server-example/bsf/.#devShell
- name: Is hermetic build
run: |
docker buildx imagetools inspect holiodin01/go-final:latest --format "{{ json .Provenance.SLSA }}" > slsa.json
cat slsa.json
if [ "$(jq -r '.build.builder' slsa.json)" == "hermetic" ]; then
echo "Hermetic build"
else
echo "Not hermetic build"
fi
# Check for vulnerabilities :)
- name: Check for vulnerabilities
run: grype holiodin01/go-final:latest
# Sign and push the image
- name: Sign and push image
run: |
export COSIGN_PASSWORD=${{ secrets.COSIGN_PASSWORD }}
echo "${{secrets.COSIGN_PRIVATE_KEY}}" > cosign.key
echo "${{secrets.COSIGN_PUBLIC_KEY}}" > cosign.pub
cosign sign --yes --key cosign.key holiodin01/go-final:latest
cosign verify --key cosign.pub holiodin01/go-final:latest
cosign triangulate holiodin01/go-final:latest