

update example
Signed-off-by: Horiodino <holiodin@gmail.com>
Horiodino committed Oct 7, 2024
1 parent 1c18a0f commit 9f9e314
Showing 4 changed files with 187 additions and 46 deletions.
12 changes: 4 additions & 8 deletions .github/workflows/go-base.yaml
Expand Up @@ -85,7 +85,7 @@ jobs:
tag: v0.1.0

hermetic_builds:
# needs: [merge-dev, merge-runtime]
needs: [merge-dev, merge-runtime]
runs-on: ubuntu-latest
steps:
- name: Checkout
Expand All @@ -94,9 +94,11 @@ jobs:
- name : Replace base image in Dockerfile
run: |
# This is a hack to replace the base image in the Dockerfile , you can also use docker cmd also
sed -i "s|FROM .* AS build|FROM holiodin01/go-base-dev:v0.1.0 AS build|g" go-server-example/Dockerfile
sed -i "s|FROM .* AS base|FROM holiodin01/go-base-dev:v0.1.0 AS base|g" go-server-example/Dockerfile
sed -i "s|FROM .* AS final|FROM holiodin01/go-base-runtime:v0.1.0 AS final|g" go-server-example/Dockerfile
cat go-server-example/Dockerfile
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
Expand All @@ -120,12 +122,6 @@ jobs:
- name: Install Nix
uses: DeterminateSystems/nix-installer-action@main

- name: Check Nixpkgs inputs
uses: DeterminateSystems/flake-checker-action@main
with:
fail-mode: true
flake-lock-path: go-server-example/bsf/flake.lock

# Setup Nix development environment make sure to use ./ before the path otherwise nix takes it as a https url
- name: Setup Nix development environment
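Review bot: The hermetic_builds job still pulls `DeterminateSystems/nix-installer-action@main`, and the same `@main` reference is repeated in python-base.yaml, python-pip.yaml and rust-base.yaml, so a third-party action runs from a mutable branch head inside a job whose whole purpose is a reproducible, attested build; pin it to a full commit SHA with the version in a trailing comment, e.g. `uses: DeterminateSystems/nix-installer-action@<commit-sha>  # <version>`. The `sed` rewrite of the Dockerfile likewise pins the base images only by tag (`holiodin01/go-base-dev:v0.1.0`, `holiodin01/go-base-runtime:v0.1.0`); tags can be re-pushed, so substituting `image@sha256:<digest>` in the replacement string would make the resulting provenance actually bind to the inputs that were built. This hunk also removes the `flake-checker-action` step, which was the only gate on stale or unexpected nixpkgs inputs for the Nix dev shell; if that is deliberate, a one-line comment at the `Install Nix` step saying why would save the next reader the question. The job continues below the hunk.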
74 changes: 61 additions & 13 deletions .github/workflows/python-base.yaml
Expand Up @@ -60,17 +60,65 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Run Hermetic Build Action
uses: buildsafedev/multiarch-build--action/hermetic-build@hermetic_builds

- name : Replace base image in Dockerfile
run: |
# This is a hack to replace the base image in the Dockerfile , you can also use docker cmd also
sed -i "s|FROM .* AS base|FROM holiodin01/python-base:v0.1.0 AS base|g" python/Dockerfile
cat python/Dockerfile
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
oci_registry_username: ${{ secrets.DOCKER_USERNAME }}
oci_registry_password: ${{ secrets.DOCKER_PASSWORD }}
directory: 'python'
image_name: holiodin01/python-final
tag: v0.1.0
platform: linux/amd64
base_image: holiodin01/python-base:v0.1.0
cosign_password : ${{ secrets.COSIGN_PASSWORD }}
cosign_private_key : ${{ secrets.COSIGN_PRIVATE_KEY }}
cosign_public_key : ${{ secrets.COSIGN_PUBLIC_KEY }}

username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name : Build hermetic image
working-directory: python
run: |
docker buildx create --name mybuilder --use --driver docker-container
docker buildx build \
--no-cache \
--tag holiodin01/python-final:latest \
--network=none \
--attest type=provenance,mode=min \
--platform=linux/amd64 \
--push \
--output type=oci \
.
- name: Install Nix
uses: DeterminateSystems/nix-installer-action@main

# Setup Nix development environment make sure to use ./ before the path otherwise nix takes it as a https url
- name: Setup Nix development environment
uses: nicknovitski/nix-develop@v1
with:
arguments: ./python/bsf/.#devShell

- name: Is hermetic build
run: |
docker buildx imagetools inspect holiodin01/python-final:latest --format "{{ json .Provenance.SLSA }}" > slsa.json
cat slsa.json
if [ "$(jq -r '.build.builder' slsa.json)" == "hermetic" ]; then
echo "Hermetic build"
else
echo "Not hermetic build"
fi
# Check for vulnerabilities :)
- name: Check for vulnerabilities
run: grype holiodin01/python-final:latest


# Sign and push the image
- name: Sign and push image
run: |
export COSIGN_PASSWORD=${{ secrets.COSIGN_PASSWORD }}
echo "${{secrets.COSIGN_PRIVATE_KEY}}" > cosign.key
echo "${{secrets.COSIGN_PUBLIC_KEY}}" > cosign.pub
cosign sign --yes --key cosign.key holiodin01/python-final:latest
cosign verify --key cosign.pub holiodin01/python-final:latest
cosign triangulate holiodin01/python-final:latest
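Review bot: The new `Sign and push image` step interpolates `secrets.COSIGN_PASSWORD` and `secrets.COSIGN_PRIVATE_KEY` straight into the `run:` script and writes the private key to `cosign.key` in the workspace, where it survives for later steps and any artifact upload; pass them through an `env:` block and let cosign read the key with `--key env://COSIGN_PRIVATE_KEY` instead. The sign and verify lines also target the mutable `holiodin01/python-final:latest` tag rather than the digest the build just pushed, so what gets signed is whatever `:latest` resolves to at that moment; record the digest with `--metadata-file` on the build step and sign `image@sha256:…`. Neither preceding gate blocks signing: the `Is hermetic build` step only echoes on the non-hermetic branch (change it to `echo "Not hermetic build"; exit 1`, and the `.build.builder` jq path does not look like a field of the SLSA predicate, so confirm it against real output), and `grype` without `--fail-on` never fails the job. Combining `--push` with `--output type=oci` on the build line is suspect as well, since `--push` is already `--output type=registry`; confirm the buildx version in use accepts two exporters. The same issues appear in python-pip.yaml and rust-base.yaml.
```yaml
# … unchanged: checkout, Dockerfile rewrite, login …
- name : Build hermetic image
  working-directory: python
  run: |
    # … unchanged: buildx create …
    docker buildx build \
      --no-cache \
      --tag holiodin01/python-final:latest \
      --network=none \
      --attest type=provenance,mode=min \
      --platform=linux/amd64 \
      --push \
      --metadata-file "${GITHUB_WORKSPACE}/build-metadata.json" \
      .
# … unchanged: Install Nix, Setup Nix development environment …
- name: Is hermetic build
  run: |
    # … unchanged: inspect and cat slsa.json …
    if [ "$(jq -r '.build.builder' slsa.json)" == "hermetic" ]; then
      echo "Hermetic build"
    else
      echo "Not hermetic build"
      exit 1
    fi
- name: Check for vulnerabilities
  run: grype holiodin01/python-final:latest --fail-on high
- name: Sign and push image
  env:
    COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
    COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
    COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
  run: |
    # Sign the immutable digest recorded by the build step, not the mutable :latest tag
    DIGEST="$(jq -r '."containerimage.digest"' build-metadata.json)"
    echo "$COSIGN_PUBLIC_KEY" > cosign.pub
    cosign sign --yes --key env://COSIGN_PRIVATE_KEY "holiodin01/python-final@${DIGEST}"
    cosign verify --key cosign.pub "holiodin01/python-final@${DIGEST}"
    cosign triangulate "holiodin01/python-final@${DIGEST}"
```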
72 changes: 60 additions & 12 deletions .github/workflows/python-pip.yaml
Expand Up @@ -59,16 +59,64 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Run Hermetic Build Action
uses: buildsafedev/multiarch-build--action/hermetic-build@hermetic_builds

- name : Replace base image in Dockerfile
run: |
# This is a hack to replace the base image in the Dockerfile , you can also use docker cmd also
sed -i "s|FROM .* AS base|FROM holiodin01/python-pip-base:v0.1.0 AS base|g" python-pip/Dockerfile
cat python-pip/Dockerfile
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
oci_registry_username: ${{ secrets.DOCKER_USERNAME }}
oci_registry_password: ${{ secrets.DOCKER_PASSWORD }}
directory: 'python-pip'
image_name: holiodin01/python-pip-final
tag: v0.1.0
platform: linux/amd64
base_image: holiodin01/python-pip-base:v0.1.0
cosign_password : ${{ secrets.COSIGN_PASSWORD }}
cosign_private_key : ${{ secrets.COSIGN_PRIVATE_KEY }}
cosign_public_key : ${{ secrets.COSIGN_PUBLIC_KEY }}
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name : Build hermetic image
working-directory: python-pip
run: |
docker buildx create --name mybuilder --use --driver docker-container
docker buildx build \
--no-cache \
--tag holiodin01/python-pip-final:latest \
--network=none \
--attest type=provenance,mode=min \
--platform=linux/amd64 \
--push \
--output type=oci \
.
- name: Install Nix
uses: DeterminateSystems/nix-installer-action@main
# Setup Nix development environment make sure to use ./ before the path otherwise nix takes it as a https url
- name: Setup Nix development environment
uses: nicknovitski/nix-develop@v1
with:
arguments: ./python-pip/bsf/.#devShell

- name: Is hermetic build
run: |
docker buildx imagetools inspect holiodin01/python-final:latest --format "{{ json .Provenance.SLSA }}" > slsa.json
cat slsa.json
if [ "$(jq -r '.build.builder' slsa.json)" == "hermetic" ]; then
echo "Hermetic build"
else
echo "Not hermetic build"
fi
# Check for vulnerabilities :)
- name: Check for vulnerabilities
run: grype holiodin01/python-pip-final:latest


# Sign and push the image
- name: Sign and push image
run: |
export COSIGN_PASSWORD=${{ secrets.COSIGN_PASSWORD }}
echo "${{secrets.COSIGN_PRIVATE_KEY}}" > cosign.key
echo "${{secrets.COSIGN_PUBLIC_KEY}}" > cosign.pub
cosign sign --yes --key cosign.key holiodin01/python-pip-final:latest
cosign verify --key cosign.pub holiodin01/python-pip-final:latest
cosign triangulate holiodin01/python-pip-final:latest
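Review bot: The `Is hermetic build` step inspects `holiodin01/python-final:latest`, but this workflow builds and pushes `holiodin01/python-pip-final:latest`, so the hermeticity verdict is read from a different image than the one that is then scanned and signed; the inspect line should be `docker buildx imagetools inspect holiodin01/python-pip-final:latest --format "{{ json .Provenance.SLSA }}" > slsa.json`. Since the step only echoes on the non-hermetic branch, even a correct verdict would not stop the signing step; `echo "Not hermetic build"; exit 1` makes the check a gate. The enclosing job definition starts above the hunk.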
75 changes: 62 additions & 13 deletions .github/workflows/rust-base.yaml
Expand Up @@ -88,17 +88,66 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Run Hermetic Build Action
uses: buildsafedev/multiarch-build--action/hermetic-build@hermetic_builds

- name : Replace base image in Dockerfile
run: |
# This is a hack to replace the base image in the Dockerfile , you can also use docker cmd also
sed -i "s|FROM .* AS base|FROM holiodin01/rust-base-dev:v0.1.0 AS base|g" rust/Dockerfile
sed -i "s|FROM .* AS final|FROM holiodin01/rust-base-runtime:v0.1.0 AS final|g" rust/Dockerfile
cat rust/Dockerfile
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
oci_registry_username: ${{ secrets.DOCKER_USERNAME }}
oci_registry_password: ${{ secrets.DOCKER_PASSWORD }}
directory: 'rust'
image_name: holiodin01/rust-final
tag: v0.1.0
platform: linux/amd64
base_image: holiodin01/rust-base-dev:v0.1.0
runtime_image: holiodin01/rust-base-runtime:v0.1.0
cosign_password : ${{ secrets.COSIGN_PASSWORD }}
cosign_private_key : ${{ secrets.COSIGN_PRIVATE_KEY }}
cosign_public_key : ${{ secrets.COSIGN_PUBLIC_KEY }}
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name : Build hermetic image
working-directory: rust
run: |
docker buildx create --name mybuilder --use --driver docker-container
docker buildx build \
--no-cache \
--tag holiodin01/rust-final:latest \
--network=none \
--attest type=provenance,mode=min \
--platform=linux/amd64 \
--push \
--output type=oci \
.
- name: Install Nix
uses: DeterminateSystems/nix-installer-action@main
# Setup Nix development environment make sure to use ./ before the path otherwise nix takes it as a https url
- name: Setup Nix development environment
uses: nicknovitski/nix-develop@v1
with:
arguments: ./rust/bsf/.#devShell

- name: Is hermetic build
run: |
docker buildx imagetools inspect holiodin01/go-final:latest --format "{{ json .Provenance.SLSA }}" > slsa.json
cat slsa.json
if [ "$(jq -r '.build.builder' slsa.json)" == "hermetic" ]; then
echo "Hermetic build"
else
echo "Not hermetic build"
fi
# Check for vulnerabilities :)
- name: Check for vulnerabilities
run: grype holiodin01/go-final:latest


# Sign and push the image
- name: Sign and push image
run: |
export COSIGN_PASSWORD=${{ secrets.COSIGN_PASSWORD }}
echo "${{secrets.COSIGN_PRIVATE_KEY}}" > cosign.key
echo "${{secrets.COSIGN_PUBLIC_KEY}}" > cosign.pub
cosign sign --yes --key cosign.key holiodin01/go-final:latest
cosign verify --key cosign.pub holiodin01/go-final:latest
cosign triangulate holiodin01/go-final:latest
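Review bot: Every post-build step in this hunk operates on `holiodin01/go-final:latest` — the `imagetools inspect`, the `grype` scan, and all three `cosign` lines — while the build step pushes `holiodin01/rust-final:latest`; as written, the rust workflow inspects, scans and signs the go image and its own output is left unscanned and unsigned. Replace the reference on those five lines with `holiodin01/rust-final:latest` (better, the digest the build pushed). The `runtime_image` value that was dropped with the old action is now only carried by the `sed` replacement for the `final` stage, so the Dockerfile rewrite is the single place that pins `holiodin01/rust-base-runtime:v0.1.0`. The job header is above the hunk.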

0 comments on commit 9f9e314
