This repository has been archived by the owner on Apr 26, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathaction.yml
136 lines (119 loc) · 3.71 KB
/
action.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
name: "nais SLSA Provenance Action"
description: "Action to generate signed SLSA provenance"
branding:
icon: lock
color: red
inputs:
registry:
description: |-
Registry to push to
required: true
image_digest:
description: |-
The image digest of the container to be attested
required: true
image:
description: |-
The tag of the docker container to sign.
required: false
default: ""
repo_name:
description: |-
Name of the generated provenance. Used as an relative path under "github.workspace".
Defaults to "github.repository".
required: false
default: ${{ github.repository }}
build_started_on:
description: |-
Timestamp of when the build started. Defaults to head commit of workflow,
if provided as input, the timestamp is added to salsa cli flag --build-started-on.
Time format: YYYY-MM-DDTHH:MM:SSZ (RFC3339)
required: false
default: ""
key:
description: |-
The key used to sign the attestation. Cloud Provider KMS key path.
required: false
identity_token:
description: |-
Use keyless function for cosign with short lived secrets.
required: false
docker_user:
description: |-
Docker login user.
Defaults to "github.actor".
required: false
default: "${{ github.actor }}"
mvn_opts:
description: |-
A comma-delimited string with additional maven options.
required: false
default: ""
verify_attestation:
description: |-
A boolean for enabling or disabling the verify stage of the attestation.
required: false
default: "true"
github_token:
description: |-
Normal use is "GITHUB_TOKEN". To fetch from private repository use
PAT with at least packages:read scope to install packages associated with other private repositories
(which GITHUB_TOKEN can't access).
required: false
default: ${{ github.token }}
token_key_pattern:
description: |-
When input github_token is provided but the build tool configurations uses a key pattern
different from the default "GITHUB_TOKEN".
required: false
default: ""
registry_access_token:
description: |-
Access token for registry. Used to fetch packages from GAR
required: false
default: ""
repo_dir:
description: |-
Internal value (do not set): root of directory to search for build files.
Defaults to "github.workspace".
required: false
default: ${{ github.workspace }}
repo_sub_dir:
description: |-
Specify a subdirectory if build file not found in working root directory.
required: false
default: ""
github_context:
description: |-
Internal value (do not set): the "github" context object in json.
The context is used when generating provenance.
required: false
default: ${{ toJSON(github) }}
runner_context:
description: |-
Internal value (do not set): the "runner" context object in json.
The context is used when generating provenance.
required: false
default: ${{ toJSON(runner) }}
runs:
using: "docker"
image: "docker://ghcr.io/nais/salsa:v0.12"
args:
- ${{ inputs.repo_dir }}
- ${{ inputs.repo_name }}
- ${{ inputs.github_context }}
- ${{ inputs.runner_context }}
- ${{ inputs.image }}
- ${{ inputs.env_context }}
- ${{ inputs.repo_sub_dir }}
- ${{ inputs.key }}
- ${{ inputs.identity_token }}
- ${{ inputs.mvn_opts }}
- ${{ inputs.github_token }}
- ${{ inputs.docker_user }}
- ${{ inputs.token_key_pattern }}
- ${{ inputs.build_started_on }}
- ${{ inputs.registry_access_token }}
- ${{ inputs.registry }}
- ${{ inputs.image_digest }}
- ${{ inputs.verify_attestation }}