generated from ThalesGroup/template-project
-
Notifications
You must be signed in to change notification settings - Fork 1
259 lines (222 loc) · 13.3 KB
/
base-container-build.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
# Using Kaniko: refer to the following documentations:
# * https://github.com/marketplace/actions/kaniko-action
# * https://github.com/int128/kaniko-action#inputs
name: "Build a container that ship with goreleaser, cosign, ko-build, trivy, syft and push to GitHub Container Registry (GHCR)"
on:
pull_request:
branches:
- main
- release/*
push:
branches:
- main
- containerfiles # TODO: remove after testing
- cosign-slsa # TODO: remove after testing
# Global KANIKO Variables:
# See: https://github.com/int128/kaniko-action
# - KANIKO_BUILD_CONTEXT is the path to the location of the Containerfile.
# - BASE_CONTAINERFILE_NAME is name and location of the Containerfile for base image with a /bin/bash entrypoint.
# - GOREL_ENTRYP_CONTAINERFILE_NAME is name and location of the Containerfile form image with ENTRYPOINT [ "/go/bin/goreleaser" ]
env:
KANIKO_BUILD_CONTEXT: "${{ github.workspace }}"
BASE_CONTAINERFILE_NAME: "${{ github.workspace }}/Containerfile.goreleaser-ko-cosign-trivy-syft-x86-arm64-root-usr.base"
GOREL_ENTRYP_CONTAINERFILE_NAME: "${{ github.workspace }}/Containerfile.goreleaser-ko-cosign-trivy-syft-x86-arm64-root-usr"
OCI_REGISTRY: "ghcr.io" # must be lowercase
jobs:
set-lowercase-repository:
runs-on: ubuntu-latest
outputs:
lowercase-github-repository: ${{ steps.convert.outputs.lowercase }}
steps:
- name: Convert GitHub repository name to lowercase for OCI registry
id: convert
run: |
echo "lowercase=$(echo '${{ github.repository }}' | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT
shell: bash
show-lowercase-repository:
needs: set-lowercase-repository
runs-on: ubuntu-latest
steps:
- name: Access lowercase GitHub repository name
run: |
echo "Original Repository: ${{ github.repository }}"
echo "Lowercase Repository: ${{ needs.set-lowercase-repository.outputs.lowercase-github-repository }}"
# Kaniko job to build a container image "goreleaser-glibc-image-base" has a /bin/bash entrypoint
build-base-image:
needs: set-lowercase-repository
runs-on: ubuntu-latest
steps:
- name: Checkout source code
uses: actions/checkout@v4
- name: Extract Tools Versions from Containerfile as we use this in tags names
id: extract
run: |
# Extract values from the Containerfile
GOLANG_VERSION=$(grep -m1 'ARG GOLANG_VERSION=' $BASE_CONTAINERFILE_NAME | cut -d'=' -f2)
echo "GOLANG_VERSION=${GOLANG_VERSION}" >> $GITHUB_OUTPUT
GORELEASER_VERSION=$(grep -m1 'ARG GORELEASER_VERSION=' $BASE_CONTAINERFILE_NAME | cut -d'=' -f2)
echo "GORELEASER_VERSION=${GORELEASER_VERSION}" >> $GITHUB_OUTPUT
TRIVY_VERSION=$(grep -m1 'ARG TRIVY_VERSION=' $BASE_CONTAINERFILE_NAME | cut -d'=' -f2)
echo "TRIVY_VERSION=${TRIVY_VERSION}" >> $GITHUB_OUTPUT
COSIGN_VERSION=$(grep -m1 'ARG COSIGN_VERSION=' $BASE_CONTAINERFILE_NAME | cut -d'=' -f2)
echo "COSIGN_VERSION=${COSIGN_VERSION}" >> $GITHUB_OUTPUT
KO_VERSION=$(grep -m1 'ARG KO_VERSION=' $BASE_CONTAINERFILE_NAME | cut -d'=' -f2)
echo "KO_VERSION=${KO_VERSION}" >> $GITHUB_OUTPUT
SYFT_VERSION=$(grep -m1 'ARG SYFT_VERSION=' $BASE_CONTAINERFILE_NAME | cut -d'=' -f2)
echo "SYFT_VERSION=${SYFT_VERSION}" >> $GITHUB_OUTPUT
DEBIAN_VERSION=$(grep -m1 'ARG DEBIAN_VERSION=' $BASE_CONTAINERFILE_NAME | cut -d'=' -f2)
echo "DEBIAN_VERSION=${DEBIAN_VERSION}" >> $GITHUB_OUTPUT
- uses: docker/login-action@v3
id: login
with:
registry: ${{ env.OCI_REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set OCI container image URL to Github output
id: set-oci-image-url
run: echo "OCI_IMAGE_URL=${{ env.OCI_REGISTRY }}/${{ needs.set-lowercase-repository.outputs.lowercase-github-repository }}-base" >> $GITHUB_OUTPUT
- name: Container metadata and tags
id: metadata
uses: docker/metadata-action@v5
with:
# image name may contain lowercase letters, digits and separators https://github.com/docker/metadata-action/tree/v5/?tab=readme-ov-file#image-name-and-tag-sanitization
images: ${{ steps.set-oci-image-url.outputs.oci_image_url }}
tags: |
type=ref,event=branch
# use tools version as tags
type=raw,value=golang-${{ steps.extract.outputs.golang_version }}
type=raw,value=goreleaser-${{ steps.extract.outputs.goreleaser_version }}
type=raw,value=cosign-${{ steps.extract.outputs.cosign_version }}
type=raw,value=ko-${{ steps.extract.outputs.ko_version }}
type=raw,value=trivy-${{ steps.extract.outputs.trivy_version }}
type=raw,value=syft-${{ steps.extract.outputs.syft_version }}
type=raw,value=golang-${{ steps.extract.outputs.golang_version }}-${{ steps.extract.outputs.debian_version}}
type=raw,value=goreleaser-${{ steps.extract.outputs.goreleaser_version }}-${{ steps.extract.outputs.debian_version}}
type=raw,value=cosign-${{ steps.extract.outputs.cosign_version }}-${{ steps.extract.outputs.debian_version}}
type=raw,value=ko-${{ steps.extract.outputs.ko_version }}-${{ steps.extract.outputs.debian_version}}
type=raw,value=trivy-${{ steps.extract.outputs.trivy_version }}-${{ steps.extract.outputs.debian_version}}
type=raw,value=syft-${{ steps.extract.outputs.syft_version }}-${{ steps.extract.outputs.debian_version}}
# minimal (short sha)
type=sha
# full length sha
type=sha,format=long
- name: Build the OCI image (base image entrypoint /bin/bash)
id: kaniko
uses: int128/kaniko-action@v1
with:
push: true
tags: ${{ steps.metadata.outputs.tags }}
labels: ${{ steps.metadata.outputs.labels }}
cache: true
cache-repository: ${{ env.OCI_REGISTRY }}/${{ needs.set-lowercase-repository.outputs.lowercase-github-repository }}/cache
file: ${{ env.BASE_CONTAINERFILE_NAME }}
context: ${{ env.KANIKO_BUILD_CONTEXT }}
verbosity: "info" # https://github.com/GoogleContainerTools/kaniko#flag---verbosity
outputs:
oci-image-digest: ${{ steps.kaniko.outputs.digest }}
oci-image-url: ${{ steps.set-oci-image-url.outputs.oci_image_url }} # needs to be lowercase
# Job to build a SLSA provenance attestation
base-image-provenance:
name: Generate SLSA provenance attestation for OCI (base image entrypoint /bin/bash)
needs: [build-base-image, set-lowercase-repository] # Ensure this job runs after build-base-image
permissions:
actions: read # for detecting the Github Actions environment.
id-token: write # for creating OIDC tokens for signing. Required for SLSA and Cosign
packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues)
# Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
with:
image: ${{ needs.build-base-image.outputs.oci-image-url }} # needs to be lowercase
digest: ${{ needs.build-base-image.outputs.oci-image-digest }}
secrets:
registry-username: ${{ github.actor }}
registry-password: ${{ secrets.GITHUB_TOKEN }}
# Kaniko job to build a container image "goreleaser-glibc-image" that has a goreleaser entrypoint
build-goreleaser-entryp-image:
needs: [build-base-image, set-lowercase-repository] # Ensure this job runs after build-base-image
runs-on: ubuntu-latest
steps:
- name: Checkout source code
uses: actions/checkout@v4
- name: Extract Tools Versions from Containerfile as we use this in tags names
id: extract
run: |
# Extract values from the Containerfile
GOLANG_VERSION=$(grep -m1 'ARG GOLANG_VERSION=' $GOREL_ENTRYP_CONTAINERFILE_NAME | cut -d'=' -f2)
echo "GOLANG_VERSION=${GOLANG_VERSION}" >> $GITHUB_OUTPUT
GORELEASER_VERSION=$(grep -m1 'ARG GORELEASER_VERSION=' $GOREL_ENTRYP_CONTAINERFILE_NAME | cut -d'=' -f2)
echo "GORELEASER_VERSION=${GORELEASER_VERSION}" >> $GITHUB_OUTPUT
TRIVY_VERSION=$(grep -m1 'ARG TRIVY_VERSION=' $GOREL_ENTRYP_CONTAINERFILE_NAME | cut -d'=' -f2)
echo "TRIVY_VERSION=${TRIVY_VERSION}" >> $GITHUB_OUTPUT
COSIGN_VERSION=$(grep -m1 'ARG COSIGN_VERSION=' $GOREL_ENTRYP_CONTAINERFILE_NAME | cut -d'=' -f2)
echo "COSIGN_VERSION=${COSIGN_VERSION}" >> $GITHUB_OUTPUT
KO_VERSION=$(grep -m1 'ARG KO_VERSION=' $GOREL_ENTRYP_CONTAINERFILE_NAME | cut -d'=' -f2)
echo "KO_VERSION=${KO_VERSION}" >> $GITHUB_OUTPUT
SYFT_VERSION=$(grep -m1 'ARG SYFT_VERSION=' $GOREL_ENTRYP_CONTAINERFILE_NAME | cut -d'=' -f2)
echo "SYFT_VERSION=${SYFT_VERSION}" >> $GITHUB_OUTPUT
DEBIAN_VERSION=$(grep -m1 'ARG DEBIAN_VERSION=' $GOREL_ENTRYP_CONTAINERFILE_NAME | cut -d'=' -f2)
echo "DEBIAN_VERSION=${DEBIAN_VERSION}" >> $GITHUB_OUTPUT
- uses: docker/login-action@v3
id: login
with:
registry: ${{ env.OCI_REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set OCI container image URL to Github output
id: set-oci-image-url
run: echo "OCI_IMAGE_URL=${{ env.OCI_REGISTRY }}/${{ needs.set-lowercase-repository.outputs.lowercase-github-repository }}" >> $GITHUB_OUTPUT
- name: Container metadata and tags
id: metadata
uses: docker/metadata-action@v5
with:
# image name may contain lowercase letters, digits and separators https://github.com/docker/metadata-action/tree/v5/?tab=readme-ov-file#image-name-and-tag-sanitization
images: ${{ steps.set-oci-image-url.outputs.oci_image_url }}
tags: |
type=ref,event=branch
# use tools version as tags
type=raw,value=golang-${{ steps.extract.outputs.golang_version }}
type=raw,value=goreleaser-${{ steps.extract.outputs.goreleaser_version }}
type=raw,value=cosign-${{ steps.extract.outputs.cosign_version }}
type=raw,value=ko-${{ steps.extract.outputs.ko_version }}
type=raw,value=trivy-${{ steps.extract.outputs.trivy_version }}
type=raw,value=syft-${{ steps.extract.outputs.syft_version }}
type=raw,value=golang-${{ steps.extract.outputs.golang_version }}-${{ steps.extract.outputs.debian_version}}
type=raw,value=goreleaser-${{ steps.extract.outputs.goreleaser_version }}-${{ steps.extract.outputs.debian_version}}
type=raw,value=cosign-${{ steps.extract.outputs.cosign_version }}-${{ steps.extract.outputs.debian_version}}
type=raw,value=ko-${{ steps.extract.outputs.ko_version }}-${{ steps.extract.outputs.debian_version}}
type=raw,value=trivy-${{ steps.extract.outputs.trivy_version }}-${{ steps.extract.outputs.debian_version}}
type=raw,value=syft-${{ steps.extract.outputs.syft_version }}-${{ steps.extract.outputs.debian_version}}
# minimal (short sha)
type=sha
# full length sha
type=sha,format=long
- name: Build the OCI image
id: kaniko
uses: int128/kaniko-action@v1
with:
push: true
tags: ${{ steps.metadata.outputs.tags }}
labels: ${{ steps.metadata.outputs.labels }}
cache: true
cache-repository: ${{ env.OCI_REGISTRY }}/${{ needs.set-lowercase-repository.outputs.lowercase-github-repository }}/cache
file: ${{ env.GOREL_ENTRYP_CONTAINERFILE_NAME }}
context: ${{ env.KANIKO_BUILD_CONTEXT }}
verbosity: "info" # https://github.com/GoogleContainerTools/kaniko#flag---verbosity
outputs:
oci-image-digest: ${{ steps.kaniko.outputs.digest }}
oci-image-url: ${{ steps.set-oci-image-url.outputs.oci_image_url }} # needs to be lowercase
goreleaser-entryp-image-provenance:
name: Generate SLSA provenance attestation for OCI (entrypoint goreleaser)
needs: [build-goreleaser-entryp-image] # Ensure this job runs after build-base-image
permissions:
actions: read # for detecting the Github Actions environment.
id-token: write # for creating OIDC tokens for signing. Required for SLSA and Cosign
packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues)
# Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
with:
image: ${{ needs.build-goreleaser-entryp-image.outputs.oci-image-url }} # needs to be lowercase
digest: ${{ needs.build-goreleaser-entryp-image.outputs.oci-image-digest }}
secrets:
registry-username: ${{ github.actor }}
registry-password: ${{ secrets.GITHUB_TOKEN }}