Merge pull request #984 from jvanz/main

chore(ci): allow slsactl verification.
kubewarden · Nov 26, 2024 · c5c6189 · c5c6189
2 parents 5368105 + ca10f3c
commit c5c6189
Show file tree

Hide file tree

Showing 4 changed files with 205 additions and 208 deletions.
diff --git a/.github/workflows/attestation.yml b/.github/workflows/attestation.yml
diff --git a/.github/workflows/container-build.yml b/.github/workflows/container-build.yml
@@ -1,12 +1,6 @@
-name: Build container image, sign it, and generate SBOMs
+name: Build container image and sign it
 
 on:
-  workflow_call:
-    outputs:
-      digest:
-        description: "Container image digest"
-        value: ${{jobs.build.outputs.digest}}
-
   push:
     branches:
       - "main"
@@ -17,17 +11,59 @@ permissions:
 
 jobs:
   build:
-    uses: ./.github/workflows/container-image.yml
+    name: Build container image
     permissions:
       packages: write
       id-token: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-  sbom:
-    needs: 
-      - build
-    uses: ./.github/workflows/attestation.yml
-    permissions:
-      packages: write
-      id-token: write
-    with:
-      image-digest: ${{ needs.build.outputs.digest }}
+      - name: Install cosign
+        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Retrieve tag name (main branch)
+        if: ${{ startsWith(github.ref, 'refs/heads/main') }}
+        run: |
+          echo TAG_NAME=latest >> $GITHUB_ENV
+
+      - name: Retrieve tag name (feat branch)
+        if: ${{ startsWith(github.ref, 'refs/heads/feat') }}
+        run: |
+          echo "TAG_NAME=latest-$(echo ${GITHUB_REF#refs/heads/})" >> $GITHUB_ENV
+
+      - name: Push and push container image
+        id: build-image
+        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
+        with:
+          context: .
+          file: ./Dockerfile
+          platforms: linux/amd64, linux/arm64
+          push: true
+          sbom: false # SBOM for feature and main branches is not generated
+          provenance: false # Provenance for feature and main branches is not generated
+          tags: |
+            ghcr.io/${{github.repository_owner}}/policy-server:${{ env.TAG_NAME }}
+
+      - name: Sign container image
+        run: |
+          cosign sign --yes ghcr.io/${{github.repository_owner}}/policy-server@${{ steps.build-image.outputs.digest }}
+            
+          cosign verify \
+            --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+            --certificate-identity="https://github.com/${{github.repository_owner}}/policy-server/.github/workflows/container-build.yml@${{ github.ref }}" \
+            ghcr.io/${{github.repository_owner}}/policy-server@${{ steps.build-image.outputs.digest }}
diff --git a/.github/workflows/container-image.yml b/.github/workflows/container-image.yml