-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathaction.yml
137 lines (134 loc) · 5.54 KB
/
action.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
name: 'docker-sign'
description: 'Sign docker images'
inputs:
image-ref:
description: 'The Docker image ref, example: <imagename>:<tag>'
required: true
private-key-id:
description: 'The Docker private key id (hash)'
required: true
private-key:
description: 'The Docker private key'
required: true
private-key-passphrase:
description: 'The Docker private key passphrase'
required: true
private-key-name:
description: 'The Docker private key name'
required: false
sign-manifest:
description: 'Use docker notary and sign the manifest'
required: false
default: "false"
notary-server:
description: 'The URL to the notary server'
required: false
default: 'https://notary.docker.io'
notary-auth:
description: 'The credentials in auth basic format'
required: false
branding:
icon: "feather"
color: gray-dark
runs:
using: "composite"
steps:
- name: Create the trust keys folder
run: mkdir -p ~/.docker/trust/private/
shell: sh
- name: Write the trust key
run: echo "${{ inputs.private-key }}" > ~/.docker/trust/private/${{ inputs.private-key-id }}.key
shell: sh
- name: Chmod the trust key
run: chmod 600 ~/.docker/trust/private/${{ inputs.private-key-id }}.key
shell: sh
- name: Load the trust key
run: docker trust key load ~/.docker/trust/private/${{ inputs.private-key-id }}.key
shell: sh
env:
DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: "${{ inputs.private-key-passphrase }}"
DOCKER_CONTENT_TRUST: "1"
DOCKER_CONTENT_TRUST_SERVER: "${{ inputs.notary-server }}"
#- name: Load the trust key
# run: notary -s "${{ inputs.notary-server }}" -d ~/.docker/trust/ key import ~/.docker/trust/private/${{ inputs.private-key-id }}.key --role targets/${{ inputs.private-key-name }}
# shell: sh
# env:
# NOTARY_DELEGATION_PASSPHRASE: "${{ inputs.private-key-passphrase }}"
- name: Setup go
uses: actions/setup-go@v5
with:
go-version: '^1.22'
- name: Setup the notary tool
run: |
go install -tags pkcs11 github.com/theupdateframework/notary/cmd/notary@latest
notary --help
shell: sh
env:
GO111MODULE: "on"
- name: List trust keys
run: notary key list -d ~/.docker/trust/
shell: sh
env:
DOCKER_CONTENT_TRUST: "1"
- name: Sign the local image (not a manifest)
run: docker trust sign --local "${IMAGE_REF}"
shell: sh
if: ${{ ! fromJSON(inputs.sign-manifest) }}
env:
DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: "${{ inputs.private-key-passphrase }}"
DOCKER_CONTENT_TRUST: "1"
DOCKER_CONTENT_TRUST_SERVER: "${{ inputs.notary-server }}"
IMAGE_REF: "${{ inputs.image-ref }}"
# install jq if missing, should never happen
- name: Install jq if not found
run: jq --version > /dev/null || curl -sS https://webinstall.dev/jq | bash
shell: sh
if: ${{ fromJSON(inputs.sign-manifest) }}
- name: Sign the manifest
if: ${{ fromJSON(inputs.sign-manifest) }}
run: |
set -eu;
REPO="$(echo "${IMAGE_REF}" | cut -d ':' -f 1 | sed 's!docker.io/!!')";
REF="$(echo "${IMAGE_REF}" | cut -d ':' -f 1)";
TAG="$(echo "${IMAGE_REF}" | cut -d ':' -f 2)";
echo "Image-ref: ${REF}";
echo "Image-tag: ${TAG}";
echo "Repo-name: ${REPO}";
export NOTARY_AUTH="$(printf "${AUTH_BASIC}" | base64 -w0)";
unset AUTH_BASIC;
export DOCKER_TOKEN="$(curl -s "https://auth.docker.io/token?service=registry.docker.io&scope=repository:${REPO}:pull" -H "Authorization: Basic ${NOTARY_AUTH}" | jq -r '.token')"
BYTES_SIZE="$(curl -H 'Accept: application/vnd.docker.distribution.manifest.list.v2+json' https://registry-1.docker.io/v2/$REPO/manifests/$TAG -H "Authorization: Bearer $DOCKER_TOKEN" -XGET | wc -c)"
SHA_256="$(curl -H 'Accept: application/vnd.docker.distribution.manifest.list.v2+json' https://registry-1.docker.io/v2/$REPO/manifests/$TAG -H "Authorization: Bearer $DOCKER_TOKEN" -XGET | sha256sum | cut -d ' ' -f 1)"
echo "Manifest SHA-256: ${SHA_256}";
echo "Manifest-inspect BYTES: ${BYTES_SIZE}";
ROLE_CLI='';
if [ ! -z "${{ inputs.private-key-name }}" ]; then
echo "Roles: targets/${{ inputs.private-key-name }}";
ROLE_CLI="--roles \"targets/${{ inputs.private-key-name }}\""
fi
echo "Sign ${SHA_256} with the notary"
notary -s "${{ inputs.notary-server }}" -d ~/.docker/trust/ addhash "${REF}" "${TAG}" "${BYTES_SIZE}" --sha256 "${SHA_256}" ${ROLE_CLI} --publish --verbose;
echo "Done !"
notary -s "${{ inputs.notary-server }}" list "${REF}";
unset NOTARY_AUTH;
unset DOCKER_TOKEN;
shell: sh
env:
AUTH_BASIC: "${{ inputs.notary-auth }}"
IMAGE_REF: "${{ inputs.image-ref }}"
DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: "${{ inputs.private-key-passphrase }}"
NOTARY_DELEGATION_PASSPHRASE: "${{ inputs.private-key-passphrase }}"
DOCKER_CONTENT_TRUST: "1"
DOCKER_CLI_EXPERIMENTAL: enabled
- name: Inspect the trust
run: docker trust inspect --pretty "${{ inputs.image-ref }}"
shell: sh
env:
DOCKER_CONTENT_TRUST: "1"
DOCKER_CONTENT_TRUST_SERVER: "${{ inputs.notary-server }}"
- name: Cleanup the trust key
run: rm -v ~/.docker/trust/private/${{ inputs.private-key-id }}.key
shell: sh
- name: Cleanup the trust keys folder
run: rm -rvf ~/.docker/trust/private
shell: sh