-
Notifications
You must be signed in to change notification settings - Fork 0
129 lines (121 loc) · 4.78 KB
/
gitops-promotion.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
# Generated from templates/gitops-template/gitops-promotion.yml.njk. Do not edit directly.
# 💁 The Promotion Pipeline will:
# - Checkout your repository
# - Compute Promoted Images to Validate
# - Perform Image EC Validations
# - Optionally update SBOMS
name: TSSC-Promotion-Pipeline
env:
CI_TYPE: github
# 🖊️ EDIT to change the image registry settings.
# Registries such as GHCR, Quay.io, and Docker Hub are supported.
IMAGE_REGISTRY:
# Used to verify the image signature and attestation
COSIGN_PUBLIC_KEY:
# URL of the BOMbastic api host (e.g. https://sbom.trustification.dev)
TRUSTIFICATION_BOMBASTIC_API_URL:
# URL of the OIDC token issuer (e.g. https://sso.trustification.dev/realms/chicken)
TRUSTIFICATION_OIDC_ISSUER_URL:
TRUSTIFICATION_OIDC_CLIENT_ID:
TRUSTIFICATION_OIDC_CLIENT_SECRET:
TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION:
# Set this to the user for your specific registry
IMAGE_REGISTRY_USER:
# Set this password for your specific registry
IMAGE_REGISTRY_PASSWORD:
# QUAY_IO_CREDS_USR:
# QUAY_IO_CREDS_PSW:
# ARTIFACTORY_IO_CREDS_USR:
# ARTIFACTORY_IO_CREDS_PSW:
# NEXUS_IO_CREDS_USR:
# NEXUS_IO_CREDS_PSW:
# 🖊️ EDIT to specify custom tags for the container image, or default tags will be generated below.
IMAGE_TAGS: ""
IMAGE_TAG: ""
DEFAULT_UPDATE_VIA_PUSH: "true"
# 🖊️ EDIT to set a name for your OpenShift app, or a default one will be generated below.
APP_NAME: ""
on: [pull_request, workflow_dispatch]
jobs:
tssc-ci-cd:
name: Build and send Image Update PR
# ubuntu-20.04 can also be used.
runs-on: ubuntu-24.04
container:
image: quay.io/redhat-appstudio/rhtap-task-runner:latest
options: --privileged
environment: production
steps:
- name: Check for required secrets
uses: actions/github-script@v7
with:
script: |
const secrets = {
IMAGE_REGISTRY: ``,
/* Used to verify the image signature and attestation */
COSIGN_PUBLIC_KEY: ``,
/* URL of the BOMbastic api host (e.g. https://sbom.trustification.dev) */
TRUSTIFICATION_BOMBASTIC_API_URL: ``,
/* URL of the OIDC token issuer (e.g. https://sso.trustification.dev/realms/chicken) */
TRUSTIFICATION_OIDC_ISSUER_URL: ``,
TRUSTIFICATION_OIDC_CLIENT_ID: ``,
TRUSTIFICATION_OIDC_CLIENT_SECRET: ``,
TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION: ``,
/* Set this to the user for your specific registry */
IMAGE_REGISTRY_USER: ``,
/* Set this password for your specific registry */
IMAGE_REGISTRY_PASSWORD: ``,
/*QUAY_IO_CREDS_USR: ``, */
/*QUAY_IO_CREDS_PSW: ``, */
/*ARTIFACTORY_IO_CREDS_USR: ``, */
/*ARTIFACTORY_IO_CREDS_PSW: ``, */
/*NEXUS_IO_CREDS_USR: ``, */
/*NEXUS_IO_CREDS_PSW: ``, */
};
const missingSecrets = Object.entries(secrets).filter(([ name, value ]) => {
if (value.length === 0) {
core.error(`Secret "${name}" is not set`);
return true;
}
core.info(`✔️ Secret "${name}" is set`);
return false;
});
if (missingSecrets.length > 0) {
core.setFailed(`❌ At least one required secret is not set in the repository. \n` +
"You can add it using:\n" +
"GitHub UI: https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository \n" +
"GitHub CLI: https://cli.github.com/manual/gh_secret_set \n" +
"Also, refer to https://github.com/redhat-actions/oc-login#getting-started-with-the-action-or-see-example");
}
else {
core.info(`✅ All the required secrets are set`);
}
- name: Check out repository
uses: actions/checkout@v4
with:
fetch-depth: '2'
- name: Pre-init
run: |
buildah --version
syft --version
cosign version
ec version
git config --global --add safe.directory $(pwd)
cat rhtap/env.sh
- name: Verify Ec
run: |
echo "• gather-deploy-images"
bash /work/rhtap/gather-deploy-images.sh
echo "• verify-enterprise-contract"
bash /work/rhtap/verify-enterprise-contract.sh
- name: Upload Sbom
run: |
echo "• gather-images-to-upload-sbom"
bash /work/rhtap/gather-images-to-upload-sbom.sh
echo "• download-sbom-from-url-in-attestation"
bash /work/rhtap/download-sbom-from-url-in-attestation.sh
echo "• upload-sbom-to-trustification"
bash /work/rhtap/upload-sbom-to-trustification.sh
- name: Done
run: |
echo "Done"