diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c98c24fc..e4b65fdb 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,13 +1,11 @@
 name: Create and publish a api image
-on:
- push:
- tags:
- - v**
+on: push
+
 env:
 REGISTRY: ghcr.io/metal-toolbox
- API_IMAGE_NAME: audito-maldito/audito-maldito
+ APP_IMAGE_NAME: audito-maldito/audito-maldito
 jobs:
 auto-release:
@@ -29,6 +27,7 @@ jobs:
 permissions:
 contents: read
 packages: write
+ id-token: write # needed for signing the images with GitHub OIDC Token
 steps:
 - name: Checkout repository
@@ -41,6 +40,10 @@ jobs:
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
+ - uses: sigstore/cosign-installer@v3.1.1
+ with:
+ cosign-release: "v2.2.1"
+
 - name: Get current date
 id: date
 run: echo "::set-output name=date::$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
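Review bot: Dropping the `v**` tag filter in favour of a bare `on: push` makes this release job build, publish and sign an image on every push to every branch, with the branch name used as the image tag via `${{ github.ref_name }}` in the last hunk, and the `id-token: write` grant added in the second hunk then becomes available to every such push as well. Branch names containing `/` are not valid image tags, so those pushes would also fail at the build-push steps. If the intent is only to exercise the workflow before a release, keep a tag filter such as `on:` / `  push:` / `    tags: ['v*']`, or gate the push and sign steps with `if: startsWith(github.ref, 'refs/tags/v')`. The job definition continues outside this hunk.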
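Review bot: `sigstore/cosign-installer@v3.1.1` is pinned to a mutable tag, whereas the workflow's other third-party action (`docker/metadata-action@62339db73c56…`) is pinned to a commit SHA, and the fourth hunk moves `docker/build-push-action` from its SHA pin to `@v5.1.0` as well. A tag can be re-pointed by the action maintainer or by whoever controls that account, which matters for a job holding `packages: write` and `id-token: write` and producing signatures that downstream consumers will trust. Pinning to the full commit with the version kept in a comment, `uses: sigstore/cosign-installer@<commit-sha> # v3.1.1` (placeholder, look up the tag's commit), keeps the file's supply-chain posture consistent; the same applies to the two `build-push-action@v5.1.0` lines.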
@@ -49,21 +52,43 @@ jobs:
 id: meta-api
 uses: docker/metadata-action@62339db73c56dd749060f65a6ebb93a6e056b755
 with:
- images: ${{ env.REGISTRY }}/${{ env.API_IMAGE_NAME }}
+ images: ${{ env.REGISTRY }}/${{ env.APP_IMAGE_NAME }}
 - name: Build rsyslog and push Docker image
- uses: docker/build-push-action@fdf7f43ecf7c1a5c7afe936410233728a8c2d9c2
+ id: rsyslog-build-push
+ uses: docker/build-push-action@v5.1.0
 with:
 context: "./contrib/rsyslog"
 push: true
 file: ./contrib/rsyslog/Dockerfile.ubuntu
- tags: ${{ env.REGISTRY }}/${{ env.API_IMAGE_NAME }}:${{ github.ref_name }}-rsyslog
+ tags: ${{ env.REGISTRY }}/${{ env.APP_IMAGE_NAME }}:${{ github.ref_name }}-rsyslog
 labels: ${{ steps.meta-api.outputs.labels }}
+ - name: Get rsyslog container info
+ id: rsyslog-image-info
+ run: |
+ image_digest="$(docker inspect "${{ env.REGISTRY }}/${{ env.APP_IMAGE_NAME }}:${{ github.ref_name }}-rsyslog" --format '{{ index .RepoDigests 0 }}' | awk -F '@' '{ print $2 }')"
+ echo "::set-output name=image-digest::${image_digest}"
+
+ - run: cosign version && cosign sign -y -r ${TARGET_IMAGE}
+ env:
+ TARGET_IMAGE: ${{ steps.rsyslog-image-info.outputs.image-digest }}
+
 - name: Build and push Docker image
- uses: docker/build-push-action@fdf7f43ecf7c1a5c7afe936410233728a8c2d9c2
+ id: am-build-push
+ uses: docker/build-push-action@v5.1.0
 with:
 push: true
 file: Dockerfile
- tags: ${{ env.REGISTRY }}/${{ env.API_IMAGE_NAME }}:${{ github.ref_name }}
- labels: ${{ steps.meta-api.outputs.labels }}
\ No newline at end of file
+ tags: ${{ env.REGISTRY }}/${{ env.APP_IMAGE_NAME }}:${{ github.ref_name }}
+ labels: ${{ steps.meta-api.outputs.labels }}
+
+ - name: Get am container info
+ id: am-image-info
+ run: |
+ image_digest="$(docker inspect "${{ env.REGISTRY }}/${{ env.APP_IMAGE_NAME }}:${{ github.ref_name }}" --format '{{ index .RepoDigests 0 }}' | awk -F '@' '{ print $2 }')"
+ echo "::set-output name=image-digest::${image_digest}"
+
+ - run: cosign sign -y -r ${TARGET_IMAGE}
+ env:
TARGET_IMAGE: ${{ steps.am-image-info.outputs.image-digest }}
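Review bot: The `awk -F '@' '{ print $2 }'` in both new "Get … container info" steps keeps only the part after `@`, so `TARGET_IMAGE` is a bare `sha256:…` digest with no registry or repository, and `cosign sign -y -r ${TARGET_IMAGE}` receives something that is not a resolvable image reference; as far as I can tell from the hunk, neither sign step can succeed in this form. `docker/build-push-action` already exposes the pushed digest as an output, and the new `id: rsyslog-build-push` / `id: am-build-push` are never read, so both `docker inspect` steps can be dropped in favour of `TARGET_IMAGE: ${{ env.REGISTRY }}/${{ env.APP_IMAGE_NAME }}@${{ steps.rsyslog-build-push.outputs.digest }}` and `TARGET_IMAGE: ${{ env.REGISTRY }}/${{ env.APP_IMAGE_NAME }}@${{ steps.am-build-push.outputs.digest }}`, which also removes the assumption that the pushed image is present in the local daemon (it is not when buildx runs with a container driver; the setup steps are outside this hunk). If the inspect steps are kept, `echo "::set-output …"` is the deprecated output mechanism for new code and should become `echo "image-digest=${image_digest}" >> "$GITHUB_OUTPUT"`. The two `- run: cosign sign …` steps have no `name:`, unlike every other step in the job.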