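---
# Build, test and sign the admission-webhook container image.
#
# Every third-party action is pinned to a full commit SHA (the trailing `# tag=`
# comment records the release the SHA was taken from), so a re-pointed tag
# cannot change what runs in this workflow.
name: Build
on:
  push:
    branches:
      - 'main'
    tags:
      - 'v*'
  pull_request:
    branches:
      - 'main'
jobs:
  build:
    runs-on: ubuntu-latest
    # Least privilege: this job only needs to publish to GHCR. Every other
    # scope is set to `none` explicitly so a later step cannot quietly inherit
    # more than it needs.
    permissions:
      actions: none
      checks: none
      contents: none
      deployments: none
      issues: none
      packages: write
      pull-requests: none
      repository-projects: none
      security-events: none
      statuses: none
      id-token: none
    steps:
      - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
      # Pull requests only build and test; they never log in or push, so a PR
      # (including one from a fork) cannot write to the package registry.
      - name: Login to GitHub
        if: github.event_name != 'pull_request'
        uses: docker/login-action@49ed152c8eca782a232dede0303416e8f356c37b # tag=v2.0.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - id: docker_meta
        uses: docker/metadata-action@69f6fc9d46f2f8bf0d5491e4aabe0bb8c6a4678a # tag=v4.0.1
        with:
          images: ghcr.io/${{ github.repository }}
          flavor: |
            latest=true
          # Newline-separated list of tags; the kind/kustomize steps below use
          # whichever tag metadata-action lists first.
          tags: |
            type=sha,format=long
            type=edge,branch=$repo.default_branch
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@dc7b9719a96d48369863986a06765841d7ea23f6 # tag=v2
      # Build into the local Docker daemon (no push) so the image can be loaded
      # into kind and exercised before anything is published.
      - name: build+load
        uses: docker/build-push-action@e551b19e49efd4e98792db7592c17c09b89db8d8 # tag=v3.0.0
        with:
          context: .
          tags: ${{ steps.docker_meta.outputs.tags }}
          labels: ${{ steps.docker_meta.outputs.labels }}
          load: true
          cache-from: type=gha
          cache-to: type=gha,mode=max
      - name: Create kind cluster
        # Pinned to a commit but no release tag is recorded for it.
        # NOTE(review): add the matching `# tag=` comment once confirmed.
        uses: helm/kind-action@d08cf6ff1575077dee99962540d77ce91c62387d
        timeout-minutes: 5
        with:
          kubectl_version: v1.22.2
          cluster_name: kind
      - name: Install kustomize
        # `-f` makes curl exit non-zero on an HTTP error instead of piping an
        # error page into bash (the runner's bash is started with pipefail, so
        # the step then fails).
        # NOTE(review): this still runs an unpinned script from the kustomize
        # `master` branch. Pin the script (or the kustomize release binary) to a
        # fixed version and verify its checksum to close the supply-chain gap.
        run: curl -fsSL "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | bash
      # Step outputs are handed to the shell through `env:` instead of being
      # expanded inline with `${{ }}`, so their contents are data to the shell
      # and can never be parsed as shell syntax (GitHub's script-injection
      # guidance for `run:` steps).
      - name: Load our docker image into kind cluster
        env:
          TAGS: ${{ steps.docker_meta.outputs.tags }}
        run: kind load docker-image "$(printf '%s\n' "${TAGS}" | head -n1)"
      - name: Set imagetag with kustomize
        env:
          TAGS: ${{ steps.docker_meta.outputs.tags }}
        run: kustomize edit set image ghcr.io/appvia/cosign-keyless-admission-webhook="$(printf '%s\n' "${TAGS}" | head -n1)"
      - name: Install cert-manager
        # NOTE(review): `releases/latest` is a moving target; pin a cert-manager
        # version so the test environment is reproducible and an upstream
        # release cannot change the outcome of this job on its own.
        run: |
          kubectl apply -f https://github.com/jetstack/cert-manager/releases/latest/download/cert-manager.yaml
          kubectl wait --for=condition=available --timeout=600s -n cert-manager \
            deployment/cert-manager \
            deployment/cert-manager-cainjector \
            deployment/cert-manager-webhook
      - name: Install our validating webhook
        run: |
          kustomize build | kubectl apply -f -
          kubectl wait --for=condition=available --timeout=600s deployment/cosign-keyless-admission-webhook -n cosign-keyless-admission-webhook
      # Negative tests: each step must FAIL if the webhook admits the pod.
      # `!` inverts the exit status of the only command in the script, so the
      # step's status is the inverted one.
      # NOTE(review): any kubectl failure (unreachable API server, missing
      # manifest) is also counted as "rejected" here; asserting on the
      # webhook's denial message would make these checks stricter.
      - name: Deploy known bad issuer pod
        run: "! kubectl apply -f test/BadIssuer.yaml"
      - name: Deploy known bad subject pod
        run: "! kubectl apply -f test/BadSubject.yaml"
      - name: Deploy known good pod
        run: kubectl apply -f test/GoodMixed.yaml
      # Publish only after the image has passed the kind tests. The build cache
      # is shared with the build+load step through `type=gha`.
      - name: push
        id: push
        if: github.event_name != 'pull_request'
        uses: docker/build-push-action@e551b19e49efd4e98792db7592c17c09b89db8d8 # tag=v3.0.0
        with:
          context: .
          tags: ${{ steps.docker_meta.outputs.tags }}
          labels: ${{ steps.docker_meta.outputs.labels }}
          cache-from: type=gha
          push: true
          cache-to: type=gha,mode=max
    outputs:
      tags: ${{ steps.docker_meta.outputs.tags }}
      # Digest of the manifest that was actually pushed (empty on pull
      # requests, where the push step is skipped). The sign job signs this
      # rather than the mutable tags.
      digest: ${{ steps.push.outputs.digest }}
  sign:
    needs: build
    runs-on: ubuntu-latest
    if: github.event_name != 'pull_request'
    # `id-token: write` lets cosign obtain the workflow's OIDC token for keyless
    # signing; `packages: write` is needed to push the signature to GHCR.
    permissions:
      actions: none
      checks: none
      contents: none
      deployments: none
      issues: none
      packages: write
      pull-requests: none
      repository-projects: none
      security-events: none
      statuses: none
      id-token: write
    steps:
      - name: Login to GitHub
        uses: docker/login-action@49ed152c8eca782a232dede0303416e8f356c37b # tag=v2.0.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - uses: sigstore/cosign-installer@48866aa521d8bf870604709cd43ec2f602d03ff2 # tag=v2.4.1
      # Sign by digest, not by tag: a tag can be re-pointed between the push
      # and this step, whereas the digest names exactly the manifest the build
      # job pushed. One signature on the digest covers every tag of that image.
      - name: Sign the images
        env:
          IMAGE: ghcr.io/${{ github.repository }}
          DIGEST: ${{ needs.build.outputs.digest }}
          # Required by cosign 1.x (installed above) for keyless signing.
          COSIGN_EXPERIMENTAL: "1"
        run: |
          if [ -z "${DIGEST}" ]; then
            echo "no image digest received from the build job" >&2
            exit 1
          fi
          # Image references must be lower-case; github.repository may not be.
          cosign sign "${IMAGE,,}@${DIGEST}"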