-
Notifications
You must be signed in to change notification settings - Fork 12
180 lines (158 loc) · 5.91 KB
/
build.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
name: Build release images
on:
push:
branches:
- 'main'
paths:
- 'NGINX_BASE'
- 'TAG'
permissions:
contents: read
jobs:
changes:
name: Changes
permissions:
contents: read
pull-requests: read
runs-on: ubuntu-latest
outputs:
base: ${{ steps.filter.outputs.base }}
controller: ${{ steps.filter.outputs.controller }}
steps:
- name: Checkout
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.0.2
- uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.10.2
id: filter
with:
token: ${{ secrets.GITHUB_TOKEN }}
filters: |
base:
- 'NGINX_BASE'
controller:
- 'TAG'
build:
name: Build and push images
runs-on: self-hosted-8cpu
if: |
(needs.changes.outputs.base == 'true' || needs.changes.outputs.controller == 'true')
needs:
- changes
outputs:
matrix: ${{ steps.items.outputs.matrix }}
steps:
- name: Import secrets
uses: hashicorp/vault-action@cb841f2c86fb6d07cff94fda240828c1abc5ba43 # v2.7.3
id: secrets
with:
exportEnv: false
url: ${{ secrets.VAULT_URL }}
role: ${{ secrets.VAULT_ROLE }}
method: kubernetes
secrets: |
kv-gitlab-ci/data/github/shared/dockerhub-creds user | DOCKERHUB_USER ;
kv-gitlab-ci/data/github/shared/dockerhub-creds password | DOCKERHUB_PASSWORD ;
kv-gitlab-ci/data/github/shared/node-repo-key key | NODE_REPO_KEY ;
- name: Checkout
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.0.2
- name: Setup Docker Buildx
uses: docker/setup-buildx-action@4c0219f9ac95b02789c1075625400b2acbff50b1 # v2.0.0
with:
version: latest
use: false
- name: Docker login
uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc
with:
username: ${{ steps.secrets.outputs.DOCKERHUB_USER }}
password: ${{ steps.secrets.outputs.DOCKERHUB_PASSWORD }}
- name: Build and push base image
if: needs.changes.outputs.base == 'true'
run: |
eval $(ssh-agent -s)
echo "${{ steps.secrets.outputs.NODE_REPO_KEY }}" | tr -d '\r' | ssh-add -
make -C images/nginx push
- name: Build and push controller images
env:
ARCH: amd64
USER: runner
if: needs.changes.outputs.controller == 'true'
run: make release
- name: Prepare list of images to sign
id: items
run: |
cat <<EOF > matrix.json
{
"include": [
{
"item": "base",
"image": "$(cat NGINX_BASE)"
},
{
"item": "controller",
"image": "wallarm/ingress-controller:$(cat TAG)"
},
{
"item": "controller-chroot",
"image": "wallarm/ingress-controller-chroot:$(cat TAG)"
}
]
}
EOF
if [ ! ${{ needs.changes.outputs.controller }} = true ]; then
cat <<< $(jq 'del(.include[] | select (.item =="controller" or .item =="controller-chroot"))' matrix.json) > matrix.json
fi
if [ ! ${{ needs.changes.outputs.base }} = true ]; then
cat <<< $(jq 'del(.include[] | select (.item =="base"))' matrix.json) > matrix.json
fi
cat matrix.json
echo "matrix=$(cat matrix.json | jq -c '.')" >> $GITHUB_OUTPUT
sign:
name: Sign images
runs-on: self-hosted-1cpu
needs:
- changes
- build
strategy:
fail-fast: false
matrix: ${{ fromJson(needs.build.outputs.matrix) }}
steps:
- name: Import secrets
uses: hashicorp/vault-action@cb841f2c86fb6d07cff94fda240828c1abc5ba43 # v2.7.3
id: secrets
with:
exportEnv: false
url: ${{ secrets.VAULT_URL }}
role: ${{ secrets.VAULT_ROLE }}
method: kubernetes
secrets: |
kv-gitlab-ci/data/node/build/cosign password | COSIGN_PASSWORD ;
kv-gitlab-ci/data/node/build/cosign private_key | COSIGN_PRIVATE_KEY ;
kv-gitlab-ci/data/github/shared/dockerhub-creds user | DOCKERHUB_USER ;
kv-gitlab-ci/data/github/shared/dockerhub-creds password | DOCKERHUB_PASSWORD ;
- name: Docker login
uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc
with:
username: ${{ steps.secrets.outputs.DOCKERHUB_USER }}
password: ${{ steps.secrets.outputs.DOCKERHUB_PASSWORD }}
- name: Sign image ${{ matrix.image }}
id: sign
env:
COSIGN_PRIVATE_KEY: ${{ steps.secrets.outputs.COSIGN_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ steps.secrets.outputs.COSIGN_PASSWORD }}
run: |
IMAGE_NAME="${{ matrix.image }}"
docker pull -q ${IMAGE_NAME}
IMAGE_TAG=$(echo ${IMAGE_NAME} | awk -F':' '{print $2}')
IMAGE_DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' ${IMAGE_NAME})
IMAGE_URI=$(echo $IMAGE_DIGEST | sed -e 's/\@sha256:/:sha256-/')
SBOM_SPDX="${{ matrix.item }}_${IMAGE_TAG}_spdx.json"
syft -o spdx-json ${IMAGE_NAME} > ${SBOM_SPDX}
cosign attach sbom --sbom ${SBOM_SPDX} ${IMAGE_DIGEST}
cosign sign --yes --key env://COSIGN_PRIVATE_KEY "${IMAGE_URI}.sbom"
cosign sign --yes --key env://COSIGN_PRIVATE_KEY ${IMAGE_DIGEST}
echo "sbom=${SBOM_SPDX}" >> $GITHUB_OUTPUT
- name: Upload SBOM
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce
with:
retention-days: 30
name: ${{ steps.sign.outputs.sbom }}
path: ${{ steps.sign.outputs.sbom }}