|
12 | 12 | - production
|
13 | 13 | default: testing
|
14 | 14 | description: "Choose the environment to bake the images for"
|
| 15 | + target: |
| 16 | + type: string |
| 17 | + default: "" |
| 18 | + description: "A comma separated list of targets to build. If empty, all targets will be built." |
15 | 19 |
|
16 | 20 | jobs:
|
17 | 21 | # Start by building images for testing. We want to run security checks before pushing those to production.
|
|
22 | 26 | contents: read
|
23 | 27 | packages: write
|
24 | 28 | security-events: write
|
| 29 | + # Required by the cosign step |
| 30 | + id-token: write |
25 | 31 | outputs:
|
26 | 32 | metadata: ${{ steps.build.outputs.metadata }}
|
27 | 33 | images: ${{ steps.images.outputs.images }}
|
@@ -55,13 +61,26 @@ jobs:
|
55 | 61 | revision: ${{ github.sha }}
|
56 | 62 | with:
|
57 | 63 | push: true
|
| 64 | + targets: ${{ github.event.inputs.target }} |
58 | 65 |
|
59 | 66 | # Get a list of the images that were built and pushed. We only care about a single tag for each image.
|
60 | 67 | - name: Generated images
|
61 | 68 | id: images
|
62 | 69 | run: |
|
63 | 70 | echo "images=$(echo '${{ steps.build.outputs.metadata }}' | jq -c '[ .[]."image.name" | sub(",.*";"") ]')" >> "$GITHUB_OUTPUT"
|
64 | 71 |
|
| 72 | + # Even if we're testing we sign the images, so we can push them to production later if that's required |
| 73 | + - name: Install cosign |
| 74 | + uses: sigstore/cosign-installer@v3 |
| 75 | + # See https://github.blog/security/supply-chain-security/safeguard-container-signing-capability-actions/ |
| 76 | + # and https://github.com/actions/starter-workflows/blob/main/ci/docker-publish.yml for more details on |
| 77 | + # how to use cosign. |
| 78 | + - name: Sign images |
| 79 | + run: | |
| 80 | + echo '${{ steps.build.outputs.metadata }}' | \ |
| 81 | + jq '.[] | (."image.name" | sub(",.*";"" )) + "@" + ."containerimage.digest"' | \ |
| 82 | + xargs cosign sign --yes |
| 83 | +
|
65 | 84 | security:
|
66 | 85 | name: Security checks
|
67 | 86 | runs-on: ubuntu-latest
|
@@ -144,3 +163,15 @@ jobs:
|
144 | 163 | revision: ${{ github.sha }}
|
145 | 164 | with:
|
146 | 165 | push: true
|
| 166 | + |
| 167 | + - name: Install cosign |
| 168 | + uses: sigstore/cosign-installer@v3 |
| 169 | + # See https://github.blog/security/supply-chain-security/safeguard-container-signing-capability-actions/ |
| 170 | + # and https://github.com/actions/starter-workflows/blob/main/ci/docker-publish.yml for more details on |
| 171 | + # how to use cosign. |
| 172 | + - name: Sign images |
| 173 | + run: | |
| 174 | + images=$(echo '${{ steps.build.outputs.metadata }}' | |
| 175 | + jq '.[] | (."image.name" | sub(",.*";"" )) + "@" + ."containerimage.digest"' |
| 176 | + ) |
| 177 | + cosign sign --yes ${images} |
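Review bot: `cosign sign --yes ${images}` on the last line of this hunk receives each reference with its JSON double quotes still attached, because `jq` is invoked without `-r` and shell quote removal does not apply to characters produced by parameter expansion, so every argument looks like `"ghcr.io/…@sha256:…"` and cosign will reject it as an invalid image reference; the earlier hunk only works because `xargs` strips quotes itself. Change the call to `jq -r '.[] | (."image.name" | sub(",.*";"" )) + "@" + ."containerimage.digest"'` (or use the same `xargs cosign sign --yes` form in both jobs) so signing gets bare `name@digest` strings. Splicing the metadata into the shell via `echo '${{ steps.build.outputs.metadata }}'` is also fragile: a single quote in any field breaks the command, so passing it through an `env:` variable such as `METADATA: ${{ steps.build.outputs.metadata }}` and reading `"$METADATA"` is safer. The build job adds `id-token: write` for keyless signing, but this production job's `permissions:` block is outside the hunk — confirm it carries the same permission, and consider pinning `sigstore/cosign-installer` to a commit SHA rather than the floating `@v3` tag.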