@@ -121,57 +121,69 @@ jobs:
121
121
with :
122
122
sarif_file : snyk.sarif
123
123
124
- # Build the image for production.
125
- #
126
- # TODO: no need to rebuild everything, just copy the testing images we have generated to the production registry
127
- # if we get here and we are building for production.
128
- prodbuild :
129
- if : github.event.inputs.environment == 'production' || github.event_name == 'schedule'
130
- name : Build for production
124
+ # Use the metadata generated in the `testbuild` step to find all the images
125
+ # that have been built. We copy them one by one to the production registry
126
+ # using skopeo. Then we sign the production images too.
127
+ copytoproduction :
128
+ name : Copy images to production
129
+ if : |
130
+ github.ref == 'refs/heads/main' &&
131
+ ( github.event.inputs.environment == 'production' || github.event_name == 'schedule' )
131
132
runs-on : ubuntu-latest
132
133
needs :
134
+ - testbuild
133
135
- security
134
136
permissions :
135
137
contents : read
136
138
packages : write
137
139
security-events : write
140
+ # Required by the cosign step
141
+ id-token : write
138
142
steps :
139
- - name : Checkout Code
140
- uses : actions/checkout@v4
141
-
142
143
- name : Log in to the GitHub Container registry
143
144
uses : docker/login-action@v3
144
145
with :
145
146
registry : ghcr.io
146
147
username : ${{ github.actor }}
147
148
password : ${{ secrets.GITHUB_TOKEN }}
148
149
149
- - name : Set up QEMU
150
- uses : docker/setup-qemu-action@v3
151
- with :
152
- platforms : ' arm64'
153
-
154
- - name : Set up Docker Buildx
155
- uses : docker/setup-buildx-action@v3
156
-
157
- - name : Build and push
158
- uses : docker/bake-action@v6
159
- id : build
160
- env :
161
- environment : production
162
- registry : ghcr.io/${{ github.repository_owner }}
163
- revision : ${{ github.sha }}
164
- with :
165
- push : true
150
+ - name : Copy images
151
+ run : |
152
+ images=$(echo '${{ needs.testbuild.outputs.metadata }}' |
153
+ jq -r '
154
+ .[] as $items |
155
+ (
156
+ $items."image.name" |
157
+ split(",")[] +
158
+ "@" +
159
+ $items."containerimage.digest"
160
+ )
161
+ '
162
+ )
163
+ for image in $images
164
+ do
165
+ testimageshaonly="${image%:*@*}@${image#*@}"
166
+ testimagenosha="${image%@*}"
167
+ prodimage="${testimagenosha/-testing/}"
168
+ echo "Copying ${testimageshaonly} to ${prodimage}"
169
+ docker run --quiet quay.io/skopeo/stable:v1.17.0-immutable copy -q -a \
170
+ --dest-creds ${{ github.actor }}:${{ secrets.GITHUB_TOKEN }} \
171
+ docker://${testimageshaonly} docker://${prodimage}
172
+ done
166
173
167
174
- name : Install cosign
168
175
uses : sigstore/cosign-installer@v3
169
- # See https://github.blog/security/supply-chain-security/safeguard-container-signing-capability-actions/
170
- # and https://github.com/actions/starter-workflows/blob/main/ci/docker-publish.yml for more details on
171
- # how to use cosign.
176
+
172
177
- name : Sign images
173
178
run : |
174
- images=$(echo '${{ steps.build.outputs.metadata }}' |
175
- jq '.[] | (."image.name" | sub(",.*";"" )) + "@" + ."containerimage.digest"'
179
+ images=$(echo '${{ needs.testbuild.outputs.metadata }}' |
180
+ jq -r '.[] |
181
+ (
182
+ ."image.name" |
183
+ sub(",.*";"") |
184
+ sub("-testing:[^@]+";"")
185
+ ) + "@" + ."containerimage.digest"
186
+ '
176
187
)
188
+ echo "Signing ${images}"
177
189
cosign sign --yes ${images}
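Review bot: The `--dest-creds ${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}` argument in the new "Copy images" step places the token in the skopeo container's argv, where it is readable on the runner via `ps` or `docker inspect`, and the expression is expanded into the script text rather than into the environment. Since the preceding docker/login-action step has already authenticated to ghcr.io, the docker config it writes can be mounted read-only into the skopeo container and passed with `--dest-authfile`, keeping the secret off command lines (confirm on the runner that the credential lands in config.json rather than in a credential helper). The same pattern applies to `${{ needs.testbuild.outputs.metadata }}` pasted inside `echo '...'`: moving it to a step-level `env:` and reading `"$METADATA"` removes the single-quote shell-injection path even though the value comes from a job in this same workflow. Separately, `${testimagenosha/-testing/}` replaces the first `-testing` anywhere in the reference, so an owner or registry segment containing that substring would be rewritten; anchoring it to the tag separator as the Sign step's jq already does, `prodimage="${testimagenosha/-testing:/:}"`, is safer, hedged because the image naming convention is not visible here.
```yaml
      - name: Copy images
        env:
          METADATA: ${{ needs.testbuild.outputs.metadata }}
        run: |
          images=$(echo "$METADATA" |
          # … unchanged: jq filter, for loop head, name rewriting and echo …
            docker run --quiet \
              -v "$HOME/.docker/config.json:/auth.json:ro" \
              quay.io/skopeo/stable:v1.17.0-immutable copy -q -a \
              --dest-authfile /auth.json \
              "docker://${testimageshaonly}" "docker://${prodimage}"
          # … unchanged: done …
```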