@@ -121,57 +121,69 @@ jobs:
121121 with :
122122 sarif_file : snyk.sarif
123123
124- # Build the image for production.
125- #
126- # TODO: no need to rebuild everything, just copy the testing images we have generated to the production registry
127- # if we get here and we are building for production.
128- prodbuild :
129- if : github.event.inputs.environment == 'production' || github.event_name == 'schedule'
130- name : Build for production
124+ # Use the metadata generated in the `testbuild` step to find all the images
125+ # that have been built. We copy them one by one to the production registry
126+ # using skopeo. Then we sign the production images too.
127+ copytoproduction :
128+ name : Copy images to production
129+ if : |
130+ github.ref == 'refs/heads/main' &&
131+ ( github.event.inputs.environment == 'production' || github.event_name == 'schedule' )
131132runs-on : ubuntu-latest
132133 needs :
134+ - testbuild
133135 - security
134136 permissions :
135137 contents : read
136138 packages : write
137139 security-events : write
140+ # Required by the cosign step
141+ id-token : write
138142 steps :
139- - name : Checkout Code
140- uses : actions/checkout@v4
141-
142143 - name : Log in to the GitHub Container registry
143144 uses : docker/login-action@v3
144145 with :
145146 registry : ghcr.io
146147 username : ${{ github.actor }}
147148 password : ${{ secrets.GITHUB_TOKEN }}
148149
149- - name : Set up QEMU
150- uses : docker/setup-qemu-action@v3
151- with :
152- platforms : ' arm64'
153-
154- - name : Set up Docker Buildx
155- uses : docker/setup-buildx-action@v3
156-
157- - name : Build and push
158- uses : docker/bake-action@v6
159- id : build
160- env :
161- environment : production
162- registry : ghcr.io/${{ github.repository_owner }}
163- revision : ${{ github.sha }}
164- with :
165- push : true
150+ - name : Copy images
151+ run : |
152+ images=$(echo '${{ needs.testbuild.outputs.metadata }}' |
153+ jq -r '
154+ .[] as $items |
155+ (
156+ $items."image.name" |
157+ split(",")[] +
158+ "@" +
159+ $items."containerimage.digest"
160+ )
161+ '
162+ )
163+ for image in $images
164+ do
165+ testimageshaonly="${image%:*@*}@${image#*@}"
166+ testimagenosha="${image%@*}"
167+ prodimage="${testimagenosha/-testing/}"
168+ echo "Copying ${testimageshaonly} to ${prodimage}"
169+ docker run --quiet quay.io/skopeo/stable:v1.17.0-immutable copy -q -a \
170+ --dest-creds ${{ github.actor }}:${{ secrets.GITHUB_TOKEN }} \
171+ docker://${testimageshaonly} docker://${prodimage}
172+ done
166173
167174name : Install cosign
168175 uses : sigstore/cosign-installer@v3
169- # See https://github.blog/security/supply-chain-security/safeguard-container-signing-capability-actions/
170- # and https://github.com/actions/starter-workflows/blob/main/ci/docker-publish.yml for more details on
171- # how to use cosign.
176+
172177 - name : Sign images
173178 run : |
174- images=$(echo '${{ steps.build.outputs.metadata }}' |
175- jq '.[] | (."image.name" | sub(",.*";"" )) + "@" + ."containerimage.digest"'
179+ images=$(echo '${{ needs.testbuild.outputs.metadata }}' |
180+ jq -r '.[] |
181+ (
182+ ."image.name" |
183+ sub(",.*";"") |
184+ sub("-testing:[^@]+";"")
185+ ) + "@" + ."containerimage.digest"
186+ '
176187 )
188+ echo "Signing ${images}"
177189 cosign sign --yes ${images}
0 commit comments