
Commit fbff038

fcanovaisxdNiccoloFei
authored
ci: copy and sign prod images (#143)
Use skopeo to copy testing images to the production registry when they pass the security tests, instead of rebuilding them. After that, we sign the production images too. Signed-off-by: Francesco Canovai <[email protected]> Signed-off-by: Jonathan Gonzalez V <[email protected]> Signed-off-by: Niccolò Fei <[email protected]> Co-authored-by: Jonathan Gonzalez V <[email protected]> Co-authored-by: Niccolò Fei <[email protected]>
1 parent fe4092a commit fbff038


1 file changed

+44
-32
lines changed

1 file changed

+44
-32
lines changed

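--- a/.github/workflows/bake.yaml
+++ b/.github/workflows/bake.yaml
@@ -121,57 +121,69 @@ jobs:
         with:
           sarif_file: snyk.sarif
 
-  # Build the image for production.
-  #
-  # TODO: no need to rebuild everything, just copy the testing images we have generated to the production registry
-  # if we get here and we are building for production.
-  prodbuild:
-    if: github.event.inputs.environment == 'production' || github.event_name == 'schedule'
-    name: Build for production
+  # Use the metadata generated in the `testbuild` step to find all the images
+  # that have been built. We copy them one by one to the production registry
+  # using skopeo. Then we sign the production images too.
+  copytoproduction:
+    name: Copy images to production
+    if: |
+      github.ref == 'refs/heads/main' &&
+      ( github.event.inputs.environment == 'production' || github.event_name == 'schedule' )
     runs-on: ubuntu-latest
     needs:
+      - testbuild
       - security
     permissions:
       contents: read
       packages: write
       security-events: write
+      # Required by the cosign step
+      id-token: write
     steps:
-      - name: Checkout Code
-        uses: actions/checkout@v4
-
       - name: Log in to the GitHub Container registry
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-        with:
-          platforms: 'arm64'
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Build and push
-        uses: docker/bake-action@v6
-        id: build
-        env:
-          environment: production
-          registry: ghcr.io/${{ github.repository_owner }}
-          revision: ${{ github.sha }}
-        with:
-          push: true
+      - name: Copy images
+        run: |
+          images=$(echo '${{ needs.testbuild.outputs.metadata }}' |
+            jq -r '
+              .[] as $items |
+              (
+                $items."image.name" |
+                split(",")[] +
+                "@" +
+                $items."containerimage.digest"
+              )
+            '
+          )
+          for image in $images
+          do
+            testimageshaonly="${image%:*@*}@${image#*@}"
+            testimagenosha="${image%@*}"
+            prodimage="${testimagenosha/-testing/}"
+            echo "Copying ${testimageshaonly} to ${prodimage}"
+            docker run --quiet quay.io/skopeo/stable:v1.17.0-immutable copy -q -a \
+              --dest-creds ${{ github.actor }}:${{ secrets.GITHUB_TOKEN }} \
+              docker://${testimageshaonly} docker://${prodimage}
+          done
 
       - name: Install cosign
         uses: sigstore/cosign-installer@v3
-        # See https://github.blog/security/supply-chain-security/safeguard-container-signing-capability-actions/
-        # and https://github.com/actions/starter-workflows/blob/main/ci/docker-publish.yml for more details on
-        # how to use cosign.
+
       - name: Sign images
         run: |
-          images=$(echo '${{ steps.build.outputs.metadata }}' |
-            jq '.[] | (."image.name" | sub(",.*";"" )) + "@" + ."containerimage.digest"'
+          images=$(echo '${{ needs.testbuild.outputs.metadata }}' |
+            jq -r '.[] |
+              (
+                ."image.name" |
+                sub(",.*";"") |
+                sub("-testing:[^@]+";"")
+              ) + "@" + ."containerimage.digest"
+            '
           )
+          echo "Signing ${images}"
           cosign sign --yes ${images}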
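Review bot: The `Copy images` step interpolates `${{ needs.testbuild.outputs.metadata }}`, `${{ github.actor }}` and `${{ secrets.GITHUB_TOKEN }}` directly into the shell script text, so the script itself changes with the build metadata and a single quote anywhere in that JSON breaks the `echo '…'` quoting; passing them through the step's `env:` and reading the variables in the script keeps the script static and the token out of the script body (the `Sign images` step has the same `echo '${{ … }}'` pattern). The skopeo tool is pulled by the mutable tag `quay.io/skopeo/stable:v1.17.0-immutable`; since this step writes to the production registry, pinning the tool by digest makes the copy reproducible and not dependent on the tag not moving. `security-events: write` in the job's `permissions` is not used by any step visible in the hunk, so it can be dropped unless a later step of this job, outside the hunk, still uploads SARIF; the job definition continues past the hunk. `id-token: write` is correctly kept for the keyless `cosign sign` step.

```yaml
      - name: Copy images
        env:
          METADATA: ${{ needs.testbuild.outputs.metadata }}
          REGISTRY_USER: ${{ github.actor }}
          REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
        run: |
          images=$(printf '%s' "${METADATA}" |
          # … unchanged: jq filter and image-name rewriting …
            docker run --quiet quay.io/skopeo/stable:v1.17.0-immutable@sha256:<SKOPEO_IMAGE_DIGEST> copy -q -a \
              --dest-creds "${REGISTRY_USER}:${REGISTRY_PASSWORD}" \
              docker://"${testimageshaonly}" docker://"${prodimage}"
          done
```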
