ci: copy and sign prod images (#143)

Use skopeo to copy testing images to the production registry when they
pass the security tests, instead of rebuilding them. 
After that, we sign the production images too.

Signed-off-by: Francesco Canovai <francesco.canovai@enterprisedb.com>
Signed-off-by: Jonathan Gonzalez V <jonathan.gonzalez@enterprisedb.com>
Signed-off-by: Niccolò Fei <niccolo.fei@enterprisedb.com>
Co-authored-by: Jonathan Gonzalez V <jonathan.gonzalez@enterprisedb.com>
Co-authored-by: Niccolò Fei <niccolo.fei@enterprisedb.com>
Francesco Canovai
2025-01-27 14:37:52 +01:00
committed by GitHub
parent fe4092a2b4
commit fbff03889c


@@ -121,24 +121,25 @@ jobs:
with: with:
sarif_file: snyk.sarif sarif_file: snyk.sarif
# Build the image for production. # Use the metadata generated in the `testbuild` step to find all the images
# # that have been built. We copy them one by one to the production registry
# TODO: no need to rebuild everything, just copy the testing images we have generated to the production registry # using skopeo. Then we sign the production images too.
# if we get here and we are building for production. copytoproduction:
prodbuild: name: Copy images to production
if: github.event.inputs.environment == 'production' || github.event_name == 'schedule' if: |
name: Build for production github.ref == 'refs/heads/main' &&
( github.event.inputs.environment == 'production' || github.event_name == 'schedule' )
runs-on: ubuntu-latest runs-on: ubuntu-latest
needs: needs:
- testbuild
- security - security
permissions: permissions:
contents: read contents: read
packages: write packages: write
security-events: write security-events: write
# Required by the cosign step
id-token: write
steps: steps:
- name: Checkout Code
uses: actions/checkout@v4
- name: Log in to the GitHub Container registry - name: Log in to the GitHub Container registry
uses: docker/login-action@v3 uses: docker/login-action@v3
with: with:
@@ -146,32 +147,43 @@ jobs:
username: ${{ github.actor }} username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }} password: ${{ secrets.GITHUB_TOKEN }}
- name: Set up QEMU - name: Copy images
uses: docker/setup-qemu-action@v3 run: |
with: images=$(echo '${{ needs.testbuild.outputs.metadata }}' |
platforms: 'arm64' jq -r '
.[] as $items |
- name: Set up Docker Buildx (
uses: docker/setup-buildx-action@v3 $items."image.name" |
split(",")[] +
- name: Build and push "@" +
uses: docker/bake-action@v6 $items."containerimage.digest"
id: build )
env: '
environment: production )
registry: ghcr.io/${{ github.repository_owner }} for image in $images
revision: ${{ github.sha }} do
with: testimageshaonly="${image%:*@*}@${image#*@}"
push: true testimagenosha="${image%@*}"
prodimage="${testimagenosha/-testing/}"
echo "Copying ${testimageshaonly} to ${prodimage}"
docker run --quiet quay.io/skopeo/stable:v1.17.0-immutable copy -q -a \
--dest-creds ${{ github.actor }}:${{ secrets.GITHUB_TOKEN }} \
docker://${testimageshaonly} docker://${prodimage}
done
- name: Install cosign - name: Install cosign
uses: sigstore/cosign-installer@v3 uses: sigstore/cosign-installer@v3
# See https://github.blog/security/supply-chain-security/safeguard-container-signing-capability-actions/
# and https://github.com/actions/starter-workflows/blob/main/ci/docker-publish.yml for more details on
# how to use cosign.
- name: Sign images - name: Sign images
run: | run: |
images=$(echo '${{ steps.build.outputs.metadata }}' | images=$(echo '${{ needs.testbuild.outputs.metadata }}' |
jq '.[] | (."image.name" | sub(",.*";"" )) + "@" + ."containerimage.digest"' jq -r '.[] |
(
."image.name" |
sub(",.*";"") |
sub("-testing:[^@]+";"")
) + "@" + ."containerimage.digest"
'
) )
echo "Signing ${images}"
cosign sign --yes ${images} cosign sign --yes ${images}
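Review bot: The `docker run … skopeo … copy -q -a` line copies without `--preserve-digests`, while the Sign step signs `<prodimage>@<digest>` using the digest taken from the testbuild metadata, so if skopeo ever rewrites the manifest on the way (format conversion, compression change) the signature would be attached to a digest that was never pushed, or `cosign sign` would fail to resolve it; with `--preserve-digests` the copy fails loudly instead of leaving the production image unsigned. The same line expands `${{ secrets.GITHUB_TOKEN }}` into the script body and the `docker run` argv, where it sits in the step's temp script and is readable via `ps` on the runner — hand the docker config already written by the login step to skopeo via `--dest-authfile` instead, and in both `run:` blocks pass `needs.testbuild.outputs.metadata` through `env:` rather than interpolating it inside single quotes, which breaks on any `'` in the JSON and is the usual script-injection shape even if this value is build-generated. No `--src-creds` is given, so the copy presumably relies on the testing images being publicly readable; a one-line comment saying so would save the next maintainer a debugging round when that changes. Pinning `quay.io/skopeo/stable` by `@sha256:` digest rather than the `-immutable` tag, and dropping `security-events: write` now that this job no longer uploads SARIF, would tighten the job further.
```yaml
      - name: Copy images
        env:
          METADATA: ${{ needs.testbuild.outputs.metadata }}
        run: |
          images=$(jq -r '
            # … unchanged: jq filter building name@digest …
          ' <<<"$METADATA")
          for image in $images
          do
            # … unchanged: testimageshaonly / testimagenosha / prodimage derivation …
            docker run --quiet \
              -v "$HOME/.docker/config.json:/auth.json:ro" \
              quay.io/skopeo/stable:v1.17.0-immutable copy -q -a --preserve-digests \
              --dest-authfile /auth.json \
              docker://${testimageshaonly} docker://${prodimage}
          done
```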