You've already forked dcmerge
feat(ci): sign container image
All checks were successful
Lint Golang files / Run golang CI linter (stable, ubuntu-latest-amd64) (push) Successful in 11s
Run Golang tests / Run unit tests (stable, ubuntu-latest-amd64) (push) Successful in 6s
Lint Markdown files / Run markdown linter (push) Successful in 4s
Lint Golang files / Run golang CI linter (stable, ubuntu-latest-arm64) (push) Successful in 28s
Run Golang tests / Run unit tests (stable, ubuntu-latest-arm64) (push) Successful in 24s
Release / Release application (push) Successful in 5m56s
Release / Upload Images to docker.io (push) Successful in 1m4s
All checks were successful
Lint Golang files / Run golang CI linter (stable, ubuntu-latest-amd64) (push) Successful in 11s
Run Golang tests / Run unit tests (stable, ubuntu-latest-amd64) (push) Successful in 6s
Lint Markdown files / Run markdown linter (push) Successful in 4s
Lint Golang files / Run golang CI linter (stable, ubuntu-latest-arm64) (push) Successful in 28s
Run Golang tests / Run unit tests (stable, ubuntu-latest-arm64) (push) Successful in 24s
Release / Release application (push) Successful in 5m56s
Release / Upload Images to docker.io (push) Successful in 1m4s
This commit is contained in:
@@ -2,8 +2,8 @@ name: Upload ArtifactHub Metadata
|
||||
|
||||
on:
|
||||
schedule:
|
||||
- cron: '0 3 1 * *'
|
||||
workflow_dispatch:
|
||||
- cron: '0 3 1 * *'
|
||||
workflow_dispatch:
|
||||
|
||||
jobs:
|
||||
upload-metadata:
|
||||
@@ -11,6 +11,9 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v6.0.2
|
||||
- uses: sigstore/cosign-installer@v4.0.0
|
||||
with:
|
||||
cosign-release: "v3.0.3" # renovate: datasource=github-tags depName=sigstore/cosign
|
||||
- uses: docker/login-action@v3.7.0
|
||||
with:
|
||||
registry: git.cryptic.systems
|
||||
@@ -28,8 +31,25 @@ jobs:
|
||||
oras push git.cryptic.systems/volker.raschek/dcmerge:artifacthub.io \
|
||||
--config /dev/null:application/vnd.cncf.artifacthub.config.v1+yaml \
|
||||
artifacthub-repo.yml:application/vnd.cncf.artifacthub.repository-metadata.layer.v1.yaml
|
||||
- name: Push public cosign key to git.cryptic.systems
|
||||
env:
|
||||
COSIGN_PUBLIC_KEY: ${{ vars.COSIGN_PUBLIC_KEY }}
|
||||
run: |
|
||||
echo "${COSIGN_PUBLIC_KEY}" > cosign.pub
|
||||
oras push git.cryptic.systems/volker.raschek/dcmerge:cosign.pub \
|
||||
--artifact-type application/vnd.dev.cosign.public-key.v1 \
|
||||
cosign.pub:application/vnd.dev.cosign.public-key.v1
|
||||
|
||||
- name: Push artifacthub-repo.yml to docker.io
|
||||
run: |
|
||||
oras push docker.io/volkerraschek/dcmerge:artifacthub.io \
|
||||
--config /dev/null:application/vnd.cncf.artifacthub.config.v1+yaml \
|
||||
artifacthub-repo.yml:application/vnd.cncf.artifacthub.repository-metadata.layer.v1.yaml
|
||||
- name: Push public cosign key to docker.io
|
||||
env:
|
||||
COSIGN_PUBLIC_KEY: ${{ vars.COSIGN_PUBLIC_KEY }}
|
||||
run: |
|
||||
echo "${COSIGN_PUBLIC_KEY}" > cosign.pub
|
||||
oras push docker.io/volkerraschek/dcmerge:cosign.pub \
|
||||
--artifact-type application/vnd.dev.cosign.public-key.v1 \
|
||||
cosign.pub:application/vnd.dev.cosign.public-key.v1
|
||||
@@ -31,6 +31,9 @@ jobs:
|
||||
"https://github.com/anchore/syft/releases/download/v${SYFT_VERSION}/syft_${SYFT_VERSION}_${OS}_${ARCH}.deb"
|
||||
dpkg -i syft_${SYFT_VERSION}_${OS}_${ARCH}.deb
|
||||
rm syft_${SYFT_VERSION}_${OS}_${ARCH}.deb
|
||||
- uses: sigstore/cosign-installer@v4.0.0
|
||||
with:
|
||||
cosign-release: "v3.0.3" # renovate: datasource=github-tags depName=sigstore/cosign
|
||||
- uses: docker/setup-qemu-action@v3.7.0
|
||||
- uses: docker/setup-buildx-action@v3.12.0
|
||||
- uses: actions/setup-go@v6.2.0
|
||||
@@ -42,6 +45,8 @@ jobs:
|
||||
username: ${{ github.repository_owner }}
|
||||
password: ${{ secrets.GIT_CRYPTIC_SYSTEMS_PACKAGE_REGISTRY_TOKEN }}
|
||||
- env:
|
||||
COSIGN_PASSPHRASE: ${{ secrets.COSIGN_PASSPHRASE }}
|
||||
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
|
||||
GITEA_TOKEN: ${{ secrets.GIT_CRYPTIC_SYSTEMS_PACKAGE_REGISTRY_TOKEN }}
|
||||
GONOSUMDB: ${{ vars.GONOSUMDB }}
|
||||
GOPROXY: ${{ vars.GOPROXY }}
|
||||
|
||||
@@ -311,6 +311,51 @@ sboms:
|
||||
- "--enrich=all"
|
||||
- "--output=spdx-json=$document"
|
||||
|
||||
docker_signs:
|
||||
- # ID of the sign config, must be unique.
|
||||
# Only relevant if you want to produce some sort of signature file.
|
||||
#
|
||||
# Default: 'default'.
|
||||
id: container-images
|
||||
|
||||
# Path to the signature command.
|
||||
#
|
||||
# Default: 'cosign'.
|
||||
cmd: cosign
|
||||
|
||||
# Command line arguments for the command.
|
||||
#
|
||||
# Default: ["sign", "--key=cosign.key", "${artifact}@${digest}", "--yes"].
|
||||
# Templates: allowed.
|
||||
args:
|
||||
- "sign"
|
||||
- "--key=env://COSIGN_PRIVATE_KEY"
|
||||
- "${artifact}@${digest}"
|
||||
- "--yes"
|
||||
|
||||
# Which artifacts to sign.
|
||||
#
|
||||
# all: all artifacts
|
||||
# none: no signing
|
||||
# images: only docker images
|
||||
# manifests: only docker manifests
|
||||
# '': images built by dockers_v2
|
||||
#
|
||||
# Default: ''.
|
||||
artifacts: all
|
||||
|
||||
# IDs of the artifacts to sign.
|
||||
ids:
|
||||
- container-images
|
||||
|
||||
# Stdin data to be given to the signature command as stdin.
|
||||
#
|
||||
# Templates: allowed.
|
||||
stdin: "{{ .Env.COSIGN_PASSPHRASE }}"
|
||||
|
||||
# StdinFile file to be given to the signature command as stdin.
|
||||
# stdin_file: ./passphrase.key
|
||||
|
||||
gitea_urls:
|
||||
api: https://git.cryptic.systems/api/v1
|
||||
download: https://git.cryptic.systems
|
||||
|
||||
Reference in New Issue
Block a user