-
Notifications
You must be signed in to change notification settings - Fork 18
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
* feat: delete old signatures * test: signatures deletion * doc: add readme entry * chore: fix job names * doc: tested cosign version notice * 🎨 Format Python code with yapf (#52) Co-authored-by: Chizkiyahu <[email protected]> * easy way create sing docker image for debug * update README.md to v6 --------- Co-authored-by: unennhexium <[email protected]> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Chizkiyahu <[email protected]>
- Loading branch information
4 people
authored
Dec 30, 2024
1 parent
9288a8b
commit 4a33ce3
Showing
6 changed files
with
277 additions
and
85 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,85 @@ | ||
| on: | ||
| workflow_call: | ||
| inputs: | ||
| image: | ||
| required: true | ||
| type: string | ||
| tag: | ||
| required: true | ||
| type: number | ||
| arg: | ||
| required: false | ||
| type: string | ||
| default: ${{ inputs.tag }} | ||
| multiplatform: | ||
| required: false | ||
| type: boolean | ||
| default: false | ||
| sign: | ||
| required: false | ||
| type: boolean | ||
| default: false | ||
| env: | ||
| # Use ghcr.io for GitHub Container Registry if empty | ||
| REGISTRY: ghcr.io | ||
|
|
||
| jobs: | ||
| build: | ||
| name: Add temporary packages for testing | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| packages: write | ||
| # This is used to complete the identity challenge with sigstore/fulcio. | ||
| # It isn't possible to use `${{ inputs.sign && write || none }}` here. | ||
| id-token: write | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| # Install the cosign tool | ||
| # https://github.com/sigstore/cosign-installer | ||
| - name: Install cosign | ||
| if: ${{ inputs.sign }} | ||
| uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da #v3.7.0 | ||
| with: | ||
| cosign-release: 'v2.4.1' | ||
| - name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@v3 | ||
| - name: Login to GitHub Container Registry | ||
| uses: docker/login-action@v3 | ||
| with: | ||
| registry: ${{ env.REGISTRY }} | ||
| username: ${{ github.repository_owner }} | ||
| password: ${{ secrets.GITHUB_TOKEN }} | ||
| # Extract metadata (tags, labels) for Docker, | ||
| # set environments required for signing. | ||
| # Automatically sanitize tags (lowercasing, | ||
| # replace spaces with '_', etc.) | ||
| # https://github.com/docker/metadata-action | ||
| - name: Extract Docker metadata | ||
| id: meta | ||
| uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1 | ||
| with: | ||
| images: ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ inputs.image }} | ||
| tags: type=raw,value=${{ inputs.tag }} | ||
| - name: Build and push | ||
| uses: docker/build-push-action@v5 | ||
| id: build-and-push | ||
| with: | ||
| file: ./CICD/Dockerfile_temp | ||
| tags: ${{ steps.meta.outputs.tags }} | ||
| build-args: I=${{ inputs.arg }} | ||
| push: true | ||
| platforms: ${{ inputs.multiplatform && 'linux/amd64,linux/arm64' || 'linux/amd64' }} | ||
| # Disable automatic manifest list by disabling attestation facts generation | ||
| provenance: ${{ !inputs.sign }} | ||
| sbom: ${{ !inputs.sign }} | ||
| # Sign the resulting Docker image digest | ||
| # https://github.com/sigstore/cosign | ||
| - name: Sign the published Docker image | ||
| if: ${{ inputs.sign }} | ||
| env: | ||
| TAGS: ${{ steps.meta.outputs.tags }} | ||
| DIGEST: ${{ steps.build-and-push.outputs.digest }} | ||
| # This step uses the identity token to provision an ephemeral certificate | ||
| # against the sigstore community Fulcio instance. | ||
| run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,97 @@ | ||
| name: signed | ||
| on: | ||
| push: | ||
| branches: [ main ] | ||
| pull_request: | ||
| branches: [ main ] | ||
| workflow_dispatch: | ||
| inputs: | ||
| skip_delete: | ||
| description: "Skip the delete steps" | ||
| required: false | ||
| default: false | ||
| type: boolean | ||
|
|
||
| concurrency: testing | ||
| permissions: | ||
| contents: read | ||
| packages: write | ||
| # Required by nested `reusable.yml`. | ||
| id-token: write | ||
| jobs: | ||
| reset: | ||
| name: Reset to a clean state | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: ./ | ||
| with: | ||
| token: ${{ secrets.PAT_TOKEN }} | ||
| repository_owner: ${{ github.repository_owner }} | ||
| repository: ${{ github.repository }} | ||
| untagged_only: false | ||
| owner_type: user | ||
| with_sigs: true | ||
|
|
||
| add_temp_pkgs3: | ||
| name: Add temporary signed packages for testing | ||
| needs: reset | ||
| uses: ./.github/workflows/reusable.yml | ||
| with: | ||
| image: 'p5' | ||
| tag: 1 | ||
| sign: true | ||
|
|
||
| add_temp_pkgs4: | ||
| name: Add temporary signed packages for testing make the first untagged (keep signed tagged) | ||
| needs: add_temp_pkgs3 | ||
| uses: ./.github/workflows/reusable.yml | ||
| with: | ||
| image: 'p5' | ||
| tag: 1 | ||
| sign: true | ||
|
|
||
| delete_package_with_signature: | ||
| name: Delete package and signature | ||
| runs-on: ubuntu-latest | ||
| needs: add_temp_pkgs4 | ||
| if: github.event_name != 'workflow_dispatch' || inputs.skip_delete == false | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: ./ | ||
| id: deleted-action | ||
| with: | ||
| token: ${{ secrets.GITHUB_TOKEN }} | ||
| repository_owner: ${{ github.repository_owner }} | ||
| repository: ${{ github.repository }} | ||
| package_name: p5 | ||
| untagged_only: true | ||
| owner_type: user | ||
| with_sigs: true | ||
| - shell: bash | ||
| run: | | ||
| if [[ "${{ steps.deleted-action.outputs.num_deleted }}" != 2 ]]; then | ||
| exit 1 | ||
| fi | ||
| clean_repo: | ||
| name: Delete all packages in repo | ||
| runs-on: ubuntu-latest | ||
| needs: delete_package_with_signature | ||
| if: github.event_name != 'workflow_dispatch' || inputs.skip_delete == false | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: ./ | ||
| id: deleted-action | ||
| with: | ||
| token: ${{ secrets.PAT_TOKEN }} | ||
| repository_owner: ${{ github.repository_owner }} | ||
| repository: ${{ github.repository }} | ||
| untagged_only: false | ||
| owner_type: user | ||
| with_sigs: true | ||
| - shell: bash | ||
| run: | | ||
| if [[ "${{ steps.deleted-action.outputs.num_deleted }}" != 1 ]]; then | ||
| exit 1 | ||
| fi |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.