Skip to content

Commit

Permalink
Switch should_sign to an output and add signing data
Browse files Browse the repository at this point in the history
  • Loading branch information
LaurentGoderre committed Sep 20, 2024
1 parent 50813e2 commit b7e59af
Showing 1 changed file with 15 additions and 7 deletions.
22 changes: 15 additions & 7 deletions .github/workflows/build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,6 @@ run-name: '${{ inputs.bashbrewArch }}: ${{ inputs.firstTag }} (${{ inputs.buildI
permissions:
contents: read
actions: write # for https://github.com/andymckay/cancel-action (see usage below)
id-token: write # for AWS KMS signing (see usage below)
concurrency:
group: ${{ github.event.inputs.buildId }}
cancel-in-progress: false
Expand All @@ -34,9 +33,19 @@ defaults:
env:
BUILD_ID: ${{ inputs.buildId }}
BASHBREW_ARCH: ${{ inputs.bashbrewArch }}

# the image we'll run to access the signing tool
# https://explore.ggcr.dev/?repo=docker/image-signer-verifier
IMAGE_SIGNER: 'docker/image-signer-verifier:0.6.3@sha256:d7930e03b48064b6c2d9f9c0421f65a5dacc6aba7d91b9d2e320d2976becfeac'

# Docker Hub repository we'll push the (signed) attestation artifacts to
REFERRERS_REPO: oisupport/referrers
jobs:
build:
name: Build ${{ inputs.buildId }}
outputs:
shouldSign: ${{ steps.json.outputs.shouldSign }}
buildJson: ${{ steps.json.outputs.json }}
runs-on: ${{ inputs.bashbrewArch == 'windows-amd64' && format('windows-{0}', inputs.windowsVersion) || 'ubuntu-latest' }}
steps:

Expand Down Expand Up @@ -86,6 +95,7 @@ jobs:
".gha-bin/crane$ext" version
- name: JSON
id: json
run: |
json="$(
jq -L.scripts '
Expand All @@ -102,15 +112,13 @@ jobs:
echo "json<<$EOJSON"
cat <<<"$json"
echo "$EOJSON"
} >> "$GITHUB_ENV"
} | tee -a "$GITHUB_ENV" "$GITHUB_OUTPUT" > /dev/null
mkdir build
# TODO signing prototype -- starting very small
shouldSign="$(jq <<<"$json" -L.scripts 'include "doi"; build_should_sign')"
[ "$shouldSign" = 'true' ] || [ "$shouldSign" = 'false' ] || exit 1
echo "shouldSign=$shouldSign" >> "$GITHUB_ENV"
echo "shouldSign=$shouldSign" >> "$GITHUB_OUTPUT"
- name: Check
run: |
img="$(jq <<<"$json" -r '.build.img')"
Expand Down Expand Up @@ -153,7 +161,7 @@ jobs:
# TODO signing prototype (see above where "shouldSign" is populated)
- name: Configure AWS (for signing)
if: env.shouldSign == 'true'
if: steps.json.outputs.shouldSign == 'true'
# https://github.com/aws-actions/configure-aws-credentials/releases
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
with:
Expand All @@ -162,7 +170,7 @@ jobs:
role-to-assume: ${{ contains(fromJSON('["main","subset"]'), github.ref_name) && secrets.AWS_KMS_PROD_ROLE_ARN || secrets.AWS_KMS_STAGE_ROLE_ARN }}
# TODO figure out if there's some way we could make our secrets ternaries here more DRY without major headaches 🙈
- name: Sign
if: env.shouldSign == 'true'
if: steps.json.outputs.shouldSign == 'true'
env:
AWS_KMS_REGION: ${{ contains(fromJSON('["main","subset"]'), github.ref_name) && secrets.AWS_KMS_PROD_REGION || secrets.AWS_KMS_STAGE_REGION }}
AWS_KMS_KEY_ARN: ${{ contains(fromJSON('["main","subset"]'), github.ref_name) && secrets.AWS_KMS_PROD_KEY_ARN || secrets.AWS_KMS_STAGE_KEY_ARN }}
Expand Down

0 comments on commit b7e59af

Please sign in to comment.