@@ -10,12 +10,12 @@ permissions:
1010 issues : read
1111 packages : write
1212 pull-requests : read
13- # FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659
1413 id-token : write
1514
1615# jscpd:ignore-start
1716jobs :
1817 arrange :
18+ name : Arrange
1919 runs-on : ubuntu-latest
2020 steps :
2121 - run : |
2424 exit 1
2525 fi
2626
27- act-build-arch :
27+ act-build-images :
28+ name : Act - Build multi-arch and mono-arch images
2829 needs : arrange
2930 uses : ./.github/workflows/docker-build-images.yml
3031 secrets :
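Review bot: With the FIXME removed, `id-token : write` on the new side is left with no explanation of why a test workflow needs an OIDC token, and that permission is the one that lets a job mint identity tokens. The later hunks verify images with cosign against the GitHub Actions OIDC issuer, which suggests the token is consumed by keyless signing inside the reusable build workflow, but that is inferred rather than visible here. I would restore a short comment above the line, e.g. `# Needed by the reusable build workflow for keyless (Sigstore/OIDC) image signing; remove if signing is dropped`, so the next reader does not trim it as unused. The permissions block starts outside this hunk.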
@@ -55,17 +56,18 @@ jobs:
5556 }
5657 ]
5758
58- assert-build-arch :
59- needs : act-build-arch
59+ assert-build-arch-mono-arch :
60+ name : Assert - multi-arch and mono-arch builds
61+ needs : act-build-images
6062 runs-on : " ubuntu-latest"
6163 steps :
62- - name : Check built images ouput
64+ - name : Assert - built images output
6365 uses : actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
6466 with :
6567 script : |
6668 const assert = require("assert");
6769
68- const builtImagesOutput = `${{ needs.act-build-arch .outputs.built-images }}`;
70+ const builtImagesOutput = `${{ needs.act-build-images .outputs.built-images }}`;
6971 assert(builtImagesOutput.length, `"built-images" output is empty`);
7072
7173 // Check if is valid Json
@@ -132,13 +134,13 @@ jobs:
132134 username : ${{ github.repository_owner }}
133135 password : ${{ github.token }}
134136
135- - name : Check multi-arch docker image and manifest
137+ - name : Assert - multi-arch docker image and manifest
136138 uses : actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
137139 with :
138140 script : |
139141 const assert = require("assert");
140142
141- const image = `${{ fromJson(needs.act-build-arch .outputs.built-images).test-multi-arch.images[0] }}`;
143+ const image = `${{ fromJson(needs.act-build-images .outputs.built-images).test-multi-arch.images[0] }}`;
142144
143145 await exec.exec('docker', ['pull', image]);
144146
@@ -194,13 +196,32 @@ jobs:
194196 assert.equal(annotations[key], value, `Expected annotation not found: ${key}`);
195197 });
196198
197- - name : Check mono-arch docker image
199+ - uses : sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3.9.1
200+
201+ - name : Assert - signed multi-arch docker image
202+ uses : actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
203+ with :
204+ script : |
205+ const images = ${{ toJson(fromJson(needs.act-build-images.outputs.built-images).test-multi-arch.images) }};
206+
207+ for(const image of images) {
208+ await exec.exec(
209+ 'cosign',
210+ [
211+ 'verify', image,
212+ '--certificate-oidc-issuer', 'https://token.actions.githubusercontent.com',
213+ '--certificate-identity-regexp', 'https://github.com/hoverkraft-tech/ci-github-container',
214+ ]
215+ );
216+ }
217+
218+ - name : Assert - mono-arch docker image
198219 uses : actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
199220 with :
200221 script : |
201222 const assert = require("assert");
202223
203- const image = `${{ fromJson(needs.act-build-arch .outputs.built-images).test-mono-arch.images[0] }}`;
224+ const image = `${{ fromJson(needs.act-build-images .outputs.built-images).test-mono-arch.images[0] }}`;
204225
205226 await exec.exec('docker', ['pull', image]);
206227
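Review bot: The `--certificate-identity-regexp` value at new line 213 is an unanchored pattern with unescaped dots, so cosign accepts any certificate identity that merely contains `https://github.com/hoverkraft-tech/ci-github-container` as a substring, including a longer repository name beginning with that prefix; the same pattern is repeated in the mono-arch verification step of the next hunk. Anchor it and terminate the repository path, e.g. `'--certificate-identity-regexp', '^https://github\\.com/hoverkraft-tech/ci-github-container/'`, or pin the exact signing workflow with `--certificate-identity` if the reusable workflow's identity is known. It is also worth confirming that the `images` entries are digest references rather than tags, since verifying by tag leaves a window between build and verification where the tag could be re-pointed. `exec.exec` rejects on a non-zero exit, so a failed verification does fail the step as intended.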
@@ -239,7 +260,25 @@ jobs:
239260 );
240261 });
241262
263+ - name : Assert - signed mono-arch docker image
264+ uses : actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
265+ with :
266+ script : |
267+ const images = ${{ toJson(fromJson(needs.act-build-images.outputs.built-images).test-mono-arch.images) }};
268+
269+ for(const image of images) {
270+ await exec.exec(
271+ 'cosign',
272+ [
273+ 'verify', image,
274+ '--certificate-oidc-issuer', 'https://token.actions.githubusercontent.com',
275+ '--certificate-identity-regexp', 'https://github.com/hoverkraft-tech/ci-github-container',
276+ ]
277+ );
278+ }
279+
242280 act-build-args-secrets-and-registry-caching :
281+ name : Act - Build with args, secrets and registry caching
243282 needs : arrange
244283 uses : ./.github/workflows/docker-build-images.yml
245284 secrets :
@@ -275,6 +314,7 @@ jobs:
275314 SECRET_ENV_GITHUB_APP_TOKEN_2
276315
277316 assert-build-args-secrets-and-registry-caching :
317+ name : Assert - Build with args, secrets and registry caching
278318 needs : act-build-args-secrets-and-registry-caching
279319 runs-on : " ubuntu-latest"
280320 steps :