forked from some-natalie/image-ingest-script
-
Notifications
You must be signed in to change notification settings - Fork 0
90 lines (78 loc) · 2.65 KB
/
Copy pathingest.yaml
File metadata and controls
90 lines (78 loc) · 2.65 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
name: Mirror workflow
on:
workflow_dispatch:
jobs:
mirror:
runs-on: ubuntu-latest
strategy:
# trino:453 should fail the vulnerability scan
matrix:
image:
[
"python:3.10",
"python:3.10-dev",
"postgres:14",
"postgres:16",
"node:latest",
"trino:453",
]
continue-on-error: true
permissions:
contents: read
packages: write
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Install Cosign
uses: sigstore/cosign-installer@v3.7.0
- name: Login to CGR container registry
uses: docker/login-action@v3
with:
registry: ${{ vars.CGR_REGISTRY }}
username: ${{ secrets.CGR_USERNAME }}
password: ${{ secrets.CGR_TOKEN }}
- name: Login to GHCR
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Scan image
uses: anchore/scan-action@v3
with:
image: ${{ vars.CGR_REGISTRY }}/${{ matrix.image }}
fail-build: true
severity-cutoff: medium
- name: Verify attestation
shell: bash
run: |
cosign verify \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
--certificate-identity=https://github.com/chainguard-images/images-private/.github/workflows/release.yaml@refs/heads/main \
${{ vars.CGR_REGISTRY }}/${{ matrix.image }} | jq > attestation.json
- name: Download SBOM
shell: bash
run: |
cosign download attestation ${{ vars.CGR_REGISTRY }}/${{ matrix.image }} | jq -r .payload | base64 -d | jq .predicate >> sbom.json
- name: Cut the tag from the image name
shell: bash
run: |
echo "IMAGE_NAME=$(echo ${{ matrix.image }} | cut -d: -f1)" >> $GITHUB_ENV
echo "IMAGE_TAG=$(echo ${{ matrix.image }} | cut -d: -f2)" >> $GITHUB_ENV
- name: Upload SBOM and attestation
uses: actions/upload-artifact@v4
with:
name: ${{ env.IMAGE_NAME }}-${{ env.IMAGE_TAG }}
path: |
sbom.json
attestation.json
- name: Setup go
uses: actions/setup-go@v5
- name: Run incert and push
shell: bash
run: |
go install github.com/chainguard-dev/incert@latest
incert \
-ca-certs-file test.crt \
-image-url ${{ vars.CGR_REGISTRY }}/${{ matrix.image }} \
-dest-image-url ghcr.io/${{ github.repository }}/${{ matrix.image }}