From c3ba8b7fc63dc4077d23446819d23b64c74644f7 Mon Sep 17 00:00:00 2001
From: anhefti
Date: Wed, 7 Dec 2022 09:18:33 +0100
Subject: [PATCH 1/9] SEBSERV-365
---
 .github/workflows/buildReporting.yml | 29 +++++++++++++++++++++++++++-
 1 file changed, 28 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/buildReporting.yml b/.github/workflows/buildReporting.yml
index 700dfb38..2b2052af 100644
--- a/.github/workflows/buildReporting.yml
+++ b/.github/workflows/buildReporting.yml
@@ -102,6 +102,13 @@ jobs: # Run only on tagging if: github.event_name == 'push' && contains(github.ref, 'refs/tags/') runs-on: ubuntu-latest + needs: pytest + permissions: + contents: read + packages: write + # This is used to complete the identity challenge + # with sigstore/fulcio when running outside of PRs. + id-token: write steps: - name: Set env
@@ -126,6 +133,13 @@ jobs: - name: Checkout repository uses: actions/checkout@v2 + + # Install the cosign tool except on PR + # https://github.com/sigstore/cosign-installer + - + name: Install cosign + if: github.event_name != 'pull_request' + uses: sigstore/cosign-installer@main - name: Download a single artifact uses: actions/download-artifact@v2
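Review bot: `packages: write` in the new `permissions:` block grants the job write access to GitHub Packages, but the only registry this job visibly pushes to is Docker Hub (`anhefti/seb-server` carries no registry host), so the grant appears unused; unless the login step outside this hunk targets ghcr.io, drop it and keep the job at `contents: read` plus `id-token: write`. `id-token: write` is the one permission the keyless signing step actually needs, and scoping it to this job rather than the whole workflow is the right choice. `needs: pytest` is added here and removed again in PATCH 2/9, so it is not raised separately.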
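Review bot: `uses: sigstore/cosign-installer@main` pins the signing tool to a moving branch, so the cosign binary and its defaults can change under a release build without any change to this repository; pin it to a release tag or, preferably, a full commit SHA, e.g. `uses: sigstore/cosign-installer@<release-tag-or-commit-sha>`, in line with the major-version pins the surrounding `actions/*` steps already carry. The step-level `if: github.event_name != 'pull_request'` is redundant because the job-level `if` already limits the job to tag pushes; it is harmless but deserves either a comment saying why it is kept or removal. The step is also written as a bare `-` with `name:` on the following line, whereas every other step in the hunk uses `- name:`; matching that form keeps the step list readable.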
@@ -140,4 +154,17 @@ jobs: file: ./docker/Dockerfile push: true tags: | - anhefti/seb-server:${{ env.TAG_NAME }} \ No newline at end of file + anhefti/seb-server:${{ env.TAG_NAME }} + # Sign the resulting Docker image digest except on PRs. + # This will only write to the public Rekor transparency log when the Docker + # repository is public to avoid leaking data. If you would like to publish + # transparency data even for private images, pass --force to cosign below. + # https://github.com/sigstore/cosign + - name: Sign the published Docker image + if: ${{ github.event_name != 'pull_request' }} + # This step uses the identity token to provision an ephemeral certificate + # against the sigstore community Fulcio instance. + run: cosign sign ${TAGS} + env: + COSIGN_EXPERIMENTAL: true + TAGS: ${{ env.TAG_NAME }} \ No newline at end of file
From 781d9412707e6f1dc8dcce7334ac8f9d16839d38 Mon Sep 17 00:00:00 2001
From: anhefti
Date: Wed, 7 Dec 2022 09:26:41 +0100
Subject: [PATCH 2/9] SEBSERV-365 fix
---
 .github/workflows/buildReporting.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/buildReporting.yml b/.github/workflows/buildReporting.yml
index 2b2052af..9a574f5b 100644
--- a/.github/workflows/buildReporting.yml
+++ b/.github/workflows/buildReporting.yml
@@ -102,13 +102,13 @@ jobs: # Run only on tagging if: github.event_name == 'push' && contains(github.ref, 'refs/tags/') runs-on: ubuntu-latest - needs: pytest permissions: contents: read packages: write # This is used to complete the identity challenge # with sigstore/fulcio when running outside of PRs. id-token: write + steps: - name: Set env
From 85812b27b99d58b6f35095af719ebdbf70d69a34 Mon Sep 17 00:00:00 2001
From: anhefti
Date: Wed, 7 Dec 2022 09:55:50 +0100
Subject: [PATCH 3/9] added meta info
---
 .github/workflows/buildReporting.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
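Review bot: The new sign step runs `cosign sign ${TAGS}` against a mutable tag reference even though the comment above it says the image digest is signed; a tag can be repointed after signing, so the signature should be bound to the digest the build step produced, e.g. `run: cosign sign "${TAGS}@${DIGEST}"` with `DIGEST: ${{ steps.docker_build.outputs.digest }}` added under `env:` (the build step carries `id: docker_build` in later hunks of this series, and `digest` is the output docker/build-push-action exposes, assuming that is the action behind it). `COSIGN_EXPERIMENTAL: true` is a YAML boolean that GitHub stringifies; `COSIGN_EXPERIMENTAL: "true"` states the intent explicitly, and note that cosign 2.x ignores this variable because keyless signing is its default, which is a further reason to pin the installer instead of tracking `@main`. The step-level `if: ${{ github.event_name != 'pull_request' }}` duplicates the job-level condition visible in the first hunk of this patch.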
diff --git a/.github/workflows/buildReporting.yml b/.github/workflows/buildReporting.yml
index 9a574f5b..a2a8fa05 100644
--- a/.github/workflows/buildReporting.yml
+++ b/.github/workflows/buildReporting.yml
@@ -145,6 +145,14 @@ jobs: uses: actions/download-artifact@v2 with: name: Package + - + name: Extract metadata (tags, labels) for Docker + id: meta + uses: docker/metadata-action@v3 + with: + images: anhefti/seb-server + tags: | + anhefti/seb-server:${{ env.TAG_NAME }} - name: Build and push id: docker_build
From 81210a3ff601d27d71151f1bfb8a85086cc89f3c Mon Sep 17 00:00:00 2001
From: anhefti
Date: Thu, 8 Dec 2022 08:44:26 +0100
Subject: [PATCH 4/9] try same
---
 .github/workflows/buildReporting.yml | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/buildReporting.yml b/.github/workflows/buildReporting.yml
index a2a8fa05..738ddd05 100644
--- a/.github/workflows/buildReporting.yml
+++ b/.github/workflows/buildReporting.yml
@@ -152,7 +152,13 @@ jobs: with: images: anhefti/seb-server tags: | - anhefti/seb-server:${{ env.TAG_NAME }} + type=schedule + type=ref,event=branch + type=ref,event=pr + type=semver,pattern={{version}} + type=semver,pattern={{major}}.{{minor}} + type=semver,pattern={{major}} + type=sha - name: Build and push id: docker_build
@@ -175,4 +181,4 @@ jobs: run: cosign sign ${TAGS} env: COSIGN_EXPERIMENTAL: true - TAGS: ${{ env.TAG_NAME }} \ No newline at end of file + TAGS: ${{ steps.meta.outputs.tags }} \ No newline at end of file
From b83d2b45e9f66c86d5da00ee50505584e07c032b Mon Sep 17 00:00:00 2001
From: anhefti
Date: Thu, 8 Dec 2022 08:53:01 +0100
Subject: [PATCH 5/9] fix sha
---
 .github/workflows/buildReporting.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/buildReporting.yml b/.github/workflows/buildReporting.yml
index 738ddd05..628a23e5 100644
--- a/.github/workflows/buildReporting.yml
+++ b/.github/workflows/buildReporting.yml
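Review bot: The metadata step introduces a second source of truth for the image tag: `docker/metadata-action` computes `steps.meta.outputs.tags`, while the `Build and push` step below still pushes its own literal `anhefti/seb-server:${{ env.TAG_NAME }}`; once `steps.meta.outputs.tags` is handed to cosign, any difference between the two expressions is a reference that is signed but never pushed, or pushed but never signed. Feeding the build step from the same output, `tags: ${{ steps.meta.outputs.tags }}` and `labels: ${{ steps.meta.outputs.labels }}`, keeps the pushed, labelled and signed references identical; the same concern applies to the tag-rule rewrites in PATCH 4/9 and PATCH 9/9. The `labels` output is otherwise computed and never consumed. The step is written as a bare `-` with `name:` on the following line, unlike the `- name:` form used by the neighbouring steps.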
@@ -158,7 +158,7 @@ jobs: type=semver,pattern={{version}} type=semver,pattern={{major}}.{{minor}} type=semver,pattern={{major}} - type=sha + type=shaa - name: Build and push id: docker_build
From 8427dd668ee4e0ed96281dbd06d927a51b30aab3 Mon Sep 17 00:00:00 2001
From: anhefti
Date: Thu, 8 Dec 2022 09:10:22 +0100
Subject: [PATCH 6/9] tags
---
 .github/workflows/buildReporting.yml | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/buildReporting.yml b/.github/workflows/buildReporting.yml
index 628a23e5..76940800 100644
--- a/.github/workflows/buildReporting.yml
+++ b/.github/workflows/buildReporting.yml
@@ -152,13 +152,13 @@ jobs: with: images: anhefti/seb-server tags: | - type=schedule - type=ref,event=branch - type=ref,event=pr - type=semver,pattern={{version}} - type=semver,pattern={{major}}.{{minor}} - type=semver,pattern={{major}} - type=shaa + type=schedule + type=ref,event=branch + type=ref,event=pr + type=semver,pattern={{version}} + type=semver,pattern={{major}}.{{minor}} + type=semver,pattern={{major}} + type=shaa - name: Build and push id: docker_build
From ca351d8307288719da029766f0838cbded1b3863 Mon Sep 17 00:00:00 2001
From: Andreas Hefti
Date: Thu, 8 Dec 2022 09:18:20 +0100
Subject: [PATCH 7/9] Update buildReporting.yml
---
 .github/workflows/buildReporting.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/buildReporting.yml b/.github/workflows/buildReporting.yml
index 76940800..be48ecc2 100644
--- a/.github/workflows/buildReporting.yml
+++ b/.github/workflows/buildReporting.yml
@@ -158,7 +158,7 @@ jobs: type=semver,pattern={{version}} type=semver,pattern={{major}}.{{minor}} type=semver,pattern={{major}} - type=shaa + type=sha - name: Build and push id: docker_build
@@ -181,4 +181,4 @@ jobs: run: cosign sign ${TAGS} env: COSIGN_EXPERIMENTAL: true - TAGS: ${{ steps.meta.outputs.tags }} \ No newline at end of file + TAGS: ${{ steps.meta.outputs.tags }}
From 42ba0bce0b1a469f1ae3870ecc74faf7ef660348 Mon Sep 17 00:00:00 2001
From: anhefti
Date: Thu, 8 Dec 2022 09:26:17 +0100
Subject: [PATCH 8/9] try
---
 .github/workflows/buildReporting.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/buildReporting.yml b/.github/workflows/buildReporting.yml
index be48ecc2..5cecad3b 100644
--- a/.github/workflows/buildReporting.yml
+++ b/.github/workflows/buildReporting.yml
@@ -158,7 +158,6 @@ jobs: type=semver,pattern={{version}} type=semver,pattern={{major}}.{{minor}} type=semver,pattern={{major}} - type=sha - name: Build and push id: docker_build
From 4c8b1f973e8c515c93c744ff9daea29233a37a4b Mon Sep 17 00:00:00 2001
From: anhefti
Date: Thu, 8 Dec 2022 09:45:42 +0100
Subject: [PATCH 9/9] tags raw
---
 .github/workflows/buildReporting.yml | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/.github/workflows/buildReporting.yml b/.github/workflows/buildReporting.yml
index 5cecad3b..fbe97da4 100644
--- a/.github/workflows/buildReporting.yml
+++ b/.github/workflows/buildReporting.yml
@@ -152,12 +152,7 @@ jobs: with: images: anhefti/seb-server tags: | - type=schedule - type=ref,event=branch - type=ref,event=pr - type=semver,pattern={{version}} - type=semver,pattern={{major}}.{{minor}} - type=semver,pattern={{major}} + type=raw,${{ env.TAG_NAME }} - name: Build and push id: docker_build
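Review bot: `type=raw,${{ env.TAG_NAME }}` relies on metadata-action accepting a bare second field as the tag value; the documented form is `type=raw,value=${{ env.TAG_NAME }}`, and if the shorthand is not honoured the step emits no tag and the sign step downstream runs `cosign sign` with an empty `TAGS`, failing only at signing time. Writing the documented form removes the dependency on that shorthand. `TAG_NAME` is produced by the `Set env` step outside this hunk, so whatever that step derives from `github.ref` reaches the registry as a tag; it is worth confirming that value is always a valid OCI tag, or letting a rule such as `type=semver,pattern={{version}}` (which this hunk removes) derive it from the git tag with the action's own validation.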